I would really appreciate any help with how the signature value is calculated.

From what I have read, my understanding is that the signature value is calculated on the canonicalized SignedInfo node (after the digest value has been inserted). This does appear to be so when I step through the xmlsec code in the debugger. I am trying to verify that I have got this right by calculating this signature value using openssl on the command line.

I would appreciate feedback showing me exactly what piece is being signed in the example signed document below and if I am using openssl properly.

The openssl commands I am executing are:

Calculate the binary signature using my private key:

openssl dgst -sign mykey.pem -out mysig.bin signedinfo.xml

and then convert the result to base64:

openssl base64 -in mysig.bin

The file signedinfo.xml contains the SignedInfo node from the full document below. In other words:
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>sUD7jzvAdt3liQEkrpGsJukqftU=</DigestValue>
</Reference>
</SignedInfo>
The example signed document is:

<?xml-stylesheet type="text/xsl" href="" ?>
<sales quarter="2001-01">
<region name="Northeast">
<units>374</units>
<amount>12500.26</amount>
</region>
<region name="Southeast">
<units>512</units>
<amount>17692</amount>
</region>
<region name="Southwest">
<units>161</units>
<amount>8349.72</amount>
</region>
<region name="Northwest">
<units>465</units>
<amount>15239.6</amount>
</region>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>sUD7jzvAdt3liQEkrpGsJukqftU=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>HB34BqrIo4511h072CpiTv2z48+/7NHq/T9laNlwiWOQtWLpIVipSfsqjRx/QDoO
XguVyZGXc1v/jvik4B2OMmgyiFGIJMQ8n8N9LxnLToOYN8TUJjGXY2M1HRuGnCGb
vhyhXikITmlfFBqm29XewpFwSGO5jS4v0qmt5TNCX3YX5o7dAenMVtziK/r37JvY
ZFbDFusHCRJ3/phfae9mjWuIHPbIdypMayB5gF4wtT69nLVmjHykVV1PXHSDhbbn
sSNZTIN3W2w1UOadogBKwu4g/T9/hlbCkRsSranSGPPkCbN5tl6LnpWIRIPCFk1a
Y2ye8RfyO2u7akUjjCXTfw==</SignatureValue>
<KeyInfo>
<X509Data></X509Data>
</KeyInfo>
</Signature></sales>
Thanks,
--
Sanjay
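As an added example (not from the original post, and not xmlsec code), the following Python script computes with the standard library only the two inputs the question is about: the bytes that DigestValue is taken over (enveloped-signature transform, then canonicalization) and the canonical SignedInfo that SignatureValue signs. It assumes Python 3.8+ and uses xml.etree's C14N 2.0 canonicalizer, which for a prefix-free document like this one should yield the same bytes as the REC-xml-c14n-20010315 form named in CanonicalizationMethod; the sample document is constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Serialise dsig subtrees with a default xmlns, as inclusive C14N renders the in-scope default namespace on the apex element.
ET.register_namespace("", DSIG_NS)

# Constructed sample in the poster's layout: one region, DigestValue empty, no stylesheet PI (ET.fromstring drops prolog PIs; C14N would keep it).
SAMPLE_DOC = """<sales quarter="2001-01">
  <region name="Northeast"><units>374</units><amount>12500.26</amount></region>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI=""><Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue></DigestValue></Reference>
  </SignedInfo><SignatureValue></SignatureValue></Signature>
</sales>
"""

def reference_bytes(doc: str) -> bytes:
    """Enveloped-signature transform, then C14N of what remains: the DigestValue input."""
    root = ET.fromstring(doc)
    parents = {child: parent for parent in root.iter() for child in parent}
    for sig in list(root.iter(f"{{{DSIG_NS}}}Signature")):
        parent, idx = parents[sig], list(parents[sig]).index(sig)
        # Only the Signature subtree leaves the node-set; the whitespace text node after it stays.
        if idx:
            parent[idx - 1].tail = (parent[idx - 1].tail or "") + (sig.tail or "")
        else:
            parent.text = (parent.text or "") + (sig.tail or "")
        parent.remove(sig)
    return ET.canonicalize(ET.tostring(root, encoding="unicode")).encode("utf-8")

def digest_value(doc: str) -> str:
    return base64.b64encode(hashlib.sha1(reference_bytes(doc)).digest()).decode("ascii")

def verify_reference(doc: str) -> bool:
    """Recompute the Reference digest and compare with the embedded DigestValue."""
    embedded = ET.fromstring(doc).find(f".//{{{DSIG_NS}}}DigestValue").text or ""
    return embedded.strip() == digest_value(doc)

def signed_info_bytes(doc: str) -> bytes:
    """What SignatureValue signs: canonical SignedInfo, xmlns inherited from Signature."""
    si = ET.fromstring(doc).find(f".//{{{DSIG_NS}}}SignedInfo")
    si.tail = None  # tostring() would otherwise append the whitespace after </SignedInfo>
    return ET.canonicalize(ET.tostring(si, encoding="unicode")).encode("utf-8")
```

The detail a signedinfo.xml copied out by hand misses is the xmlns="http://www.w3.org/2000/09/xmldsig#" declaration that SignedInfo inherits from Signature and that inclusive C14N renders on it, together with byte-exact whitespace. Write the output of signed_info_bytes() to a file and pass that to openssl dgst -sha1 -sign (name the digest explicitly, since current openssl dgst defaults to SHA-256) to obtain the RSA-SHA1 SignatureValue.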
