Thank you, Aleksey. I finally understood by changing your sha'd to sha1'ed.
I can clearly see what is sha1'ed of the input-file.

Between </Document> and </MsgHead> where <Signature/> belongs, there are 2 spaces, 0x20. That is the only difference between the result from xmlsec1 canonicalization and the 'xmllint --c14n' canonicalization.

But still, trying to run the openssl dgst -sha1 -binary | openssl enc -base64 on the exactly hex-controlled copy of the --store-references dumped PreDigest buffer part does not give the same DigestValue, and I so far do not understand why.

--
Si St
[email protected]

On Friday, November 11, 2011 10:49 AM, "Si St" <[email protected]> wrote:
> Well, of course I notice the reference here, but sorry, I am not able to
> understand how to use the information from that w3.org page, eventually
> what collides with the command openssl dgst -sha1.
> Sorry, my brain is njet harasjà; ploche.
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> --
> Si St
> [email protected]
>
>
> On Friday, November 11, 2011 10:07 AM, "Aleksey Sanin"
> <[email protected]> wrote:
> > Run the xmlsec1 utility with --store-references to see what exactly is
> > sha'd
> >
> > Aleksey
> >
> > On 11/11/11 10:05 AM, Si St wrote:
> > > Is sha1 in xmlsec1 after the canonicalization of the xmlfile-docpart to
> > > sign identical to this:
> > >
> > > cat xmlfile-docpart | openssl dgst -sha1 -binary | openssl enc -base64 > xmlfile-docpart-digest
> > > ?
> > > If xmlfile-docpart is as simple as the following (letting out the
> > > signaturepart):
> > >
> > > <?xml version="1.0" encoding="ISO-8859-1"?>
> > > <MsgHead>
> > > <Document>
> > > <Krav/>
> > > </Document>
> > > </MsgHead>
> > >
> > >
> > > then the C14N of it cannot give anything more than this:
> > >
> > > <MsgHead>
> > > <Document>
> > > <Krav></Krav>
> > > </Document>
> > > </MsgHead>
> > >
> > > but doing the sha1 with openssl on this postC14N file (done with xmllint
> > > --c14n), we get this digestvalue:
> > > tkuyB5MHizGiQsl9ljG+YcPogOA=
> > > the digestvalue from running xmlsec1 sign on the preC14N+sigpart file
> > > gives this:
> > > pKl5h5ALLpm57qM8FeuQSaa4Ogk=
> > >
> > > Does this mean the xmldsig#sha1 is something different from 'sha1sum'
> > > and 'openssl -sha1'?
> > > In case, what is the difference? That C14N puts in (empty) elements from
> > > a xsd-scheme, or what?
> > >
> > > I am talking about the DigestValue from the document part here, not the
> > > DigestValue of the SignedInfo that disappears in the SignatureValue.
> > >
> > > I thought that SHA1 = SHA1. Period.

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
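
An added example, not part of the original thread or of xmlsec: a Python helper for the debugging step discussed above. It compares a PreDigest buffer dumped with --store-references against `xmllint --c14n` output byte for byte and computes the base64 SHA-1 of each, as `openssl dgst -sha1 -binary | openssl enc -base64` would. The function names are hypothetical and both sample buffers are constructed, with the position of the two spaces assumed.

```python
import base64
import hashlib


def digest_value(pre_digest: bytes) -> str:
    """base64(SHA-1(bytes)), i.e. `openssl dgst -sha1 -binary | openssl enc -base64`."""
    return base64.b64encode(hashlib.sha1(pre_digest).digest()).decode("ascii")


def first_difference(a: bytes, b: bytes, context: int = 8):
    """Return (offset, hex of a, hex of b) around the first differing byte, or None."""
    shared = min(len(a), len(b))
    offset = next((i for i in range(shared) if a[i] != b[i]), shared)
    if offset == shared and len(a) == len(b):
        return None  # byte-identical, so the digests must match
    lo = max(0, offset - context)
    return offset, a[lo:offset + context].hex(" "), b[lo:offset + context].hex(" ")


def compare(dumped: bytes, local: bytes) -> dict:
    """Digest both buffers and locate where they diverge."""
    return {
        "dumped_digest": digest_value(dumped),
        "local_digest": digest_value(local),
        "first_difference": first_difference(dumped, local),
    }


# Constructed sample data (not the poster's real buffers). Assumed layout: the
# signature element sat on its own indented line, so removing it leaves
# "\n  \n" between </Document> and </MsgHead>.
XMLLINT_C14N = b"<MsgHead>\n<Document>\n<Krav></Krav>\n</Document>\n</MsgHead>"
XMLSEC_PREDIGEST = b"<MsgHead>\n<Document>\n<Krav></Krav>\n</Document>\n  \n</MsgHead>"

if __name__ == "__main__":
    report = compare(XMLSEC_PREDIGEST, XMLLINT_C14N)
    print(report["dumped_digest"], report["local_digest"])
    print("first difference:", report["first_difference"])
    # A trailing newline added by an editor or by `echo` is also a byte that is hashed.
    print(first_difference(XMLLINT_C14N, XMLLINT_C14N + b"\n"))
```

To use it on real data, read both files in binary mode (`open(path, "rb").read()`) so that no newline or encoding translation alters the bytes before hashing.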
