Hi,

I'm attempting to generate an identity provider assertion that will
work with RSA FIM.

Here is a recent assertion, ready to be signed:
http://pastie.org/private/gobkuozf0asjpqw3rekavq

Here is that same assertion, signed:
http://pastie.org/private/yrrlqgxqcwkn7tqorva44a

I use xmlsec to do the signing.  I can validate the signature via
xmlsec.  That is to say, the validation runs and returns a good
result.  If I change a byte in the output document, the signature
validation fails, as should be expected.  However, RSA FIM doesn't
like it, and throws a NULL exception.  I don't have access to more
than a stack trace.

I have doubts about whether I set up the signature block correctly.
Here is my <signature> template:

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue></ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue></ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>

I presume enveloped signature means to sign the whole message, right?
Is it enough to simply include <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> in the signature
method, and the canonicalization will magically be done by the library?
Or do I have to signal xmlsec to do it in some way? Or does it have to
be done with a different tool before the signing is completed?  Have I
built this correctly?

I'm using the command line for now, by the way, if that makes any real
difference.

--
Thank you.

Regards,
Rich
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
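Added example, not from the original post and not xmlsec's or RSA FIM's own code: a shell round trip that embeds the same empty template in a constructed SAML-style assertion, signs it from the command line with xmlsec1, verifies it against the signing certificate, and confirms that a one-byte edit is rejected. xmlsec1 reads the Transforms listed in the template and applies them itself, so no separate canonicalization step is needed. It assumes xmlsec1 and openssl on PATH; the file names, the issuer value and the throwaway key are constructed for the demo.

```shell
# Added example (not from the original post): sign a document carrying an
# empty enveloped-signature template with xmlsec1, then verify it and a
# tampered copy. Assumes xmlsec1 and openssl on PATH; file names are hypothetical.
set -eu
WORK=$(mktemp -d)
# xmlsec1 applies the Transforms named in the template on its own:
# enveloped-signature drops the Signature element, exc-c14n canonicalises the
# rest, then DigestValue, SignatureValue and X509Certificate are filled in.
write_unsigned() {
  cat > "$1" <<'EOF'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate/></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</saml:Assertion>
EOF
}
# Throwaway self-signed RSA key and certificate (constructed for the demo).
make_key() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=idp.example.test" \
    -keyout "$1" -out "$2" >/dev/null 2>&1
}
# sign_doc unsigned.xml key.pem cert.pem signed.xml: the cert after the comma
# is what xmlsec1 places into the empty X509Certificate element.
sign_doc() { xmlsec1 --sign --privkey-pem "$2,$3" --output "$4" "$1"; }
# verify_doc signed.xml cert.pem: trust only the named certificate, not the
# one the document carries in its own KeyInfo. Non-zero on failure.
verify_doc() { xmlsec1 --verify --trusted-pem "$2" "$1" >/dev/null 2>&1; }
# Round trip: 0 if the untouched document verifies and a changed byte is rejected.
roundtrip() {
  write_unsigned "$WORK/unsigned.xml"
  make_key "$WORK/key.pem" "$WORK/cert.pem"
  sign_doc "$WORK/unsigned.xml" "$WORK/key.pem" "$WORK/cert.pem" "$WORK/signed.xml"
  verify_doc "$WORK/signed.xml" "$WORK/cert.pem" || return 1
  sed 's/example.test/example.other/' "$WORK/signed.xml" > "$WORK/tampered.xml"
  ! verify_doc "$WORK/tampered.xml" "$WORK/cert.pem"
}
```

Verifying with --trusted-pem pins trust to your own copy of the certificate rather than whichever certificate the document carries in KeyInfo, which is the check a relying party should be making.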
