You probably want to contact RSA FIM to figure out what this
exception means.

Aleksey

On 5/14/12 11:58 AM, Rich Duzenbury wrote:
> Hi,
> 
> I'm attempting to generate an identity provider assertion that will
> work with RSA FIM.
> 
> Here is a recent assertion, ready to be signed:
> http://pastie.org/private/gobkuozf0asjpqw3rekavq
> 
> Here is that same assertion, signed:
> http://pastie.org/private/yrrlqgxqcwkn7tqorva44a
> 
> I use xmlsec to do the signing.  I can validate the signature via
> xmlsec.  That is to say, the validation runs and returns a good
> result.  If I change a byte in the output document, the signature
> validation fails, as should be expected.  However, RSA FIM doesn't
> like it, and throws a NULL exception.  I don't have access to more
> than a stack trace.
> 
> I have doubt about whether I set up the signature block correctly.
> Here is my <signature> template:
> 
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <ds:SignedInfo>
>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <ds:Reference URI="">
>           <ds:Transforms>
>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           </ds:Transforms>
>           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>           <ds:DigestValue></ds:DigestValue>
>         </ds:Reference>
>       </ds:SignedInfo>
>       <ds:SignatureValue></ds:SignatureValue>
>       <ds:KeyInfo>
>         <ds:X509Data>
>           <ds:X509Certificate></ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </ds:Signature>
> 
> I presume enveloped signature means to sign the whole message, right?
> Is it enough to simply include <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> in the signature
> method, and the canonicalization will magically be done by the library?
> Or do I have to signal xmlsec to do it in some way? or does it have to
> be done with a different tool before the signing is completed?  Have I
> built this correctly?
> 
> I'm using the command line for now, by the way, if that makes any real
> difference.
> 
> --
> Thank you.
> 
> Regards,
> Rich
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec