Yes, you just need to construct the right template to sign :) There was a discussion a few years ago:

http://www.aleksey.com/pipermail/xmlsec/2008/008269.html

Aleksey

On 9/6/12 12:28 AM, Umberto Rustichelli aka Ubi wrote:
>
> Ah! I forgot to fix...
>
> The Reference URI is not URI="#SignedProperties-Signer-T-1345709484789"
> but URI="#sprop"
>
>
> On 09/06/2012 09:25 AM, Umberto Rustichelli aka Ubi wrote:
>>
>> Hi all,
>> I'm new to XMLSEC - and just giving up writing my own library (got lost
>> in the canonicalization labyrinth)... -
>>
>> Is it possible to use the current XMLSEC API for producing XML
>> signatures that comply with the ETSI specifications and the following:
>>
>> 1) have a Reference (in SignedInfo) to KeyInfo (KeyInfo obviously
>> needs an Id="...");
>>
>> 2) add the Object for QualifyingProperties (example later) and a
>> Reference to that too?
>>
>> Thanks a lot for any suggestion / explanation!
>>
>> This is an example of the aforementioned Object (target value is the
>> Id of the Signature):
>>
>> <ds:Object>
>>   <xades:QualifyingProperties
>>       xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#sig">
>>     <xades:SignedProperties Id="sprop">
>>       <xades:SignedSignatureProperties>
>>         <xades:SigningTime>2012-08-23T10:11:24+02:00</xades:SigningTime>
>>       </xades:SignedSignatureProperties>
>>     </xades:SignedProperties>
>>   </xades:QualifyingProperties>
>> </ds:Object>
>>
>> And this is how the whole should glue together:
>>
>> <Envelope>
>>   <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>>       Encoding="UTF-8" Id="orig" MimeType="text/xml">blah blah blah...</ds:Object>
>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig">
>>     <ds:SignedInfo>
>>
>>       <!-- the Reference to the object, must be expressed this way... -->
>>       <ds:CanonicalizationMethod
>>           Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"></ds:CanonicalizationMethod>
>>
>>       <ds:SignatureMethod
>>           Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
>>
>>       <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"
>>           URI="#SignedProperties-Signer-T-1345709484789">
>>         <ds:DigestMethod
>>             Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
>>         <ds:DigestValue>dRkQKf/Kqv/V8SZej/41+T6z4+4Pxus8wyPAFUaJM5E=</ds:DigestValue>
>>       </ds:Reference>
>>
>>       <ds:Reference URI="#orig">blah blah blah...</ds:Reference>
>>       <ds:Reference URI="#crt">blah blah blah...</ds:Reference>
>>
>>     </ds:SignedInfo>
>>
>>     <ds:SignatureValue>blah blah blah...</ds:SignatureValue>
>>
>>     <ds:KeyInfo Id="crt"><ds:X509Data><ds:X509Certificate>blah blah
>>     blah...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
>>
>>     <ds:Object>(...as indicated above...)</ds:Object>
>>
>>   </ds:Signature>
>> </Envelope>
>>
>

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
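The point of Aleksey's answer is that xmlsec does not need special API calls for any of this: both the Reference to the KeyInfo and the Reference to the XAdES SignedProperties are just ordinary References in the template, and the signer fills in the empty DigestValue and SignatureValue elements. As an added example, not code from this thread or from the xmlsec project, here is a stdlib-only Python script that builds that unsigned template in the shape Ubi posted and sanity-checks it before it is handed to the signer. The Ids (sig, orig, crt, sprop), the algorithm URIs and the signing time come from the posted example; the function names and their defaults are ours. The check is worth having because every one of the three References, and the QualifyingProperties Target, is resolved by Id: a URI that does not resolve makes signing fail, and a duplicate Id is exactly what XML signature wrapping attacks rely on at verification time. Signing the KeyInfo, as point 1 asks, binds the certificate into the signed bytes, so a verifier cannot be presented the same SignatureValue together with a different X509Certificate.

```python
"""Build and check an unsigned XML-DSig/XAdES template for xmlsec.

Added example for this thread, not code from xmlsec. Ids, URIs and
algorithm identifiers follow the example posted by Ubi; the helper
names, defaults and the check function are ours.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
SIGNED_PROPERTIES_TYPE = "http://uri.etsi.org/01903#SignedProperties"
C14N11_WITH_COMMENTS = "http://www.w3.org/2006/12/xml-c14n11#WithComments"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

ET.register_namespace("ds", DS)
ET.register_namespace("xades", XADES)


def ds(local):
    return "{%s}%s" % (DS, local)


def xades(local):
    return "{%s}%s" % (XADES, local)


def add_reference(signed_info, uri, ref_type=None):
    """Append a Reference whose DigestValue is left empty for the signer."""
    attrs = {"URI": uri}
    if ref_type:
        attrs["Type"] = ref_type
    ref = ET.SubElement(signed_info, ds("Reference"), attrs)
    ET.SubElement(ref, ds("DigestMethod"), {"Algorithm": SHA256})
    ET.SubElement(ref, ds("DigestValue"))
    return ref


def build_template(payload, signing_time, sig_id="sig", obj_id="orig",
                   key_id="crt", sprop_id="sprop"):
    """Envelope with a data Object, the Signature and a XAdES Object.

    The data Object, the KeyInfo and the SignedProperties each carry an
    Id; SignedInfo references all three by "#Id" URIs.
    """
    env = ET.Element("Envelope")
    data = ET.SubElement(env, ds("Object"),
                         {"Id": obj_id, "MimeType": "text/xml", "Encoding": "UTF-8"})
    data.text = payload

    sig = ET.SubElement(env, ds("Signature"), {"Id": sig_id})
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"), {"Algorithm": C14N11_WITH_COMMENTS})
    ET.SubElement(si, ds("SignatureMethod"), {"Algorithm": RSA_SHA256})
    add_reference(si, "#" + sprop_id, SIGNED_PROPERTIES_TYPE)  # XAdES SignedProperties
    add_reference(si, "#" + obj_id)                             # the signed data
    add_reference(si, "#" + key_id)                             # the KeyInfo itself
    ET.SubElement(sig, ds("SignatureValue"))                    # filled in by the signer

    key_info = ET.SubElement(sig, ds("KeyInfo"), {"Id": key_id})
    x509 = ET.SubElement(key_info, ds("X509Data"))
    ET.SubElement(x509, ds("X509Certificate"))                  # filled in by the signer

    obj = ET.SubElement(sig, ds("Object"))
    qp = ET.SubElement(obj, xades("QualifyingProperties"), {"Target": "#" + sig_id})
    sp = ET.SubElement(qp, xades("SignedProperties"), {"Id": sprop_id})
    ssp = ET.SubElement(sp, xades("SignedSignatureProperties"))
    ET.SubElement(ssp, xades("SigningTime")).text = signing_time
    return env


def check_template(env):
    """Return a list of problems; an empty list means the template is sane.

    Every Reference URI and the QualifyingProperties Target must resolve to
    exactly one Id, and no digest or signature value may be pre-filled.
    """
    ids = {}
    for el in env.iter():
        i = el.get("Id")
        if i is not None:
            ids[i] = ids.get(i, 0) + 1
    problems = ["duplicate Id %r" % i for i, n in ids.items() if n > 1]
    sig_ids = {s.get("Id") for s in env.iter(ds("Signature"))}
    for ref in env.iter(ds("Reference")):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in ids:
            problems.append("Reference %r does not resolve to an Id" % uri)
    for qp in env.iter(xades("QualifyingProperties")):
        target = qp.get("Target", "")
        if not target.startswith("#") or target[1:] not in sig_ids:
            problems.append("Target %r is not the Id of a ds:Signature" % target)
    for local in ("DigestValue", "SignatureValue"):
        for el in env.iter(ds(local)):
            if (el.text or "").strip():
                problems.append("%s is pre-filled; the signer must compute it" % local)
    return problems


def to_xml(env):
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    template = build_template("blah blah blah...", "2012-08-23T10:11:24+02:00")
    assert check_template(template) == []
    print(to_xml(template))
```

Write the output to a file and sign it with the xmlsec1 command line, for instance `xmlsec1 --sign --privkey-pem key.pem,cert.pem --output signed.xml template.xml` (file names are placeholders); the certificate given after the key is what xmlsec1 puts into the empty X509Certificate. If xmlsec1 reports that it cannot resolve the `#sprop` reference, tell it which attribute is the Id on the XAdES element with `--id-attr:Id http://uri.etsi.org/01903/v1.3.2#:SignedProperties`, since Id attributes on elements outside the dsig namespace are not known to it by default. The last `check_template` case is the one Ubi hit in his correction: a Reference URI that does not match the Id actually present on SignedProperties.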
