On 09/06/2012 05:34 PM, Aleksey Sanin wrote:
Yes, you just need to construct the right template to sign :)

Sorry, Sanin, yet the discussion you pointed to was a bit unhelpful.
Now, I'm trying to write my code based on example 2 but there is something for sure that I'm missing, probably because I don't quite know much about XML. Just to start, I intended to skip the use of SignedProperties and SHA256, I wrote this trivial content (well, two, but they both failed):

---
<?xml version="1.0" encoding="UTF-8" ?>
<Envelope xmlns="urn:envelope"><Data Id="orig">my stuff</Data></Envelope>
---
(also tried this one)
<?xml version="1.0" encoding="UTF-8" ?>
<Envelope xmlns="urn:envelope">
<ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Encoding="UTF-8" Id="orig" MimeType="text/xml"><test>my stuff</test></ds:Object>
</Envelope>
---

and used the following code:

doc = xmlParseFile(xml_file);

// create signature template for RSA-SHA1 enveloped signature
signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId, xmlSecTransformRsaSha1Id, NULL);

// add <dsig:Signature/> node to the doc
xmlAddChild(xmlDocGetRootElement(doc), signNode);

// add reference -Ubi: to what??? Let's say our node has Id 'orig'
refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id, NULL, "#orig", NULL);

// add enveloped transform
xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId);

// add <dsig:KeyInfo/> -Ubi, we also want an ID
keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, "UbiKey");

// add reference to the key
refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id, NULL, "#UbiKey", NULL);

// Ubi: can I do this? Put PEM-format certificate here
xmlNodeSetContent(x509DataCrtNode, crtpem);

// create signature context
dsigCtx = xmlSecDSigCtxCreate(NULL);

// load private key, assuming that there is not password
dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);

// Ubi: is this required? Set key name to the file name, this is just an example!
xmlSecKeySetName(dsigCtx->signKey, "UbiKey");

// sign the template
if (xmlSecDSigCtxSign(dsigCtx, signNode) < 0)
    { fprintf(stderr,"Error: signature failed\n"); goto done; }

I omitted the checks but they are in the code and there is no error reported (before "sign the template"). I thought that the idea of the template was to put the Reference URIs so that the API will look for the related objects.

But running, I get (seems that passing the Id in the URI is not what I must do):

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('orig'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed

What is the issue?
Also, I seem to remember there is a function in libxml to set which is the ID attribute, because it may not be "Id", but I cannot find it any more. Has it anything to do with this?
Where am I wrong?

On 9/6/12 12:28 AM, Umberto Rustichelli aka Ubi wrote:
Ah! I forgot to fix...

The Reference URI is not URI="#SignedProperties-Signer-T-1345709484789"
but URI="#sprop"


On 09/06/2012 09:25 AM, Umberto Rustichelli aka Ubi wrote:
Hi all,
I'm new to XMLSEC (and just giving up writing my own library; got lost
in the canonicalization labyrinth)...

Is it possible to use the current XMLSEC API for producing XML
signatures that comply with the ETSI specifications and the following:

1) have a Reference (in SignedInfo) to KeyInfo (KeyInfo obviously
needs an Id="...");

2) add the Object for QualifyingProperties (example later) and a
Reference to that too?

Thanks a lot for any suggestion / explanation!

This is an example of the aforementioned Object (target value is the
Id of the Signature):

     <ds:Object>
       <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#sig">
         <xades:SignedProperties Id="sprop">
           <xades:SignedSignatureProperties>
             <xades:SigningTime>2012-08-23T10:11:24+02:00</xades:SigningTime>
           </xades:SignedSignatureProperties>
         </xades:SignedProperties>
       </xades:QualifyingProperties>
     </ds:Object>

And this is how the whole should glue together:

<Envelope>
   <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
              Encoding="UTF-8" Id="orig" MimeType="text/xml">blah blah blah...</ds:Object>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig">
     <ds:SignedInfo>

<!-- the Reference to the object, must be expressed this way... -->
       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"></ds:CanonicalizationMethod>

       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>

       <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"
                     URI="#SignedProperties-Signer-T-1345709484789">
         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
         <ds:DigestValue>dRkQKf/Kqv/V8SZej/41+T6z4+4Pxus8wyPAFUaJM5E=</ds:DigestValue>
       </ds:Reference>

       <ds:Reference URI="#orig">blah blah blah...</ds:Reference>
       <ds:Reference URI="#crt">blah blah blah...</ds:Reference>

     </ds:SignedInfo>

     <ds:SignatureValue>blah blah blah...</ds:SignatureValue>

     <ds:KeyInfo Id="crt"><ds:X509Data><ds:X509Certificate>blah blah blah...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>

     <ds:Object>(...as indicated above...)</ds:Object>

   </ds:Signature>
</Envelope>
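The XPointer failure in the log above (xpointer(id('orig')) finding nothing) and the question about which attribute counts as the ID have the same root cause: without a DTD or schema, libxml2 does not treat an attribute named Id as being of type ID, so id() resolves nothing no matter what the URI says. In xmlsec the attribute names are registered on the parsed document with xmlSecAddIDs() before signing or verifying (the xmlsec1 command-line tool exposes the same thing as --id-attr). The following Python is an illustration added here by the editor, not code from the thread or from xmlsec: it reimplements that same-document dereferencing step with the standard-library ElementTree over a constructed sample shaped like the envelope in the earlier message, with a Reference to the KeyInfo and to the XAdES SignedProperties, and shows that the lookup fails when no ID attribute is registered and succeeds once "Id" is. The function names, the IdResolutionError type and the sample document are the editor's assumptions; the duplicate-id check is a defensive addition so that a value carried by two elements is rejected rather than resolved to whichever comes first.

```python
"""Same-document Reference dereferencing (URI="#id") with an explicit list
of attribute names that count as IDs. Constructed illustration, not xmlsec
code: it mirrors why xpointer(id('orig')) fails when nothing declares Id
as an ID attribute, and what registering the attribute name changes."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"

# Constructed sample, shaped like the envelope discussed in the thread:
# the payload (Id="orig"), the KeyInfo (Id="crt") and the XAdES
# SignedProperties (Id="sprop") are each the target of one Reference.
SAMPLE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:envelope">
  <Data Id="orig">my stuff</Data>
  <ds:Signature xmlns:ds="{DS}" Id="sig">
    <ds:SignedInfo>
      <ds:Reference URI="#orig"/>
      <ds:Reference URI="#crt"/>
      <ds:Reference URI="#sprop"
                    Type="http://uri.etsi.org/01903#SignedProperties"/>
    </ds:SignedInfo>
    <ds:KeyInfo Id="crt"><ds:X509Data/></ds:KeyInfo>
    <ds:Object>
      <xades:QualifyingProperties xmlns:xades="{XADES}" Target="#sig">
        <xades:SignedProperties Id="sprop"/>
      </xades:QualifyingProperties>
    </ds:Object>
  </ds:Signature>
</Envelope>
"""


class IdResolutionError(Exception):
    """Raised when a Reference URI cannot be mapped to exactly one element."""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def build_id_table(root, id_attrs):
    """Map id value -> element for the attribute names registered as IDs.

    With no DTD or schema, no attribute has type ID, so id_attrs=() yields
    an empty table: that is the state the library is in when id('orig')
    finds nothing. A value carried by two elements is rejected rather than
    resolved to whichever element happens to come first in document order.
    """
    table = {}
    for el in root.iter():
        for name in id_attrs:
            value = el.get(name)
            if value is None:
                continue
            if value in table:
                raise IdResolutionError(
                    f"id {value!r} is ambiguous: {local_name(table[value].tag)} "
                    f"and {local_name(el.tag)} both carry it")
            table[value] = el
    return table


def resolve_references(xml_text, id_attrs=()):
    """Return {URI: local name of the referenced element} for every
    ds:Reference in the document, or raise IdResolutionError."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    table = build_id_table(root, id_attrs)
    resolved = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise IdResolutionError(f"not a same-document reference: {uri!r}")
        target = table.get(uri[1:])
        if target is None:
            raise IdResolutionError(
                f"id({uri[1:]!r}) not found; registered ID attributes: "
                f"{list(id_attrs)}")
        resolved[uri] = local_name(target.tag)
    return resolved


if __name__ == "__main__":
    try:
        resolve_references(SAMPLE_XML)  # nothing registered: fails like xmlsec
    except IdResolutionError as exc:
        print("without registration:", exc)
    print("with Id registered:", resolve_references(SAMPLE_XML, ("Id",)))
```

The registry is deliberately an explicit argument rather than a hard-coded "Id": the signing code and the verifying code must agree on the same attribute names, and a verifier that registers nothing will report exactly the failure shown in the log even though the signer produced a valid document.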


_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec