Read the FAQ :) http://www.aleksey.com/xmlsec/faq.html

Aleksey

On 9/19/12 3:43 AM, Umberto Rustichelli aka Ubi wrote:
> On 09/06/2012 05:34 PM, Aleksey Sanin wrote:
>> Yes, you just need to construct the right template to sign :)
>
> Sorry, Sanin, yet the discussion you pointed to was a bit unhelpful.
> Now, I'm trying to write my code based on example 2 but there is
> something for sure that I'm missing, probably because I don't quite know
> much about XML.
> Just for starting, I intended to skip the use of SignedProperties and
> SHA256; I wrote this trivial content (well, two, but they both failed):
>
> ---
> <?xml version="1.0" encoding="UTF-8" ?>
> <Envelope xmlns="urn:envelope"><Data Id="orig">my stuff</Data></Envelope>
> ---
> (also tried this one)
> <?xml version="1.0" encoding="UTF-8" ?>
> <Envelope xmlns="urn:envelope">
>   <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>       Encoding="UTF-8" Id="orig" MimeType="text/xml"><test>my stuff</test></ds:Object>
> </Envelope>
> ---
>
> and used the following code:
>
> doc = xmlParseFile(xml_file);
>
> // create signature template for RSA-SHA1 enveloped signature
> signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
>                                      xmlSecTransformRsaSha1Id, NULL);
>
> // add <dsig:Signature/> node to the doc
> xmlAddChild(xmlDocGetRootElement(doc), signNode);
>
> // add reference -Ubi: to what??? Let's say our node has Id 'orig'
> refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
>                                           NULL, "#orig", NULL);
>
> // add enveloped transform
> xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId);
>
> // add <dsig:KeyInfo/> -Ubi, we also want an ID
> keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, "UbiKey");
>
> // add reference to the key
> refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
>                                           NULL, "#UbiKey", NULL);
>
> // Ubi: can I do this? Put PEM-format certificate here
> xmlNodeSetContent(x509DataCrtNode, crtpem);
>
> // create signature context
> dsigCtx = xmlSecDSigCtxCreate(NULL);
>
> // load private key, assuming that there is no password
> dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem,
>                                           NULL, NULL, NULL);
>
> // Ubi: is this required? Set key name to the file name, this is just an
> // example!
> xmlSecKeySetName(dsigCtx->signKey, "UbiKey");
>
> // sign the template
> if (xmlSecDSigCtxSign(dsigCtx, signNode) < 0)
>     { fprintf(stderr, "Error: signature failed\n"); goto done; }
>
> I omitted the checks but they are in the code and there is no error
> reported (before "sign the template").
> I thought that the idea of the template was to put the Reference URIs so
> that the API will look for the related objects.
>
> But running, I get (seems that passing the Id in the URI is not what I
> must do):
>
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('orig'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
>
> What is the issue?
> Also, I seem to remember there is a function in libxml to set which is
> the ID attribute, because it may not be "Id", but I cannot find it any
> more. Has it anything to do with this?
> Where am I wrong?
>
>> On 9/6/12 12:28 AM, Umberto Rustichelli aka Ubi wrote:
>>> Ah! I forgot to fix...
>>>
>>> The Reference URI is not URI="#SignedProperties-Signer-T-1345709484789"
>>> but URI="#sprop"
>>>
>>>
>>> On 09/06/2012 09:25 AM, Umberto Rustichelli aka Ubi wrote:
>>>> Hi all,
>>>> I'm new to XMLSEC -and just giving up writing my own library (got lost
>>>> in the canonicalization labyrinth)...-
>>>>
>>>> Is it possible to use the current XMLSEC API for producing XML
>>>> signatures that comply with the ETSI specifications and the following:
>>>>
>>>> 1) have a Reference (in SignedInfo) to KeyInfo (KeyInfo obviously
>>>> needs an Id="...");
>>>>
>>>> 2) add the Object for QualifyingProperties (example later) and a
>>>> Reference to that too?
>>>>
>>>> Thanks a lot for any suggestion / explanation!
>>>>
>>>> This is an example of the aforementioned Object (target value is the
>>>> Id of the Signature):
>>>>
>>>> <ds:Object>
>>>>   <xades:QualifyingProperties
>>>>       xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#sig">
>>>>     <xades:SignedProperties Id="sprop">
>>>>       <xades:SignedSignatureProperties>
>>>>         <xades:SigningTime>2012-08-23T10:11:24+02:00</xades:SigningTime>
>>>>       </xades:SignedSignatureProperties>
>>>>     </xades:SignedProperties>
>>>>   </xades:QualifyingProperties>
>>>> </ds:Object>
>>>>
>>>> And this is how the whole should glue together:
>>>>
>>>> <Envelope>
>>>>   <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>>>>       Encoding="UTF-8" Id="orig" MimeType="text/xml">blah blah blah...</ds:Object>
>>>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig">
>>>>     <ds:SignedInfo>
>>>>
>>>>       <!-- the Reference to the object, must be expressed this way... -->
>>>>       <ds:CanonicalizationMethod
>>>>           Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"></ds:CanonicalizationMethod>
>>>>
>>>>       <ds:SignatureMethod
>>>>           Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
>>>>
>>>>       <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"
>>>>           URI="#SignedProperties-Signer-T-1345709484789">
>>>>         <ds:DigestMethod
>>>>             Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
>>>>         <ds:DigestValue>dRkQKf/Kqv/V8SZej/41+T6z4+4Pxus8wyPAFUaJM5E=</ds:DigestValue>
>>>>       </ds:Reference>
>>>>
>>>>       <ds:Reference URI="#orig">blah blah blah...</ds:Reference>
>>>>       <ds:Reference URI="#crt">blah blah blah...</ds:Reference>
>>>>
>>>>     </ds:SignedInfo>
>>>>
>>>>     <ds:SignatureValue>blah blah blah...</ds:SignatureValue>
>>>>
>>>>     <ds:KeyInfo Id="crt"><ds:X509Data><ds:X509Certificate>blah blah
>>>>         blah...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
>>>>
>>>>     <ds:Object>(...as indicated above...)</ds:Object>
>>>>
>>>>   </ds:Signature>
>>>> </Envelope>
>>>>
_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
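An added illustration (my own Python, not xmlsec code and not from anyone in this thread) of the point the FAQ makes about the trace above: xpointer(id('orig')) fails because libxml2 resolves id() only through attributes it knows to be of type ID, and nothing has told it that the Id attribute on <Data> is one. The model below builds the same enveloped RSA-SHA1 template the poster's xmlSecTmpl* calls produce, keeps an ID table like libxml2's, and resolves every ds:Reference URI against it. It treats Id inside the ds:Signature subtree as already known, which is consistent with the trace complaining about 'orig' only; with that alone "#orig" is unresolvable, and after registering Id across the whole document both references resolve. It also shows why registration must refuse duplicate ID values (a constructed "wrapped" document with two Id="orig" elements), because a first-match lookup is exactly what XML signature wrapping exploits. The sample documents are constructed for the example. In the real C API the registration step is xmlSecAddIDs(doc, xmlDocGetRootElement(doc), ids) with const xmlChar* ids[] = { BAD_CAST "Id", NULL }, called before xmlSecDSigCtxSign(); the libxml2 function Umberto is thinking of is xmlAddID(); on the command line the equivalent is xmlsec1 --sign --id-attr:Id urn:envelope:Data together with the usual --privkey-pem and template arguments.

```python
# Added example, not xmlsec code: models libxml2/xmlsec ID resolution to show
# why xpointer(id('orig')) fails for the Envelope/Data document and how
# registering "Id" as an ID attribute (xmlSecAddIDs / xmlsec1 --id-attr) fixes it.
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DSIG_NS)

# Constructed inputs: the poster's first document, and a "wrapped" variant
# in which a second element reuses the same Id value.
ENVELOPE_XML = '<Envelope xmlns="urn:envelope"><Data Id="orig">my stuff</Data></Envelope>'
WRAPPED_XML = ('<Envelope xmlns="urn:envelope">'
               '<Data Id="orig">attacker stuff</Data>'
               '<Data Id="orig">my stuff</Data></Envelope>')


def ds(local):
    return "{%s}%s" % (DSIG_NS, local)


class IdTable:
    """Models the libxml2 ID table: id('x') resolves only through attributes
    declared as type ID (by a DTD, xmlAddID(), or xmlSecAddIDs())."""

    def __init__(self):
        self._ids = {}

    def add_ids(self, subtree, attr_names=("Id",)):
        """Counterpart of xmlSecAddIDs(doc, subtree, ids): declare every
        attribute named in attr_names under `subtree` as an ID attribute."""
        for el in subtree.iter():
            for name in attr_names:
                value = el.get(name)
                if value is None:
                    continue
                # Reject duplicates, as libxml2 does: two elements sharing an
                # Id would let an attacker choose which one gets digested.
                if value in self._ids and self._ids[value] is not el:
                    raise ValueError("duplicate ID value %r" % value)
                self._ids[value] = el

    def resolve(self, uri):
        """Resolve a same-document URI "#x" as xpointer(id('x')) would."""
        if not uri.startswith("#"):
            raise ValueError("only same-document URIs are modelled here")
        frag = uri[1:]
        if frag not in self._ids:
            raise LookupError("xpointer(id('%s')) matched nothing: "
                              "no registered ID attribute has that value" % frag)
        return self._ids[frag]


def build_signature_template(root):
    """Appends the enveloped RSA-SHA1 template the poster's xmlSecTmpl* calls
    produce: Reference "#orig" with the enveloped transform, KeyInfo Id="UbiKey"
    and a second Reference "#UbiKey". Digest/Signature values stay empty."""
    sig = ET.SubElement(root, ds("Signature"))
    signed_info = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(signed_info, ds("CanonicalizationMethod"),
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(signed_info, ds("SignatureMethod"),
                  Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1")

    def add_reference(uri, enveloped):
        ref = ET.SubElement(signed_info, ds("Reference"), URI=uri)
        if enveloped:
            transforms = ET.SubElement(ref, ds("Transforms"))
            ET.SubElement(transforms, ds("Transform"),
                          Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature")
        ET.SubElement(ref, ds("DigestMethod"),
                      Algorithm="http://www.w3.org/2000/09/xmldsig#sha1")
        ET.SubElement(ref, ds("DigestValue"))

    add_reference("#orig", enveloped=True)
    ET.SubElement(sig, ds("SignatureValue"))
    ET.SubElement(sig, ds("KeyInfo"), Id="UbiKey")
    add_reference("#UbiKey", enveloped=False)
    return sig


def resolve_references(sig, table):
    """Maps each ds:Reference URI to the tag of its target element, raising
    LookupError on the first URI the ID table cannot resolve."""
    return {ref.get("URI"): table.resolve(ref.get("URI")).tag
            for ref in sig.iter(ds("Reference"))}


def sign_attempt(register_whole_document):
    """Template build plus the reference-resolution step of signing."""
    root = ET.fromstring(ENVELOPE_XML)
    sig = build_signature_template(root)
    table = IdTable()
    # Model assumption: Id inside the <ds:Signature> subtree is already known
    # to the signer (the trace complains about 'orig' only); <Data> is outside.
    table.add_ids(sig)
    if register_whole_document:
        table.add_ids(root)  # the fix: xmlSecAddIDs() from the document root
    return resolve_references(sig, table)


def first_unresolvable(register_whole_document):
    """Returns the xpointer error text, or None when every Reference resolves."""
    try:
        sign_attempt(register_whole_document)
    except LookupError as exc:
        return str(exc)
    return None


def has_duplicate_ids(xml_text):
    """True when registering Id over the whole document hits two equal values."""
    try:
        IdTable().add_ids(ET.fromstring(xml_text))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unregistered:", first_unresolvable(False))
    print("registered:  ", sign_attempt(True))
    print("wrapped doc has duplicate Ids:", has_duplicate_ids(WRAPPED_XML))
```

Registering from the document root rather than from the Signature node is the whole difference between the two runs; the duplicate check is the caveat to keep when you do so, since id() lookups over untrusted documents are the usual foothold for signature wrapping.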
