RTFM

http://www.w3.org/TR/xml-c14n#Terminology
http://www.w3.org/TR/xml-c14n#Example-WhitespaceInContent

Aleksey

On 7/7/14, 12:17 AM, Thomas Elstner wrote:
> Hello,
>
> I'm trying to adapt the examples given in sign3.c and verify3.c to sign
> and verify subnodes of an XML document using embedded signatures.
> The templated XML I'm signing looks like this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
> <!DOCTYPE test [
> <!ATTLIST License Id ID #IMPLIED>
> ]>
> <LicenseList>
> <License Id="base">
> <Component>base</Component>
> <ValidFrom>2012-01-01T00:00:00</ValidFrom>
> <ValidTo>3000-12-31T00:00:00</ValidTo>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#base">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue/>
> </Reference>
> </SignedInfo>
> <SignatureValue/>
> <KeyInfo>
> <X509Data/>
> </KeyInfo>
> </Signature>
> </License>
> <License Id="bookmarks">
> <Component>bookmarks</Component>
> <ValidFrom>2012-01-01T00:00:00</ValidFrom>
> <ValidTo>3000-12-31T00:00:00</ValidTo>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-bookmarks">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#bookmarks">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue/>
> </Reference>
> </SignedInfo>
> <SignatureValue/>
> <KeyInfo>
> <X509Data/>
> </KeyInfo>
> </Signature>
> </License>
> </LicenseList>
>
> The signed XML my code produces looks like this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <!DOCTYPE test [
> <!ATTLIST License Id ID #IMPLIED>
> ]>
> <LicenseList><License Id="base"><Component>base</Component><ValidFrom>2012-01-01T00:00:00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#base"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>W4FWJ3y4LDVvDqZrFXvMzNaIAq0=</DigestValue></Reference></SignedInfo><SignatureValue>PeTwPHH1ncQ0vVevOXWW0ZQTj4BmdqVNivqNRgIiQ0mHW8s/Fd93WOaPJ7sTF+jX
> GKYY/9L3DsQG/8qIwhQSGR52vM6FoorNKopZ1ld31B6+d7y4sn45G7Lm9l4geFG6
> s42ahK823UVNQQppNE1Se3+IhUPd5yepZM77IqaT4VQ=</SignatureValue><KeyInfo><X509Data>
> <X509Certificate>blablabla...</X509Certificate>
> </X509Data></KeyInfo></Signature></License><License Id="bookmarks"><Component>bookmarks</Component><ValidFrom>2012-01-01T00:00:00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-bookmarks"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#bookmarks"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>q20LUJoSDkpF1uyCNx+htvUhMxY=</DigestValue></Reference></SignedInfo><SignatureValue>E0VUK9iVIO9weJIQ4fSC151O1kCl6ZZ9vvPmPwiwHa2g32dTv4eZPFktptaRORp2
> S3o9FtFk5UUB8lp8TXxvhp2G9Dor5Sk/iOyrfhiDqhZCQyOR5HVnnAEDEldtSoW1
> 6wpqBxJwzglK6nUdc+6baV1/Oat/YaO6agIAKaR0CLU=</SignatureValue><KeyInfo><X509Data>
> <X509Certificate>blablabla...</X509Certificate>
> </X509Data></KeyInfo></Signature></License></LicenseList>
>
> I can successfully sign & verify the XML for each License node; however,
> the DigestValue and the SignatureValues are different from what I achieve
> using the xmlsec1 command line tool
> (using this command line: xmlsec1 --sign --privkey-pem base.key,base.pem
> --node-id base --output signed.xml tosign.xml and similar for the
> bookmarks node):
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <!DOCTYPE test [
> <!ATTLIST License Id ID #IMPLIED>
> ]>
> <LicenseList>
> <License Id="base">
> <Component>base</Component>
> <ValidFrom>2012-01-01T00:00:00</ValidFrom>
> <ValidTo>3000-12-31T00:00:00</ValidTo>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#base">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>Sbk/adhAenj+cbDJ+L0V6ZO3ukg=</DigestValue>
> </Reference>
> </SignedInfo>
>
> <SignatureValue>RF9jZrnIaOqJLMRIQq0eG2Yo/9y+bsMDwMOMxEDJYRjWJ6ZCdniyRbwRw4MIdsPs
> fq95khfvTTJdpaDXMEl6qIqEsJZHc/g6OlHnjcsK+ZIOnvbBUEwB3jugvCecaM0W
> kkIrUdsuqOwqhg8IByk0pRKDJh5f6NSzxz+P7MH5rlg=</SignatureValue>
> <KeyInfo>
> <X509Data>
> <X509Certificate>blablabla...</X509Certificate>
> </X509Data>
> </KeyInfo>
> </Signature>
> </License>
> <License Id="bookmarks">
> <Component>bookmarks</Component>
> <ValidFrom>2012-01-01T00:00:00</ValidFrom>
> <ValidTo>3000-12-31T00:00:00</ValidTo>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-bookmarks">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#bookmarks">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>rjn86scL4vVK0rRB6WAOanjZ7TA=</DigestValue>
> </Reference>
> </SignedInfo>
>
> <SignatureValue>h/lEvsYx2edALXiFyRB7HtIStKH/T8vsdcO+2keNIsU1k4vlwqSYoShRpNj8My7y
> 6jjrdX8Ne42KvDgLrK41QSW8INt0/PRqrNdf1pM+V0KC91bWlDVOtCNV1lY2dLpc
> S3zdqgAUyHsl5eJ9u0Lw++joPfpuv1Z45MEXmfsNTjY=</SignatureValue>
> <KeyInfo>
> <X509Data>
> <X509Certificate>blablabla...</X509Certificate>
> </X509Data>
> </KeyInfo>
> </Signature>
> </License>
> </LicenseList>
>
>
> Also I have noticed that my signed XML is very sensitive to
> reformatting (just look at the compact nodes: if I pretty-print this, the
> validation fails), so I guess something is wrong with the way I am
> applying the canonicalization.
> Actually, I am not adding any particular code to the example code in
> sign3.c and verify3.c to perform the canonicalization except for having a
> CanonicalizationMethod in my template - maybe that's the problem?
>
> Thanks in advance for any help,
> Thomas
>
>
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
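The point behind the whitespace-in-content link, shown as an added example (not code from this thread, from xmlsec or from Thomas): canonicalization keeps the whitespace-only text nodes between elements, so the same <License> node with and without them produces different DigestValues, and a signed node cannot be pretty-printed afterwards. The script uses the stdlib C14N 2.0 canonicalizer as a stand-in for the Exclusive C14N 1.0 named in the template (both preserve whitespace in content) and a constructed, shortened copy of the <License Id="base"> element.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed fragment: the thread's <License Id="base"> node, whitespace kept, SignedInfo shortened.
PRETTY = """<License Id="base">
  <Component>base</Component>
  <ValidFrom>2012-01-01T00:00:00</ValidFrom>
  <ValidTo>3000-12-31T00:00:00</ValidTo>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
    <SignedInfo/>
  </Signature>
</License>
"""

def compact(xml_text: str) -> str:
    """Drop whitespace-only text between tags, as a parser told to ignore
    blanks does; this is the shape of the compact signed output in the thread."""
    return re.sub(r">\s+<", "><", xml_text)

def enveloped_transform(xml_text: str) -> str:
    """Enveloped-signature transform: remove the ds:Signature child but keep
    the whitespace that followed it, as the real transform does."""
    root = ET.fromstring(xml_text)
    children = list(root)
    for i, child in enumerate(children):
        if child.tag == DSIG + "Signature":
            if i:
                children[i - 1].tail = (children[i - 1].tail or "") + (child.tail or "")
            else:
                root.text = (root.text or "") + (child.tail or "")
            root.remove(child)
    return ET.tostring(root, encoding="unicode")

def canonical(xml_text: str) -> str:
    """Canonical form of the transformed node. The stdlib gives C14N 2.0, not
    the Exclusive C14N 1.0 of the template, but both keep whitespace in content:
    the newlines and indentation between elements are digested too."""
    return ET.canonicalize(enveloped_transform(xml_text))

def digest_value(xml_text: str) -> str:
    """base64(SHA-1(canonical form)): the <DigestValue> for this Reference."""
    return base64.b64encode(hashlib.sha1(canonical(xml_text).encode()).digest()).decode()

def pretty_printing_changes_digest() -> bool:
    """Same elements, same data; only the whitespace between tags differs."""
    return digest_value(PRETTY) != digest_value(compact(PRETTY))
```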
