OK, that actually really helped :-) Any idea why DigestValues and SignatureValues are different or should I ignore that as long as both can verify the results?
Best regards,
Thomas

On 07.07.14 09:33, "Aleksey Sanin" <[email protected]> wrote:

> RTFM
>
> http://www.w3.org/TR/xml-c14n#Terminology
> http://www.w3.org/TR/xml-c14n#Example-WhitespaceInContent
>
> Aleksey
>
> On 7/7/14, 12:17 AM, Thomas Elstner wrote:
>> Hello,
>>
>> I'm trying to adopt the examples given in sign3.c and verify3.c to sign
>> and verify subnodes of an XML document using embedded signatures.
>> The templated XML I'm signing looks like this:
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
>> <!DOCTYPE test [
>>   <!ATTLIST License Id ID #IMPLIED>
>> ]>
>> <LicenseList>
>>   <License Id="base">
>>     <Component>base</Component>
>>     <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>     <ValidTo>3000-12-31T00:00:00</ValidTo>
>>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
>>       <SignedInfo>
>>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>         <Reference URI="#base">
>>           <Transforms>
>>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>           </Transforms>
>>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>           <DigestValue/>
>>         </Reference>
>>       </SignedInfo>
>>       <SignatureValue/>
>>       <KeyInfo>
>>         <X509Data/>
>>       </KeyInfo>
>>     </Signature>
>>   </License>
>>   <License Id="bookmarks">
>>     <Component>bookmarks</Component>
>>     <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>     <ValidTo>3000-12-31T00:00:00</ValidTo>
>>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-bookmarks">
>>       <SignedInfo>
>>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>         <Reference URI="#bookmarks">
>>           <Transforms>
>>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>           </Transforms>
>>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>           <DigestValue/>
>>         </Reference>
>>       </SignedInfo>
>>       <SignatureValue/>
>>       <KeyInfo>
>>         <X509Data/>
>>       </KeyInfo>
>>     </Signature>
>>   </License>
>> </LicenseList>
>>
>> The signed XML my code produces looks like this:
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <!DOCTYPE test [
>>   <!ATTLIST License Id ID #IMPLIED>
>> ]>
>> <LicenseList><License
>> Id="base"><Component>base</Component><ValidFrom>2012-01-01T00:00:00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature
>> xmlns="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-base"><SignedInfo><CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#base"><Transforms><Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>W4FWJ3y4LDVvDqZrFXvMzNaIAq0=</DigestValue></Reference></SignedInfo><SignatureValue>PeTwPHH1ncQ0vVevOXWW0ZQTj4BmdqVNivqNRgIiQ0mHW8s/Fd93WOaPJ7sTF+jX
>> GKYY/9L3DsQG/8qIwhQSGR52vM6FoorNKopZ1ld31B6+d7y4sn45G7Lm9l4geFG6
>> s42ahK823UVNQQppNE1Se3+IhUPd5yepZM77IqaT4VQ=</SignatureValue><KeyInfo><X509Data>
>> <X509Certificate>...blablabla...</X509Certificate>
>> </X509Data></KeyInfo></Signature></License><License
>> Id="bookmarks"><Component>bookmarks</Component><ValidFrom>2012-01-01T00:00:00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature
>> xmlns="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-bookmarks"><SignedInfo><CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#bookmarks"><Transforms><Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>q20LUJoSDkpF1uyCNx+htvUhMxY=</DigestValue></Reference></SignedInfo><SignatureValue>E0VUK9iVIO9weJIQ4fSC151O1kCl6ZZ9vvPmPwiwHa2g32dTv4eZPFktptaRORp2
>> S3o9FtFk5UUB8lp8TXxvhp2G9Dor5Sk/iOyrfhiDqhZCQyOR5HVnnAEDEldtSoW1
>> 6wpqBxJwzglK6nUdc+6baV1/Oat/YaO6agIAKaR0CLU=</SignatureValue><KeyInfo><X509Data>
>> <X509Certificate>...blablabla...</X509Certificate>
>> </X509Data></KeyInfo></Signature></License></LicenseList>
>>
>> I can successfully sign & verify the XML for each License node, however,
>> the DigestValue and the SignatureValues are different from what I achieve
>> using the xmlsec1 command line tool (using this command line:
>> xmlsec1 --sign --privkey-pem base.key,base.pem --node-id base --output signed.xml tosign.xml
>> and similar for the bookmarks node):
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <!DOCTYPE test [
>>   <!ATTLIST License Id ID #IMPLIED>
>> ]>
>> <LicenseList>
>>   <License Id="base">
>>     <Component>base</Component>
>>     <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>     <ValidTo>3000-12-31T00:00:00</ValidTo>
>>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
>>       <SignedInfo>
>>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>         <Reference URI="#base">
>>           <Transforms>
>>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>           </Transforms>
>>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>           <DigestValue>Sbk/adhAenj+cbDJ+L0V6ZO3ukg=</DigestValue>
>>         </Reference>
>>       </SignedInfo>
>>       <SignatureValue>RF9jZrnIaOqJLMRIQq0eG2Yo/9y+bsMDwMOMxEDJYRjWJ6ZCdniyRbwRw4MIdsPs
>> fq95khfvTTJdpaDXMEl6qIqEsJZHc/g6OlHnjcsK+ZIOnvbBUEwB3jugvCecaM0W
>> kkIrUdsuqOwqhg8IByk0pRKDJh5f6NSzxz+P7MH5rlg=</SignatureValue>
>>       <KeyInfo>
>>         <X509Data>
>>           <X509Certificate>...blablabla...</X509Certificate>
>>         </X509Data>
>>       </KeyInfo>
>>     </Signature>
>>   </License>
>>   <License Id="bookmarks">
>>     <Component>bookmarks</Component>
>>     <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>     <ValidTo>3000-12-31T00:00:00</ValidTo>
>>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-bookmarks">
>>       <SignedInfo>
>>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>         <Reference URI="#bookmarks">
>>           <Transforms>
>>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>           </Transforms>
>>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>           <DigestValue>rjn86scL4vVK0rRB6WAOanjZ7TA=</DigestValue>
>>         </Reference>
>>       </SignedInfo>
>>       <SignatureValue>h/lEvsYx2edALXiFyRB7HtIStKH/T8vsdcO+2keNIsU1k4vlwqSYoShRpNj8My7y
>> 6jjrdX8Ne42KvDgLrK41QSW8INt0/PRqrNdf1pM+V0KC91bWlDVOtCNV1lY2dLpc
>> S3zdqgAUyHsl5eJ9u0Lw++joPfpuv1Z45MEXmfsNTjY=</SignatureValue>
>>       <KeyInfo>
>>         <X509Data>
>>           <X509Certificate>...blablabla...</X509Certificate>
>>         </X509Data>
>>       </KeyInfo>
>>     </Signature>
>>   </License>
>> </LicenseList>
>>
>>
>> Also I have noticed that my signed XML is very sensitive to
>> reformatting (just look at the compact nodes; if I pretty print this, the
>> validation fails), so I guess something is wrong with the way I am
>> applying the canonicalization.
>> Actually, I am not adding any particular code to the example code in
>> sign3.c and verify3.c to perform the canonicalization except for having a
>> CanonicalizationMethod in my template - maybe that's the problem?
>>
>> Thanks in advance for any help,
>> Thomas
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> [email protected]
>> http://www.aleksey.com/mailman/listinfo/xmlsec
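The whitespace rule Aleksey points to, as an added example that is not code from the thread or from xmlsec: canonicalizing the same <License> node with and without its indentation yields different SHA-1 digests, which is why a signed document stops verifying once it is pretty-printed. The Python standard library's C14N 2.0 writer is used here in place of the template's exclusive C14N 1.0 (both keep whitespace in content), `exclude_tags` stands in for the enveloped-signature transform, and the input is constructed from the thread's template with a shortened placeholder <Signature>.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed input: the <License> node from the thread's template, indented as in
# the xmlsec1 output, with a shortened placeholder <Signature> in place of the real one.
PRETTY = """<License Id="base">
  <Component>base</Component>
  <ValidFrom>2012-01-01T00:00:00</ValidFrom>
  <ValidTo>3000-12-31T00:00:00</ValidTo>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
    <SignedInfo/>
  </Signature>
</License>"""

# The same node after a parser has dropped the whitespace-only ("blank") text nodes.
COMPACT = (
    '<License Id="base"><Component>base</Component>'
    '<ValidFrom>2012-01-01T00:00:00</ValidFrom>'
    '<ValidTo>3000-12-31T00:00:00</ValidTo>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">'
    "<SignedInfo/></Signature></License>"
)


def canonical_form(xml_text, strip_text=False):
    """Canonicalize the node with the <Signature> subtree removed, which is what the
    enveloped-signature transform hands to DigestMethod.  The stdlib C14N 2.0 writer
    stands in for xmlsec's exclusive C14N 1.0; both keep whitespace in content."""
    return ET.canonicalize(
        xml_text,
        strip_text=strip_text,  # True models a parser that discards blank nodes
        exclude_tags=[f"{{{DSIG_NS}}}Signature"],
    )


def digest_value(xml_text, strip_text=False):
    """SHA-1 of the canonical octets, hex-encoded (xmlsec emits the same bytes in base64)."""
    return hashlib.sha1(canonical_form(xml_text, strip_text).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Same element tree apart from indentation, yet the digests differ: under C14N a
    # whitespace-only text node is content and is hashed like any other.
    print("pretty :", digest_value(PRETTY))
    print("compact:", digest_value(COMPACT))
    # Discarding the blank nodes before canonicalization makes the two agree again.
    print("stripped pretty == compact:",
          digest_value(PRETTY, strip_text=True) == digest_value(COMPACT))
```

Each signature still verifies against the serialization it was computed over; it is re-indenting the signed document afterwards that changes the canonical octets and breaks the DigestValue.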
