The digests are different because one document has spaces and another doesn't.
Aleksey

On 7/7/14, 1:45 AM, Thomas Elstner wrote:
> OK, that actually really helped :-)
> Any idea why DigestValues and SignatureValues are different or should I
> ignore that as long as both can verify the results?
>
>
> Best regards,
> Thomas
>
> On 07.07.14 09:33, "Aleksey Sanin" <[email protected]> wrote:
>
>> RTFM
>>
>> http://www.w3.org/TR/xml-c14n#Terminology
>> http://www.w3.org/TR/xml-c14n#Example-WhitespaceInContent
>>
>> Aleksey
>>
>> On 7/7/14, 12:17 AM, Thomas Elstner wrote:
>>> Hello,
>>>
>>> I'm trying to adopt the examples given in sign3.c and verify3.c to sign
>>> and verify subnodes of an XML document using embedded signatures.
>>> The templated XML I'm signing looks like this:
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
>>> <!DOCTYPE test [
>>> <!ATTLIST License Id ID #IMPLIED>
>>> ]>
>>> <LicenseList>
>>>   <License Id="base">
>>>     <Component>base</Component>
>>>     <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>>     <ValidTo>3000-12-31T00:00:00</ValidTo>
>>>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
>>>       <SignedInfo>
>>>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>         <Reference URI="#base">
>>>           <Transforms>
>>>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>           </Transforms>
>>>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>           <DigestValue/>
>>>         </Reference>
>>>       </SignedInfo>
>>>       <SignatureValue/>
>>>       <KeyInfo>
>>>         <X509Data/>
>>>       </KeyInfo>
>>>     </Signature>
>>>   </License>
>>>   <License Id="bookmarks">
>>>     <Component>bookmarks</Component>
>>>     <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>>     <ValidTo>3000-12-31T00:00:00</ValidTo>
>>>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-bookmarks">
>>>       <SignedInfo>
>>>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>         <Reference URI="#bookmarks">
>>>           <Transforms>
>>>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>           </Transforms>
>>>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>           <DigestValue/>
>>>         </Reference>
>>>       </SignedInfo>
>>>       <SignatureValue/>
>>>       <KeyInfo>
>>>         <X509Data/>
>>>       </KeyInfo>
>>>     </Signature>
>>>   </License>
>>> </LicenseList>
>>>
>>> The signed XML my code produces looks like this:
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <!DOCTYPE test [
>>> <!ATTLIST License Id ID #IMPLIED>
>>> ]>
>>> <LicenseList><License Id="base"><Component>base</Component><ValidFrom>2012-01-01T00:00:00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#base"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>W4FWJ3y4LDVvDqZrFXvMzNaIAq0=</DigestValue></Reference></SignedInfo><SignatureValue>PeTwPHH1ncQ0vVevOXWW0ZQTj4BmdqVNivqNRgIiQ0mHW8s/Fd93WOaPJ7sTF+jX
>>> GKYY/9L3DsQG/8qIwhQSGR52vM6FoorNKopZ1ld31B6+d7y4sn45G7Lm9l4geFG6
>>> s42ahK823UVNQQppNE1Se3+IhUPd5yepZM77IqaT4VQ=</SignatureValue><KeyInfo><X509Data>
>>> <X509Certificate>blablabla...</X509Certificate>
>>> </X509Data></KeyInfo></Signature></License><License Id="bookmarks"><Component>bookmarks</Component><ValidFrom>2012-01-01T00:00:00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-bookmarks"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#bookmarks"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>q20LUJoSDkpF1uyCNx+htvUhMxY=</DigestValue></Reference></SignedInfo><SignatureValue>E0VUK9iVIO9weJIQ4fSC151O1kCl6ZZ9vvPmPwiwHa2g32dTv4eZPFktptaRORp2
>>> S3o9FtFk5UUB8lp8TXxvhp2G9Dor5Sk/iOyrfhiDqhZCQyOR5HVnnAEDEldtSoW1
>>> 6wpqBxJwzglK6nUdc+6baV1/Oat/YaO6agIAKaR0CLU=</SignatureValue><KeyInfo><X509Data>
>>> <X509Certificate>blablabla...</X509Certificate>
>>> </X509Data></KeyInfo></Signature></License></LicenseList>
>>>
>>> I can successfully sign & verify the XML for each License node, however,
>>> the DigestValue and the SignatureValues are different from what I achieve
>>> using the xmlsec1 command line tool
>>> (using this command line: xmlsec1 --sign --privkey-pem base.key,base.pem
>>> --node-id base --output signed.xml tosign.xml and similar for the
>>> bookmarks node):
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <!DOCTYPE test [
>>> <!ATTLIST License Id ID #IMPLIED>
>>> ]>
>>> <LicenseList>
>>>   <License Id="base">
>>>     <Component>base</Component>
>>>     <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>>     <ValidTo>3000-12-31T00:00:00</ValidTo>
>>>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
>>>       <SignedInfo>
>>>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>         <Reference URI="#base">
>>>           <Transforms>
>>>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>           </Transforms>
>>>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>           <DigestValue>Sbk/adhAenj+cbDJ+L0V6ZO3ukg=</DigestValue>
>>>         </Reference>
>>>       </SignedInfo>
>>>       <SignatureValue>RF9jZrnIaOqJLMRIQq0eG2Yo/9y+bsMDwMOMxEDJYRjWJ6ZCdniyRbwRw4MIdsPs
>>> fq95khfvTTJdpaDXMEl6qIqEsJZHc/g6OlHnjcsK+ZIOnvbBUEwB3jugvCecaM0W
>>> kkIrUdsuqOwqhg8IByk0pRKDJh5f6NSzxz+P7MH5rlg=</SignatureValue>
>>>       <KeyInfo>
>>>         <X509Data>
>>>           <X509Certificate>blablabla...</X509Certificate>
>>>         </X509Data>
>>>       </KeyInfo>
>>>     </Signature>
>>>   </License>
>>>   <License Id="bookmarks">
>>>     <Component>bookmarks</Component>
>>>     <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>>     <ValidTo>3000-12-31T00:00:00</ValidTo>
>>>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-bookmarks">
>>>       <SignedInfo>
>>>         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>         <Reference URI="#bookmarks">
>>>           <Transforms>
>>>             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>           </Transforms>
>>>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>           <DigestValue>rjn86scL4vVK0rRB6WAOanjZ7TA=</DigestValue>
>>>         </Reference>
>>>       </SignedInfo>
>>>       <SignatureValue>h/lEvsYx2edALXiFyRB7HtIStKH/T8vsdcO+2keNIsU1k4vlwqSYoShRpNj8My7y
>>> 6jjrdX8Ne42KvDgLrK41QSW8INt0/PRqrNdf1pM+V0KC91bWlDVOtCNV1lY2dLpc
>>> S3zdqgAUyHsl5eJ9u0Lw++joPfpuv1Z45MEXmfsNTjY=</SignatureValue>
>>>       <KeyInfo>
>>>         <X509Data>
>>>           <X509Certificate>blablabla...</X509Certificate>
>>>         </X509Data>
>>>       </KeyInfo>
>>>     </Signature>
>>>   </License>
>>> </LicenseList>
>>>
>>>
>>> Also I have noticed that my signed XML is very sensitive to
>>> reformatting (just look at the compact nodes, if I pretty print this, the
>>> validation fails), so I guess something is wrong with the way I am
>>> applying the canonicalization.
>>> Actually, I am not adding any particular code to the example code in
>>> sign3.c and verify3.c to perform the canonicalization except for having a
>>> CanonicalizationMethod in my template - maybe that's the problem?
>>>
>>> Thanks in advance for any help,
>>> Thomas
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> [email protected]
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>
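Aleksey's one-line answer is the whole story: XML canonicalization (plain and exclusive C14N alike) keeps whitespace-only text nodes, so an indented <License> element and a compact one are different byte sequences, hash to different DigestValues, and therefore get different SignatureValues; a signed document that is pretty-printed afterwards no longer verifies, by design. The following is an added example, not code from this thread or from xmlsec. It uses the C14N 2.0 implementation in Python's standard library (xml.etree.ElementTree.canonicalize, Python 3.8 or later) instead of the exclusive C14N 1.0 algorithm named in the posted template; the whitespace behaviour shown is the same for both. The two License snippets are constructed from the thread's data, with the Signature element omitted (an enveloped-signature transform removes it before digesting anyway), and the function names are mine.

```python
# Added example: whitespace in content survives canonicalization, so the
# digest over an element depends on how the document was serialized.
# Not part of the xmlsec mailing-list thread or of xmlsec itself.
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Constructed sample data, modelled on the thread's <License Id="base"> element:
# once indented as in the posted template, once compact as in the program's output.
PRETTY_LICENSE = """<License Id="base">
  <Component>base</Component>
  <ValidFrom>2012-01-01T00:00:00</ValidFrom>
  <ValidTo>3000-12-31T00:00:00</ValidTo>
</License>"""

COMPACT_LICENSE = (
    '<License Id="base"><Component>base</Component>'
    '<ValidFrom>2012-01-01T00:00:00</ValidFrom>'
    '<ValidTo>3000-12-31T00:00:00</ValidTo></License>'
)


def canonical_form(xml_text: str, strip_text: bool = False) -> str:
    """Canonicalize a document with the stdlib C14N 2.0 writer.

    strip_text=True is a C14N 2.0 option that discards whitespace-only text
    nodes; it is used here only to show what would make the two forms equal.
    XML-DSig verifiers using (exclusive) C14N 1.0 never do this.
    """
    return ET.canonicalize(xml_text, strip_text=strip_text)


def digest_value(xml_text: str, strip_text: bool = False) -> str:
    """Base64(SHA-1(c14n(doc))): the value that ends up in <DigestValue>
    when the Reference's DigestMethod is xmldsig#sha1, as in the template."""
    c14n_bytes = canonical_form(xml_text, strip_text).encode("utf-8")
    return base64.b64encode(hashlib.sha1(c14n_bytes).digest()).decode("ascii")


def verify_reference(xml_text: str, expected_digest: str) -> bool:
    """Recompute the digest of the document as received and compare it
    (constant-time) with the DigestValue the signer wrote. This is the step
    that fails after the signed document has been re-indented."""
    return hmac.compare_digest(digest_value(xml_text), expected_digest)


def whitespace_survives_c14n(xml_text: str) -> bool:
    """True if the canonical form still carries whitespace-only text nodes."""
    return "\n  " in canonical_form(xml_text)


if __name__ == "__main__":
    signed_digest = digest_value(COMPACT_LICENSE)  # what a signer of the compact form computed
    print("compact digest :", signed_digest)
    print("pretty digest  :", digest_value(PRETTY_LICENSE))
    print("pretty form verifies against the compact digest?",
          verify_reference(PRETTY_LICENSE, signed_digest))
    print("digests agree once whitespace-only text is stripped?",
          digest_value(PRETTY_LICENSE, strip_text=True) == signed_digest)
```

Two practical consequences for anyone in Thomas's position. First, treat a signed XML document as bytes: never pretty-print, re-indent or re-serialize it between signing and verification, and parse it for verification with the same whitespace handling the signer used (with libxml2, parsing with XML_PARSE_NOBLANKS or xmlKeepBlanksDefault(0) drops the blank text nodes and changes the canonical form in exactly the way the compact variant above does). Second, do not "fix" a failing verification by normalizing whitespace before hashing: the whitespace is part of what was signed, and a verifier that accepts any whitespace variant accepts bytes the signer never saw.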
