<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Texto sin formato Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EstiloCorreo17
{mso-style-type:personal;
font-family:"Courier New";
color:windowtext;}
span.TextosinformatoCar
{mso-style-name:"Texto sin formato Car";
mso-style-priority:99;
mso-style-link:"Texto sin formato";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="ES-CL" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">A couple of weeks ago I revisited xmlsec somehow by chance.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">One of our vendors was sending invoices with a faulty xmldsig signature. I used the xmlsec1 command line tool to verify some signatures. As it turned out, the vendor
had managed to sign an ISO-8859-1 encoded xml, and then e-mail it using us-ascii 7bit.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">Anyway, I noticed that after 12 years there's still no perl module for xmlsec. I decided to have a go at this. The repository is available at
<a href="https://github.com/estrelow/Perl-LibXML-Sec">https://github.com/estrelow/Perl-LibXML-Sec</a>.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">This is still a work in progress. So far I've been able to sign a "Hello world" xml document. The module is still useless beyond that.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">Others have tried and failed. I might as well fail.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">use strict;<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">use warnings;<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">use XML::LibXML;<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">use XML::LibXML::xmlsec;<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">my $signer=XML::LibXML::xmlsec->new();<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""># Load the signing key: a passphrase-protected PEM private key<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">$signer->set_pkey(PEM => 'key.pem', secret => 'the watcher and the tower');<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""># Parse the document to sign. load_ext_dtd + complete_attributes pull in the DTD and its attribute defaults; no_network keeps DTD resolution local<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">my $doc=XML::LibXML->load_xml(location => 'hello-ready.xml', load_ext_dtd =>1, complete_attributes=>1, no_network=>1);<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""># Sign the element whose 'id' attribute is "hello"; 'id-node'/'id-attr' declare which element/attribute carries the ID (like xmlsec1 --id-attr) so the reference resolves<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">$signer->signdoc($doc, id => "hello", 'id-node' => 'Data', 'id-attr' => 'id');<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">Some ideas:<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">1. Design principles.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -The module should interact with XML::LibXML, the main libxml2 port under perl. Therefore the targeted module name is XML::LibXML::xmlsec.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -This means an XML::LibXML Document handle might be passed to xmlsec and work out.
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -If the LibXML Document was ill-parsed or is ill-formed, xmlsec should complain and fail.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -This also means a product of xmlsec signing/encryption should be usable by XML::LibXML.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -Instead of a full perl binding of xmlsec, the goal is to produce an xmldsig signing/encryption perl toolkit using xmlsec.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -The module should have simple verbs, like sign(), verify(), encrypt().<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -The arguments should be passed using perl name-value pairs to allow different formats and options, e.g., the code above could equally have been set_pkey(DER => 'key.der').<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -The module must perform at least as well as calling the xmlsec command from perl.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">2. Motivation.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -For many years, libxml has been my xml library of choice under perl.
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -The Chilean tax authority adopted xmldsig some 20 years ago. This means invoices can be exchanged using xmldsig, and even accounting ledgers are to be archived
using xmldsig.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> -I hate calling xmlsec1 from perl. I always feel I'm double parsing everything.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">3. Simplifications.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> - So far I'm using XMLSEC_NO_CRYPTO_DYNAMIC_LOADING to reach a workable toolkit.
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> - Still, since allowing different crypto engines is an xmlsec feature, and there might be compliance issues here, at some point I'll have to let it go.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> - I'm favoring the "app" versions of xmlsec functions.
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">4. Use case.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""> The sign/encrypt perl script use case should be as follows:<o:p></o:p></span></p>
<pre style="font-size:9.0pt;font-family:'Courier New'">
         +
         |
         |
         v
+--------+---------+
|                  |
|    App layer     |
|                  |
+--------+---------+
         |
         v
+--------+---------+
|                  |
|      xmlsec      |
|                  |
+--------+---------+
         |
         v
+--------+---------+
|                  |
|  store or send   |
|                  |
+------------------+
</pre>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">The app layer should build the XML document using perl LibXML, or DBI, or some module to fetch data from a legacy system. Whatever.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">In my case, I connect to SQL server.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">The xmlsec layer will sign and/or encrypt the document. The appropriate key should be selected by any combination of source, target, contents.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">The store/send layer will save the resulting document in some storage, or send it to a receiving party, like a customer, vendor, compliance authority.
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">The decrypt/verify perl script would be the opposite:<o:p></o:p></span></p>
<pre style="font-size:9.0pt;font-family:'Courier New'">
          +
          |
          v
+---------+---------------+
|                         |
|   receive or retrieve   |
|                         |
+---------+---------------+
          |
          |
          v
+---------+---------------+
|                         |
|      xmlsec layer       |
|                         |
+---------+---------------+
          |
          v
+---------+---------------+
|                         |
|        App layer        |
|                         |
+-------------------------+
</pre>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">The receive/retrieve layer should fetch an xml document from storage, or maybe be the receiving end of an https POST channel.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">The xmlsec layer should verify the signature.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">The app layer then can consume the xml data using LibXML.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">Regards.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">Erich.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
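<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">The opening of the message describes a signature over an ISO-8859-1 document that stopped verifying after being e-mailed as us-ascii 7bit. The script below is an added example, not code from the post or from Perl-LibXML-Sec, that reproduces that failure mode with the Python standard library alone: xml.etree's canonicalize() stands in for the C14N step of an xmldsig Reference, hashlib for its digest, and the 7-bit hop is simulated by clearing every byte above 0x7F, which is what a relay with no Content-Transfer-Encoding effectively does. The invoice text and the transport are both constructed for the demonstration.<o:p></o:p></span></p>

```python
"""Why a signature over ISO-8859-1 XML breaks after a us-ascii/7bit e-mail hop.

Added example, not code from the post or from Perl-LibXML-Sec. Standard library
only: xml.etree's canonicalize() stands in for the C14N step of an xmldsig
<Reference>, hashlib for its digest. The invoice and the transport are both
constructed for the demonstration.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: an invoice line with non-ASCII characters, serialized the
# way the vendor did it, as ISO-8859-1 bytes with a matching encoding declaration.
INVOICE_XML = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<Invoice id="F001"><Item>Ca\u00f1er\u00eda 3/4</Item><Total>1500</Total></Invoice>'
)
INVOICE_BYTES = INVOICE_XML.encode("iso-8859-1")


def canonical_form(xml_bytes: bytes) -> str:
    """Canonical XML (C14N) of the document, decoded per its own declaration.

    C14N output is always UTF-8 text, so the digest below depends on the
    characters the parser decoded, not on the byte encoding used on the wire.
    """
    return ET.canonicalize(xml_data=xml_bytes)


def reference_digest(xml_bytes: bytes) -> str:
    """SHA-256 over the canonical form, as the DigestValue of a <Reference>."""
    return hashlib.sha256(canonical_form(xml_bytes).encode("utf-8")).hexdigest()


def verify_reference(signed_digest: str, received_bytes: bytes) -> bool:
    """Recompute the digest over what actually arrived and compare it."""
    return hmac.compare_digest(signed_digest, reference_digest(received_bytes))


def seven_bit_transport(xml_bytes: bytes) -> bytes:
    """Simulated us-ascii/7bit hop with no Content-Transfer-Encoding applied.

    A 7-bit path cannot carry bytes >= 0x80; this stand-in replaces each one
    with '?', as many gateways and mail clients do. The encoding declaration is
    pure ASCII and survives, so the receiver still parses the file as ISO-8859-1
    and gets a well-formed but different document.
    """
    return bytes(b if b < 0x80 else ord("?") for b in xml_bytes)


def demo() -> dict:
    """Sign-side digest versus what the receiving side can recompute."""
    signed = reference_digest(INVOICE_BYTES)        # what the vendor's signature covers
    received = seven_bit_transport(INVOICE_BYTES)   # what landed in the mailbox
    return {
        "intact_verifies": verify_reference(signed, INVOICE_BYTES),
        "after_7bit_verifies": verify_reference(signed, received),
        "received_text": canonical_form(received),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p class="MsoPlainText"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New"">The digest verifies over the original bytes and fails over the 7-bit copy, while the damaged copy still parses cleanly, which is why the failure looks like a bad signature rather than a transport error. The remedy is on the sending side: carry the signed bytes under a MIME Content-Transfer-Encoding that preserves them (base64 or quoted-printable) instead of relabelling an 8-bit body as 7bit.<o:p></o:p></span></p>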
</div>
</body>
</html>