[xmlsec] XML Sig

Aleksey Sanin aleksey at aleksey.com
Thu Oct 31 23:23:34 PST 2002


Hi, Gregor!

I assume that you are asking not about canonicalization but about signing a given Object.
There are multiple ways to sign a particular part of the XML document (i.e. sign its digest)
using XPath transform(s). I think you'll find it useful to read the annotated example from
the XMLDSig spec:
    http://www.w3.org/TR/xmldsig-core/#sec-o-SignatureProperty
Also the XMLSec sources distribution package contains a lot of test vectors (look in the
xmlsec-x.x.x/tests folder) that are very helpful in understanding how this works
(most of these tests can also be found on the W3C web site:
    http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html )

When you add a Reference element to the Signature, you can specify a particular
canonicalization method by just adding a c14n transform to it. If no c14n is specified and
an XML to binary data conversion is required (for example, when a digest for an XML node
set is calculated) then the default c14n is used.

The enveloped Signature can be created by using an Enveloped Signature transform.
You do not need to use XPath expressions for this. In most cases (for example, in XMLSec
cases), using the Enveloping transform is *much* faster.

The current XMLSec implementation has a crypto layer (xmlSecKey, xmlSecBinTransform,
xmlSecKeyManager, xmlSecX509Manager) that abstracts the low level crypto stuff. In order
to replace OpenSSL with a new crypto engine you just need to re-implement the rsa.c, dsa.c, ... files.
Another problem is that currently the crypto stuff is not clearly separated. I thought about doing the
separation soon but I just had no time for this yet. If you are interested in participating in doing this
then we can discuss what needs to be done in more detail.

With best regards,
Aleksey

Gregor Ibic wrote:

>Hi!
>
>I'm writing an xmlsig with MS cryptoapi support. I use your library for
>verification of digests and signatures.
>It turns out that I have to redo some of your work and now I'm stuck with
>proper canonization.
>How can I embed a data object in Signature element and request to canonize
>it.
>I found out that Enveloping signature does not canonize (C14N) that <Object>
>element.
>But I would like to have a transparent solution.
>
>Also I have to remove Signature element with XPath before doing digests if I
>use Enveloped signature, right?
>
>What about doing a wrapper for crypto support? In this way other crypto libs
>could be used.
>
>Regards,
>Gregor
>
>_______________________________________________
>xmlsec mailing list
>xmlsec at aleksey.com
>http://www.aleksey.com/mailman/listinfo/xmlsec
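The Reference processing the reply above describes (run the Transforms in order, fall back to the default c14n when none of them turned the node set into octets, hash, compare with DigestValue), worked through as an added example. This code is not from the thread or from the XMLSec library. It assumes a constructed PurchaseOrder document, hypothetical function names, and that the Python stdlib's xml.etree canonicalize() (which implements C14N 2.0) stands in for the inclusive C14N 1.0 that the XMLDSig default URI names; for this namespace-free sample the two produce the same octets, but a real verifier must implement the algorithm each Transform URI actually names.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DS = "{%s}" % DS_NS
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"  # XMLDSig's default c14n
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGESTS = {SHA1: hashlib.sha1, "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}

ET.register_namespace("ds", DS_NS)

# Constructed sample payloads: same infoset, different serialization (attribute
# order, empty-element syntax), so they must digest identically after c14n.
PAYLOAD_A = '<PurchaseOrder>\n  <Item code="b" id="1"/>\n  <Note/>\n</PurchaseOrder>'
PAYLOAD_B = '<PurchaseOrder>\n  <Item id="1" code="b"></Item>\n  <Note></Note>\n</PurchaseOrder>'


def _remove_keeping_tail(parent, child):
    """Remove only the element node: the text that followed it (ElementTree keeps
    it in child.tail) belongs to the parent's content and must survive, or the
    enveloped transform would silently change the digested octets."""
    siblings = list(parent)
    idx = siblings.index(child)
    tail = child.tail or ""
    if idx == 0:
        parent.text = (parent.text or "") + tail
    else:
        siblings[idx - 1].tail = (siblings[idx - 1].tail or "") + tail
    parent.remove(child)


def enveloped_signature_transform(root):
    """Enveloped Signature transform: drop every ds:Signature element in place."""
    for parent in list(root.iter()):
        for sig in list(parent.findall(DS + "Signature")):
            _remove_keeping_tail(parent, sig)
    return root


def canonical_octets(root):
    """Node set -> octets. ASSUMPTION: stdlib canonicalize() (C14N 2.0) stands in
    for the inclusive C14N 1.0 named by the C14N URI; identical for this sample."""
    return ET.canonicalize(ET.tostring(root, encoding="unicode")).encode("utf-8")


def reference_digest(root, transforms, digest_method=SHA1):
    """Reference over the whole document (URI=""): apply Transforms in order; if
    none produced octets the default c14n is applied; then hash and base64."""
    node, octets = copy.deepcopy(root), None
    for alg in transforms:
        if alg == ENVELOPED:
            if octets is not None:
                raise ValueError("enveloped-signature needs a node set, got octets")
            enveloped_signature_transform(node)
        elif alg == C14N:
            octets = canonical_octets(node)
        else:
            raise ValueError("unsupported transform " + alg)
    if octets is None:
        octets = canonical_octets(node)  # no c14n listed: the default c14n applies
    return base64.b64encode(DIGESTS[digest_method](octets).digest()).decode("ascii")


def build_signed_doc(payload_xml, transforms=(ENVELOPED, C14N)):
    """Envelop a ds:Signature (digest side only; SignatureValue is a placeholder,
    key handling is out of scope here) as the last child of the payload root."""
    root = ET.fromstring(payload_xml)
    # Computed before the Signature exists: only the enveloped transform makes
    # this equal to what a verifier sees once the Signature is embedded.
    digest = reference_digest(root, transforms)
    sig = ET.Element(DS + "Signature")
    si = ET.SubElement(sig, DS + "SignedInfo")
    ET.SubElement(si, DS + "CanonicalizationMethod", Algorithm=C14N)
    ET.SubElement(si, DS + "SignatureMethod",
                  Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    ref = ET.SubElement(si, DS + "Reference", URI="")
    if transforms:
        tfs = ET.SubElement(ref, DS + "Transforms")
        for alg in transforms:
            ET.SubElement(tfs, DS + "Transform", Algorithm=alg)
    ET.SubElement(ref, DS + "DigestMethod", Algorithm=SHA1)
    ET.SubElement(ref, DS + "DigestValue").text = digest
    ET.SubElement(sig, DS + "SignatureValue").text = "PLACEHOLDER"
    # Textual insertion keeps xmlns:ds on the Signature element itself, so the
    # declaration leaves the document together with it under the enveloped transform.
    close = payload_xml.rindex("</")
    return payload_xml[:close] + ET.tostring(sig, encoding="unicode") + payload_xml[close:]


def verify_reference(signed_xml):
    """Recompute the digest from the document's own Transforms and DigestMethod
    and compare it with DigestValue in constant time."""
    root = ET.fromstring(signed_xml)
    ref = root.find(DS + "Signature/" + DS + "SignedInfo/" + DS + "Reference")
    transforms = [t.get("Algorithm")
                  for t in ref.iterfind(DS + "Transforms/" + DS + "Transform")]
    method = ref.find(DS + "DigestMethod").get("Algorithm")
    stated = (ref.findtext(DS + "DigestValue") or "").strip()
    return hmac.compare_digest(reference_digest(root, transforms, method), stated)


if __name__ == "__main__":
    signed = build_signed_doc(PAYLOAD_A)
    print(signed)
    print("verifies:", verify_reference(signed))
    print("tampered verifies:", verify_reference(signed.replace('code="b"', 'code="c"')))
```

Two cases from the thread are visible in the test below: a Reference whose only transform is enveloped-signature still verifies because the default c14n is applied before hashing, and a Reference over URI="" with no enveloped transform fails, since the digest then covers the Signature element that carries it.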
