[xmlsec] canonicalization and transcoding

Aleksey Sanin aleksey@aleksey.com
Sat, 29 Mar 2003 11:05:03 -0800


You are absolutely right! But this happens internally and does not affect your
document. For example, I have the following template file with an enveloped
signature (some lines skipped):

[aleksey@lsh examples]$ cat test.xml
<Envelope xmlns="urn:envelope">
  <Data>
        Hello, World!
        <test />
  </Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
       .... 
  </Signature>
</Envelope>

Now I am signing it with the xmlsec utility using the '--store-references' option
to see what *exactly* was signed (it outputs a lot of data, so we save our
document to a file with the '--output' option and as usual skip some lines):

[aleksey@lsh examples]$ ../apps/xmlsec sign --store-references --privkey ./rsakey.pem --output ./test-res.xml ./test.xml
...
== PreDigest data - start buffer:
<Envelope xmlns="urn:envelope">
  <Data>
        Hello, World!
        <test></test>
  </Data>

</Envelope>
== PreDigest data - end buffer
...

As you can see, before calculating the digest we did C14N as it is described
(for example, inserted the missing end tag). However, the result document does
not have this tag because the one who verifies the signature *MUST* perform the
same C14N internally:

[aleksey@lsh examples]$ cat test-res.xml
<Envelope xmlns="urn:envelope">
  <Data>
        Hello, World!
        <test />
  </Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
       .... 
  </Signature>
</Envelope>

Try it out yourself! Use the '--store-results' and '--store-signatures'
options to see what binary data go to the digest or signature.



Aleksey