[xmlsec] canonicalization and transcoding

Aleksey Sanin aleksey at aleksey.com
Sat Mar 29 11:05:03 PST 2003


You are absolutely right! But this happens internally and does not affect your
document. For example, I have the following template file with an enveloped
signature (some lines skipped):

[aleksey at lsh examples]$ cat test.xml
<Envelope xmlns="urn:envelope">
  <Data>
        Hello, World!
        <test />
  </Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
       .... 
  </Signature>
</Envelope>

Now I am signing it with the xmlsec utility using the '--store-references' option
to see what *exactly* was signed (it outputs a lot of data, so we save our
document to a file with the '--output' option and as usual skip some lines):

[aleksey at lsh examples]$ ../apps/xmlsec sign --store-references --privkey 
./rsakey.pem --output ./test-res.xml ./test.xml
...
== PreDigest data - start buffer:
<Envelope xmlns="urn:envelope">
  <Data>
        Hello, World!
        <test></test>
  </Data>

</Envelope>
== PreDigest data - end buffer
...

As you can see, before calculating the digest we did C14N as it is described
(for example, inserted the missing end tag). However, the result document does
not have this tag because the one who verifies the signature *MUST* perform the
same C14N internally:

[aleksey at lsh examples]$ cat test-res.xml
<Envelope xmlns="urn:envelope">
  <Data>
        Hello, World!
        <test />
  </Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
       .... 
  </Signature>
</Envelope>

Try it out yourself! Use the '--store-results' and '--store-signatures' options
to see what binary data go to the digest or signature.



Aleksey