[xmlsec] canonicalization and transcoding
Aleksey Sanin
aleksey at aleksey.com
Sat Mar 29 11:05:03 PST 2003
You are absolutely right! But this happens internally and does not affect
your document. For example, I have the following template file with an
enveloped signature (some lines skipped):
[aleksey@lsh examples]$ cat test.xml
<Envelope xmlns="urn:envelope">
<Data>
Hello, World!
<test />
</Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
....
</Signature>
</Envelope>
Now I am signing it with the xmlsec utility using the '--store-references'
option to see what *exactly* was signed (it outputs a lot of data, so we save
our document to a file with the '--output' option and as usual skip some
lines):
[aleksey@lsh examples]$ ../apps/xmlsec sign --store-references --privkey ./rsakey.pem --output ./test-res.xml ./test.xml
...
== PreDigest data - start buffer:
<Envelope xmlns="urn:envelope">
<Data>
Hello, World!
<test></test>
</Data>
</Envelope>
== PreDigest data - end buffer
...
As you can see, before calculating the digest we did C14N as described (for
example, inserted the missing end tag). However, the result document does not
have this tag because the one who verifies the signature *MUST* perform the
same C14N internally:
[aleksey@lsh examples]$ cat test-res.xml
<Envelope xmlns="urn:envelope">
<Data>
Hello, World!
<test />
</Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
....
</Signature>
</Envelope>
Try it out yourself! Use the '--store-results' and '--store-signatures'
options to see what binary data go to the digest or signature.
Aleksey