[xmlsec] digestvalue failure
Aleksey Sanin
aleksey at aleksey.com
Wed Mar 3 08:14:05 PST 2004
> I have to implement an XML digital signature checker, but unfortunately,
> without using the xmlsec library. This environment has a specially
> patched (and 0.9.6 only) libssl that renders xmlsec library unusable.
I wonder, why? XMLSEC does support 0.9.6 (you need to set a correct define
if you don't use autotools) but some algorithms will be disabled because
they don't exist in 0.9.6. Everything else should work. IMHO, it should be
much simpler to fix xmlsec to work with your patched 0.9.6 than to write
verification from scratch.
> Here's the problem:
>
> I read the xml file, parse it with libxml2, then I try to canonize it with:
>
> xmlC14NDocDumpMemory(xmlDoc, NULL, 1, NULL, doc_txt_ptr);
>
> where xmlDoc is an xmlDocPtr, and doc_txt_ptr is an **xmlChar.
>
> When I dump the canonized content, it seems ok, at least it's readable,
> has 0x0a at each line end, has no whitespace but 0x20, etc.
>
> At the next step, I look for the referenced URI in the document, in my
> case, it looks like this: <Reference URI="#Body">. It is a digitally
> signed XML SOAP content, so it refers to the section, starts with
> "<SOAP-ENV:Body". I check through the document, and cut the part
> _starting_ with <SOAP-ENV:Body and _ending_ with: </SOAP-ENV:Body>. The
> < is the first byte in my sha1 buffer and the last one is a > (of both
> SOAP-ENV:Body tags). I generate a sha1 hash, then do a base64
> encoding (I encode the bytes, not the UTF8 chars, of course), and it
> produces a DigestValue for me.
Well, there is no surprise. The C14N for the part of a document *will not*
be the same as a cut from C14N of the whole document. The problem is namespaces.
For example, if you have something like this:
<Root xmlns="http://example.org/test">
<Data/>
</Root>
then C14N for the whole document will be
<Root xmlns="http://example.org/test">
<Data></Data>
</Root>
but C14N for the <Data> element only (say, selected with XPath) will be
<Data xmlns="http://example.org/test"></Data>
Hope this explains the problem but you can find more details in the C14N spec.
Aleksey
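The following is an added example, not code from this thread or from the xmlsec project. It is a deliberately small Python re-implementation of the inclusive C14N rules for elements, attributes, text and namespace declarations (no comments, PIs, DTDs or xml: attribute inheritance), enough to reproduce both the Root/Data case above and the poster's SOAP-Body workflow: canonicalize the whole document, slice the referenced element out by byte offsets, canonicalize the same element as a subtree on its own, and compare the resulting base64 SHA-1 DigestValues. The SOAP sample, its envelope namespace URI and the plain Id attribute used for the #Body reference are constructed for the example; a real verifier should run libxml2's C14N over an XPath node-set rather than this toy.

```python
"""Mini inclusive C14N (subset of the 1.0 rules) showing why a byte slice of the
whole document's canonical form is not the canonical form of the referenced element.
Added example, not xmlsec code; a real verifier uses libxml2's C14N on a node-set."""
import base64
import hashlib
from xml.dom import Node, minidom

# Constructed SOAP sample; the unqualified Id attribute used for #Body is an assumption.
SAMPLE_SOAP = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    '<SOAP-ENV:Body Id="Body"><Greeting>hi</Greeting></SOAP-ENV:Body>'
    '</SOAP-ENV:Envelope>'
)


def _escape_text(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace("\r", "&#xD;"))


def _escape_attr(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
             .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def _declared_ns(elem):
    """Namespace declarations written on elem itself: {prefix: uri}, '' = default."""
    decls = {}
    for i in range(elem.attributes.length):
        a = elem.attributes.item(i)
        if a.name == "xmlns":
            decls[""] = a.value
        elif a.name.startswith("xmlns:"):
            decls[a.name[len("xmlns:"):]] = a.value
    return decls


def _in_scope_ns(elem):
    """Every namespace in scope at elem, inherited from its ancestors (inner decls win)."""
    chain, n = [], elem
    while n is not None and n.nodeType == Node.ELEMENT_NODE:
        chain.append(n)
        n = n.parentNode
    scope = {}
    for e in reversed(chain):
        scope.update(_declared_ns(e))
    return scope


def c14n(elem, rendered=None):
    """Canonical form of elem's subtree. `rendered` holds the prefix->uri pairs the
    nearest output ancestor already emitted; when empty, elem is the apex of the
    selected subtree and every in-scope namespace must be declared on it again.
    That re-declaration is exactly what a byte slice of the whole-document C14N lacks."""
    rendered = dict(rendered or {})
    out = ["<", elem.tagName]
    for prefix, uri in sorted(_in_scope_ns(elem).items()):  # default namespace sorts first
        if prefix == "" and uri == "" and rendered.get("", "") == "":
            continue  # xmlns="" is only needed to undo an inherited default namespace
        if rendered.get(prefix) != uri:
            name = "xmlns" if prefix == "" else "xmlns:" + prefix
            out.append(' %s="%s"' % (name, _escape_attr(uri)))
            rendered[prefix] = uri
    attrs = []
    for i in range(elem.attributes.length):
        a = elem.attributes.item(i)
        if a.name == "xmlns" or a.name.startswith("xmlns:"):
            continue
        attrs.append((a.namespaceURI or "", a.localName or a.name, a.name, a.value))
    for _, _, name, value in sorted(attrs):  # C14N order: namespace URI, then local name
        out.append(' %s="%s"' % (name, _escape_attr(value)))
    out.append(">")
    for child in elem.childNodes:
        if child.nodeType == Node.ELEMENT_NODE:
            out.append(c14n(child, rendered))
        elif child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            out.append(_escape_text(child.data))
    out.append("</%s>" % elem.tagName)  # empty elements become <a></a>, never <a/>
    return "".join(out)


def digest_value(canonical):
    """Base64(SHA-1(UTF-8 bytes of the canonical form)), as carried in <DigestValue>."""
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def canonical_forms(xml_text, ref_id=None, tag_name=None, id_attr="Id"):
    """Return (whole, sliced, subtree): whole-document C14N, the referenced element
    cut out of it by offsets (the poster's approach), and the referenced element
    canonicalized on its own (what the DigestValue is really computed over)."""
    doc = minidom.parseString(xml_text)
    if ref_id is not None:
        target = next(e for e in doc.getElementsByTagName("*")
                      if e.getAttribute(id_attr) == ref_id)
    else:
        target = doc.getElementsByTagName(tag_name)[0]
    whole = c14n(doc.documentElement)
    close = "</%s>" % target.tagName
    start = whole.index("<" + target.tagName)
    sliced = whole[start:whole.index(close, start) + len(close)]
    return whole, sliced, c14n(target)


if __name__ == "__main__":
    _, sliced, subtree = canonical_forms(SAMPLE_SOAP, ref_id="Body")
    print("sliced :", sliced, digest_value(sliced))
    print("subtree:", subtree, digest_value(subtree))
```

Running it prints two different canonical strings and two different DigestValues for the same Body element: the subtree form carries `xmlns:SOAP-ENV="..."` on its apex because no output ancestor declared it, while the slice does not. Passing `tag_name="Data"` with the Root/Data document from the reply reproduces the two outputs shown there.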