[xmlsec] xmlsec

aleksey at aleksey.com aleksey at aleksey.com
Sat Dec 24 09:56:41 PST 2005


First of all, this is absolutely correct because namespace
prefix *does not* matter at all (look up XML namespaces
spec for details).

Now, the short answer on your question is: there is no way
to make xmlsec use "custom" namespace prefix for dsig namespace.
I really don't see reasons for making this change but
if you would be interested in creating a patch then I'll
be happy to apply it.

Aleksey

> Yes I am seeing the same thing with numerous templates.
>
> -----Original Message-----
> From: Alexander Trishin [mailto:trial at trishin.com]
> Sent: December 23, 2005 12:20 PM
> To: ed.shallow at rogers.com
> Cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] xmlsec
>
> I'm using xCBL 4.0 documents which define dgs prefix for xmldsig <Invoice
> xmlns:dgs="http://www.w3.org/2000/09/xmldsig#" > So I'm defining signature
> template as <dgs:Signature>
>     <dgs:SignedInfo>
>         <dgs:CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>         <dgs:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <dgs:Reference URI="">
>             <dgs:Transforms>
>                 <dgs:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>             </dgs:Transforms>
>             <dgs:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <dgs:DigestValue/>
>         </dgs:Reference>
>     </dgs:SignedInfo>
>     <dgs:SignatureValue/>
>     <dgs:KeyInfo>
>         <dgs:KeyName/>
>         <dgs:X509Data><dgs:X509Certificate/>
>         </dgs:X509Data>
>     </dgs:KeyInfo>
> </dgs:Signature>
>
> After document is signed all elements still have dgs prefix but
> X509Certificate:
>         <dgs:X509Data>
>         <X509Certificate
> xmlns="http://www.w3.org/2000/09/xmldsig#">MIICAjCCAWugAwIBAgIQnS98DETrP7RGk
> aTvoI4evjANBgkqhkiG9w0BAQQFADAY
> [skip]
> </X509Certificate>
> </dgs:X509Data>
>
> Although it does not create a verification problem, I find it strange.
> Is there a way to keep it consistent?
>
> Thank you,
> Alex.
>
>
> Edward Shallow wrote:
>
>>Hi Alex,
>>
>>   Aleksey did understand you correctly. Simply initialize the
>><KeyName> in a template file (sample attached) and the private signing
>>key will be extracted from the MS system key store (i.e. 'MY'). Rough
>>sequence of calls
>>(simplified) as follows:
>>
>>    xmlParseFile('the template')
>>    xmlDocGetRootElement()
>>    xmlSecFindNode(rootNode, 'Signature',
>>'http://www.w3.org/2000/09/xmldsig#')
>>    xmlSecKeysMngrCreate()
>>    xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
>>    xmlSecDSigCtxCreate()
>>    xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
>>    xmlSecDSigCtxSign(dsigCtx, sigNode)
>>
>>   Depending on which crypto you are using the <KeyName> can contain
>>either the short friendly name (from CN=...) or the full X509
>> Distinguished
> Name.
>>Both will work. mscrypto for example will look first in the Simple Key
>>Store if you have adopted one and then in the 'MY' certificate store
>>for your signing key. In the above sequence, I did not load or adopt a
>>Key Store, so mscrypto goes directly to the system key store 'MY'.
>>
>>   Note: OpenSSL does not have a system key store.
>>
>>Cheers,
>>Ed
>>
>>
>>
>>-----Original Message-----
>>From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
>>Behalf Of Alexander Trishin
>>Sent: December 19, 2005 7:00 PM
>>To: Aleksey Sanin
>>Cc: xmlsec at aleksey.com
>>Subject: Re: [xmlsec] xmlsec
>>
>>Aleksey,
>>
>>I probably didn't make myself clear.
>>I'm looking at the code to produce a signed xml, the key info and
>>certificate come from the external file for the sample.
>>My question is - what functions should I use to change that? So that
>>key info and Certificate come from the system store, and not from the
>> file.
>>
>>Thank you in advance,
>>Alex
>>
>>Aleksey Sanin wrote:
>>
>>
>>
>>>I am not a big mscrypto user myself and I hope someone will correct my
>>>lies here... but I believe that you just need to put the key name
>>>(i.e. certificate subject) into the <KeyName> element of your
>>>signature template.
>>>
>>>Aleksey
>>>
>>>Alexander Trishin wrote:
>>>
>>>
>>>
>>>>Dear Friends,
>>>>
>>>>I'm trying to create a test console app to sign XML files with the
>>>>X509 certificate. I took a look at samples provided but yet to figure
>>>>out how do I sign an XML file with the Certificate that I already
>>>>have in "MY" store. Certificate does have a private key.
>>>>
>>>>If someone can point me in the right direction or has sample I'd be
>>>>greatly appreciated.
>>>>
>>>>Platform is Windows with ms crypto library.
>>>>
>>>>Thank you,
>>>>Alex.
>>>>_______________________________________________
>>>>xmlsec mailing list
>>>>xmlsec at aleksey.com
>>>>http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>
>>>>
>>>
>>>
>>>
>>>
>>_______________________________________________
>>xmlsec mailing list
>>xmlsec at aleksey.com
>>http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>



More information about the xmlsec mailing list