[xmlsec] More help on Stylesheets and XML DSIG
Pere Rosell
prosell at gs1es.org
Mon Nov 7 05:01:06 PST 2005
Dear all,
I sent the same concerns some weeks ago, but I still have not found an
answer. That is why I am writing again; I have been following all the
instructions you gave me but still could not solve the problem.
Main issue: the enveloped XML DSIG result in an XML file is different
depending on whether or not I include the reference to a style sheet which is
external to the tags signed.
Command to get the output:
xmlsec sign --pkcs12 fc_1.p12 --pwd 669378673Pere --store-references
--output hota2output.xml hola1.xml
I used the --store-references option to log the output of the digital
signature process and follow the intermediate steps.
File 1:
<?xml version="1.0" encoding="UTF-8" ?>
<Example>
<Data>Hello, World!</Data>
</Example>
File 2:
<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="xsl-file.xsl" ?>
<Example>
<Data>Hello, World!</Data>
</Example>
Tag to be signed (Example), with the additional information to be completed added:
<Example>
  <Data>Hello, World!</Data>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue></ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue Id='1233'/>
    <ds:KeyInfo>
      <ds:KeyValue/>
      <ds:X509Data/>
    </ds:KeyInfo>
  </ds:Signature>
</Example>
Log File 1:
C:\Documents and Settings\Pere\Escritorio\SED\APIs Factura\API Firma
XML\xmlsec>xmlsec sign --pkcs12 fc_1.p12 --pwd 669378673Pere
--store-references --output hota2output.xml hola1.xml
= SIGNATURE CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000002
==== keyUsage: 0x00000001
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Private
=== key usage: -1
=== rsa key: size = 512
=== list size: 1
=== X509 Data:
==== Key Certificate:
==== Subject Name: /CN=AECOC EDI - AECOC/emailAddress=aecocedi at terra.es
==== Issuer Name: /C=ES/ST=ESPANA/L=BARCELONA/O=AECOC/OU=AECOC/CN=CERT
AECOC PARA AECOC-DATA/emailAddress=info at aecoc.es
==== Issuer Serial: FC
==== Certificate:
==== Subject Name: /CN=AECOC EDI - AECOC/emailAddress=aecocedi at terra.es
==== Issuer Name: /C=ES/ST=ESPANA/L=BARCELONA/O=AECOC/OU=AECOC/CN=CERT
AECOC PARA AECOC-DATA/emailAddress=info at aecoc.es
==== Issuer Serial: FC
== SignedInfo References List:
=== list size: 1
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n
(href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<Example>
<Data>Hello, World!</Data>
</Example>
== PreDigest data - end buffer
== Result - start buffer:
8XnpfMjFME9M6TtRY1JfFWrBrrk=
== Result - end buffer
== Manifest References List:
=== list size: 0
== Result - start buffer:
Z5TcE8gMjZ7RQrIlgDNaCSyYF6bhFGk7HlXbzs1ds8zJixpZ15y7eAsWXWEWwg6d
9FUOg8u7sGTVPqMBicVVBg==
== Result - end buffer
Log File 2:
C:\Documents and Settings\Pere\Escritorio\SED\APIs Factura\API Firma
XML\xmlsec>xmlsec sign --pkcs12 fc_1.p12 --pwd 669378673Pere
--store-references --output hota2output.xml hola2.xml
= SIGNATURE CONTEXT
== Status: succeeded
== flags: 0x00000006
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000002
==== keyUsage: 0x00000001
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Private
=== key usage: -1
=== rsa key: size = 512
=== list size: 1
=== X509 Data:
==== Key Certificate:
==== Subject Name: /CN=AECOC EDI - AECOC/emailAddress=aecocedi at terra.es
==== Issuer Name: /C=ES/ST=ESPANA/L=BARCELONA/O=AECOC/OU=AECOC/CN=CERT
AECOC PARA AECOC-DATA/emailAddress=info at aecoc.es
==== Issuer Serial: FC
==== Certificate:
==== Subject Name: /CN=AECOC EDI - AECOC/emailAddress=aecocedi at terra.es
==== Issuer Name: /C=ES/ST=ESPANA/L=BARCELONA/O=AECOC/OU=AECOC/CN=CERT
AECOC PARA AECOC-DATA/emailAddress=info at aecoc.es
==== Issuer Serial: FC
== SignedInfo References List:
=== list size: 1
= REFERENCE CALCULATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n
(href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: membuf-transform (href=NULL)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: base64 (href=http://www.w3.org/2000/09/xmldsig#base64)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== PreDigest data - start buffer:
<?xml-stylesheet type="text/xsl" href="xsl-file.xsl" ?>
<Example>
<Data>Hello, World!</Data>
</Example>
== PreDigest data - end buffer
== Result - start buffer:
E6byIDGW3hqmFSwdM8dsqnSzewk=
== Result - end buffer
== Manifest References List:
=== list size: 0
== Result - start buffer:
u8fD0c6rOc+XjA8QpUf3ADjSPCZGJiZBIIXrjWLi3OUnneHEs1+MLMe3qyKnlYcf
sJxnRVgsi+pueLncjBuQ6A==
== Result - end buffer
As part of the DSIG process, especially in Log File 2, the external
reference to the XSL file is used for the DSIG:
== PreDigest data - start buffer:
<?xml-stylesheet type="text/xsl" href="xsl-file.xsl" ?>
<Example>
<Data>Hello, World!</Data>
</Example>
== PreDigest data - end buffer
As the main consequence, the hashes calculated are different:
File 1:
== Result - start buffer:
8XnpfMjFME9M6TtRY1JfFWrBrrk=
== Result - end buffer
File 2:
== Result - start buffer:
E6byIDGW3hqmFSwdM8dsqnSzewk=
== Result - end buffer
And of course, the XML DSIG result is different.
I am not sure if it is a bug or I have a misunderstanding of the way
enveloped XML DSIGs work.
Thanks in advance for your help and I look forward to hearing from you
soon. Any assistance will be very welcome.
Kind regards,
Pere Rosell
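The behaviour in the two logs can be reproduced outside xmlsec. The following script is an added example, not code from the post or from the xmlsec project: it applies the same two reference transforms the log shows (enveloped-signature, then canonicalization) to constructed copies of "File 1" and "File 2" and computes the base64 SHA-1 that would go into ds:DigestValue. It uses Python 3.8+ xml.etree.ElementTree.canonicalize, which implements C14N 2.0; for a namespace-free document like this one that produces the same bytes as the inclusive C14N 1.0 xmlsec applied. The exact whitespace of the original files is an assumption, so the digests will not match the ones in the logs byte for byte; what the script shows is why they differ: a Reference with URI="" selects the document node, and in canonical XML a processing instruction placed before the root element belongs to that node, so the xml-stylesheet PI is part of the digested bytes. Referencing the element instead (modelled here by whole_document=False, as URI="#someId" or an XPath filter would do) leaves the PI out.

```python
"""Added example (not from the post or from xmlsec): reproduce the
reference digest input of an enveloped XML-DSIG and show why an
xml-stylesheet PI before the root element changes it."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # canonicalize() needs Python 3.8+

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS

# Constructed inputs mirroring "File 1" and "File 2" of the post; the exact
# whitespace of the original files is an assumption.
FILE1 = (
    '<?xml version="1.0" encoding="UTF-8" ?>\n'
    "<Example>\n<Data>Hello, World!</Data>\n</Example>\n"
)
FILE2 = (
    '<?xml version="1.0" encoding="UTF-8" ?>\n'
    '<?xml-stylesheet type="text/xsl" href="xsl-file.xsl" ?>\n'
    "<Example>\n<Data>Hello, World!</Data>\n</Example>\n"
)
# File 2 with a (minimal, constructed) signature element embedded, as it is
# when the enveloped signature has been inserted into the document.
FILE2_TEMPLATE = FILE2.replace(
    "</Data>\n",
    '</Data>\n<ds:Signature xmlns:ds="%s"><ds:SignedInfo/></ds:Signature>\n' % DSIG_NS,
)


def predigest_input(xml_text: str, whole_document: bool = True) -> str:
    """Return the text the Reference's DigestMethod is applied to.

    Transforms, in the order the xmlsec log lists them: enveloped-signature
    (every ds:Signature element is dropped, done here with exclude_tags),
    then canonicalization.

    whole_document=True models URI="": the reference selects the document
    node, so a processing instruction before the root element is part of the
    canonical form.  whole_document=False canonicalizes only the root
    element, which is what a reference to the element itself (URI="#id" or
    an XPath filter) covers.
    """
    if not whole_document:
        # PIs outside the root element are not part of the element subtree.
        root = ET.fromstring(xml_text)
        xml_text = ET.tostring(root, encoding="unicode")
    return ET.canonicalize(xml_text, with_comments=False,
                           exclude_tags=[SIGNATURE_TAG])


def reference_digest(xml_text: str, whole_document: bool = True) -> str:
    """Base64 SHA-1 of the pre-digest input, the value of ds:DigestValue."""
    data = predigest_input(xml_text, whole_document).encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


if __name__ == "__main__":
    cases = (("File 1", FILE1), ("File 2", FILE2),
             ("File 2 + signature", FILE2_TEMPLATE))
    for name, doc in cases:
        print("==", name, 'URI="" (document node):', reference_digest(doc))
        print(predigest_input(doc))
        print("==", name, "root element only:",
              reference_digest(doc, whole_document=False))
```

Running it prints, for File 2, a pre-digest buffer that starts with the xml-stylesheet PI, exactly as in Log File 2, and a different digest from File 1; with whole_document=False both files digest identically. Whether that difference is wanted is a design question rather than a bug: a signature over the document node also covers the stylesheet reference, so a verifier will notice if the PI is changed to point at another stylesheet, while an element-scoped reference deliberately leaves anything outside that element unprotected.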