[xmlsec] DigestValue for Enveloped Signatures
Dominic Steinitz
dominic.steinitz at blueyonder.co.uk
Sat Nov 12 11:04:39 PST 2005
Apologies if this is the wrong list - if it is could someone direct me to the
right list.
I have been trying to check a DigestValue for an enveloped signature. Here's
the template:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE parent [
<!ATTLIST t1 i ID #IMPLIED>
]>
<Envelope xmlns="urn:envelope">
<t1 i="Foo">Hello</t1>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo> <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Foo">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
</SignatureValue>
<KeyInfo>
<X509Data>
</X509Data>
</KeyInfo>
</Signature>
</Envelope>
Using
xmlsec1 sign --privkey-pem key.pem,cert.pem --output signed1.xml template1.xml
gives
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE parent [
<!ATTLIST t1 i ID #IMPLIED>
]>
<Envelope xmlns="urn:envelope">
<t1 i="Foo">Hello</t1>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo> <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Foo">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>mFMc4cpTQ76zyhuNnZaC7TfkFNw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</Envelope>
My understanding is that sha1 on
<t1 i="Foo">Hello</t1>
should give the DigestValue. However, sha1sum (base64 encoded) gives
v5zrZxB/ZXbzlWQhbs9bw1LL4HQ=
When I use a detached signatures everything works out and the DigestValue
matches what sha1sum gives. Here's the template:
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:envelope">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo> <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="file:///home/dom/xmldsig/test1.xml#Foo">
<Transforms>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
</SignatureValue>
<KeyInfo>
<X509Data>
</X509Data>
</KeyInfo>
</Signature>
</Envelope>
and test1.xml contains
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE parent [
<!ATTLIST t1 i ID #IMPLIED>
]>
<t1 i="Foo">Hello</t1>
Using
xmlsec1 sign --privkey-pem key.pem,cert.pem --output signed1.xml template1.xml
gives
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:envelope">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo> <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="file:///home/dom/xmldsig/test1.xml#Foo">
<Transforms>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>v5zrZxB/ZXbzlWQhbs9bw1LL4HQ=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</Envelope>
sha1sum on the canonicalised version of test1.xml:
<t1 i="Foo">Hello</t1>
gives (base64 encoded):
v5zrZxB/ZXbzlWQhbs9bw1LL4HQ=
(the same as what I expected for the enveloped signature).
Does this mean there is a problem with xmlsec1 for enveloped signatures or
(much more likely) I am applying sha1sum to the wrong input in the case of
enveloped signatures?
Many thanks, Dominic.
More information about the xmlsec
mailing list