[xmlsec] verifying with xml-exc-c14n

Brian.Myers at zootweb.com Brian.Myers at zootweb.com
Thu Jul 3 14:54:45 PDT 2008


That example was signed after encryption and then attempted to verify 
immediately after signing (though I have the functionality to reverse 
those steps).
I haven't used the command line utility for xmlsec at all. Is there a 
way to dump the content before digest with the API?

Thanks,
Brian
***************************************************************
Brian S. Myers
Systems Developer, Engineering
brian.myers at zootweb.com
Tel: 406-556-8924  Fax: 406-587-8414
***************************************************************



Aleksey Sanin <aleksey at aleksey.com>
Sent by: xmlsec-bounces at aleksey.com
07/03/2008 03:49 PM

To: Brian.Myers at zootweb.com
cc: xmlsec at aleksey.com
Subject: Re: [xmlsec] verifying with xml-exc-c14n

Are you signing before or after encryption? Are you verifying
before or after encryption? Have you tried to use "--store-references"
option to dump the content before doing digest?

Aleksey

Brian.Myers at zootweb.com wrote:
> 
> Well, it can't be the http headers.  I now think the problem might be 
> with canonicalization.
> 
> I can verify when I sign with the transform:
> <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> I can verify when I sign with the transform:
> <dsig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> 
> but when I sign with the transform:
> <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> it fails to verify.
> 
> And none of it verifies when I send to my server (which is some black 
> box Microsoft implementation).
> 
> It looks like the server is expecting Exclusive Canonicalization, but I 
> can't even get that to work in my test environment.
> 
> Attached is my xml document after signing (shortened the digest values, 
> but otherwise unchanged).
> Please take a look at it and see if I am doing something stupid.
> 
> Thanks in advance,
> Brian
> 
> 
> 
> 
> 
> Aleksey Sanin <aleksey at aleksey.com>
> Sent by: xmlsec-bounces at aleksey.com
> 06/29/2008 08:19 PM
> 
> To: Brian.Myers at zootweb.com
> cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] Signing a document that will be altered
> 
> I highly doubt that http headers are involved in the signatures...
> At least, not with xmlsec.
> 
> Aleksey
> 
> Brian.Myers at zootweb.com wrote:
>  >
>  > Hello,
>  > I think I'm running into a problem where the digital signature is being
>  > made invalid due to an http post.
>  > Before I send my message to serverB I encrypt it and sign it, I then
>  > post the message to the server.
>  > The post obviously adds http headers to the beginning of the message,
>  > such as ContentType, ContentLength, etc.
>  > I'm guessing that even though these headers are not inside the xml
>  > document, they are still affecting my digest.
>  >
>  > Is there a way to force the sign method to only sign the xml as opposed
>  > to the whole string? and also force
>  > the serverB verifier to verify the xml?
>  >
>  > Thank you,
>  > Brian
>  >
>  >
>  > ------------------------------------------------------------------------
>  >
>  > _______________________________________________
>  > xmlsec mailing list
>  > xmlsec at aleksey.com
>  > http://www.aleksey.com/mailman/listinfo/xmlsec
