[xmlsec] Digest Method & Canonicalization
Ashish Agrawal
meetashish at gmail.com
Wed Jun 3 04:25:30 PDT 2009
Hi Aleksey,
This URL is again based on the new widget spec 1.1.
When I try to verify using this method I get this error:
xmlsec1 --verify --trusted-pem Root.pem signature.xml
error : Unknown IO error
func=xmlSecTransformNodeRead:file=transforms.c:line=1511:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec library function failed:href=http://www.w3.org/2000/09/xmldsig#sha256
func=xmlSecTransformCtxNodeRead:file=transforms.c:line=666:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:name=DigestMethod
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1505:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed:node=DigestMethod
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=817:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=560:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "signature.xml"
Regards,
Ashish
On Tue, Jun 2, 2009 at 9:43 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> xmlsec supports SHA256, your URL is incorrect:
>
> http://www.aleksey.com/pipermail/xmlsec/2005/007037.html
>
> Aleksey
>
> Ashish Agrawal wrote:
>
>> OK, thanks for pointing.
>>
>> Also I need to provide support for the digest method as:
>> http://www.w3.org/200009/xmldsig#sha256 <
>> http://www.w3.org/2000/09/xmldsig#sha256>
>>
>> For supporting this do I need to modify xmlsec?
>>
>> Regards,
>> Ashish
>>
>> On Tue, Jun 2, 2009 at 8:01 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> Look at LibXML2 library, file c14n.c
>>
>> Aleksey
>>
>> Ashish Agrawal wrote:
>>
>> Hi Aleksey,
>>
>> I would like to work on providing the latest canonical support,
>> can you give me some pointers on the areas in the code where I
>> need to focus for the changes.
>>
>> Regards,
>> Ashish
>>
>> On Mon, Jun 1, 2009 at 9:06 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> Sure, I see your point. Well, I haven't seen a lot of interest
>> in C14N 1.1 support so far. BTW, C14N is a part of LibXML2.
>> If you need C14N 1.1, then I am sure that Daniel will be happy
>> to apply your patches to the main tree.
>>
>> Aleksey
>>
>>
>> Ashish Agrawal wrote:
>>
>> Hi Aleksey,
>>
>> Thanks for prompt reply.
>>
>> The basis of my argument is that the newer Widgets DSig specifies
>> certain fixed values for CanonicalizationMethod & DigestMethod.
>>
>> Eg:
>> <?xml version="1.0" encoding="UTF-8"?>
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>   <SignedInfo>
>>     <CanonicalizationMethod
>>         Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
>>     <SignatureMethod
>>         Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
>>     <Reference URI="config.xml">
>>       <DigestMethod
>>           Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>       <DigestValue>j6...8nk=</DigestValue>
>>     </Reference>
>>     <Reference URI="index.html">
>>       <DigestMethod
>>           Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>       <DigestValue>lm...34=</DigestValue>
>>     </Reference>
>>     <Reference URI="icon.png">
>>       <DigestMethod
>>           Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>       <DigestValue>pq...56=</DigestValue>
>>     </Reference>
>>   </SignedInfo>
>>   <SignatureValue>MC0E~LE=</SignatureValue>
>>   <KeyInfo>
>>     <X509Data>
>>       <X509Certificate>MI...lVN</X509Certificate>
>>     </X509Data>
>>   </KeyInfo>
>> </Signature>
>>
>>
>> So when I create a signature file with the above-mentioned
>> canonicalization and digest method, xmlsec fails.
>> Please clarify.
>>
>> Regards,
>> Ashish
>>
>> On Mon, Jun 1, 2009 at 8:55 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> xmlsec implements XML DSig and the Widgets DSig is just
>> a profile of XML DSig. Thus, I don't see why you claim
>> that xmlsec doesn't support it.
>>
>> Aleksey
>>
>> Ashish Agrawal wrote:
>>
>> Hi Aleksey,
>>
>> I need to support
>> http://www.w3.org/TR/2009/WD-widgets-digsig-20090331/
>> and it seems that the current version of xmlsec doesn't support it.
>> Is there any plan for it?
>>
>> Regards,
>> Ashish
>>
>> On Mon, Jun 1, 2009 at 8:02 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> https://www.aleksey.com/xmlsec/xmldsig.html
>>
>> Aleksey
>>
>> Ashish Agrawal wrote:
>>
>> Hi Aleksey,
>>
>> I want to know which standards of DigestMethod and
>> CanonicalizationMethod are supported by xmlsec currently.
>>
>> I have a requirement where I have the digest method as:
>> http://www.w3.org/2000/09/xmldsig#sha256 and
>> canonicalization method as:
>> http://www.w3.org/2006/12/xml-c14n11.
>> Will this be supported?
>>
>> ~Ashish
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>