[xmlsec] Digest Method & Canonicalization
Aleksey Sanin
aleksey at aleksey.com
Wed Jun 3 07:31:09 PDT 2009
From an example in the WD widgets spec:
<Reference URI="config.xml">
<DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>...</DigestValue>
</Reference>
Aleksey
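An added check, not xmlsec's code and not from the thread, that walks a signature's SignedInfo the way the verify run below does: it reports the CanonicalizationMethod URI, flags the xmldsig#sha256 spelling that xmlsec cannot find by href, and recomputes each Reference's SHA-256 DigestValue over the raw package file, which is how a Reference with no Transforms is digested. The sample signature and file bytes are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Identifiers from the thread. xmlsec resolves a DigestMethod by exact href,
# so the xmldsig#sha256 spelling is not found; xmlenc#sha256 is the real one.
WRONG_SHA256 = "http://www.w3.org/2000/09/xmldsig#sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
C14N11 = "http://www.w3.org/2006/12/xml-c14n11"
DIGEST_ALGS = {SHA256: hashlib.sha256,
               "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1}

def digest_b64(alg, data):
    # DigestValue of a Reference without Transforms: base64 of the hash of the raw octets.
    return base64.b64encode(alg(data).digest()).decode()

def check_signed_info(xml_text, files):
    """Return (CanonicalizationMethod URI, [(Reference URI, status), ...]).
    files maps each Reference URI to the raw bytes of that package file."""
    root = ET.fromstring(xml_text)
    c14n = root.find(f"{DS}SignedInfo/{DS}CanonicalizationMethod").get("Algorithm")
    report = []
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI")
        alg = ref.find(DS + "DigestMethod").get("Algorithm")
        expected = ref.findtext(DS + "DigestValue", "").strip()
        if alg == WRONG_SHA256:
            report.append((uri, "unknown href, use " + SHA256))
        elif alg not in DIGEST_ALGS:
            report.append((uri, "unknown href " + alg))
        elif digest_b64(DIGEST_ALGS[alg], files.get(uri, b"")) != expected:
            report.append((uri, "digest mismatch"))
        else:
            report.append((uri, "ok"))
    return c14n, report

# Constructed sample modelled on the widget signature quoted in the thread;
# index.html carries the href that the verify run in the thread rejected.
FILES = {"config.xml": b"<widget/>", "index.html": b"<html></html>"}
SAMPLE = f"""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethod Algorithm="{C14N11}"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="config.xml"><DigestMethod Algorithm="{SHA256}"/>
<DigestValue>{digest_b64(hashlib.sha256, FILES['config.xml'])}</DigestValue></Reference>
<Reference URI="index.html"><DigestMethod Algorithm="{WRONG_SHA256}"/>
<DigestValue>AAAA</DigestValue></Reference>
</SignedInfo></Signature>"""
```

The report only covers the digest step; whether a given xmlsec build accepts the C14N 1.1 URI is a separate question that the thread leaves open.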
Ashish Agrawal wrote:
> Hi Aleksey,
>
> This URL is again based on the new widget spec 1.1;
> when I try to verify using this method I get the error:
>
> xmlsec1 --verify --trusted-pem Root.pem signature.xml
> error : Unknown IO error
> func=xmlSecTransformNodeRead:file=transforms.c:line=1511:obj=unknown:subj=xmlSecTransformIdListFindByHref:error=1:xmlsec
> library function failed:href=http://www.w3.org/2000/09/xmldsig#sha256
> func=xmlSecTransformCtxNodeRead:file=transforms.c:line=666:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec
> library function failed:name=DigestMethod
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1505:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec
> library function failed:node=DigestMethod
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=817:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
> library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=560:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "signature.xml"
>
> Regards,
> Ashish
>
> On Tue, Jun 2, 2009 at 9:43 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> xmlsec supports SHA256; your URL is incorrect:
>
> http://www.aleksey.com/pipermail/xmlsec/2005/007037.html
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> OK, thanks for pointing it out.
>
> Also I need to provide support for the digest method:
> http://www.w3.org/2000/09/xmldsig#sha256
>
> To support this, do I need to modify xmlsec?
>
> Regards,
> Ashish
>
> On Tue, Jun 2, 2009 at 8:01 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Look at the LibXML2 library, file c14n.c.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Hi Aleksey,
>
> I would like to work on providing the latest canonicalization
> support. Can you give me some pointers on the areas in the code
> where I need to focus for the changes?
>
> Regards,
> Ashish
>
> On Mon, Jun 1, 2009 at 9:06 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Sure, I see your point. Well, I haven't seen a lot of interest
> in C14N 1.1 support so far. BTW, C14N is a part of LibXML2.
> If you need C14N 1.1, then I am sure that Daniel will be happy
> to apply your patches to the main tree.
>
> Aleksey
>
>
> Ashish Agrawal wrote:
>
> Hi Aleksey,
>
> Thanks for prompt reply.
>
> The basis of my argument is that the newer Widgets DSig
> specifies certain fixed values for CanonicalizationMethod and
> DigestMethod.
>
> Eg:
> <?xml version="1.0" encoding="UTF-8"?>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <SignedInfo>
>     <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
>     <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>     <Reference URI="config.xml">
>       <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>       <DigestValue>j6...8nk=</DigestValue>
>     </Reference>
>     <Reference URI="index.html">
>       <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>       <DigestValue>lm...34=</DigestValue>
>     </Reference>
>     <Reference URI="icon.png">
>       <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>       <DigestValue>pq...56=</DigestValue>
>     </Reference>
>   </SignedInfo>
>   <SignatureValue>MC0E~LE=</SignatureValue>
>   <KeyInfo>
>     <X509Data>
>       <X509Certificate>MI...lVN</X509Certificate>
>     </X509Data>
>   </KeyInfo>
> </Signature>
>
>
> So when I create a signature file with the above-mentioned
> canonicalization and digest method, xmlsec fails.
> Please clarify.
>
> Regards,
> Ashish
>
> On Mon, Jun 1, 2009 at 8:55 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> xmlsec implements XML DSig and the Widgets DSig is just
> a profile of XML DSig. Thus, I don't see why you claim
> that xmlsec doesn't support it.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Hi Aleksey,
>
> I need to support
> http://www.w3.org/TR/2009/WD-widgets-digsig-20090331/
> and it seems that the current version of xmlsec doesn't support
> it. Is there any plan for it?
>
> Regards,
> Ashish
>
> On Mon, Jun 1, 2009 at 8:02 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> https://www.aleksey.com/xmlsec/xmldsig.html
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Hi Aleksey,
>
> I want to know which standards of DigestMethod and
> CanonicalizationMethod are supported by xmlsec currently.
>
> I have a requirement where I have the digest method as
> http://www.w3.org/2000/09/xmldsig#sha256 and the canonicalization
> method as http://www.w3.org/2006/12/xml-c14n11.
> Will this be supported?
>
> ~Ashish
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec