[xmlsec] Canonicalization and sha1 of a document part with xmlsec1

Aleksey Sanin aleksey at aleksey.com
Fri Nov 11 10:07:00 PST 2011


Run the xmlsec1 utility with --store-references to see what exactly is sha'd

Aleksey

On 11/11/11 10:05 AM, Si St wrote:
> Is sha1 in xmlsec1 after the canonicalization of the xmlfile-docpart to
> sign identical to this:
>
> cat xmlfile-docpart | openssl dgst -sha1 -binary | openssl enc -base64 >
> xmlfile-docpart-digest
> ?
> If xmlfile-docpart is as simple as the following (leaving out the
> signature part):
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <MsgHead>
>    <Document>
>      <Krav/>
>    </Document>
> </MsgHead>
>
>
> then the C14N of it cannot give anything more than this:
>
> <MsgHead>
>    <Document>
>      <Krav></Krav>
>    </Document>
> </MsgHead>
>
> but doing the sha1 with openssl on this post-C14N file (done with xmllint
> --c14n), we get this digest value:
> tkuyB5MHizGiQsl9ljG+YcPogOA=
> The digest value from running xmlsec1 sign on the pre-C14N+sigpart file
> gives this:
> pKl5h5ALLpm57qM8FeuQSaa4Ogk=
>
> Does this mean the xmldsig#sha1 is something different from 'sha1sum'
> and 'openssl -sha1'?
> If so, what is the difference? That C14N puts in (empty) elements from
> an XSD schema, or what?
>
> I am talking about the DigestValue from the document part here, not the
> DigestValue of the SignedInfo that disappears in the SignatureValue.
>
> I thought that SHA1 = SHA1. Period.


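Added worked example (written for this page; it is not code from the thread, from xmlsec or from xmllint): a small Python script that computes, for the document quoted above, the same octets that xmlsec1 --store-references would print before digesting. It uses the standard library's xml.etree.ElementTree.canonicalize (C14N 2.0, which for a namespace-free, comment-free document like this one yields the same octets as the inclusive C14N 1.0 that xmlsec1 applies) and reimplements the enveloped-signature transform by hand. Both input documents are constructed for the example; the second is the first with a typical xmlsec1 signature template inserted on its own indented line. It shows that DigestValue is SHA-1 over the transformed, canonical UTF-8 octets rather than over the file (no XML declaration, <Krav></Krav> instead of <Krav/>, nothing after the root element), and that once a Signature element has been inserted the enveloped-signature transform removes only the element itself, so the indentation written around it stays in the node-set and the digest no longer matches that of a document that never had a signature.

```python
"""What an XML-DSig <DigestValue> over an enveloped reference (URI="") is
computed from, and why it is not `sha1` of the raw file."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = "{%s}Signature" % DSIG_NS

# Constructed sample: the document from the thread, without a signature.
DOC_UNSIGNED = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<MsgHead>
  <Document>
    <Krav/>
  </Document>
</MsgHead>
"""

# Constructed sample: the same document with an xmlsec1-style enveloped
# signature template inserted on its own indented line (the usual way).
DOC_SIGNED = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<MsgHead>
  <Document>
    <Krav/>
  </Document>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue></SignatureValue>
  </Signature>
</MsgHead>
"""


def b64_sha1(data: bytes) -> str:
    """Base64-encoded SHA-1, the encoding DSig uses inside <DigestValue>."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def raw_file_digest(xml_bytes: bytes) -> str:
    """What `cat file | openssl dgst -sha1 -binary | openssl enc -base64`
    gives: SHA-1 over the file's bytes, XML declaration and all."""
    return b64_sha1(xml_bytes)


def enveloped_signature_transform(root: ET.Element) -> None:
    """Drop every ds:Signature element from the tree but keep the whitespace
    text nodes around it.  The real transform removes only the Signature
    element's nodes from the XPath node-set, so the indentation written
    around the template survives into the canonical form."""
    doomed = [(parent, sig) for parent in root.iter()
              for sig in parent.findall(SIG_TAG)]
    for parent, sig in doomed:
        trailing = sig.tail or ""          # text node that followed </Signature>
        siblings = list(parent)
        idx = siblings.index(sig)
        if idx > 0:                        # glue it onto the previous sibling
            prev = siblings[idx - 1]
            prev.tail = (prev.tail or "") + trailing
        else:                              # or onto the parent's leading text
            parent.text = (parent.text or "") + trailing
        parent.remove(sig)


def canonical_reference(xml_bytes: bytes) -> str:
    """Reference URI="" + enveloped-signature transform + C14N.
    ET.canonicalize implements C14N 2.0; for a namespace- and comment-free
    document its octets equal the inclusive C14N 1.0 xmlsec1 applies here."""
    root = ET.fromstring(xml_bytes)        # expat honours the ISO-8859-1 declaration
    enveloped_signature_transform(root)
    # No XML declaration, <Krav></Krav> instead of <Krav/>, UTF-8 text.
    return ET.canonicalize(ET.tostring(root))


def reference_digest(xml_bytes: bytes) -> str:
    """The <DigestValue> content: SHA-1 over the canonical UTF-8 octets."""
    return b64_sha1(canonical_reference(xml_bytes).encode("utf-8"))


if __name__ == "__main__":
    for name, doc in (("unsigned", DOC_UNSIGNED), ("with template", DOC_SIGNED)):
        print("%s: raw sha1 %s   DigestValue %s"
              % (name, raw_file_digest(doc), reference_digest(doc)))
        print("  canonical octets: %r" % canonical_reference(doc))
```

Run it and compare the two canonical strings: the signed variant carries an extra blank, indented line where the Signature element used to be, which is enough to change the SHA-1. Note also that the canonical form is UTF-8 regardless of the ISO-8859-1 declaration, so any non-ASCII text in the document is re-encoded before hashing, another reason a digest of the original file bytes will not match. The "unsigned" digest here is SHA-1 over exactly the bytes xmllint --c14n would emit for the signature-less file, which is the comparison the question was trying to make.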