[xmlsec] How to control C14N

Rich Duzenbury duzenbury at gmail.com
Mon May 14 11:58:35 PDT 2012


Hi,

I'm attempting to generate an identity provider assertion that will
work with RSA FIM.

Here is a recent assertion, ready to be signed:
http://pastie.org/private/gobkuozf0asjpqw3rekavq

Here is that same assertion, signed:
http://pastie.org/private/yrrlqgxqcwkn7tqorva44a

I use xmlsec to do the signing.  I can validate the signature via
xmlsec.  That is to say, the validation runs and returns a good
result.  If I change a byte in the output document, the signature
validation fails, as should be expected.  However, RSA FIM doesn't
like it, and throws a NULL exception.  I don't have access to more
than a stack trace.

I have doubt about whether I set up the signature block correctly.
Here is my <signature> template:

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue></ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue></ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate></ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>

I presume enveloped signature means to sign the whole message, right?
Is it enough to simply include <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> in the signature
method, and the canonicalization will magically be done by the library?
Or do I have to signal xmlsec to do it in some way? Or does it have to
be done with a different tool before the signing is completed?  Have I
built this correctly?

I'm using the command line for now, by the way, if that makes any real
difference.

--
Thank you.

Regards,
Rich
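
The questions in the post about the template can be checked mechanically. What follows is an added example for this thread, not code from the original post and not part of the xmlsec project: a stdlib-only Python linter that parses a ds:Signature template and reports what it instructs the signer to do. It encodes XML-DSig semantics that xmlsec1 follows when driven by a template: the ds:Transform elements listed under a ds:Reference are applied by the library in the order given (nothing is pre-canonicalized by the caller), URI="" selects the whole document and therefore needs the enveloped-signature transform, same-document references by ID need `--id-attr` on the xmlsec1 command line unless the ID attribute is declared, and empty DigestValue, SignatureValue and X509Certificate elements are filled in by `xmlsec1 --sign`. It also flags the SHA-1 algorithms as a caveat. The input is the template from the post with the wrapped attribute rejoined; function and report key names are the example's own.

```python
"""Lint an XML-DSig <ds:Signature> template before handing it to xmlsec1 (added example)."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
INC_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
C14N_ALGS = {EXC_C14N, EXC_C14N + "WithComments", INC_C14N, INC_C14N + "#WithComments"}
SHA1_ALGS = {DS + "sha1", DS + "rsa-sha1"}  # still accepted by xmlsec1, deprecated for new signatures

# Constructed input: the template from the post, wrapped attribute rejoined.
TEMPLATE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue></ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue></ds:SignatureValue>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate></ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</ds:Signature>
"""


def ds(local):
    """Clark-notation tag for an element in the XML-DSig namespace."""
    return "{%s}%s" % (DS, local)


def is_empty(el):
    """True for an element the signer is expected to fill in."""
    return el is not None and not (el.text or "").strip() and len(el) == 0


def lint_template(xml_text):
    """Describe what the template tells the signer to do and flag likely mistakes.

    Transforms under a ds:Reference are executed by the library in order; the caller
    does not canonicalize anything itself. Empty DigestValue, SignatureValue and
    X509Certificate are filled by `xmlsec1 --sign`.
    """
    root = ET.fromstring(xml_text)
    sig = root if root.tag == ds("Signature") else root.find(".//" + ds("Signature"))
    if sig is None:
        raise ValueError("template has no ds:Signature element")
    si = sig.find(ds("SignedInfo"))
    report = {
        "c14n": si.find(ds("CanonicalizationMethod")).get("Algorithm"),
        "signature_method": si.find(ds("SignatureMethod")).get("Algorithm"),
        "references": [], "filled_by_signer": [], "warnings": [],
    }
    if report["signature_method"] in SHA1_ALGS:
        report["warnings"].append("SignatureMethod uses SHA-1; prefer rsa-sha256")

    for ref in si.findall(ds("Reference")):
        uri = ref.get("URI")
        transforms = [t.get("Algorithm") for t in ref.findall(ds("Transforms") + "/" + ds("Transform"))]
        entry = {"uri": uri, "transforms": transforms,
                 "digest": ref.find(ds("DigestMethod")).get("Algorithm"),
                 "enveloped": ENVELOPED in transforms}
        if uri == "":
            # URI="" dereferences to the document that contains the Signature itself.
            entry["target"] = "whole document"
            if not entry["enveloped"]:
                report["warnings"].append('URI="" without enveloped-signature: the Signature '
                                          "would be part of its own digest input and could never verify")
        elif uri.startswith("#"):
            # Same-document reference by ID; xmlsec1 must be told which attribute is the ID
            # (DTD/schema declaration or --id-attr:<attr> <element-qname>).
            entry["target"] = "element with ID " + uri[1:]
            report["warnings"].append("URI=%s: give xmlsec1 --id-attr:<attr> <element-qname> "
                                      "unless the ID attribute is declared" % uri)
        else:
            entry["target"] = "external resource " + uri
        if not C14N_ALGS & set(transforms):
            # XML-DSig default when the last transform yields a node-set.
            report["warnings"].append("URI=%r: no c14n transform listed; the node-set is "
                                      "canonicalized with inclusive C14N by default" % uri)
        if entry["digest"] in SHA1_ALGS:
            report["warnings"].append("URI=%r: DigestMethod uses SHA-1; prefer sha256" % uri)
        if is_empty(ref.find(ds("DigestValue"))):
            report["filled_by_signer"].append("DigestValue")
        report["references"].append(entry)

    for name in ("SignatureValue", "X509Certificate"):
        el = sig.find(".//" + ds(name))
        if is_empty(el):
            report["filled_by_signer"].append(name)
        elif el is not None:
            report["warnings"].append(name + " is pre-filled; xmlsec1 --sign overwrites it")
    return report


if __name__ == "__main__":
    for key, value in lint_template(TEMPLATE).items():
        print("%-17s %s" % (key + ":", value))
```

Run against the posted template, the report shows one reference targeting the whole document with the enveloped-signature and exclusive-c14n transforms applied by the signer, three empty elements to be filled by `xmlsec1 --sign`, and two SHA-1 warnings; the structural questions in the post come out clean, so a consumer's failure on such a document is a matter for its own logs rather than the template.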
