[xmlsec] How to control C14N
Aleksey Sanin
aleksey at aleksey.com
Tue May 15 21:02:59 PDT 2012
You probably want to contact RSA FIM to figure out what this
exception means.
Aleksey
On 5/14/12 11:58 AM, Rich Duzenbury wrote:
> Hi,
>
> I'm attempting to generate an identity provider assertion that will
> work with RSA FIM.
>
> Here is a recent assertion, ready to be signed:
> http://pastie.org/private/gobkuozf0asjpqw3rekavq
>
> Here is that same assertion, signed:
> http://pastie.org/private/yrrlqgxqcwkn7tqorva44a
>
> I use xmlsec to do the signing. I can validate the signature via
> xmlsec. That is to say, the validation runs and returns a good
> result. If I change a byte in the output document, the signature
> validation fails, as should be expected. However, RSA FIM doesn't
> like it, and throws a NULL exception. I don't have access to more
> than a stack trace.
>
> I have doubts about whether I set up the signature block correctly.
> Here is my <Signature> template:
>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>   <ds:SignedInfo>
>     <ds:CanonicalizationMethod
>         Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>     <ds:Reference URI="">
>       <ds:Transforms>
>         <ds:Transform
>             Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>       <ds:DigestValue></ds:DigestValue>
>     </ds:Reference>
>   </ds:SignedInfo>
>   <ds:SignatureValue></ds:SignatureValue>
>   <ds:KeyInfo>
>     <ds:X509Data>
>       <ds:X509Certificate></ds:X509Certificate>
>     </ds:X509Data>
>   </ds:KeyInfo>
> </ds:Signature>
>
> I presume enveloped signature means to sign the whole message, right?
> Is it enough to simply include <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> in the signature
> method, and the canonicalization will magically be done by the library?
> Or do I have to signal xmlsec to do it in some way? Or does it have to
> be done with a different tool before the signing is completed? Have I
> built this correctly?
>
> I'm using the command line for now, by the way, if that makes any real
> difference.
>
> --
> Thank you.
>
> Regards,
> Rich
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
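An added, runnable illustration of the command-line workflow asked about above (written for this page; it is not code from the original thread or from the xmlsec project). It embeds the posted <ds:Signature> template in a small constructed document, signs it with xmlsec1, verifies it, proves a one-byte change is rejected, dumps the canonicalized bytes xmlsec1 actually digested, and then repeats the signing with an ID-based Reference. It assumes xmlsec1 and openssl are on PATH; the <Assertion> element, its namespace urn:example:assertion, the ID value, the key/cert files and the helper function names are all invented for the demo.

```shell
#!/bin/sh
# Added example, not from the list post or the xmlsec project: drive the
# xmlsec1 command line against the posted signature template, verify the
# result, show the bytes xmlsec1 digested, and try an ID-based reference.
# Assumes xmlsec1 and openssl are on PATH. The <Assertion> document, its
# namespace, the ID value and all file names are constructed for the demo.
set -e

# Write a document with the posted <ds:Signature> template embedded in it.
# $1 = output file, $2 = value for the Reference URI ("" = whole document).
write_template() {
  cat > "$1" <<EOF
<?xml version="1.0"?>
<Assertion xmlns="urn:example:assertion" ID="_demo-assertion-1">
  <Issuer>https://idp.example.test</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="$2">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue></ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue></ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <Subject>alice@example.test</Subject>
</Assertion>
EOF
}

# Throw-away RSA key and self-signed certificate for the demo.
make_key() {  # make_key <key.pem> <cert.pem>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=xmlsec-demo" \
    -keyout "$1" -out "$2" >/dev/null 2>&1
}

# Sign the template. xmlsec1 does everything the template describes: it
# applies the Reference transforms (enveloped-signature, then exclusive C14N)
# to the referenced node, digests the result into DigestValue, canonicalizes
# <SignedInfo> with the CanonicalizationMethod, signs that into SignatureValue
# and puts the certificate into X509Certificate. Nothing is canonicalized
# beforehand by the caller.
sign_doc() {  # sign_doc <template> <key.pem> <cert.pem> <output> [xmlsec1 options]
  tmpl=$1; key=$2; cert=$3; out=$4; shift 4
  xmlsec1 --sign --privkey-pem "$key,$cert" --output "$out" "$@" "$tmpl" >/dev/null 2>&1
}

# Verify with the demo certificate as the trust anchor; non-zero on failure.
verify_doc() {  # verify_doc <cert.pem> <signed.xml> [xmlsec1 options]
  cert=$1; doc=$2; shift 2
  xmlsec1 --verify --trusted-pem "$cert" "$@" "$doc" >/dev/null 2>&1
}

# Dump the post-transform, canonicalized bytes that went into the digest, so
# the canonicalization can be seen rather than assumed.
show_digested_bytes() {  # show_digested_bytes <template> <key.pem> <cert.pem>
  xmlsec1 --sign --store-references --print-debug --privkey-pem "$2,$3" \
    --output /dev/null "$1" 2>/dev/null
}

# Flip one byte inside the signed content; verification must then fail.
tamper() {  # tamper <signed.xml> <tampered.xml>
  sed 's/alice@/alicf@/' "$1" > "$2"
}

demo() {
  d=$(mktemp -d)
  make_key "$d/key.pem" "$d/cert.pem"

  # 1. Whole-document reference (URI=""), exactly as in the posted template.
  write_template "$d/whole.xml" ""
  sign_doc "$d/whole.xml" "$d/key.pem" "$d/cert.pem" "$d/whole-signed.xml"
  verify_doc "$d/cert.pem" "$d/whole-signed.xml" && echo "whole-document signature: OK"
  tamper "$d/whole-signed.xml" "$d/whole-bad.xml"
  verify_doc "$d/cert.pem" "$d/whole-bad.xml" || echo "tampered copy: rejected (expected)"

  # 2. Reference by ID, the form SAML 2.0 assertions use. Without a DTD or
  #    schema xmlsec1 does not know that "ID" is an ID attribute, so
  #    --id-attr:ID <namespace>:<element> tells it, at sign and verify time.
  write_template "$d/byid.xml" "#_demo-assertion-1"
  sign_doc "$d/byid.xml" "$d/key.pem" "$d/cert.pem" "$d/byid-signed.xml" \
    --id-attr:ID urn:example:assertion:Assertion
  verify_doc "$d/cert.pem" "$d/byid-signed.xml" \
    --id-attr:ID urn:example:assertion:Assertion && echo "ID-referenced signature: OK"

  show_digested_bytes "$d/whole.xml" "$d/key.pem" "$d/cert.pem"
}

# Run only when the tools are present, so the file can be sourced harmlessly.
if command -v xmlsec1 >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  demo
fi
```

Two caveats for anyone reusing this. The URI="" plus enveloped-signature form in the posted template is valid XMLDSig and xmlsec1 signs and verifies it, which matches what was observed; the SAML 2.0 core spec, however, requires an assertion's Reference URI to be the assertion's own ID (the second variant above), and a relying party may insist on that. Whether that is what RSA FIM objected to cannot be read from a stack trace, so the advice to ask RSA stands. The template is kept as posted with rsa-sha1 and sha1; SHA-1 is deprecated for new signatures, so prefer rsa-sha256 and sha256 wherever the relying party accepts them.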