[xmlsec] About Canonicalization and Digest
Neko
akitsukineko at gmail.com
Sat Jun 2 11:55:23 PDT 2012
Thank you for answering.
So if signing a node inside the xml file (same-document reference),
first we have to get the XPath node-set,
then do the Canonicalization on the node-set,
and calculate the Digest of the Canonicalization result.
The original content of the referenced node-set won't be changed.
But in the test case
input
<root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...</root>
Canonicalized form obtained from libxml2 (<CanonicalizationMethod
Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>):
<?xml version="1.0"?>
<node>
<node>text</node>
<node>
<node>
<node>text</node>
<node>text</node>
</node>
<node>text</node>
</node>
</node>
Shouldn't the digest value be based on the second one?
Thank you
2012/6/3 Aleksey Sanin <aleksey at aleksey.com>
> " ... source xml file needs Canonicalization(applied to the entire xml)
> ..."
>
> That's not quite correct. You can not use the "entire xml" because the
> insertion of the signature changes it and the digest match during
> verification would fail.
>
> This is the part of the spec that talks about it
>
> http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel
>
>
> Aleksey
>
> On 6/2/12 10:34 AM, Neko wrote:
> > Dear Aleksey
> >
> > I have a question about Canonicalization and Digest while using xmlsec1
> > to sign a template xml file.
> > According to my understanding of the xml signature spec provided by W3C,
> > the source xml file needs Canonicalization (applied to the entire xml) before
> > calculating the Digest.
> >
> > The template file looks like this:
> >
> > <?xml version="1.0"?>
> > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature
> > xmlns="http://www.w3.org/2000/09/xmldsig#">
> > <SignedInfo>
> > <CanonicalizationMethod
> > Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
> > <SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > <Reference URI="">
> > <Transforms>
> > <Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> > </Transforms>
> > <DigestMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > <DigestValue></DigestValue>
> > </Reference>
> > </SignedInfo>
> > <SignatureValue />
> > <KeyInfo>
> > <KeyValue />
> > </KeyInfo>
> > </Signature></root>
> > (to verify my understanding, there are no spaces or line breaks between
> > data nodes)
> >
> > In the result, xmlsec1 puts the desired values into the proper fields, while the
> > original data remains the same, like:
> >
> > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...</root>
> >
> > However, I tried to do the Canonicalization with libxml, and the result
> > is like this (ignoring the signature node):
> >
> > <?xml version="1.0"?>
> > <node>
> > <node>text</node>
> > <node>
> > <node>
> > <node>text</node>
> > <node>text</node>
> > </node>
> > <node>text</node>
> > </node>
> > </node>
> >
> > which leads to a different digest value.
> > Do I misunderstand something, or is the way I used xmlsec1 wrong?
> >
> > Thank you
> >
> >
> > How I do the Canonicalization with libxml:
> > get the nodeset by:
> > xmlXPathEvalExpression("/descendant-or-self::node()", context)
> > then get the Canonicalization by:
> > xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1, c14noutputbuffer);
> > xmlDocPtr c14ndoc = xmlParseMemory(c14nbuffer->content, c14nbuffer->use);
> >
> >
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
>
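The reference processing chain Aleksey points to, worked through as an added example (this is not xmlsec1 or libxml2 code, and not code from either poster): take the node-set for URI="" (the whole document), apply the enveloped-signature transform by dropping the ds:Signature element, serialize what is left in canonical form, and digest that octet stream with SHA-1. The canonicalizer here is a small subset of inclusive C14N written for this example (elements, attributes, namespace declarations, text, comments inside the document element), not libxml2's xmlC14NDocSaveTo, and the elided namespace in the template is filled in as urn:example by assumption. The point it makes runnable: the digest of the raw file (which still contains the Signature) and the digest of a re-parsed, pretty-printed dump both differ from the DigestValue xmlsec1 computes over the canonical node-set.

```python
import base64
import hashlib
from xml.dom import Node, minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XMLNS_NS = "http://www.w3.org/2000/xmlns/"

# Constructed sample: the thread's template, namespace assumed as urn:example,
# no whitespace between data nodes.
TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<root xmlns="urn:example">'
    '<node>text</node><node><node><node>text</node><node>dlink</node></node>'
    '<node>text</node></node>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<Reference URI=""><Transforms>'
    '<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '</Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<DigestValue></DigestValue></Reference></SignedInfo>'
    '<SignatureValue/><KeyInfo><KeyValue/></KeyInfo></Signature></root>'
)


def _esc_text(s):  # C14N text node escaping
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace("\r", "&#xD;"))


def _esc_attr(s):  # C14N attribute value escaping
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
             .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def _c14n_element(el, rendered_ns, out, with_comments):
    # minidom exposes xmlns declarations as Attr nodes in the xmlns namespace.
    # Inclusive C14N renders a declaration only if it changes what the nearest
    # output ancestor already rendered; other attributes sort by (ns, local name).
    ns_decls, attrs = [], []
    for a in el.attributes.values():
        if a.namespaceURI == XMLNS_NS:
            ns_decls.append((a.localName if a.prefix == "xmlns" else "", a.value))
        else:
            attrs.append((a.namespaceURI or "", a.localName, a.name, a.value))
    scope = dict(rendered_ns)
    out.append("<" + el.tagName)
    for prefix, uri in sorted(ns_decls):
        if scope.get(prefix) != uri:
            scope[prefix] = uri
            out.append(' xmlns%s="%s"' % (":" + prefix if prefix else "", _esc_attr(uri)))
    for _, _, name, value in sorted(attrs):
        out.append(' %s="%s"' % (name, _esc_attr(value)))
    out.append(">")
    for child in el.childNodes:
        if child.nodeType == Node.ELEMENT_NODE:
            _c14n_element(child, scope, out, with_comments)
        elif child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            out.append(_esc_text(child.data))
        elif child.nodeType == Node.COMMENT_NODE and with_comments:
            out.append("<!--" + child.data + "-->")
        # PIs and nodes outside the document element are out of scope here.
    out.append("</" + el.tagName + ">")  # empty elements become <e></e>, never <e/>


def canonicalize(doc, with_comments=True):
    """Canonical form of the document element subtree: no XML declaration, no indent."""
    out = []
    _c14n_element(doc.documentElement, {}, out, with_comments)
    return "".join(out)


def canonical_form(xml_text, with_comments=True):
    return canonicalize(minidom.parseString(xml_text), with_comments)


def enveloped_signature_transform(doc):
    """Drop ds:Signature, as the enveloped-signature transform does (assumes one Signature)."""
    for el in doc.getElementsByTagNameNS(DSIG_NS, "Signature"):
        el.parentNode.removeChild(el)
    return doc


def sha1_b64(octets):
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def reference_digest(xml_bytes):
    """(canonical octets, DigestValue) for <Reference URI=""> with the enveloped transform."""
    doc = enveloped_signature_transform(minidom.parseString(xml_bytes))
    canonical = canonicalize(doc, with_comments=True)
    return canonical, sha1_b64(canonical.encode("utf-8"))


def pretty_printed_digest(xml_bytes):
    """Digest of a re-parsed, indented dump: the mistake in the thread, for comparison."""
    doc = enveloped_signature_transform(minidom.parseString(xml_bytes))
    return sha1_b64(doc.documentElement.toprettyxml(indent="  ").encode("utf-8"))


if __name__ == "__main__":
    raw = TEMPLATE.encode("utf-8")
    canonical, digest = reference_digest(raw)
    print("canonical form :", canonical)
    print("DigestValue    :", digest)
    print("entire file    :", sha1_b64(raw), "(differs: still contains the Signature)")
    print("pretty printed :", pretty_printed_digest(raw), "(differs: added whitespace)")
```

Note that the canonical octets carry no `<?xml version="1.0"?>` declaration and no indentation, so serializing the C14N result back through a parser and an indenting dump (as the `xmlParseMemory` step in the thread does) changes the bytes and therefore the digest; the DigestValue has to be computed on the canonicalizer's output buffer directly.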