[xmlsec] About Canonicalization and Digest

Neko akitsukineko at gmail.com
Sat Jun 2 11:55:23 PDT 2012


Thank you for answering.
So if signing the node inside the xml file (same-document reference),
 first we have to get the XPath node-set,
 then do the Canonicalization on the node-set,
 and calculate the Digest of the Canonicalization result.
The original content of referenced node-set won't be changed.

But in the test case
input

<root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>

Canonicalization form obtained from libxml2 (<CanonicalizationMethod
Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>)

<?xml version="1.0"?>
<node>
  <node>text</node>
  <node>
    <node>
      <node>text</node>
      <node>text</node>
    </node>
    <node>text</node>
  </node>
</node>

Shouldn't the digest value be based on the second one?

Thank you


2012/6/3 Aleksey Sanin <aleksey at aleksey.com>

> " ... source xml file needs Canonicalization(applied to the entire xml)
> ..."
>
> That's not quite correct. You can not use the "entire xml" because the
> insertion of the signature changes it and the digest match during
> verification would fail.
>
> This is the part of the spec that talks about it
>
> http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel
>
>
> Aleksey
>
> On 6/2/12 10:34 AM, Neko wrote:
> > Dear Aleksey
> >
> > I have a question about Canonicalization and Digest while using xmlsec1
> > to sign a template xml file.
> > According to my understanding of the xml signature spec provided by W3C,
> > source xml file needs Canonicalization(applied to the entire xml) before
> > calculating Digest.
> >
> > The template file looks like this:
> >
> > <?xml version="1.0"?>
> > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature
> > xmlns="http://www.w3.org/2000/09/xmldsig#">
> >    <SignedInfo>
> >         <CanonicalizationMethod
> > Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
> >         <SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >         <Reference URI="">
> >             <Transforms>
> >                 <Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> >             </Transforms>
> >             <DigestMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <DigestValue></DigestValue>
> >         </Reference>
> >     </SignedInfo>
> >     <SignatureValue />
> >     <KeyInfo>
> >         <KeyValue />
> >     </KeyInfo>
> > </Signature></root>
> > (to verify my understanding, there's no space and line changing between
> > data nodes)
> >
> > In the result, xmlsec1 put desired values into proper fields, while the
> > original data remains the same, like:
> >
> > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>
> >
> > However, I tried to do the Canonicalization with libxml, and the result
> > is like (neglecting the signature node):
> >
> > <?xml version="1.0"?>
> > <node>
> >   <node>text</node>
> >   <node>
> >     <node>
> >       <node>text</node>
> >       <node>text</node>
> >     </node>
> >     <node>text</node>
> >   </node>
> > </node>
> >
> > which leads to different digest value.
> > Do I misunderstand something, or is the way I used xmlsec1 wrong?
> >
> > Thank you
> >
> >
> > How I do the Canonicalization with libxml:
> >  get nodeset by:
> >   xmlXPathObjectPtr xpathresult = xmlXPathEvalExpression(BAD_CAST "/descendant-or-self::node()", context);
> >  then get Canonicalization by:
> >   /* mode 2 is XML_C14N_1_1; with_comments = 1; c14noutputbuffer is assumed to wrap
> >      the xmlBufferPtr c14nbuffer via xmlOutputBufferCreateBuffer() */
> >   xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1, c14noutputbuffer);
> >   xmlDocPtr c14ndoc = xmlParseMemory((const char *) c14nbuffer->content, c14nbuffer->use);
> >
> >
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
>
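The reference processing model both messages above discuss, as an added example that is not part of this thread and is not xmlsec1's or libxml2's code: for the same-document Reference URI="", the enveloped-signature transform drops the Signature element, the remaining node-set is canonicalized, and the digest is taken over that canonical text, so the digest is the same before and after xmlsec1 fills in the signature, while a digest of the entire file is not. It assumes Python's standard library only; xml.etree.ElementTree.canonicalize implements C14N 2.0 and is used here in place of the C14N 1.1 algorithm named in the template, and the sample document and its urn:example namespace are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = "urn:example"  # constructed stand-in for the thread's xmlns="..."
# Constructed sample: the thread's data nodes, plus a minimal Signature
# template placed inside the root element (an enveloped signature).
BODY = ('<root xmlns="%s"><node>text</node><node><node><node>text</node>'
        '<node>dlink</node></node><node>text</node></node>' % NS)
SIGNATURE = ('<Signature xmlns="%s"><SignedInfo><Reference URI=""/>'
             '</SignedInfo><SignatureValue>%s</SignatureValue></Signature>')

def template(signature_value=""):
    """The file on disk: SignatureValue empty before signing, filled after."""
    return BODY + SIGNATURE % (DSIG_NS, signature_value) + "</root>"

def enveloped_signature_transform(xml_text):
    """Drop every ds:Signature element, keeping any text that followed it,
    so the rest of the node-set is exactly what was in the file."""
    root = ET.fromstring(xml_text)  # ET's default parser discards comments
    sig_tag = "{%s}Signature" % DSIG_NS
    for parent in list(root.iter()):
        prev = None
        for child in list(parent):
            if child.tag != sig_tag:
                prev = child
                continue
            if child.tail:  # re-attach tail text to the previous sibling or parent
                if prev is not None:
                    prev.tail = (prev.tail or "") + child.tail
                else:
                    parent.text = (parent.text or "") + child.tail
            parent.remove(child)
    return ET.tostring(root, encoding="unicode", default_namespace=NS)

def canonical_node_set(xml_text):
    """Canonical form of the transformed node-set (C14N 2.0, with comments)."""
    return ET.canonicalize(enveloped_signature_transform(xml_text),
                           with_comments=True)

def reference_digest(xml_text):
    """DigestValue for <Reference URI="">: base64(SHA-1(canonical node-set))."""
    data = canonical_node_set(xml_text).encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def whole_file_digest(xml_text):
    """Digest of the 'entire xml'; it changes once the signature is filled in."""
    data = xml_text.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")
```

canonical_node_set(template()) returns the data nodes exactly as written in the file, without the pretty-printing seen in the libxml2 output above, and reference_digest(template()) equals reference_digest(template("c2lnbmF0dXJl")) while whole_file_digest differs between the two.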
