[xmlsec] About Canonicalization and Digest
Aleksey Sanin
aleksey at aleksey.com
Sat Jun 2 12:06:09 PDT 2012
Yes
Aleksey
On 6/2/12 11:55 AM, Neko wrote:
>
> Thank you for answering.
> So if signing the node inside the xml file (same-document reference),
> first we have to get the XPath node-set,
> then do the Canonicalization on the node-set,
> and calculate the Digest of the Canonicalization result.
> The original content of referenced node-set won't be changed.
>
> But in the test case
> input
>
> <root>
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>
>
> Canonicalization form obtained from libxml2 (<CanonicalizationMethod>
> Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments")
>
> <?xml version="1.0"?>
> <node>
> <node>text</node>
> <node>
> <node>
> <node>text</node>
> <node>text</node>
> </node>
> <node>text</node>
> </node>
> </node>
>
> Shouldn't the digest value be based on the second one?
>
> Thank you
>
>
> 2012/6/3 Aleksey Sanin <aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
>
> " ... source xml file needs Canonicalization(applied to the entire
> xml) ..."
>
> That's not quite correct. You cannot use the "entire xml" because the
> insertion of the signature changes it and the digest match during
> verification would fail.
>
> This is the part of the spec that talks about it
>
> http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel
>
>
> Aleksey
>
> On 6/2/12 10:34 AM, Neko wrote:
> > Dear Aleksey
> >
> > I have a question about Canonicalization and Digest while using
> xmlsec1
> > to sign a template xml file.
> > According to my understanding of xml signature spec provided by W3C,
> > source xml file needs Canonicalization(applied to the entire xml)
> before
> > calculating Digest.
> >
> > The template file looks like this:
> >
> > <?xml version="1.0"?>
> > <root
> >
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature
> > xmlns="http://www.w3.org/2000/09/xmldsig#">
> > <SignedInfo>
> > <CanonicalizationMethod
> > Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
> > <SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > <Reference URI="">
> > <Transforms>
> > <Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> > </Transforms>
> > <DigestMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > <DigestValue></DigestValue>
> > </Reference>
> > </SignedInfo>
> > <SignatureValue />
> > <KeyInfo>
> > <KeyValue />
> > </KeyInfo>
> > </Signature></root>
> > (to verify my understanding, there are no spaces or line breaks
> between
> > data nodes)
> >
> > In the result, xmlsec1 put the desired values into the proper fields,
> while the
> > original data remains the same, like:
> >
> > <root
> >
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>
> >
> > However, I tried to do the Canonicalization with libxml, and the
> result
> > is like (ignoring the signature node):
> >
> > <?xml version="1.0"?>
> > <node>
> > <node>text</node>
> > <node>
> > <node>
> > <node>text</node>
> > <node>text</node>
> > </node>
> > <node>text</node>
> > </node>
> > </node>
> >
> > which leads to a different digest value.
> > Do I misunderstand something, or is the way I used xmlsec1 wrong?
> >
> > Thank you
> >
> >
> > How I do the Canonicalization with libxml:
> > get nodeset by:
> > xmlXPathEvalExpression("/descendant-or-self::node()",context)
> > then get Canonicalization by:
> > xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1,
> > c14noutputbuffer);
> > xmlDocPtr c14ndoc = xmlParseMemory(c14nbuffer->content, c14nbuffer->use);
> >
> >
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> > http://www.aleksey.com/mailman/listinfo/xmlsec
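The reference processing model Aleksey points to, as an added example that is not part of the thread or of xmlsec: a same-document Reference (URI="") with the enveloped-signature transform, canonicalized and digested using only the Python standard library. It assumes a constructed template modelled on Neko's (namespace urn:example, a placeholder SignatureValue), uses C14N 2.0 from xml.etree where the thread uses C14N 1.1, and SHA-256 where the thread's DigestMethod is sha1, so the values will not match xmlsec1's byte for byte.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", "urn:example")  # stands in for the thread's xmlns="..."
ET.register_namespace("ds", DSIG)         # keeps prefixes stable across re-serialisation

# Constructed template modelled on the thread's (no whitespace between data nodes).
TEMPLATE = (
    '<root xmlns="urn:example"><node>text</node><node><node><node>text</node>'
    '<node>dlink</node></node><node>text</node></node>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI="">'
    '<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '</Transforms><DigestValue></DigestValue></Reference></SignedInfo>'
    '<SignatureValue/></Signature></root>'
)

def enveloped_transform(xml_text):
    """Enveloped-signature transform: drop ds:Signature, return the rest of the doc."""
    root = ET.fromstring(xml_text)
    doomed = [(p, c) for p in root.iter() for c in p if c.tag == f"{{{DSIG}}}Signature"]
    for parent, child in doomed:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode")

def digest_b64(text):
    # SHA-256 stands in for the thread's sha1 DigestMethod; the flow is identical.
    return base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()

def reference_digest(xml_text):
    """Reference processing model for URI="": transform -> canonicalize -> digest.
    The stdlib canonicalizer is C14N 2.0 (the thread uses 1.1), so the value will
    not match xmlsec1's byte for byte; the order of steps is the same."""
    return digest_b64(ET.canonicalize(enveloped_transform(xml_text), with_comments=True))

def whole_document_digest(xml_text):
    """What the 'canonicalize the entire xml' reading from the thread computes."""
    return digest_b64(ET.canonicalize(xml_text, with_comments=True))

def fill_signature(xml_text, digest, sig):
    """Write DigestValue and SignatureValue into the template, as xmlsec1 does."""
    root = ET.fromstring(xml_text)
    root.find(f".//{{{DSIG}}}DigestValue").text = digest
    root.find(f".//{{{DSIG}}}SignatureValue").text = sig
    return ET.tostring(root, encoding="unicode")

def signing_keeps_reference_digest(template=TEMPLATE):
    """True: the enveloped transform strips the inserted values before digesting."""
    signed = fill_signature(template, reference_digest(template), "cGxhY2Vob2xkZXI=")
    return reference_digest(signed) == reference_digest(template)
```

signing_keeps_reference_digest() is True because the transform removes the Signature before digesting, while whole_document_digest() changes as soon as DigestValue and SignatureValue are filled in, which is exactly the verification failure Aleksey describes.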