[xmlsec] About Canonicalization and Digest

Neko akitsukineko at gmail.com
Sat Jun 2 12:33:13 PDT 2012


But the DigestValue is the digest of the original XML content,
 <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...</root>

Does it mean that the Canonicalization result I got is not the correct one?
<?xml version="1.0"?>
<node>
  <node>text</node>
  <node>
    <node>
      <node>text</node>
      <node>text</node>
    </node>
    <node>text</node>
  </node>
</node>

Thank you for answering

2012/6/3 Aleksey Sanin <aleksey at aleksey.com>

> Yes
>
> Aleksey
>
> On 6/2/12 11:55 AM, Neko wrote:
> >
> > Thank you for answering.
> > So if signing a node inside the XML file (same-document reference),
> >  first we have to get the XPath node-set,
> >  then do the Canonicalization on the node-set,
> >  and calculate the Digest of the Canonicalization result.
> > The original content of the referenced node-set won't be changed.
> >
> > But in the test case, the input is:
> >
> > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...</root>
> >
> > Canonicalization form obtained from libxml2 (<CanonicalizationMethod
> > Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>):
> >
> > <?xml version="1.0"?>
> > <node>
> >   <node>text</node>
> >   <node>
> >     <node>
> >       <node>text</node>
> >       <node>text</node>
> >     </node>
> >     <node>text</node>
> >   </node>
> > </node>
> >
> > Shouldn't the digest value be based on the second one?
> >
> > Thank you
> >
> >
> > 2012/6/3 Aleksey Sanin <aleksey at aleksey.com>
> >
> >     " ... source xml file needs Canonicalization(applied to the entire
> >     xml) ..."
> >
> >     That's not quite correct. You cannot use the "entire xml" because the
> >     insertion of the signature changes it and the digest match during
> >     verification would fail.
> >
> >     This is the part of the spec that talks about it
> >
> >     http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel
> >
> >
> >     Aleksey
> >
> >     On 6/2/12 10:34 AM, Neko wrote:
> >     > Dear Aleksey
> >     >
> >     > I have a question about Canonicalization and Digest while using
> >     > xmlsec1 to sign a template XML file.
> >     > According to my understanding of the XML signature spec provided by
> >     > W3C, the source XML file needs Canonicalization (applied to the
> >     > entire XML) before calculating the Digest.
> >     >
> >     > The template file looks like this:
> >     >
> >     > <?xml version="1.0"?>
> >     > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> >     >     <SignedInfo>
> >     >         <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
> >     >         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >     >         <Reference URI="">
> >     >             <Transforms>
> >     >                 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >     >             </Transforms>
> >     >             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >     >             <DigestValue></DigestValue>
> >     >         </Reference>
> >     >     </SignedInfo>
> >     >     <SignatureValue />
> >     >     <KeyInfo>
> >     >         <KeyValue />
> >     >     </KeyInfo>
> >     > </Signature></root>
> >     > (to verify my understanding, there is no space or line break
> >     > between data nodes)
> >     >
> >     > In the result, xmlsec1 puts the desired values into the proper
> >     > fields, while the original data remains the same, like:
> >     >
> >     > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...</root>
> >     >
> >     > However, I tried to do the Canonicalization with libxml, and the
> >     > result is like (neglecting the signature node):
> >     >
> >     > <?xml version="1.0"?>
> >     > <node>
> >     >   <node>text</node>
> >     >   <node>
> >     >     <node>
> >     >       <node>text</node>
> >     >       <node>text</node>
> >     >     </node>
> >     >     <node>text</node>
> >     >   </node>
> >     > </node>
> >     >
> >     > which leads to a different digest value.
> >     > Do I misunderstand something, or is the way I used xmlsec1 wrong?
> >     >
> >     > Thank you
> >     >
> >     >
> >     > How I do the Canonicalization with libxml:
> >     >  get nodeset by:
> >     >   xmlXPathEvalExpression("/descendant-or-self::node()", context)
> >     >  then get Canonicalization by:
> >     >   xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1, c14noutputbuffer);
> >     >   xmlDocPtr c14ndoc = xmlParseMemory(c14nbuffer->content, c14nbuffer->use);
> >     >
> >     >
> >     >
> >     > _______________________________________________
> >     > xmlsec mailing list
> >     > xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> >     > http://www.aleksey.com/mailman/listinfo/xmlsec
> >
> >
> >
> >
> >
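The reference processing model Aleksey points to, carried out in code as an added example (not from this thread and not xmlsec1's code): dereference URI="" to the whole document, apply the enveloped-signature transform, canonicalize, then digest. It uses only the Python standard library, whose `canonicalize()` implements C14N 2.0 rather than the c14n11 algorithm named in the template (the octets coincide for this namespace-simple document, but a real verifier must use the algorithm named in CanonicalizationMethod); the namespace URI `urn:example:data` and the template text are constructed.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed template modelled on the thread's: no whitespace between data nodes,
# one enveloped <Signature> with an empty DigestValue. urn:example:data is made up.
TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<root xmlns="urn:example:data"><node>text</node><node><node><node>text</node>'
    '<node>dlink</node></node><node>text</node></node>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<Reference URI=""><Transforms>'
    '<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '</Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<DigestValue></DigestValue></Reference></SignedInfo>'
    '<SignatureValue/><KeyInfo><KeyValue/></KeyInfo></Signature></root>'
)

def reference_input(xml_text: str) -> str:
    """URI="" selects the whole document; the enveloped-signature transform drops
    the enclosing <Signature> (done here with exclude_tags); then canonicalize."""
    return ET.canonicalize(xml_text, with_comments=True,
                           exclude_tags=[f"{{{DSIG_NS}}}Signature"])

def b64_sha1(octets: bytes) -> str:
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")

def reference_digest(xml_text: str) -> str:
    """What belongs in <DigestValue>: SHA-1 over the canonical octets."""
    return b64_sha1(reference_input(xml_text).encode("utf-8"))

def whole_file_digest(xml_text: str) -> str:
    """The reading Aleksey rejects: hash the raw file, <Signature> included."""
    return b64_sha1(xml_text.encode("utf-8"))

def fill_digest(xml_text: str) -> str:
    """Stand-in for xmlsec1 writing the DigestValue into the template."""
    return xml_text.replace("<DigestValue></DigestValue>",
                            f"<DigestValue>{reference_digest(xml_text)}</DigestValue>")

if __name__ == "__main__":
    signed = fill_digest(TEMPLATE)
    print(reference_input(TEMPLATE))  # one line, no XML declaration, no <Signature>
    print(reference_digest(TEMPLATE) == reference_digest(signed))    # True
    print(whole_file_digest(TEMPLATE) == whole_file_digest(signed))  # False
```

C14N never re-indents: the canonical octets for a whitespace-free template are a single line without an XML declaration, so hashing a pretty-printed dump or a re-parsed copy instead of these octets yields a different DigestValue.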