[xmlsec] About Canonicalization and Digest
Aleksey Sanin
aleksey at aleksey.com
Sat Jun 2 12:44:07 PDT 2012
The xmlsec1 tool has an option --store-references that shows exactly
what was digested. Run it and see for yourself.
Aleksey
On 6/2/12 12:33 PM, Neko wrote:
> But the DigestValue is the digest of original xml content,
> <root
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>
>
> Does it mean that the Canonicalization result I got is not the correct one?
> <?xml version="1.0"?>
> <node>
> <node>text</node>
> <node>
> <node>
> <node>text</node>
> <node>text</node>
> </node>
> <node>text</node>
> </node>
> </node>
>
> Thank you for answering
>
> 2012/6/3 Aleksey Sanin <aleksey at aleksey.com>
>
> Yes
>
> Aleksey
>
> On 6/2/12 11:55 AM, Neko wrote:
> >
> > Thank you for answering.
> > So if signing the node inside the xml file(same-document reference),
> > first we have to get the XPath node-set,
> > then do the Canonicalization on the node-set,
> > and calculating Digest of the Canonicalization result.
> > The original content of referenced node-set won't be changed.
> >
> > But in the test case
> > input
> >
> > <root
> > xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>
> >
> > Canonicalization form obtained from libxml2(<CanonicalizationMethod>
> > Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments")
> >
> > <?xml version="1.0"?>
> > <node>
> > <node>text</node>
> > <node>
> > <node>
> > <node>text</node>
> > <node>text</node>
> > </node>
> > <node>text</node>
> > </node>
> > </node>
> >
> > Shouldn't digest value base on the second one?
> >
> > Thank you
> >
> >
> > 2012/6/3 Aleksey Sanin <aleksey at aleksey.com>
> >
> > " ... source xml file needs Canonicalization(applied to the entire
> > xml) ..."
> >
> > That's not quite correct. You can not use the "entire xml" because the
> > insertion of the signature changes it and the digest match during
> > verification would fail.
> >
> > This is the part of the spec that talks about it
> >
> > http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel
> >
> >
> > Aleksey
> >
> > On 6/2/12 10:34 AM, Neko wrote:
> > > Dear Aleksey
> > >
> > > I have a question about Canonicalization and Digest while using
> > xmlsec1
> > > to sign template xml file.
> > > According to my understanding of xml signature spec provided by W3C,
> > > source xml file needs Canonicalization(applied to the entire xml) before
> > > calculating Digest.
> > >
> > > The template file looks like this:
> > >
> > > <?xml version="1.0"?>
> > > <root
> > > xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature
> > > xmlns="http://www.w3.org/2000/09/xmldsig#">
> > > <SignedInfo>
> > > <CanonicalizationMethod
> > > Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
> > > <SignatureMethod
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > > <Reference URI="">
> > > <Transforms>
> > > <Transform
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> > > </Transforms>
> > > <DigestMethod
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > > <DigestValue></DigestValue>
> > > </Reference>
> > > </SignedInfo>
> > > <SignatureValue />
> > > <KeyInfo>
> > > <KeyValue />
> > > </KeyInfo>
> > > </Signature></root>
> > > (to verify my understanding, there's no space and line changing between
> > > data nodes)
> > >
> > > In the result, xmlsec1 put desired values into proper fields, while the
> > > original data remains the same, like:
> > >
> > > <root
> > > xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>
> > >
> > > However, I tried to do the Canonicalization with libxml, and the result
> > > is like:(neglect signature node)
> > >
> > > <?xml version="1.0"?>
> > > <node>
> > > <node>text</node>
> > > <node>
> > > <node>
> > > <node>text</node>
> > > <node>text</node>
> > > </node>
> > > <node>text</node>
> > > </node>
> > > </node>
> > >
> > > which leads to different digest value.
> > > Do I misunderstand something, or the way I used xmlsec1 is wrong?
> > >
> > > Thank you
> > >
> > >
> > > How I do the Canonicalization with libxml:
> > > get nodeset by:
> > > xmlXPathEvalExpression("/descendant-or-self::node()",context)
> > > then get Canonicalization by:
> > > xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1, c14noutputbuffer);
> > > xmlDocPtr c14ndoc = xmlParseMemory(c14nbuffer->content, c14nbuffer->use);
> > >
> > >
> > >
> > > _______________________________________________
> > > xmlsec mailing list
> > > xmlsec at aleksey.com
> > > http://www.aleksey.com/mailman/listinfo/xmlsec
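The reference processing model the thread argues about, shown as an added example (it is not from this thread, from xmlsec, or from libxml2): for a Reference with URI="" and the enveloped-signature transform, the digested bytes are the canonical form of the whole document with every ds:Signature element removed, not the raw file. The example uses Python's standard-library `xml.etree.ElementTree.canonicalize` (C14N 2.0, not the C14N 1.1 named in the poster's template; the assumption here is that for this document, with one default namespace, no comments and no attributes to reorder, both produce the same bytes) and its `exclude_tags` option as a stand-in for the enveloped-signature transform. The sample documents are constructed to mirror the template in the thread, with `urn:example` as a placeholder for the elided `xmlns="..."` and dummy base64 fillers for the signed values; SHA-1 is used only because the template's DigestMethod names it.

```python
# Added example: emulate XML-DSig Reference processing for URI="" with the
# enveloped-signature transform using only the Python standard library.
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample data modelled on the thread's template.
# "urn:example" stands in for the xmlns="..." the poster elided.
DATA = (
    b'<root xmlns="urn:example"><node>text</node>'
    b'<node><node><node>text</node><node>dlink</node></node><node>text</node></node>'
)
SIGNATURE_TEMPLATE = (
    b'<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
    b'<SignedInfo>'
    b'<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>'
    b'<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    b'<Reference URI=""><Transforms>'
    b'<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    b'</Transforms>'
    b'<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    b'<DigestValue></DigestValue></Reference></SignedInfo>'
    b'<SignatureValue/><KeyInfo><KeyValue/></KeyInfo></Signature>'
)

# Same data three ways: unsigned, with the empty template, and "after signing"
# (dummy base64 fillers, constructed; no real key is involved).
PLAIN_DOC = b'<?xml version="1.0"?>' + DATA + b'</root>'
TEMPLATE_DOC = b'<?xml version="1.0"?>' + DATA + SIGNATURE_TEMPLATE + b'</root>'
SIGNED_DOC = (
    TEMPLATE_DOC
    .replace(b'<DigestValue></DigestValue>', b'<DigestValue>AAAA</DigestValue>')
    .replace(b'<SignatureValue/>', b'<SignatureValue>BBBB</SignatureValue>')
)


def canonical_reference_bytes(xml_bytes: bytes) -> bytes:
    """Canonical form of the URI="" node-set minus every ds:Signature subtree.

    ET.canonicalize implements C14N 2.0; for this document the result is
    assumed to equal the C14N 1.1 output the template asks for. exclude_tags
    drops the Signature element and its subtree, which is exactly what the
    enveloped-signature transform removes before digesting.
    """
    return ET.canonicalize(
        xml_bytes,
        with_comments=True,
        exclude_tags=[f"{{{DSIG_NS}}}Signature"],
    ).encode("utf-8")


def reference_digest(xml_bytes: bytes, hash_name: str = "sha1") -> str:
    """Base64 DigestValue over the canonical reference bytes (SHA-1 as in the template)."""
    digest = hashlib.new(hash_name, canonical_reference_bytes(xml_bytes)).digest()
    return base64.b64encode(digest).decode("ascii")


def whole_file_digest(xml_bytes: bytes, hash_name: str = "sha1") -> str:
    """Digest of the raw file bytes: the "entire xml" approach the thread rejects."""
    return base64.b64encode(hashlib.new(hash_name, xml_bytes).digest()).decode("ascii")


if __name__ == "__main__":
    # The canonical reference keeps <root xmlns="..."> and adds no whitespace.
    print(canonical_reference_bytes(TEMPLATE_DOC).decode("utf-8"))
    for name, doc in (("plain", PLAIN_DOC), ("template", TEMPLATE_DOC), ("signed", SIGNED_DOC)):
        print(f"{name:9s} reference={reference_digest(doc)}  whole-file={whole_file_digest(doc)}")
```

Running it shows why the reference digest is stable: the plain document, the unsigned template and the filled-in signed document all yield the same DigestValue, because the Signature subtree is excluded before canonicalization, while a digest over the raw file changes as soon as the signature is inserted and would never verify. It also shows what the poster's libxml2 output should have looked like: the root element with its `xmlns` declaration is kept and no line breaks or indentation are introduced. `xmlsec1 --store-references`, as the reply above says, is the way to see the exact bytes xmlsec digested for a real document.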