[xmlsec] Embedded signature: canonicalization issues
Aleksey Sanin
aleksey at aleksey.com
Mon Jul 7 00:33:45 PDT 2014
RTFM
http://www.w3.org/TR/xml-c14n#Terminology
http://www.w3.org/TR/xml-c14n#Example-WhitespaceInContent
Aleksey
On 7/7/14, 12:17 AM, Thomas Elstner wrote:
> Hello,
>
> I'm trying to adopt the examples given in sign3.c and verify3.c to sign
> and verify subnodes of an XML document using embedded signatures.
> The templated XML I'm signing looks like this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
> <!DOCTYPE test [
> <!ATTLIST License Id ID #IMPLIED>
> ]>
> <LicenseList>
> <License Id="base">
> <Component>base</Component>
> <ValidFrom>2012-01-01T00:00:00</ValidFrom>
> <ValidTo>3000-12-31T00:00:00</ValidTo>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-base">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#base">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
> />
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue/>
> </Reference>
> </SignedInfo>
> <SignatureValue/>
> <KeyInfo>
> <X509Data/>
> </KeyInfo>
> </Signature>
> </License>
> <License Id="bookmarks">
> <Component>bookmarks</Component>
> <ValidFrom>2012-01-01T00:00:00</ValidFrom>
> <ValidTo>3000-12-31T00:00:00</ValidTo>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-bookmarks">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#bookmarks">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
> />
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue/>
> </Reference>
> </SignedInfo>
> <SignatureValue/>
> <KeyInfo>
> <X509Data/>
> </KeyInfo>
> </Signature>
> </License>
> </LicenseList>
>
> The signed XML my code produces looks like this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <!DOCTYPE test [
> <!ATTLIST License Id ID #IMPLIED>
> ]>
> <LicenseList><License
> Id="base"><Component>base</Component><ValidFrom>2012-01-01T00:00:00</ValidF
> rom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature
> xmlns="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-base"><SignedInfo><CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMetho
> d><SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><R
> eference URI="#base"><Transforms><Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transfo
> rm></Transforms><DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestVa
> lue>W4FWJ3y4LDVvDqZrFXvMzNaIAq0=</DigestValue></Reference></SignedInfo><Sig
> natureValue>PeTwPHH1ncQ0vVevOXWW0ZQTj4BmdqVNivqNRgIiQ0mHW8s/Fd93WOaPJ7sTF+j
> X
> GKYY/9L3DsQG/8qIwhQSGR52vM6FoorNKopZ1ld31B6+d7y4sn45G7Lm9l4geFG6
> s42ahK823UVNQQppNE1Se3+IhUPd5yepZM77IqaT4VQ=</SignatureValue><KeyInfo><X509
> Data>
> <X509Certificate>blablabla...</X509Certificate>
> </X509Data></KeyInfo></Signature></License><License
> Id="bookmarks"><Component>bookmarks</Component><ValidFrom>2012-01-01T00:00:
> 00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature
> xmlns="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-bookmarks"><SignedInfo><CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMetho
> d><SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><R
> eference URI="#bookmarks"><Transforms><Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transfo
> rm></Transforms><DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestVa
> lue>q20LUJoSDkpF1uyCNx+htvUhMxY=</DigestValue></Reference></SignedInfo><Sig
> natureValue>E0VUK9iVIO9weJIQ4fSC151O1kCl6ZZ9vvPmPwiwHa2g32dTv4eZPFktptaRORp
> 2
> S3o9FtFk5UUB8lp8TXxvhp2G9Dor5Sk/iOyrfhiDqhZCQyOR5HVnnAEDEldtSoW1
> 6wpqBxJwzglK6nUdc+6baV1/Oat/YaO6agIAKaR0CLU=</SignatureValue><KeyInfo><X509
> Data>
> <X509Certificate>blablabla...</X509Certificate>
> </X509Data></KeyInfo></Signature></License></LicenseList>
>
> I can successfully sign & verify the XML for each License node, however,
> the DigestValue and the SignatureValues are different from what I achieve
> using the xmlsec1 command line tool
> (using this commandline: xmlsec1 --sign --privkey-pem base.key,base.pem
> --node-id base --output signed.xml tosign.xml and similar for the
> bookmarks-node):
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <!DOCTYPE test [
> <!ATTLIST License Id ID #IMPLIED>
> ]>
> <LicenseList>
> <License Id="base">
> <Component>base</Component>
> <ValidFrom>2012-01-01T00:00:00</ValidFrom>
> <ValidTo>3000-12-31T00:00:00</ValidTo>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-base">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#base">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>Sbk/adhAenj+cbDJ+L0V6ZO3ukg=</DigestValue>
> </Reference>
> </SignedInfo>
>
> <SignatureValue>RF9jZrnIaOqJLMRIQq0eG2Yo/9y+bsMDwMOMxEDJYRjWJ6ZCdniyRbwRw4M
> IdsPs
> fq95khfvTTJdpaDXMEl6qIqEsJZHc/g6OlHnjcsK+ZIOnvbBUEwB3jugvCecaM0W
> kkIrUdsuqOwqhg8IByk0pRKDJh5f6NSzxz+P7MH5rlg=</SignatureValue>
> <KeyInfo>
> <X509Data>
> <X509Certificate>blablabla...</X509Certificate>
> </X509Data>
> </KeyInfo>
> </Signature>
> </License>
> <License Id="bookmarks">
> <Component>bookmarks</Component>
> <ValidFrom>2012-01-01T00:00:00</ValidFrom>
> <ValidTo>3000-12-31T00:00:00</ValidTo>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-bookmarks">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#bookmarks">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>rjn86scL4vVK0rRB6WAOanjZ7TA=</DigestValue>
> </Reference>
> </SignedInfo>
>
> <SignatureValue>h/lEvsYx2edALXiFyRB7HtIStKH/T8vsdcO+2keNIsU1k4vlwqSYoShRpNj
> 8My7y
> 6jjrdX8Ne42KvDgLrK41QSW8INt0/PRqrNdf1pM+V0KC91bWlDVOtCNV1lY2dLpc
> S3zdqgAUyHsl5eJ9u0Lw++joPfpuv1Z45MEXmfsNTjY=</SignatureValue>
> <KeyInfo>
> <X509Data>
> <X509Certificate>blablabla...</X509Certificate>
> </X509Data>
> </KeyInfo>
> </Signature>
> </License>
> </LicenseList>
>
>
> Also I have noticed that my signed XML is very sensitive to
> reformatting (just look at the compact nodes; if I pretty print this, the
> validation fails), so I guess something is wrong with the way I am
> applying the canonicalization.
> Actually, I am not adding any particular code to the example code in
> sign3.c and verify3.c to perform the canonicalization except for having a
> CanonicalizationMethod in my template - maybe that's the problem?
>
> Thanks in advance for any help,
> Thomas
>
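Added example, not from the thread and not xmlsec code: the whitespace rule behind the two links in the reply, shown on a constructed stand-in for one of the <License> subtrees quoted above. The block uses Python's standard-library canonicalizer (xml.etree.ElementTree.canonicalize, which implements C14N 2.0 rather than the exclusive C14N 1.0 named in the template; both keep whitespace-only text nodes verbatim, which is the only property that matters here) and drops the enveloped <Signature> with exclude_tags to stand in for the enveloped-signature transform. The sample omits the DOCTYPE and selects the License element directly instead of resolving the #base ID reference; the element names and values are copied from the quoted template, everything else (PRETTY, COMPACT, the helper names) is assumed. It shows that the digest input for the pretty-printed subtree, which is what xmlsec1 --node-id base canonicalizes, and the digest input for the compact serialization differ by the newline text nodes alone, so the two DigestValues differ, and any reformatting after signing breaks verification.

```python
"""Why an XML-DSig DigestValue changes when whitespace-only text nodes are
reformatted.  Constructed sample, standard library only: C14N 2.0 from
xml.etree stands in for exclusive C14N 1.0, which preserves whitespace in
content in exactly the same way."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS

# Constructed stand-in for one <License> subtree from the mailing-list
# template, in the "pretty" form that xmlsec1 --node-id base would sign.
# No DOCTYPE: the element is selected directly rather than via its Id.
PRETTY = """<LicenseList>
<License Id="base">
<Component>base</Component>
<ValidFrom>2012-01-01T00:00:00</ValidFrom>
<ValidTo>3000-12-31T00:00:00</ValidTo>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
<SignedInfo/>
<SignatureValue/>
</Signature>
</License>
</LicenseList>
"""

# The same elements with every whitespace-only text node removed, which is
# what a compact serializer (or a parser that drops blank text) produces.
COMPACT = ('<LicenseList><License Id="base"><Component>base</Component>'
           '<ValidFrom>2012-01-01T00:00:00</ValidFrom>'
           '<ValidTo>3000-12-31T00:00:00</ValidTo>'
           '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">'
           '<SignedInfo/><SignatureValue/></Signature></License></LicenseList>')


def canonical_license(doc: str, license_id: str, strip_text: bool = False) -> bytes:
    """Canonical octets of <License Id=license_id> with the enveloped
    <Signature> removed: the bytes the Reference digest is computed over."""
    root = ET.fromstring(doc)
    elem = root.find(".//License[@Id='%s']" % license_id)
    if elem is None:
        raise ValueError("no License with Id=%r" % license_id)
    elem.tail = None  # text after the subtree is outside the reference
    # Re-serialize the subtree and canonicalize it.  exclude_tags removes the
    # Signature element with its content but keeps the text that follows it,
    # which is what the enveloped-signature transform does.
    subtree = ET.tostring(elem, encoding="unicode")
    canon = ET.canonicalize(subtree, strip_text=strip_text,
                            exclude_tags=[SIGNATURE_TAG])
    return canon.encode("utf-8")


def digest_value(doc: str, license_id: str, strip_text: bool = False) -> str:
    """Base64 of SHA-1 over the canonical octets, i.e. the DigestValue text
    for the sha1 DigestMethod used in the template."""
    raw = canonical_license(doc, license_id, strip_text)
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def whitespace_sensitive() -> bool:
    """True when reformatting alone changes the digest: the thread's symptom."""
    return digest_value(PRETTY, "base") != digest_value(COMPACT, "base")


def whitespace_insensitive_after_strip() -> bool:
    """True when stripping whitespace-only text first makes the digests agree.
    XML-DSig performs no such step; this only locates the difference."""
    return (digest_value(PRETTY, "base", strip_text=True)
            == digest_value(COMPACT, "base", strip_text=True))


if __name__ == "__main__":
    print(canonical_license(PRETTY, "base").decode("utf-8"))
    print("pretty :", digest_value(PRETTY, "base"))
    print("compact:", digest_value(COMPACT, "base"))
    print("differ :", whitespace_sensitive())
```

The strip_text=True path exists only to show where the difference comes from; the signature specification has no whitespace-stripping step, and the templates above declare none. The practical rule that follows from the linked canonicalization text is to canonicalize and sign the exact serialization that will be transmitted, and to verify it without re-indenting or compacting it first.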