[xmlsec] [EXTERNAL]: Re: Hi Aleksey - thx for the great work on xmlsec - a question about how xmlsec signs
Hans Kessock
hans at ionicsecurity.com
Tue May 23 10:09:00 PDT 2017
Apologies, I e-mailed xmlsec at aleksey.com on March 28th – but it never showed up. I am subscribed to the list and do receive periodic e-mails (at least the recent ones of the past two weeks.)
Previously I used libxml2 to output the c14n version of the submitted xml (which I then turned into a parameterized assertion template.)
I’ll try to use the --store-references option.
Thanks,
Hans
-----Original Message-----
From: Aleksey Sanin <aleksey at aleksey.com>
Date: Tuesday, May 23, 2017 at 12:55 PM
To: Hans Kessock <hans at ionicsecurity.com>, "xmlsec at aleksey.com" <xmlsec at aleksey.com>
Subject: [EXTERNAL]: Re: Hi Aleksey - thx for the great work on xmlsec - a question about how xmlsec signs
In the future, it is best to use the xmlsec mailing list.
You might want to read the spec (https://www.w3.org/TR/xmldsig-core/)
and in particular regarding your question, you will need to
understand the c14n process
(https://www.w3.org/TR/2001/REC-xml-c14n-20010315 and
https://www.w3.org/TR/xml-exc-c14n/).
You might also want to try --store-references option for xmlsec1
command line tool to view the exact dump of what was signed.
Best,
Aleksey
On 5/23/17 4:38 AM, Hans Kessock wrote:
> I’ve got a linux box using xmlsec to validate SAML assertions that are
> returned to it (it being the service provider in this scenario) and
> everything works GREAT. I validate Ping IDP responses, my own custom IDP
> responses (because that test IDP uses xmlsec to sign assertions) –
> everything works very well.
>
> I’ve now got an administrator tool I need to create that is as small and
> dependency free as possible – that also needs to be able to produce
> signed assertions.
>
> My problem is that I’ve tried to reproduce the digest value hash
> produced by xmlsec when signing and I’ve never been able to do so. I’ve
> read so much stuff about xml digital signatures and SAML 2.0 by now that
> my eyes are crossed.
>
> My next step was to look through the xmlsec code to see how it was you
> produce a signed xml doc; however, ironically, it’s so well written and
> extensible (as an execution buffer) that I can’t figure out exactly what
> it does! Lol.
>
> If you’ve the time and patience, I wanted to present a piece of Xml
> below and ask you – what exactly does xmlsec do with it if I tell it to
> sign a specific ID?
>
> If I sign the following Xml (apologies for the form – I wanted to show
> it exactly as I pass it to xmlsec) and specify: --id-attr:ID Assertion
>
> <samlp:Response xmlns:saml = "urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"
> ID="r4aaaa888-6607-4d06-bd00-b6e31386f497"
> InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428"
> IssueInstant="2017-05-23T11:08:51Z"
> Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><samlp:Status><samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> ID="a3452e5ef-74cb-4559-8236-5a4994a73f9c"
> IssueInstant="2017-05-23T11:08:51Z"
> Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><saml:Subject><saml:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> SPNameQualifier="">email</saml:NameID><saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
> InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428"
> NotOnOrAfter="2017-05-23T11:23:51Z"
> Recipient="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions
> NotBefore="2017-05-23T11:08:51Z"
> NotOnOrAfter="2017-05-23T11:23:51Z"><saml:AudienceRestriction><saml:Audience>ionic</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement
> AuthnInstant="authnstatement_instant"
> SessionIndex="r4aaaa888-6607-4d06-bd00-b6e31386f497"
> SessionNotOnOrAfter="2017-05-23T11:23:51Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute
> Name="email"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> xsi:type="xs:string">hans at ionic.com</saml:AttributeValue></saml:Attribute><saml:Attribute
> Name="upn"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> xsi:type="xs:string">hans at ionic.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
> URI="#a3452e5ef-74cb-4559-8236-5a4994a73f9c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue></ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue/><ds:KeyInfo><ds:KeyValue/></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>
>
> I get the following from xmlsec (which is accepted by my xmlsec backend
> of course):
>
> <?xml version="1.0"?>
> <samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"
> ID="r4aaaa888-6607-4d06-bd00-b6e31386f497"
> InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428"
> IssueInstant="2017-05-23T11:08:51Z"
> Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><samlp:Status><samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> ID="a3452e5ef-74cb-4559-8236-5a4994a73f9c"
> IssueInstant="2017-05-23T11:08:51Z"
> Version="2.0"><saml:Issuer>ionic-headless/saml</saml:Issuer><saml:Subject><saml:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> SPNameQualifier="">email</saml:NameID><saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
> InResponseTo="ie3a8fdfc-7162-42e2-820f-ebe6a2f52428"
> NotOnOrAfter="2017-05-23T11:23:51Z"
> Recipient="https://mastereng-enrollment.in.ionicsecurity.com/keyspace/C7DV/sp/55d34e208e66393e53551b79/default/saml"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions
> NotBefore="2017-05-23T11:08:51Z"
> NotOnOrAfter="2017-05-23T11:23:51Z"><saml:AudienceRestriction><saml:Audience>ionic</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement
> AuthnInstant="authnstatement_instant"
> SessionIndex="r4aaaa888-6607-4d06-bd00-b6e31386f497"
> SessionNotOnOrAfter="2017-05-23T11:23:51Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute
> Name="email"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> xsi:type="xs:string">hans at ionic.com</saml:AttributeValue></saml:Attribute><saml:Attribute
> Name="upn"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> xsi:type="xs:string">hans at ionic.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
> URI="#a3452e5ef-74cb-4559-8236-5a4994a73f9c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>vZsVj16MJpcpg34UlutAHAcHqrE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>weFHX1LPALmbCcy756YzdEDnqyPXI/URZsvFA5KE50a2L07hDcDkNSfe9FLcwRTm
> wjecs2eJNFAvlPR1QqHtjLlCaI/QUeSPyhOkCvVsrCaQWBH9AbmQRMR1VzEm5nEa
> sXOyF8hsp/sdsW2zGpuJxOfFg/q3tksuJzbOR7cF5GBscEfZRZNmuuI/fJ8p62Lf
> 4dN9dGFSMFzd3nhQ3tpWTi9XZAwD6qJ+15QF7gMsXx1q0tZnj3DClMf+QX4Qh/xt
> 5mhSKvEii8ognd+mJxRLc90pzRdojzQdGIgB2gboP6jWHsGFy+DfPyTFQQ0YO0R2
> 6rQ7u1MIvRjD9bliSNCEaEh/rtPLfcqGwDQF3wyYjiBF7ZmscWOu+k3YeqNYRWu6
> Bh0SCUzeAtlRjB8lmhjWj7iwaXtEqIFX2B/B/W9ToLqrtBHTtPMgIKI4UwA/+dJh
> ZFJef0dJ7RmZmIAWYAn7XctKT4oSPBydTHLifZuSyf5fxtNnmo0bu2NtlIv7NdP4
> o1xh6AAy+zleXsR4MAyJTYX2KurSh1FffIhbxkmNjfR9cq8xcR49xbuSMn3yoPDD
> HxDCmby5D1Nrh6dUb1/9haTeulEfT+eCncgJ/2oWHs89rh813X0kuoWXZwv+4umU
> weNuVA7z90sFklZ+qfANfNH5QiAWwsZfCgkIE4Y3alU=</ds:SignatureValue><ds:KeyInfo><ds:KeyValue>
> <ds:RSAKeyValue>
> <ds:Modulus>
> zlZSZixErcVurJ9puM+51AU8xqu5dvZUpnvV51ozaxmE7cK3SZV5mWS6GdWjz9ix
> fgWxFLcGOEVM/VOAV9MYjsHsIrktZ3zY7qYAEvEIqgCv1++cuI9ChholYHy0Z4r/
> +LXniSLGUV/GAecPeYndof+igQTNgK+kNqT8ohcsO9VptvqZtETg25GyiK/vIsK3
> 5n3h8CLdj6y7hPfYPYZJKjAGbTZ0GrvUV5q5fuNHoBUnl0+D6snfJfEHj/vVtU2O
> 1dhkktoPO0jyOWHyVpLgTT4Yyk2cFgkyyIdO9MDyOLPepxgg4hWS9gIuPBZAZcw1
> 8bPNqenLMyD3h2nz+nvi1towBq6OD7FPJSkNMzhn2rjfXfVoh03N93cvQekRjU/5
> In7H8nfQEo2zqxa1EYSEoEscqOcHT8f4NzQUD0j/7PXIfWiqPh048qSbCJifj9vW
> WnmXdFN3Bt/ThceqXnuIHCCVT4JSEJYLd+FO/ktZngh2p/eTJS2iQrd5Yvpw6RwR
> oSYlSexwwJFa0c2P/iIRO/daaE0Mx6rSPGDthmyR1ue//KCrh/V8JYjDifUVMwOt
> VH1z8K6Qot438tPh25itOo2EAu9fzYXMcoLOlYQSxpwprtfpgMa/gWyXtDusFd5t
> TDGMu8Jt4gti6C8LCO90/8dJ8anMiPT8PuL763yKgis=
> </ds:Modulus>
> <ds:Exponent>
> AQAB
> </ds:Exponent>
> </ds:RSAKeyValue>
> </ds:KeyValue></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>
>
> What I am wondering is – how precisely did
> <ds:DigestValue>vZsVj16MJpcpg34UlutAHAcHqrE=</ds:DigestValue> get computed?
>
> One thing I was surprised by when I started using xmlsec was that I had
> to seed the assertion with extra xml before signing such as:
>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>   <ds:SignedInfo>
>     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>     <ds:Reference URI="#@reference_uri">
>       <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       </ds:Transforms>
>       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>       <ds:DigestValue></ds:DigestValue>
>     </ds:Reference>
>   </ds:SignedInfo>
>   <ds:SignatureValue/>
>   <ds:KeyInfo>
>     <ds:KeyValue/>
>   </ds:KeyInfo>
> </ds:Signature>
>
> When trying to compute my own digest hash (which I could never get to
> match xmlsec’s) – is this Xml supposed to be taken into account?
>
> Sorry, I’m just trying to figure out how to produce a signed assertion
> that my xmlsec driven backend will accept. Following all of the
> examples and guidelines I could find has failed.
>
> Much appreciated,
>
> Hans
>
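Both of Hans's questions (how the DigestValue was computed, and whether the seeded ds:Signature template counts toward it) come down to the Reference's transform chain: dereference URI="#id", apply enveloped-signature (which removes that ds:Signature from the input), apply exclusive C14N, SHA-1 the resulting octets, base64 the digest. SignedInfo is then canonicalized with the same exclusive C14N, and those bytes, not the assertion, are what rsa-sha1 signs into SignatureValue. The Python below is an added example written for this page; it is not code from xmlsec or from either poster. It re-implements exclusive C14N on the standard-library minidom for the node types a SAML assertion contains (no InclusiveNamespaces PrefixList, comments dropped) and runs it over a constructed Response shaped like the one above with placeholder IDs; the RSA step itself is left to a crypto library. It makes visible the two things that usually break a hand-rolled digest: the xmlns:saml declaration sitting on samlp:Response is rendered onto the canonical saml:Assertion start tag because the prefix is visibly used there, while xmlns:xs is dropped because "xs" only occurs inside an attribute value, and attributes are re-ordered.

```python
import base64
import hashlib
import xml.dom.minidom as minidom

XMLNS_NS = "http://www.w3.org/2000/xmlns/"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def _esc(s, attr=False):
    # C14N escaping: & < CR always; > in text; quote, TAB and LF in attribute values
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if attr:
        return s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return s.replace(">", "&gt;")

def _in_scope(elem, prefix):
    """URI bound to prefix ('' = default) at elem, found by walking the SOURCE tree up."""
    name = "xmlns:" + prefix if prefix else "xmlns"
    while elem is not None and elem.nodeType == elem.ELEMENT_NODE:
        if elem.hasAttribute(name):
            return elem.getAttribute(name)
        elem = elem.parentNode
    return ""

def _c14n(node, rendered, drop_sig):
    """Exclusive C14N (without comments) of node. rendered = prefix -> URI already
    emitted by output ancestors, so a prefix is declared where it is first visibly used."""
    if node.nodeType in (node.TEXT_NODE, node.CDATA_SECTION_NODE):
        return _esc(node.data)
    if node.nodeType != node.ELEMENT_NODE:      # comments are not rendered
        return ""
    # Enveloped-signature transform: the seeded ds:Signature template is cut out.
    if drop_sig and node.namespaceURI == DSIG_NS and node.localName == "Signature":
        return ""
    attrs = [a for a in node.attributes.values() if a.namespaceURI != XMLNS_NS]
    # Visibly utilized prefixes: the element's own and its attributes' (xml is implicit).
    # "xs" inside the VALUE xsi:type="xs:string" does not count, so xmlns:xs is dropped.
    used = {node.prefix or ""} | {a.prefix for a in attrs if a.prefix and a.prefix != "xml"}
    decls = []
    for p in sorted(used):                      # default namespace first, then by prefix
        uri = _in_scope(node, p)
        if p == "" and uri == "":
            if rendered.get(""):
                decls.append(("", ""))          # xmlns="" undeclares an inherited default
        elif rendered.get(p) != uri:            # e.g. xmlns:saml inherited from Response
            decls.append((p, uri))
    ns = "".join(' xmlns%s="%s"' % (":" + p if p else "", _esc(u, True)) for p, u in decls)
    # Attributes sorted by (namespace URI, local name); unqualified ones come first.
    attrs.sort(key=lambda a: (a.namespaceURI or "", a.localName))
    av = "".join(' %s="%s"' % (a.name, _esc(a.value, True)) for a in attrs)
    inner = {**rendered, **dict(decls)}
    body = "".join(_c14n(c, inner, drop_sig) for c in node.childNodes)
    return "<%s%s%s>%s</%s>" % (node.tagName, ns, av, body, node.tagName)  # never <a/>

def _find_assertion(doc, ref_id):
    """Dereference URI="#ref_id" as --id-attr:ID Assertion does: only a saml:Assertion
    may own the ID. Resolving IDs on any element is what signature wrapping exploits."""
    for el in doc.getElementsByTagNameNS(SAML_NS, "Assertion"):
        if el.getAttribute("ID") == ref_id:
            return el
    raise LookupError("no saml:Assertion with ID=%r" % ref_id)

def exc_c14n(elem, drop_sig=False):
    return _c14n(elem, {}, drop_sig).encode("utf-8")

def digest_input(xml_text, ref_id):
    """The exact octets SHA-1 runs over (what --store-references is meant to show)."""
    return exc_c14n(_find_assertion(minidom.parseString(xml_text), ref_id), drop_sig=True)

def reference_digest(xml_text, ref_id):
    """The <ds:DigestValue> text: base64(SHA-1(digest_input))."""
    return base64.b64encode(hashlib.sha1(digest_input(xml_text, ref_id)).digest()).decode()

def signed_info_octets(xml_text, ref_id):
    """Fill DigestValue in, then canonicalize ds:SignedInfo: these bytes, not the
    assertion, are what rsa-sha1 signs into ds:SignatureValue."""
    doc = minidom.parseString(xml_text)
    sig = doc.getElementsByTagNameNS(DSIG_NS, "Signature")[0]
    dv = sig.getElementsByTagNameNS(DSIG_NS, "DigestValue")[0]
    for old in list(dv.childNodes):
        dv.removeChild(old)
    dv.appendChild(doc.createTextNode(reference_digest(xml_text, ref_id)))
    return exc_c14n(sig.getElementsByTagNameNS(DSIG_NS, "SignedInfo")[0])

# Constructed input shaped like the poster's Response (placeholder IDs, not his document):
# saml is declared on the Response, xs only appears in a value, attributes are unordered.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="r1" Version="2.0">'
    '<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="a1">'
    '<saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue'
    ' xsi:type="xs:string">hans@example.test</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="#a1"><ds:Transforms><ds:Transform'
    ' Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform'
    ' Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod'
    ' Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue></ds:DigestValue>'
    '</ds:Reference></ds:SignedInfo><ds:SignatureValue/></ds:Signature></saml:Assertion>'
    '</samlp:Response>')
```

digest_input() returns the octets that --store-references is meant to show for the reference, so the two can be diffed byte for byte against a real xmlsec1 run; reference_digest() is the DigestValue text and signed_info_octets() is the input to the signature. The ID lookup is deliberately restricted to saml:Assertion, mirroring --id-attr:ID Assertion; a verifier that resolves the ID against any element is open to signature wrapping.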