[xmlsec] enveloped-signature Transform
R Zaghi
rzaghi at mosaic3dx.com
Wed May 16 14:23:33 PDT 2018
Hi
I am familiarizing myself with XML signatures using XMLSEC and I have found
a few of the standards' definitions slightly confusing.
So I joined here to ask and also to figure out some of the details of how
the library works too.
With regards to "enveloped-signature Transform", how exactly are we
supposed to check the signature?
I found an example on the internet.
Can you please see if my explanations of the overall process are correct
here?
The enveloped XML that we are checking is:
<Envelope xmlns="urn:envelope">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>uooqbWYa5VCqcJCbuymBKqm17vY=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>KedJuTob5gtvYx9qM3k3gm7kbLBwVbEQRl26S2tmXjqNND7MRGtoew==</SignatureValue>
  </Signature>
</Envelope>
And my understanding of the overall validation process is:
1- First we remove all lines from <Signature> to </Signature>
2- We calculate the hash digest of what is left after applying
all CanonicalizationMethod transformations and using the DigestMethod in
SignedInfo:
<Envelope xmlns="urn:envelope">
</Envelope>
3- If the base64 encoding of this digest matches the specified DigestValue
then we continue and take everything from <SignedInfo> to </SignedInfo> and
apply the CanonicalizationMethod transformations to it.
4- We calculate the digest of this transformed SignedInfo using the
SignatureMethod hash algorithm.
5- Finally, we take SignatureValue and decode it using a provided public key
or a provided public certificate to see if the result matches the
calculated result of step (4).
Is this correct in this example?
Ramin Zaghi
*Mosaic3DX™ | User Interface Technology*
http://linkedin.com/in/raminzaghi
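Added example, not part of the list post and not code from the xmlsec library: the first four steps of the process the post describes, done with the Python standard library only. Assumptions: Python 3.8 or newer (for xml.etree.ElementTree.canonicalize), which implements C14N 2.0 and is used here in place of the post's C14N 1.0 WithComments (the two produce the same bytes for a document this simple, but a real verifier must use the algorithm named in CanonicalizationMethod); the sample document below is constructed in the shape of the post's envelope with placeholder DigestValue and SignatureValue, so it is not a signed document. Two points the code makes explicit: the enveloped-signature transform removes the Signature element node (the text nodes around it stay and are digested), not "lines" of the file; and a matching DigestValue only shows the content matches what SignedInfo claims, so nothing is trustworthy until SignatureValue is verified over the canonical SignedInfo with a key you trust.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS

# Constructed sample in the shape of the post's envelope. The DigestValue and
# SignatureValue are placeholders; nothing here was produced by a real signer.
SAMPLE_DOC = """<Envelope xmlns="urn:envelope">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>PLACEHOLDER-DIGEST</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER-SIGNATURE</SignatureValue>
  </Signature>
</Envelope>"""


def sha1_b64(data: bytes) -> str:
    """Base64 of a SHA-1 digest, the encoding DigestValue uses for #sha1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def enveloped_transform_c14n(xml_text: str) -> str:
    """Steps 1 and 2: drop the Signature element (the whole subtree, but not the
    whitespace text nodes around it) and canonicalize what is left.
    exclude_tags makes the canonical writer skip that subtree. Assumption: the
    stdlib C14N 2.0 writer stands in for C14N 1.0 WithComments."""
    return ET.canonicalize(xml_text, with_comments=True, exclude_tags=[SIGNATURE_TAG])


def reference_digest(xml_text: str) -> str:
    """DigestValue that a Reference with URI="" plus enveloped-signature implies."""
    return sha1_b64(enveloped_transform_c14n(xml_text).encode("utf-8"))


def verify_reference_digest(xml_text: str) -> bool:
    """Step 3, first half: recompute the digest and compare with the stated one."""
    root = ET.fromstring(xml_text)
    stated = root.findtext(".//{%s}DigestValue" % DSIG_NS, "").strip()
    return stated == reference_digest(xml_text)


def canonical_signed_info(xml_text: str) -> str:
    """Step 3, second half: canonical form of SignedInfo. Canonicalizing a subtree
    renders the in-scope namespace declarations on its apex element, so the
    xmldsig default namespace declared on Signature ends up on SignedInfo.
    Simplification (assumption): this sample has exactly one in-scope namespace
    and no attributes on SignedInfo, so splicing the declaration in textually
    equals the canonical subset; a general verifier needs a C14N library with
    subset support (xmlsec has it)."""
    whole = ET.canonicalize(xml_text, with_comments=True)
    start = whole.index("<SignedInfo>") + len("<SignedInfo>")
    end = whole.index("</SignedInfo>") + len("</SignedInfo>")
    return '<SignedInfo xmlns="%s">' % DSIG_NS + whole[start:end]


def signed_info_sha1(xml_text: str) -> bytes:
    """Step 4: the SHA-1 that the dsa-sha1 SignatureValue must verify against.
    Step 5 (the DSA check) needs the signer's public key and a crypto library
    and is deliberately not done here."""
    return hashlib.sha1(canonical_signed_info(xml_text).encode("utf-8")).digest()


def fill_sample_digest(xml_text: str) -> str:
    """Demo helper: write the correct DigestValue into the constructed sample so
    the reference check has a passing case. The digest does not depend on the
    placeholder because the Signature subtree is removed before hashing."""
    return xml_text.replace("PLACEHOLDER-DIGEST", reference_digest(xml_text))


if __name__ == "__main__":
    doc = fill_sample_digest(SAMPLE_DOC)
    print("canonical content:", repr(enveloped_transform_c14n(doc)))
    print("reference digest ok:", verify_reference_digest(doc))
    tampered = doc.replace('<Envelope xmlns="urn:envelope">',
                           '<Envelope xmlns="urn:envelope" x="1">')
    print("tampered digest ok:", verify_reference_digest(tampered))
    print("bytes the signature covers:", canonical_signed_info(doc)[:60], "...")
```

The tampered case shows why step 3 is a necessary but not sufficient check: an attacker who can edit the document can just as easily recompute and rewrite DigestValue, which is why the canonical SignedInfo (step 3 and 4) must in turn be bound by SignatureValue under a key the verifier trusts (step 5).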