[xmlsec] enveloped-signature Transform

R Zaghi rzaghi at mosaic3dx.com
Wed May 16 14:23:33 PDT 2018 

Hi

I am familiarizing myself with XML signatures using XMLSEC and I have found
a few of the standards' definitions slightly confusing.
So I joined here to ask and also to figure out some of the details of how
the library works too.

With regards to "enveloped-signature Transform", how exactly are we
supposed to check the signature?

I found an example on the internet.
Can you please see if my explanations of the overall process are correct
here?

The enveloped XML that we are checking is:

<Envelope xmlns="urn:envelope">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/
2001/REC-xml-c14n-20010315#WithComments"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/
xmldsig#dsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-
signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>uooqbWYa5VCqcJCbuymBKqm17vY=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>KedJuTob5gtvYx9qM3k3gm7kbLBwVbEQRl26S2tmXjqNND7MRGtoew==
</SignatureValue>
  </Signature>
</Envelope>


And my understanding of the overall validation process is:

1- First we remove all lines from <Signature> to </Signature>

2- We calculate the hash digest of what is left after applying
all CanonicalizationMethod transformations and using the DigestMethod in
SignedInfo:
<Envelope xmlns="urn:envelope">
</Envelope>

3- If the base64 encoding of this digest matches the specified DigestValue
then we continue and take everything from <SignedInfo> to </SignedInfo> and
apply the CanonicalizationMethod transformations to it.

4- We will calculate the digest of this transformed SignedInfo using
the SignatureMethod hash algorithm

5- Finally we take SignatureValue and decode it using a provided public key
or a provided public certificate to see if the result matches the
calculated result of step (4)


Is this correct in this example?






Ramin Zaghi

*Mosaic3DX™ | User Interface Technology*
http://linkedin.com/in/raminzaghi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20180516/d68eb9be/attachment.html>

More information about the xmlsec mailing list