Thank you very very much, the option will help me a lot!<br>And I just found the problem of my output from libxml.<br>The content of xmlOutputBuffer created by xmlC14NDocSaveTo is the same of xmlsec's Canonicalization result.<br>
But xmlParseMemory changes the content by adding whitespace and line breaking to make it more readable. (API says nothing about this<br>Sorry, I should have checked the content all along the process.<br>Again, thank you very much.<br>
<br><div class="gmail_quote">2012/6/3 Aleksey Sanin <span dir="ltr"><<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The xmlsec1 tool has an option --store-references that shows exactly<br>
what was digested. Run it and see for yourself.<br>
<br>
Aleksey<br>
<div class="im"><br>
On 6/2/12 12:33 PM, Neko wrote:<br>
> But the DigestValue is the digest of original xml content,<br>
> <root<br>
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root><br>
><br>
> Does it mean that the Canonicalization result I got is not the correct one?<br>
> <?xml version="1.0"?><br>
> <node><br>
> <node>text</node><br>
> <node><br>
> <node><br>
> <node>text</node><br>
> <node>text</node><br>
> </node><br>
> <node>text</node><br>
> </node><br>
> </node><br>
><br>
> Thank you for answering<br>
><br>
</div>> 2012/6/3 Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>>><br>
<div><div class="h5">><br>
> Yes<br>
><br>
> Aleksey<br>
><br>
> On 6/2/12 11:55 AM, Neko wrote:<br>
> ><br>
> > Thank you for answering.<br>
> > So if signing the node inside the xml file(same-document reference),<br>
> > first we have to get the XPath node-set,<br>
> > then do the Canonicalization on the node-set,<br>
> > and calculating Digest of the Canonicalization result.<br>
> > The original content of referenced node-set won't be changed.<br>
> ><br>
> > But in the test case<br>
> > input<br>
> ><br>
> > <root><br>
> ><br>
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root><br>
> ><br>
> > Canonicalization form obtained from libxml2(<CanonicalizationMethod><br>
> > Algorithm="<a href="http://www.w3.org/2006/12/xml-c14n11#WithComments" target="_blank">http://www.w3.org/2006/12/xml-c14n11#WithComments</a>")<br>
> ><br>
> > <?xml version="1.0"?><br>
> > <node><br>
> > <node>text</node><br>
> > <node><br>
> > <node><br>
> > <node>text</node><br>
> > <node>text</node><br>
> > </node><br>
> > <node>text</node><br>
> > </node><br>
> > </node><br>
> ><br>
> > Shouldn't digest value base on the second one?<br>
> ><br>
> > Thank you<br>
> ><br>
> ><br>
> > 2012/6/3 Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a><br>
</div></div>> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a><br>
<div><div class="h5">> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>>>><br>
> ><br>
> > " ... source xml file needs Canonicalization(applied to the entire<br>
> > xml) ..."<br>
> ><br>
> > That's not quite correct. You can not use the "entire xml"<br>
> because the<br>
> > insertion of the signature changes it and the digest match during<br>
> > verification would fail.<br>
> ><br>
> > This is the part of the spec that talks about it<br>
> ><br>
> > <a href="http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel" target="_blank">http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel</a><br>
> ><br>
> ><br>
> > Aleksey<br>
> ><br>
> > On 6/2/12 10:34 AM, Neko wrote:<br>
> > > Dear Aleksey<br>
> > ><br>
> > > I have a question about Canonicalization and Digest while using<br>
> > xmlsec1<br>
> > > to sign template xml file.<br>
> > > According to my understanding of xml signature spec provided<br>
> by W3C,<br>
> > > source xml file needs Canonicalization(applied to the entire<br>
> xml)<br>
> > before<br>
> > > calculating Digest.<br>
> > ><br>
> > > The template file looks like this:<br>
> > ><br>
> > > <?xml version="1.0"?><br>
> > > <root<br>
> > ><br>
> ><br>
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature<br>
> > > xmlns="<a href="http://www.w3.org/2000/09/xmldsig#" target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"><br>
> > > <SignedInfo><br>
> > > <CanonicalizationMethod<br>
> > > Algorithm="<a href="http://www.w3.org/2006/12/xml-c14n11#WithComments" target="_blank">http://www.w3.org/2006/12/xml-c14n11#WithComments</a>"/><br>
> > > <SignatureMethod<br>
> > > Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"/><br>
> > > <Reference URI=""><br>
> > > <Transforms><br>
> > > <Transform<br>
> > ><br>
> Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature" target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>" /><br>
> > > </Transforms><br>
> > > <DigestMethod<br>
> > > Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>"/><br>
> > > <DigestValue></DigestValue><br>
> > > </Reference><br>
> > > </SignedInfo><br>
> > > <SignatureValue /><br>
> > > <KeyInfo><br>
> > > <KeyValue /><br>
> > > </KeyInfo><br>
> > > </Signature></root><br>
> > > (to verify my understanding, there's no space and line changing<br>
> > between<br>
> > > data nodes)<br>
> > ><br>
> > > In the result, xmlsec1 put desired values into proper fields,<br>
> > while the<br>
> > > original data remains the same, like:<br>
> > ><br>
> > > <root<br>
> > ><br>
> ><br>
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root><br>
> > ><br>
> > > However, I tried to do the Canonicalization with libxml, and the<br>
> > result<br>
> > > is like:(neglect signature node)<br>
> > ><br>
> > > <?xml version="1.0"?><br>
> > > <node><br>
> > > <node>text</node><br>
> > > <node><br>
> > > <node><br>
> > > <node>text</node><br>
> > > <node>text</node><br>
> > > </node><br>
> > > <node>text</node><br>
> > > </node><br>
> > > </node><br>
> > ><br>
> > > which leads to different digest value.<br>
> > > Do I misunderstand something, or the way I used xmlsec1 is<br>
> wrong?<br>
> > ><br>
> > > Thank you<br>
> > ><br>
> > ><br>
> > > How I do the Canonicalization with libxml:<br>
> > > get nodeset by:<br>
> > > xmlXPathEvalExpression("/descendant-or-self::node()",context)<br>
> > > then get Canonicalization by:<br>
> > > xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1,<br>
> > > c14noutputbuffer);<br>
> > > xmlDocPtr c14ndoc =<br>
> > xmlParseMemory(c14nbuffer->content,c14nbuffer->use);<br>
> > ><br>
> > ><br>
> > ><br>
> > > _______________________________________________<br>
> > > xmlsec mailing list<br>
> > > <a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>><br>
</div></div>> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>>><br>
<div class="im">> > > <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > xmlsec mailing list<br>
</div>> > <a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>><br>
> > <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
><br>
><br>
</blockquote></div><br>