<br><div class="gmail_quote">Thank you for answering.<br>So when signing a node inside the xml file (same-document reference),<br> first we have to get the XPath node-set,<br> then do the Canonicalization on the node-set,<br>

 and calculate the Digest of the Canonicalization result.<br>
The original content of the referenced node-set won't be changed.<br><br>But in the test case<br>input<div class="im"><br><root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...</root><br>


<br></div>Canonicalization form obtained from libxml2 (<CanonicalizationMethod Algorithm="<a href="http://www.w3.org/2006/12/xml-c14n11#WithComments" target="_blank">http://www.w3.org/2006/12/xml-c14n11#WithComments</a>"/>):<div class="im">

<br><?xml version="1.0"?><br><node><br>
  <node>text</node><br>
  <node><br>
    <node><br>
      <node>text</node><br>
      <node>text</node><br>    </node><br>
    <node>text</node><br>
  </node><br></node><br><br></div>Shouldn't the digest value be based on the second one?<br><br>Thank you<div class="HOEnZb"><div class="h5"><br><br><div class="gmail_quote">2012/6/3 Aleksey Sanin <span dir="ltr"><<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>></span><br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
" ... source xml file needs Canonicalization(applied to the entire xml) ..."<br>
<br>
That's not quite correct. You cannot use the "entire xml" because the<br>
insertion of the signature changes it and the digest match during<br>
verification would fail.<br>
<br>
This is the part of the spec that talks about it<br>
<br>
<a href="http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel" target="_blank">http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel</a><br>
<br>
<br>
Aleksey<br>
<div><div><br>
On 6/2/12 10:34 AM, Neko wrote:<br>
> Dear Aleksey<br>
><br>
> I have a question about Canonicalization and Digest while using xmlsec1<br>
> to sign a template xml file.<br>
> According to my understanding of the xml signature spec provided by W3C,<br>
> the source xml file needs Canonicalization (applied to the entire xml) before<br>
> calculating the Digest.<br>
><br>
> The template file looks like this:<br>
><br>
> <?xml version="1.0"?><br>
> <root<br>
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature<br>
> xmlns="<a href="http://www.w3.org/2000/09/xmldsig#" target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"><br>
>    <SignedInfo><br>
>         <CanonicalizationMethod<br>
> Algorithm="<a href="http://www.w3.org/2006/12/xml-c14n11#WithComments" target="_blank">http://www.w3.org/2006/12/xml-c14n11#WithComments</a>"/><br>
>         <SignatureMethod<br>
> Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"/><br>
>         <Reference URI=""><br>
>             <Transforms><br>
>                 <Transform<br>
> Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature" target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>" /><br>
>             </Transforms><br>
>             <DigestMethod<br>
> Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>"/><br>
>             <DigestValue></DigestValue><br>
>         </Reference><br>
>     </SignedInfo><br>
>     <SignatureValue /><br>
>     <KeyInfo><br>
>         <KeyValue /><br>
>     </KeyInfo><br>
> </Signature></root><br>
> (to verify my understanding, there are no spaces or line breaks between<br>
> data nodes)<br>
><br>
> In the result, xmlsec1 puts the desired values into the proper fields, while the<br>
> original data remains the same, like:<br>
><br>
> <root<br>
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root><br>
><br>
> However, I tried to do the Canonicalization with libxml, and the result<br>
> is like this (ignoring the signature node):<br>
><br>
> <?xml version="1.0"?><br>
> <node><br>
>   <node>text</node><br>
>   <node><br>
>     <node><br>
>       <node>text</node><br>
>       <node>text</node><br>
>     </node><br>
>     <node>text</node><br>
>   </node><br>
> </node><br>
><br>
> which leads to a different digest value.<br>
> Do I misunderstand something, or is the way I used xmlsec1 wrong?<br>
><br>
> Thank you<br>
><br>
><br>
> How I do the Canonicalization with libxml:<br>
>  get nodeset by:<br>
>   xmlXPathEvalExpression("/descendant-or-self::node()",context)<br>
>  then get Canonicalization by:<br>
>   xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1,<br>
> c14noutputbuffer);<br>
>   xmlDocPtr c14ndoc = xmlParseMemory(c14nbuffer->content,c14nbuffer->use);<br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> xmlsec mailing list<br>
> <a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a><br>
> <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
</blockquote></div><br>
</div></div></div><br>
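The Reference processing model that Aleksey links to, worked through as an added example; this is not code from the thread, from xmlsec1 or from libxml2. It uses Python's standard-library C14N 2.0 writer (xml.etree.ElementTree.canonicalize) in place of libxml2's C14N 1.1, SHA-256 in place of the template's SHA-1, and a constructed data document under the made-up namespace urn:example. It shows why the "entire xml" cannot be the digest input: for a Reference with URI="" and the enveloped-signature transform, the digest is taken over the canonical form of the document with the Signature subtree removed, which is identical before and after the signature element is inserted, while a hash over the file as stored is not. It also shows that canonical output carries no XML declaration and no added indentation.

```python
"""Reference digest for an enveloped XML signature with URI="".

Added example, not from the xmlsec mailing list. Assumptions: stdlib C14N 2.0
stands in for libxml2 C14N 1.1, SHA-256 for SHA-1, and the document text plus
the namespace "urn:example" are constructed for illustration.
"""
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample data document with no whitespace between nodes.
DOC_NO_SIG = (
    '<root xmlns="urn:example"><node>text</node><node><node><node>text</node>'
    '<node>dlink</node></node><node>text</node></node></root>'
)

# The same document with an unfilled signature template inserted, which is
# what xmlsec1 sees before it fills DigestValue and SignatureValue.
SIGNATURE_TEMPLATE = (
    f'<Signature xmlns="{DSIG_NS}"><SignedInfo>'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<Reference URI=""><Transforms>'
    '<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '</Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<DigestValue></DigestValue></Reference></SignedInfo>'
    '<SignatureValue></SignatureValue><KeyInfo><KeyValue></KeyValue></KeyInfo>'
    '</Signature>'
)
DOC_WITH_SIG = DOC_NO_SIG.replace("</root>", SIGNATURE_TEMPLATE + "</root>")


def canonical_reference(xml_text: str) -> str:
    """Reference processing for URI="" (same document):
    1. dereferencing URI="" yields the whole document as a node-set
       (comment nodes excluded by the spec),
    2. the enveloped-signature transform removes the ds:Signature subtree,
    3. the remaining node-set is converted to octets with Canonical XML
       (without comments, since the Reference names no C14N transform).
    exclude_tags drops the Signature element together with all descendants."""
    return ET.canonicalize(
        xml_text,
        exclude_tags=[f"{{{DSIG_NS}}}Signature"],
    )


def reference_digest(xml_text: str) -> str:
    """DigestValue input: the octets of the canonical form, not the file bytes."""
    return hashlib.sha256(canonical_reference(xml_text).encode("utf-8")).hexdigest()


def raw_file_digest(xml_text: str) -> str:
    """A digest over the entire file as stored: changes as soon as the
    signature element is inserted, so it can never verify."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("canonical form:", canonical_reference(DOC_WITH_SIG))
    print("reference digest stable across Signature insertion:",
          reference_digest(DOC_NO_SIG) == reference_digest(DOC_WITH_SIG))
    print("raw-file digest stable across Signature insertion:",
          raw_file_digest(DOC_NO_SIG) == raw_file_digest(DOC_WITH_SIG))
```

Two details worth keeping apart when reading the template: the CanonicalizationMethod in SignedInfo governs how SignedInfo itself is canonicalized before it is signed, not how the Reference is digested, and the indented, declaration-bearing output in the thread is what a parse-then-dump of the canonical octets produces rather than the canonical octets themselves, which is why a digest computed over such a dump will not match.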