[xmlsec] XML Sig
Aleksey Sanin
aleksey at aleksey.com
Thu Oct 31 23:23:34 PST 2002
Hi, Gregor!
I assume that you are asking not about cannonicalization but about
signing a given Object.
There are multiple ways to sign particular part of the XML document
(i.e. sign its digest)
using an XPath transofrm(s). I think you'll find useful to read
annotated example from
the XMLDSig spec:
http://www.w3.org/TR/xmldsig-core/#sec-o-SignatureProperty
Also the XMLSec sources distribution package contains a lot of test
vectors (look in
xmlsec-x.x.x/tests folder) that are very helpful in understanding how
does this work
(most of these tests could also be found on the W3C web site:
http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html
When you add Reference element to the Signature, you can specify
particular cannonicalization
method by just adding c14n transform to it. If no c14n is specified and
an XML to binary
data conversion is required (for example, when a digest for an XML nodes
set is calculated)
then default c14n is used.
The enveloped Signature could be created by using an Enveloped Signature
transform.
You do not need to use XPath expressions for this. In most cases (for
example, in XMLSec
cases), using Enveloping transform is *much* faster.
The current XMLSec implementation has a crypto layer (xmlSecKey,
xmlSecBinTransform,
xmlSecKyeManager, xmlSecX509Manager) that abstracts the low level crypto
stuff. In order
to replace OpenSSL with a new crypto engine you just need to
re-implement rsa.c, dsa.c, ... files.
Another problem is that currently the crypto stuff is not clear
separated. I thought about doing the
separation soon but I just had no time for this yet. If you are
interested in participating in doing this
then we can discuss what needs to be done in more details.
With best regards,
Aleksey
Gregor Ibic wrote:
>Hi!
>
>Im writing a xmlsig with MS cryptoapi support. I use your library for
>verification of digests and signatures.
>It turns out that I have do redo some of your work and now Im stuck with
>proper canonization.
>How can I embed a data object in Signature element and request to canonize
>it.
>I found out that Enveloping signature does not canonize (C14N) that <Object>
>element.
>But I would like to have a transparent solution.
>
>Also I have to remove Signature element with XPath before doing digests if I
>use Enveloped signature, right?
>
>What about doing a wrapper for crypto support? In this way other crypto libs
>could be used.
>
>Regards,
>Gregor
>
>_______________________________________________
>xmlsec mailing list
>xmlsec at aleksey.com
>http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
More information about the xmlsec
mailing list