[xmlsec] XML Sig

Aleksey Sanin aleksey at aleksey.com
Fri Nov 1 00:02:29 PST 2002


If you're using the xmlsec command line utility then you might use the
"--print-all" option to see what exactly XMLSec digests and signs.
I know almost nothing about MS Crypto API.
Does it support XMLDsig or is it only low-level crypto functions
(rsa/dsa/hmac/sha/...)?
In the second case, I don't understand what you mean by "the same
digest with MS Cryptoapi and with xmlsig". If you are digesting the
text by itself then most likely you have different "end-of-line" symbols.

BTW, I do see at least one problem with your document. Please read
section 3.2 of the FAQ:
    http://www.aleksey.com/xmlsec/faq.htm

Aleksey


Gregor Ibic wrote:

>Hi, Aleksey!
>
>Sure, I'm interested in participating with crypto abstraction. Have been
>doing a lot of crypto stuff with different APIs for a long time (MS
>cryptoapi, cryptlib, openssl, ...) so probably I could help.
>
>But for this xmlsig I'm really puzzled.
>Let's use this XML for a test. I'm verifying digests for now. If I digest this
>XML I get the same digest with MS Cryptoapi and with xmlsig (openssl). But
>if I rearrange the Object element :-> check the second XML document
>
>*************************************************
>
><?xml version="1.0" encoding="UTF-8" ?>
><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>  <SignedInfo>
>    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
>    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>    <Reference URI="#object">
>      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>      <DigestValue></DigestValue>
>    </Reference>
>  </SignedInfo>
>  <SignatureValue>
>  </SignatureValue>
>  <KeyInfo>
>    <KeyName></KeyName>
>  </KeyInfo>
>  <Object Id="object"><Request>abcš</Request></Object>
></Signature>
>
>
>*************************************************
>
><?xml version="1.0" encoding="UTF-8" ?>
><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>  <SignedInfo>
>    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
>    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>    <Reference URI="#object">
>      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>      <DigestValue></DigestValue>
>    </Reference>
>  </SignedInfo>
>  <SignatureValue>
>  </SignatureValue>
>  <KeyInfo>
>    <KeyName></KeyName>
>  </KeyInfo>
>  <Object Id="object">
>     <Request>abcš</Request>
>  </Object>
></Signature>
>
>*************************************************
>
>
>Then the signature is not the same any more. I do a C14N on the <Object> node
>before doing the digest. Is this OK? If I get the XML signature standard right, it
>specifies that SignInfo has to be C14N but not data objects.
>
>
>Regards,
>Gregor
>
>
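Added example, not part of the original thread: a same-document reference such as URI="#object" produces a node-set, which XML-DSig serializes with Canonical XML before digesting, so whitespace-only text nodes inside <Object> change the digest while CRLF versus LF line endings only matter when the raw text is hashed. The two documents are constructed from the ones quoted above (SignedInfo omitted), the function names are hypothetical, and Python's ElementTree C14N 2.0 serializer stands in for the C14N 1.0 algorithm named in CanonicalizationMethod.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Serialize the dsig namespace as the default one, as in the quoted documents.
ET.register_namespace("", DSIG_NS)

# Constructed inputs modelled on the two quoted documents (SignedInfo omitted).
COMPACT = (
    '<Signature xmlns="%s">\n'
    '  <Object Id="object"><Request>abc\u0161</Request></Object>\n'
    '</Signature>\n' % DSIG_NS
).encode("utf-8")
INDENTED = (
    '<Signature xmlns="%s">\n'
    '  <Object Id="object">\n'
    '     <Request>abc\u0161</Request>\n'
    '  </Object>\n'
    '</Signature>\n' % DSIG_NS
).encode("utf-8")
# Same indented document saved with Windows line endings.
INDENTED_CRLF = INDENTED.replace(b"\n", b"\r\n")


def canonical_object(doc: bytes) -> bytes:
    """Return the canonical octets of the element referenced by URI="#object"."""
    root = ET.fromstring(doc)  # the XML parser normalizes CRLF to LF
    obj = root.find("{%s}Object[@Id='object']" % DSIG_NS)
    obj.tail = None  # text after </Object> is outside the referenced subtree
    fragment = ET.tostring(obj, encoding="unicode")
    # Stand-in (assumption): ElementTree implements C14N 2.0, not C14N 1.0;
    # both keep whitespace-only text nodes inside element content.
    return ET.canonicalize(fragment).encode("utf-8")


def digest_value(octets: bytes) -> str:
    """Base64 SHA-1, the form stored in <DigestValue>."""
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


if __name__ == "__main__":
    for name, doc in [("compact", COMPACT), ("indented", INDENTED),
                      ("indented+CRLF", INDENTED_CRLF)]:
        print("%-14s raw=%s c14n=%s" % (
            name, digest_value(doc), digest_value(canonical_object(doc))))
```
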




