[xmlsec] Problem with SignedInfo block
Antoine Girard
antoine at anyware-tech.com
Fri Sep 23 00:26:55 PDT 2005
Hello everyone,
I have to develop a program which signs xml files like xmlsec.
Unfortunately I can't use it in my working context.
My program is almost working but I'm still experiencing a problem which
I hope you can help me to solve.
I actually can't get the same hash value as xmlsec for the
<signedInfo> block. Everything apart from that seems to be OK.
Here is the final signed file I get with xmlsec:
<?xml version="1.0"?>
<ELOGBOOK>
<LASTNAME>ADM</LASTNAME>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI=""><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>J8fCJ85jpSs/YUSouyMIxwg6TxE=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>WG0JXYTU0gB79tHkMUBlIiH1oGjMLuvWypY5LTJ72xyKtUt40Pv68vsvYZPL9+rZwjLMo/2NQoFMx/0xQLz4Cg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>tLzRCnoRfyzMDfgmTj+ve/goIlstlbhhWZLjCoTn4R3dIP5gcIM/+kldrYxR+0V5g6NMKwj+ftfErKSbW1/79w==</ds:Modulus>
<ds:Exponent>EQ==</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></ELOGBOOK>
As I don't get the same SignatureValue as xmlsec (I used the same key,
of course), I tried to find out where the problem was coming from.
Using the public key I got the following "padded ASN.1 with prefix" value:
01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A0500041473CE2A0596699B230D78ABE4A21149A557D42936
which gives me 73CE2A0596699B230D78ABE4A21149A557D42936 (or
c84qBZZpmyMNeKvkohFJpVfUKTY= in MIME64) as the <signedInfo> hash value.
With my program I have the following <signedInfo> block:
<SignedInfo><CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod><SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference
URI=""><Transforms><Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform></Transforms><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>J8fCJ85jpSs/YUSouyMIxwg6TxE=</DigestValue></Reference></SignedInfo>
(everything on the same line)
which gives me CF0BA03D8B20618BBC22D681E589DC7B22983B02 (or
zwugPYsgYYu8ItaB5YnceyKYOwI=) for its hash value.
It seems the problem comes from my <SignedInfo> block, which is maybe not
properly c14nized... I tried many variants of this block (with the
namespace ds:, without c14n, etc.) but nothing gave me the "right"
hash value.
I've spent many days on that problem but didn't manage to solve it :(
Can anyone explain to me why we can't get the same hash for that block and
how to get the correct hash value? Thanks a lot in advance.
Antoine.
--
Antoine GIRARD
Systèmes d'Information
ANYWARE TECHNOLOGIES
Tél. : +33 (0)5 61 00 73 42
Fax : +33 (0)5 61 00 51 46
www.anyware-tech.com
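Added example (not part of Antoine's message and not xmlsec code): the SHA-1 that goes into the RSA signature is taken over the canonical form of the SignedInfo element as it sits in the parsed document, not over whatever bytes a program happened to serialise. Under the 2001 inclusive C14N named in the file, the xmlns:ds declaration that is in scope from <ds:Signature> is rendered on <ds:SignedInfo> itself, and every empty element is written as a start/end tag pair. The script below parses a constructed copy of the signed file from the message, canonicalises its SignedInfo with the standard library's canonicaliser (Python 3.8+, which implements C14N 2.0; for this fragment, a single prefix used on every element and no comments, its output is the same as the 2001 inclusive form), and compares the result and its digest with the un-prefixed block from the message. Whitespace text nodes inside SignedInfo are part of the hashed bytes, so the digest only matches xmlsec's 73CE2A... value when the input bytes match the actual file; the assumed document here has none, as the quoted file appears to. The same rule is what a verifier has to follow: recompute C14N from the parsed element, never trust stored bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Keep the "ds" prefix when ElementTree serialises elements of this namespace.
ET.register_namespace("ds", DS_NS)

# Constructed copy of the signed document quoted in the message. The line
# breaks inside <ds:SignedInfo> are assumed to be mail wrapping and are
# removed; KeyInfo is omitted because it plays no part in the SignedInfo digest.
SIGNED_DOC = (
    '<?xml version="1.0"?>\n'
    '<ELOGBOOK>\n'
    '<LASTNAME>ADM</LASTNAME>\n'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
    '<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI=""><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<ds:DigestValue>J8fCJ85jpSs/YUSouyMIxwg6TxE=</ds:DigestValue></ds:Reference></ds:SignedInfo>\n'
    '<ds:SignatureValue>WG0JXYTU0gB79tHkMUBlIiH1oGjMLuvWypY5LTJ72xyKtUt40Pv68vsvYZPL9+rZwjLMo/2NQoFMx/0xQLz4Cg==</ds:SignatureValue>\n'
    '</ds:Signature></ELOGBOOK>\n'
)

# The un-prefixed block the message's own program produced, on one line.
POSTER_SIGNED_INFO = (
    '<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>'
    '<Reference URI=""><Transforms>'
    '<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>'
    '<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform></Transforms>'
    '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>'
    '<DigestValue>J8fCJ85jpSs/YUSouyMIxwg6TxE=</DigestValue></Reference></SignedInfo>'
)


def canonical_signed_info(doc: str) -> str:
    """Return the canonical form of the SignedInfo element found in doc.

    The element is taken from the parsed tree, not from the file's raw bytes,
    which is what an XML-DSig signer or verifier hashes. Because xmlns:ds is
    in scope, canonicalisation renders it on <ds:SignedInfo> itself, and each
    empty element becomes an explicit start/end tag pair.
    """
    root = ET.fromstring(doc)
    signed_info = root.find(f".//{{{DS_NS}}}SignedInfo")
    if signed_info is None:
        raise ValueError("no ds:SignedInfo element in document")
    signed_info.tail = None  # drop the newline that followed the element
    fragment = ET.tostring(signed_info, encoding="unicode")
    return ET.canonicalize(fragment)


def sha1_hex_and_b64(data: str) -> "tuple[str, str]":
    """SHA-1 of the UTF-8 bytes, as upper-case hex and as base64 (the two
    spellings compared in the message)."""
    digest = hashlib.sha1(data.encode("utf-8")).digest()
    return digest.hex().upper(), base64.b64encode(digest).decode("ascii")


def first_difference(a: str, b: str) -> int:
    """Index of the first character where two serialisations diverge, or -1
    when they are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    canonical = canonical_signed_info(SIGNED_DOC)
    print("canonical SignedInfo:", canonical)
    print("its SHA-1 (hex, base64):", *sha1_hex_and_b64(canonical))
    print("un-prefixed block SHA-1:", *sha1_hex_and_b64(POSTER_SIGNED_INFO))
    i = first_difference(canonical, POSTER_SIGNED_INFO)
    print(f"first difference at offset {i}: "
          f"{canonical[i:i + 40]!r} vs {POSTER_SIGNED_INFO[i:i + 40]!r}")
```

The two serialisations diverge at the second character (ds: prefix and xmlns:ds declaration), so their SHA-1 values have nothing in common; the same script can be pointed at any other candidate block to see exactly where it departs from the canonical bytes.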