[xmlsec] DigestValue for Enveloped Signatures

Dominic Steinitz dominic.steinitz at blueyonder.co.uk
Sun Nov 13 01:46:08 PST 2005


On Saturday 12 Nov 2005 7:39 pm, Aleksey Sanin wrote:
> You will actually digests something like (see C14N spec)
>
> <t1 i="Foo" xmlns="urn:envelope" >Hello</t1>
>
> Note that xmlsec utility has an option "--store-references"
> that prints out all the pre-digest buffers.
>
> Aleksey

Aleksey,

Thanks. 

I had been making the incorrect assumption that the signed document contained 
the canonicalised xml as I had noticed that in one of my tests, an attribute 
marked as NMTOKENS had been correctly canonicalised.

Of course, the signed document can't have all the canonical forms for 
something like the example below as the namespaces get pushed to different 
places depending on which element is being signed. 

For example, in signing "Foo"

<t1 i="Foo"><t3 k="Baz">Hello</t3> is canonicalised to
<t1 xmlns:baz="http://baz" i="Foo"><t3 k="Baz">Hello</t3>

but in signing "Baz" the namespace must get pushed further down

<t3 k="Baz">Hello</t3> is canonicalised to
<t3 xmlns:baz="http://baz" k="Baz">Hello</t3>

Dominic.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE parent [
<!ELEMENT parent (t1,t2)>
<!ELEMENT t1 (t3,t4)>
<!ATTLIST t1 i ID #IMPLIED>
<!ATTLIST t2 j ID #IMPLIED>
<!ATTLIST t3 k ID #IMPLIED>
]>
<Something xmlns:baz="http://baz">
<parent>
<t1 i="Foo"><t3 k="Baz">Hello</t3>Hello</t1>
<t2 j="Bar">Goodbye</t2>
</parent>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo> <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Foo">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
<Reference URI="#Bar">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
<Reference URI="#Baz">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
</SignatureValue>
<KeyInfo>
<X509Data>
</X509Data>
</KeyInfo>
</Signature>
</Something>
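The namespace-pushing behaviour described above, worked through as an added example (not code from the post or from xmlsec): a small inclusive-C14N serializer over the post's document that shows what each Reference is actually digested over, and the DigestValue that results. It assumes only the Python standard library, reads which attributes are IDs from the DTD's ATTLIST declarations, leaves out comments and the xml: attribute inheritance rule, and applies the enveloped-signature transform by dropping any ds:Signature subtree.

```python
import base64, hashlib, re
from xml.dom import minidom, Node, XMLNS_NAMESPACE

# Constructed test input: the document from the post, with the Signature trimmed to one Reference.
DOC = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE parent [ <!ATTLIST t1 i ID #IMPLIED> <!ATTLIST t2 j ID #IMPLIED> <!ATTLIST t3 k ID #IMPLIED> ]>
<Something xmlns:baz="http://baz">
<parent><t1 i="Foo"><t3 k="Baz">Hello</t3>Hello</t1><t2 j="Bar">Goodbye</t2></parent>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI="#Foo"><DigestValue></DigestValue></Reference></SignedInfo></Signature></Something>"""

def _ns_decls(elem):  # xmlns declarations on one element, keyed by prefix ("" = default namespace)
    return {a.name[6:]: a.value for a in elem.attributes.values() if a.namespaceURI == XMLNS_NAMESPACE}
def _esc(s, attr=False):  # C14N escaping for text content (default) or attribute values
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    return (s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;") if attr
            else s.replace(">", "&gt;")).replace("\r", "&#xD;")

def _c14n(elem, scope, rendered):
    # Inclusive C14N 1.0 without comments; dropping ds:Signature is the enveloped-signature transform
    if elem.namespaceURI == "http://www.w3.org/2000/09/xmldsig#" and elem.localName == "Signature":
        return ""
    scope, rendered = {**scope, **_ns_decls(elem)}, dict(rendered)
    out = ["<" + elem.tagName]
    for prefix in sorted(scope):  # namespace nodes first; the default ("") sorts before prefixes
        # render what the nearest output ancestor has not rendered: at the apex that is every
        # inherited declaration, which is how xmlns:baz ends up on t1 or on t3
        if rendered.get(prefix, "" if prefix == "" else None) != scope[prefix]:
            rendered[prefix] = scope[prefix]
            out.append(' xmlns%s="%s"' % (":" + prefix if prefix else "", _esc(scope[prefix], True)))
    attrs = [a for a in elem.attributes.values() if a.namespaceURI != XMLNS_NAMESPACE]
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _esc(a.value, True)))
    out.append(">")
    for c in elem.childNodes:
        if c.nodeType == Node.ELEMENT_NODE:
            out.append(_c14n(c, scope, rendered))
        elif c.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            out.append(_esc(c.data))
    return "".join(out) + "</%s>" % elem.tagName

def canonical_reference(xml_text, fragment_id):  # the bytes a Reference URI="#id" is digested over
    doc = minidom.parseString(xml_text)
    id_attrs = re.findall(r"<!ATTLIST\s+(\S+)\s+(\S+)\s+ID\b", xml_text)  # which attributes are IDs
    target = next(e for e in doc.getElementsByTagName("*")
                  if any(e.tagName == t and e.getAttribute(n) == fragment_id for t, n in id_attrs))
    scope, p = {}, target.parentNode  # namespaces the ancestors put in scope, nearest one wins
    while p.nodeType == Node.ELEMENT_NODE:
        scope, p = {**_ns_decls(p), **scope}, p.parentNode
    return _c14n(target, scope, {}).encode("utf-8")

def digest_value(xml_text, fragment_id):  # what xmlsec would store in <DigestValue>
    return base64.b64encode(hashlib.sha1(canonical_reference(xml_text, fragment_id)).digest()).decode()
```

Running it on "Foo" and "Baz" reproduces the two canonical forms in the post, with xmlns:baz moved onto whichever element is the apex of the signed subtree, which is why the digest input cannot be read off the bytes stored in the document.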