No subject
Wed Oct 29 15:04:47 PST 2008
I would really appreciate any help in how the signature value is calculated.
From what I have read, my understanding is that the signature value is
calculated on the canonicalized SignedInfo node (after the digest value
has been inserted). This does appear to be so, when I step through the
xmlsec code in the debugger. I am trying to verify that I have got this
right by calculating this signature value using openssl on the command
line.
I would appreciate feedback showing me exactly what piece is being
signed in the example signed document below and if I am using openssl
properly.

The openssl commands I am executing are:
Calculate the binary signature using my private key:

openssl dgst -sign mykey.pem -out mysig.bin signedinfo.xml

and then convert the result to base64

openssl base64 -in mysig.bin

The file signedinfo.xml contains the SignedInfo node from the full
document below.
In other words:
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>sUD7jzvAdt3liQEkrpGsJukqftU=</DigestValue>
</Reference>
</SignedInfo>

The example signed document is:

<?xml-stylesheet type="text/xsl" href="myfile.xsl" ?>
<sales quarter="2001-01">
 <region name="Northeast">
  <units>374</units>
  <amount>12500.26</amount>
 </region>
 <region name="Southeast">
  <units>512</units>
  <amount>17692</amount>
 </region>
 <region name="Southwest">
  <units>161</units>
  <amount>8349.72</amount>
 </region>
 <region name="Northwest">
  <units>465</units>
  <amount>15239.6</amount>
 </region>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>sUD7jzvAdt3liQEkrpGsJukqftU=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>HB34BqrIo4511h072CpiTv2z48+/7NHq/T9laNlwiWOQtWLpIVipSfsqjRx/QDoO
XguVyZGXc1v/jvik4B2OMmgyiFGIJMQ8n8N9LxnLToOYN8TUJjGXY2M1HRuGnCGb
vhyhXikITmlfFBqm29XewpFwSGO5jS4v0qmt5TNCX3YX5o7dAenMVtziK/r37JvY
ZFbDFusHCRJ3/phfae9mjWuIHPbIdypMayB5gF4wtT69nLVmjHykVV1PXHSDhbbn
sSNZTIN3W2w1UOadogBKwu4g/T9/hlbCkRsSranSGPPkCbN5tl6LnpWIRIPCFk1a
Y2ye8RfyO2u7akUjjCXTfw==</SignatureValue>
<KeyInfo>
<X509Data></X509Data>
</KeyInfo>
</Signature></sales>
Thanks,

-- Sanjay
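Added example, not from the post and not xmlsec code: Python 3.8+ standard library only, reproducing the two steps described above for this document (digest of the enveloped-signature-transformed document, then the octets SignatureValue is computed over) and checking whether a SignedInfo copied by hand into signedinfo.xml yields the same octets. It assumes the signed octets are the SignedInfo canonicalized in its document context, so the xmlns declaration inherited from Signature is rendered on it and whitespace between elements is kept; SAMPLE_DOC is a constructed, shortened copy of the document above with the digest and signature values left empty, and ET.canonicalize implements C14N 2.0, which agrees with the 2001 C14N for a document this simple.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", DSIG_NS)  # serialise dsig elements with a default xmlns, as the document does

# Constructed sample: the poster's document, shortened, with DigestValue and SignatureValue still empty.
SAMPLE_DOC = """<?xml-stylesheet type="text/xsl" href="myfile.xsl" ?>
<sales quarter="2001-01">
<region name="Northeast"><units>374</units><amount>12500.26</amount></region>
<region name="Southeast"><units>512</units><amount>17692</amount></region>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue></SignatureValue>
</Signature></sales>"""

def reference_digest(doc_xml: str) -> str:
    """DigestValue of the Reference with URI="": drop the Signature element
    (enveloped-signature transform), canonicalise, SHA-1, then base64."""
    canon = ET.canonicalize(doc_xml, exclude_tags=[f"{{{DSIG_NS}}}Signature"])
    return base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode()

def signed_info_octets(doc_xml: str) -> bytes:
    """The bytes SignatureValue is computed over: SignedInfo with DigestValue
    filled in, canonicalised in its document context, so the xmlns inherited
    from Signature is rendered on it and empty-element tags are expanded."""
    root = ET.fromstring(doc_xml)
    si = copy.deepcopy(root.find(f"{{{DSIG_NS}}}Signature/{{{DSIG_NS}}}SignedInfo"))
    si.tail = None  # whitespace after </SignedInfo> belongs to Signature, not SignedInfo
    si.find(f".//{{{DSIG_NS}}}DigestValue").text = reference_digest(doc_xml)
    return ET.canonicalize(ET.tostring(si, encoding="unicode")).encode("utf-8")

def extracted_file_matches(signedinfo_xml: str, doc_xml: str) -> bool:
    """Does a hand-extracted SignedInfo (the contents of signedinfo.xml) canonicalise
    to exactly the octets xmlsec signs? Whitespace and the xmlns declaration both count."""
    return ET.canonicalize(signedinfo_xml).encode("utf-8") == signed_info_octets(doc_xml)
```

The bytes returned by signed_info_octets() are what to write to the file given to openssl dgst -sha1 -sign mykey.pem; the digest must be named explicitly, because openssl dgst does not default to SHA-1 in every release and the SignatureMethod here is rsa-sha1.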