[xmlsec] verifying with xml-exc-c14n

Aleksey Sanin aleksey at aleksey.com
Thu Jul 3 14:49:11 PDT 2008


Are you signing before or after encryption? Are you verifying
before or after encryption? Have you tried the "--store-references"
option to dump the content before doing the digest?

Aleksey

Brian.Myers at zootweb.com wrote:
> 
> Well, it can't be the http headers.  I now think the problem might be 
> with canonicalization.
> 
> I can verify when I sign with the transform:
> <dsig:Transform 
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> I can verify when I sign with the transform:
> <dsig:Transform 
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> 
> but when I sign with the transform:
> <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> it fails to verify.
> 
> And none of it verifies when I send to my server (which is some black 
> box Microsoft implementation).
> 
> It looks like the server is expecting Exclusive Canonicalization, but I 
> can't even get that to work in my test environment.
> 
> Attached is my xml document after signing (shortened the digest values, 
> but otherwise unchanged).
> Please take a look at it and see if I am doing something stupid.
> 
> Thanks in advance,
> Brian
> 
> 
> *Aleksey Sanin <aleksey at aleksey.com>*
> Sent by: xmlsec-bounces at aleksey.com
> 06/29/2008 08:19 PM
> To: Brian.Myers at zootweb.com
> cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] Signing a document that will be altered
> 
> I highly doubt that http headers are involved in the signatures...
> At least, not with xmlsec.
> 
> Aleksey
> 
> Brian.Myers at zootweb.com wrote:
>  >
>  > Hello,
>  > I think I'm running into a problem where the digital signature is being
>  > made invalid due to an http post.
>  > Before I send my message to serverB I encrypt it and sign it, I then
>  > post the message to the server.
>  > The post obviously adds http headers to the beginning of the message,
>  > such as ContentType, ContentLength, etc.
>  > I'm guessing that even though these headers are not inside the xml
>  > document, they are still affecting my digest.
>  >
>  > Is there a way to force the sign method to only sign the xml as opposed
>  > to the whole string? and also force
>  > the serverB verifier to verify the xml?
>  >
>  > Thank you,
>  > Brian
>  >
>  >
>  > _______________________________________________
>  > xmlsec mailing list
>  > xmlsec at aleksey.com
>  > http://www.aleksey.com/mailman/listinfo/xmlsec


