[xmlsec] verifying with xml-exc-c14n
Aleksey Sanin
aleksey at aleksey.com
Thu Jul 3 14:56:58 PDT 2008
https://www.aleksey.com/xmlsec/api/xmlsec-xmldsig.html#XMLSEC-DSIG-FLAGS-STORE-SIGNEDINFO-REFERENCES-CAPS
Aleksey
Brian.Myers at zootweb.com wrote:
>
> That example was signed after encryption and then attempted to verify
> immediately after signing (though I have the functionality to reverse
> those steps).
> I haven't used the command line utility for xmlsec, at all. Is there a
> way to dump the content before digest with the API?
>
> Thanks,
> Brian
> *Aleksey Sanin <aleksey at aleksey.com>*
> Sent by: xmlsec-bounces at aleksey.com
> 07/03/2008 03:49 PM
> To: Brian.Myers at zootweb.com
> cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] verifying with xml-exc-c14n
>
> Are you signing before or after encryption? Are you verifying
> before or after encryption? Have you tried to use "--store-references"
> option to dump the content before doing digest?
>
> Aleksey
>
> Brian.Myers at zootweb.com wrote:
> >
> > Well, it can't be the http headers. I now think the problem might be
> > with canonicalization.
> >
> > I can verify when I sign with the transform:
> > <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> > I can verify when I sign with the transform:
> > <dsig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> >
> > but when I sign with the transform:
> > <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > it fails to verify.
> >
> > And none of it verifies when I send to my server (which is some black
> > box Microsoft implementation).
> >
> > It looks like the server is expecting Exclusive Canonicalization, but I
> > can't even get that to work in my test environment.
> >
> > Attached is my xml document after signing (shortened the digest values,
> > but otherwise unchanged).
> > Please take a look at it and see if I am doing something stupid.
> >
> > Thanks in advance,
> > Brian
> >
> > *Aleksey Sanin <aleksey at aleksey.com>*
> > Sent by: xmlsec-bounces at aleksey.com
> > 06/29/2008 08:19 PM
> > To: Brian.Myers at zootweb.com
> > cc: xmlsec at aleksey.com
> > Subject: Re: [xmlsec] Signing a document that will be altered
> >
> > I highly doubt that http headers are involved in the signatures...
> > At least, not with xmlsec.
> >
> > Aleksey
> >
> > Brian.Myers at zootweb.com wrote:
> > >
> > > Hello,
> > > I think I'm running into a problem where the digital signature is being
> > > made invalid due to an http post.
> > > Before I send my message to serverB I encrypt it and sign it, I then
> > > post the message to the server.
> > > The post obviously adds http headers to the beginning of the message,
> > > such as ContentType, ContentLength, etc.
> > > I'm guessing that even though these headers are not inside the xml
> > > document, they are still affecting my digest.
> > >
> > > Is there a way to force the sign method to only sign the xml as opposed
> > > to the whole string? and also force
> > > the serverB verifier to verify the xml?
> > >
> > > Thank you,
> > > Brian
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
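
Added example, not part of the original thread and not xmlsec code: once the pre-digest bytes have been dumped (with the `--store-references` option or the flag linked at the top of this message), this Python script recomputes each Reference's digest from the dump and compares it with the stored DigestValue. The sample document, the two dumps and all function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# DigestMethod URIs mapped to hashlib names (extend as needed).
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
           "http://www.w3.org/2001/04/xmlenc#sha256": "sha256"}

# Constructed sample document; %s is filled with the signer's digest.
TEMPLATE = """<a:Env xmlns:a="urn:a" xmlns:b="urn:b"><b:Body Id="x">hi</b:Body>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo>
<dsig:Reference URI="#x"><dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>%s</dsig:DigestValue>
</dsig:Reference></dsig:SignedInfo></dsig:Signature></a:Env>"""

# Constructed pre-digest dumps of #x. Exclusive c14n emits only the namespace
# the subtree visibly uses; inclusive c14n also emits the inherited xmlns:a.
EXC_DUMP = b'<b:Body xmlns:b="urn:b" Id="x">hi</b:Body>'
INC_DUMP = b'<b:Body xmlns:a="urn:a" xmlns:b="urn:b" Id="x">hi</b:Body>'

def b64_digest(hash_name, data):
    return base64.b64encode(hashlib.new(hash_name, data).digest()).decode()

def references(signed_xml):
    """Yield (URI, transform URIs, hash name, DigestValue) for each Reference."""
    for ref in ET.fromstring(signed_xml).iter(DS + "Reference"):
        transforms = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
        method = ref.find(DS + "DigestMethod").get("Algorithm")
        value = "".join(ref.find(DS + "DigestValue").text.split())
        yield ref.get("URI"), transforms, DIGESTS[method], value

def check_dumps(signed_xml, dumps):
    """Map each Reference URI to (digest matches?, declared transforms)."""
    report = {}
    for uri, transforms, hash_name, expected in references(signed_xml):
        report[uri] = (b64_digest(hash_name, dumps[uri]) == expected, transforms)
    return report

def sample_document():
    # The signer in this sample digested the exclusive-c14n bytes.
    return TEMPLATE % b64_digest("sha1", EXC_DUMP)

if __name__ == "__main__":
    for name, dump in (("exclusive", EXC_DUMP), ("inclusive", INC_DUMP)):
        print(name, check_dumps(sample_document(), {"#x": dump}))
```

A Reference whose dump does not hash to its DigestValue is the one to compare byte for byte against what the other side canonicalized.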