[xmlsec] Canonicalization and sha1 of a document part with xmlsec1

Si St sigbj-st at operamail.com
Fri Nov 11 10:05:05 PST 2011

Is sha1 in xmlsec1 after the canonicalization of the xmlfile-docpart to
sign identical to this:

cat xmlfile-docpart | openssl dgst -sha1 -binary | openssl enc -base64 >
If xmlfile-docpart is as simple as the following (letting out the

<?xml version="1.0" encoding="ISO-8859-1"?>

then the C14N of it cannot give anything more than this:


but doing the sha1 with openssl on this postC14N file (done with xmllint
--c14n),we get this digestvalue :
the digestvalue from running xmlsec1 sign on the preC14N+sigpart file
give this:

Does this mean the xmldsig#sha1 is something different from 'sha1sum'
and 'openssl -sha1'?
In case, what is the difference? That C14N puts in (empty) elements from
a xsd-scheme, or what?

I am talking about the DigestValue from the document part here, not the
DigestValue of the SignedInfo that disappears in the SignatureValue.

I thought that SHA1 = SHA1. Period.
  Si St
  sigbj-st at operamail.com

http://www.fastmail.fm - Choose from over 50 domains or use your own

More information about the xmlsec mailing list