[xmlsec] Canonicalization and sha1 of a document part with xmlsec1

Si St sigbj-st at operamail.com
Sat Nov 12 05:40:55 PST 2011


Thank You Aleksey.
I finally understood by changing your sha'd to sha1'ed. 
I can clearly see what is sha1'ed of the input-file. Between </Document>
and </MsgHead> where <Signature/> belongs, there are 2 spaces, 0x20.
That is the only difference between the result from xmlsec1
canonicalization and the 'xmllint --c14n' canonicalization. But still,
trying to run the 
openssl dgst -sha1 -binary | openssl enc -base64 
on the exactly hex-controlled copy of the --store-references dumped
PreDigest buffer part does not give the same DigestValue, and I so far
do not understand why.
-- 
  Si St
  sigbj-st at operamail.com


On Friday, November 11, 2011 10:49 AM, "Si St" <sigbj-st at operamail.com>
wrote:
> Well, of course I notice the reference here, but sorry, I am not able to
> understand how to use the information from that w3.org page, eventually
> what collides with the command openssl dgst -sha1.
> Sorry, my brain is njet harasjà; ploche.
> == Digest Method:
> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> -- 
>   Si St
>   sigbj-st at operamail.com
> 
> 
> On Friday, November 11, 2011 10:07 AM, "Aleksey Sanin"
> <aleksey at aleksey.com> wrote:
> > Run the xmlsec1 utility with --store-references to see what exactly is
> > sha'd
> > 
> > Aleksey
> > 
> > On 11/11/11 10:05 AM, Si St wrote:
> > > Is sha1 in xmlsec1 after the canonicalization of the xmlfile-docpart to
> > > sign identical to this:
> > >
> > > cat xmlfile-docpart | openssl dgst -sha1 -binary | openssl enc -base64 > xmlfile-docpart-digest
> > > ?
> > > If xmlfile-docpart is as simple as the following (letting out the
> > > signaturepart):
> > >
> > > <?xml version="1.0" encoding="ISO-8859-1"?>
> > > <MsgHead>
> > >    <Document>
> > >      <Krav/>
> > >    </Document>
> > > </MsgHead>
> > >
> > >
> > > then the C14N of it cannot give anything more than this:
> > >
> > > <MsgHead>
> > >    <Document>
> > >      <Krav></Krav>
> > >    </Document>
> > > </MsgHead>
> > >
> > > but doing the sha1 with openssl on this postC14N file (done with xmllint
> > > --c14n), we get this digest value:
> > > tkuyB5MHizGiQsl9ljG+YcPogOA=
> > > the digest value from running xmlsec1 sign on the preC14N+sigpart file
> > > gives this:
> > > pKl5h5ALLpm57qM8FeuQSaa4Ogk=
> > >
> > > Does this mean the xmldsig#sha1 is something different from 'sha1sum'
> > > and 'openssl -sha1'?
> > > In case, what is the difference? That C14N puts in (empty) elements from
> > > an XSD schema, or what?
> > >
> > > I am talking about the DigestValue from the document part here, not the
> > > DigestValue of the SignedInfo that disappears in the SignatureValue.
> > >
> > > I thought that SHA1 = SHA1. Period.
> > 
> 
> -- 
> http://www.fastmail.fm - Send your email first class
> 

-- 
http://www.fastmail.fm - One of many happy users:
  http://www.fastmail.fm/docs/quotes.html
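The following is an added example, not code from the thread or from the xmlsec project. It reproduces, with only the Python standard library, how an XML DSig reference digest is formed (enveloped-signature transform, inclusive C14N, SHA-1, base64) and makes the whitespace point of the thread visible: the enveloped-signature transform removes the Signature element but leaves the whitespace text nodes that surrounded it, so the canonical bytes of the signed file are not the canonical bytes of the never-signed file, and the two DigestValues differ. The two documents are constructed to mirror the thread's MsgHead/Document/Krav sample; the Signature element is an empty placeholder in the standard xmldsig namespace placed where the thread says it sits, and the exact whitespace residue depends on the file's indentation (three spaces and a newline here, two spaces in the poster's file).

```python
"""Added example (not from the xmlsec thread): XML DSig reference digest
step by step, showing why `openssl dgst -sha1` over `xmllint --c14n` output
of the unsigned file need not equal the DigestValue xmlsec1 computes over
the signed file once the enveloped-signature transform has been applied."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the document part as the thread shows it, never signed.
UNSIGNED = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<MsgHead>
   <Document>
     <Krav/>
   </Document>
</MsgHead>
"""

# Constructed sample: the same document with a placeholder Signature element
# between </Document> and </MsgHead>, the position described in the thread.
SIGNED = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<MsgHead>
   <Document>
     <Krav/>
   </Document>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</MsgHead>
"""


def c14n(xml_data):
    """Inclusive Canonical XML 1.0 without comments (what xmllint --c14n emits):
    the XML declaration is dropped, <Krav/> becomes <Krav></Krav>, and
    whitespace text nodes inside the root element are kept verbatim."""
    return ET.canonicalize(xml_data=xml_data)


def digest_value(canonical_text):
    """DigestValue = base64(SHA-1(canonical form)). C14N output is always
    UTF-8, whatever encoding the source file declared (ISO-8859-1 here), so
    the hash is taken over the UTF-8 bytes, not over the raw file bytes."""
    raw = hashlib.sha1(canonical_text.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def enveloped_signature_transform(signed_xml):
    """Emulate the enveloped-signature transform: remove the Signature element
    but keep the text nodes around it. ElementTree keeps the text that follows
    an element in its .tail, so that tail is re-attached to the preceding
    sibling (or to the parent's .text) before the element is removed; dropping
    it would silently change the bytes that get hashed."""
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{{{DSIG_NS}}}Signature")  # direct child of the root here
    if sig is None:
        raise ValueError("no Signature element found")
    children = list(root)
    idx = children.index(sig)
    if idx > 0:
        children[idx - 1].tail = (children[idx - 1].tail or "") + (sig.tail or "")
    else:
        root.text = (root.text or "") + (sig.tail or "")
    root.remove(sig)
    return ET.tostring(root, encoding="unicode")


def compare():
    """Canonical forms and digests of both documents, for side-by-side inspection."""
    unsigned_c14n = c14n(UNSIGNED)
    signed_c14n = c14n(enveloped_signature_transform(SIGNED))
    return {
        "unsigned_c14n": unsigned_c14n,
        "signed_c14n": signed_c14n,
        "unsigned_digest": digest_value(unsigned_c14n),
        "signed_digest": digest_value(signed_c14n),
    }


if __name__ == "__main__":
    r = compare()
    print("canonical form, unsigned file:", repr(r["unsigned_c14n"]))
    print("canonical form, signed file  :", repr(r["signed_c14n"]))
    print("DigestValue, unsigned file   :", r["unsigned_digest"])
    print("DigestValue, signed file     :", r["signed_digest"])
    print("identical:", r["unsigned_digest"] == r["signed_digest"])
```

Printing the canonical forms with `repr` is the quick way to spot the residue the poster saw with a hex dump: the signed document canonicalizes to the unsigned one plus the whitespace that used to surround the Signature element, and that alone changes the SHA-1. When comparing against xmlsec1, the buffer dumped by `--store-references` is the right input for `openssl dgst -sha1 -binary | openssl enc -base64`; any trailing newline a text editor or `cat` adds to the dump, or a file saved in a non-UTF-8 encoding with non-ASCII content, will again produce a different digest.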


