[xmlsec] How to control C14N

Rich Duzenbury duzenbury at gmail.com
Mon May 14 11:58:35 PDT 2012


I'm attempting to generate an identity provider assertion that will
work with RSA FIM.

Here is a recent assertion, ready to be signed:

Here is that same assertion, signed:

I use xmlsec to do the signing.  I can validate the signature via
xmlsec.  That is to say, the validation runs and returns a good
result.  If I change a byte in the output document, the signature
validation fails, as should be expected.  However, RSA FIM doesn't
like it, and throws a NULL exception.  I don't have access to more
than a stack trace.

I have doubt about whether I set up the signature block correctly.
Here is my <signature> template:

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

I presume enveloped signature means to sign the whole message, right?
Is it enough to simply include <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> in the signature
method, and the canonicalization will magically be done by the library?
Or do I have to signal xmlsec to do it in some way? Or does it have to
be done with a different tool before the signing is completed?  Have I
built this correctly?

I'm using the command line for now, by the way, if that makes any real

Thank you.
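For comparison, below is a complete xmlsec1 template for an enveloped signature; it is an added example, not the poster's template or code from the xmlsec project. It reuses the algorithm URIs from the post; the KeyInfo block is an assumption, and the empty elements are the ones xmlsec1 fills in at signing time.

```xml
<!-- Added example template (not from the original post): xmlsec1 fills in
     the empty DigestValue, SignatureValue and X509Data at signing time. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <!-- This controls how SignedInfo itself is canonicalized before it is
         signed. xmlsec applies it; no external canonicalization tool is
         needed. -->
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <!-- URI="" references the whole document that contains this Signature.
         Note: SAML 2.0 (core, section 5.4.2) requires a same-document
         reference to the signed element's ID attribute instead, i.e.
         URI="#<assertion ID>", which needs --id-attr:ID on the xmlsec1
         command line. -->
    <ds:Reference URI="">
      <ds:Transforms>
        <!-- Strips the Signature element from the data before digesting;
             without it the digest would cover the not-yet-computed
             SignatureValue and could never verify. -->
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <!-- Canonicalization of the referenced data happens here, in
             transform order, after the enveloped-signature transform. -->
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue/>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue/>
  <!-- Optional (assumption): xmlsec1 populates X509Data with the
       certificate when one is supplied alongside the private key. -->
  <ds:KeyInfo>
    <ds:X509Data/>
  </ds:KeyInfo>
</ds:Signature>
```

With this template embedded in the assertion, `xmlsec1 --sign --privkey-pem key.pem,cert.pem --output signed.xml template.xml` fills in the empty elements, and `xmlsec1 --verify --trusted-pem cert.pem signed.xml` checks the result.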
