[xmlsec] How to control C14N
aleksey at aleksey.com
Tue May 15 21:02:59 PDT 2012
You probably want to contact RSA FIM to figure out what this
On 5/14/12 11:58 AM, Rich Duzenbury wrote:
> I'm attempting to generate an identity provider assertion that will
> work with RSA FIM.
> Here is a recent assertion, ready to be signed:
> Here is that same assertion, signed:
> I use xmlsec to do the signing. I can validate the signature via
> xmlsec. That is to say, the validation runs and returns a good
> result. If I change a byte in the output document, the signature
> validation fails, as should be expected. However, RSA FIM doesn't
> like it, and throws a NULL exception. I don't have access to more
> than a stack trace.
> I have doubt about whether I set up the signature block correctly.
> Here is my <signature> template:
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="">
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> I presume enveloped signature means to sign the whole message, right?
> Is it enough to simply include <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> in the signature
> method, and the canonicalization will magically be done by the library?
> Or do I have to signal xmlsec to do it in some way? Or does it have to
> be done with a different tool before the signing is completed? Have I
> built this correctly?
> I'm using the command line for now, by the way, if that makes any real
> Thank you.
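An added example, not part of the original thread: a structural check for an enveloped XML-DSig signing template of the kind asked about above. In XML-DSig the transforms listed under a `ds:Reference` are applied by the signing library when it computes the digest, so what can be checked before signing is that the template declares them in the right places. The `Assertion` wrapper, its namespace and the name `check_template` are assumptions made for illustration; the script checks structure only and does no signing.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
ENVELOPED = DS + "enveloped-signature"
# Constructed sample: hypothetical <Assertion> wrapper around an unsigned template.
TEMPLATE = f"""<Assertion xmlns="urn:example:constructed">
 <ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
   <ds:Reference URI="">
    <ds:Transforms>
     <ds:Transform Algorithm="{ENVELOPED}"/>
     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="{DS}sha1"/>
    <ds:DigestValue/>
   </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue/>
 </ds:Signature>
</Assertion>"""

def check_template(xml_text):
    """Return the structural problems found in an XML-DSig signing template."""
    # iter() also yields the root, so a bare <ds:Signature> document is handled.
    sig = next(ET.fromstring(xml_text).iter(f"{{{DS}}}Signature"), None)
    if sig is None:
        return ["no ds:Signature element"]
    si = sig.find("ds:SignedInfo", NS)
    if si is None:
        return ["ds:Signature has no ds:SignedInfo child"]
    problems = [f"ds:SignedInfo lacks ds:{n}"
                for n in ("CanonicalizationMethod", "SignatureMethod", "Reference")
                if si.find(f"ds:{n}", NS) is None]
    if sig.find("ds:SignatureValue", NS) is None:
        problems.append("no ds:SignatureValue placeholder")
    for ref in si.findall("ds:Reference", NS):
        uri = ref.get("URI")
        if ref.find("ds:Transform", NS) is not None:
            problems.append(f'Reference URI="{uri}": ds:Transform outside ds:Transforms')
        algs = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
        # URI="" selects the whole document, which contains the signature itself.
        if uri == "" and ENVELOPED not in algs:
            problems.append('Reference URI="": no enveloped-signature transform')
        problems += [f'Reference URI="{uri}": no ds:{n}'
                     for n in ("DigestMethod", "DigestValue")
                     if ref.find(f"ds:{n}", NS) is None]
    return problems
```

`check_template(TEMPLATE)` returns an empty list for the constructed template; any string it returns names the element to add before handing the file to the signer.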