[xmlsec] How to control C14N

Rich Duzenbury duzenbury at gmail.com
Wed May 16 06:40:47 PDT 2012

On Tue, May 15, 2012 at 11:02 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> You probably want to contact RSA FIM to figure out what this
> exception means.

RSA responded with: You must get the partner to change so that they
are signing the responses only.

Based on the template I mentioned previously, and the fact that the
reference URI is emtpy, doesn't that mean that I'm signing the entire
response?  As a test, I used the online validator successfully.  If I
update the issueinstant in the <response> tag, the validator then
fails the message as I expect.

I'm still unclear on the following, as well:

I presume enveloped signature means to sign the whole message, right?
Is it enough to simply include <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> in the signature
method, and the conicalization will magically be done by the library?
Or do I have to signal xmlsec to do it in some way? or does it have
tobe done with a different tool before the signing is completed?

Thank you.


More information about the xmlsec mailing list