[xmlsec] About Canonicalization and Digest

Neko akitsukineko at gmail.com
Sat Jun 2 10:34:47 PDT 2012

Dear Aleksey

I have a question about Canonicalization and Digest while using xmlsec1 to
sign template xml file.
According to my understanding of xml signature spec provided by W3C, source
xml file needs Canonicalization(applied to the entire xml) before
calculating Digest.

The template file looks like this:

<?xml version="1.0"?>
<root xmlns="..."><node>text</node><node><node><node>text</node><node
>dlink</node></node><node>text</node></node><Signature xmlns="
        <CanonicalizationMethod Algorithm="
        <SignatureMethod Algorithm="
        <Reference URI="">
                <Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1
    <SignatureValue />
        <KeyValue />
(to verify my understanding, there's no space and line changing between
data nodes)

In the result, xmlsec1 put desired values into proper fields, while the
original data remains the same, like:

<root xmlns="..."><node>text</node><node><node><node>text</node><node

However, I tried to do the Canonicalization with libxml, and the result is
like:(neglect signature node)

<?xml version="1.0"?>

which leads to different digest value.
Do I misunderstand something, or the way I used xmlsec1 is wrong?

Thank you

How I do the Canonicalization with libxml:
 get nodeset by:
 then get Canonicalization by:
  xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1,
  xmlDocPtr c14ndoc = xmlParseMemory(c14nbuffer->content,c14nbuffer->use);
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20120603/a1220041/attachment.html>

More information about the xmlsec mailing list