[xmlsec] About Canonicalization and Digest

Aleksey Sanin aleksey at aleksey.com
Sat Jun 2 10:48:28 PDT 2012


" ... source xml file needs Canonicalization(applied to the entire xml) ..."

That's not quite correct. You cannot use the "entire xml" because the
insertion of the signature changes it and the digest match during
verification would fail.

This is the part of the spec that talks about it:

http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel


Aleksey

On 6/2/12 10:34 AM, Neko wrote:
> Dear Aleksey
> 
> I have a question about Canonicalization and Digest while using xmlsec1
> to sign a template xml file.
> According to my understanding of the xml signature spec provided by W3C,
> the source xml file needs Canonicalization (applied to the entire xml) before
> calculating the Digest.
> 
> The template file looks like this:
> 
> <?xml version="1.0"?>
> <root
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature
> xmlns="http://www.w3.org/2000/09/xmldsig#">
>    <SignedInfo>
>         <CanonicalizationMethod
> Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
>         <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <Reference URI="">
>             <Transforms>
>                 <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>             </Transforms>
>             <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <DigestValue></DigestValue>
>         </Reference>
>     </SignedInfo>
>     <SignatureValue />
>     <KeyInfo>
>         <KeyValue />
>     </KeyInfo>
> </Signature></root>
> (to verify my understanding, there are no spaces or line breaks between
> data nodes)
> 
> In the result, xmlsec1 puts the desired values into the proper fields, while the
> original data remains the same, like:
> 
> <root
> xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...</root>
> 
> However, I tried to do the Canonicalization with libxml, and the result
> is like this (ignoring the signature node):
> 
> <?xml version="1.0"?>
> <node>
>   <node>text</node>
>   <node>
>     <node>
>       <node>text</node>
>       <node>text</node>
>     </node>
>     <node>text</node>
>   </node>
> </node>
> 
> which leads to a different digest value.
> Do I misunderstand something, or is the way I used xmlsec1 wrong?
> 
> Thank you
> 
> 
> How I do the Canonicalization with libxml:
>  get the node-set by (the set has to include attribute and namespace nodes
>  as well, otherwise xmlC14NDocSaveTo leaves them out of the output):
>   xmlXPathObjectPtr xpathresult = xmlXPathEvalExpression(
>       BAD_CAST "(//. | //@* | //namespace::*)", context);
>  then get the Canonicalization by (mode 2 is XML_C14N_1_1, with comments):
>   xmlBufferPtr c14nbuffer = xmlBufferCreate();
>   xmlOutputBufferPtr c14noutputbuffer = xmlOutputBufferCreateBuffer(c14nbuffer, NULL);
>   xmlC14NDocSaveTo(doc, xpathresult->nodesetval, XML_C14N_1_1, NULL, 1,
>                    c14noutputbuffer);
>   xmlOutputBufferClose(c14noutputbuffer);   /* flush into c14nbuffer */
>   xmlDocPtr c14ndoc = xmlParseMemory((const char *) c14nbuffer->content,
>                                      c14nbuffer->use);
> 
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
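Aleksey's point above, restated as a runnable illustration. This is an added example written for this page in plain Python (standard library only); it is not xmlsec1 or libxml2 code. It builds a template like Neko's, applies the enveloped-signature transform by dropping the ds:Signature subtree from the node-set, canonicalizes what is left and computes the SHA-1 DigestValue; it then shows that this digest is the same before and after the Signature fields are filled in, that a digest over the whole document is not, and that canonicalization does not remove whitespace between data nodes. Assumptions: the namespace urn:example:doc stands in for the "..." of the template; the standard library's canonicalize() implements C14N 2.0 rather than the C14N 1.1 named in the template (for a document like this one, with a single default namespace and no DTD or xml:base, both give the same octets); the RSA SignatureValue is replaced by a labelled placeholder, since producing it needs a key and is not what the digest question is about.

```python
"""Reference processing for an enveloped XML Signature, done with the Python
standard library only. Added example for this thread; not xmlsec1/libxml2 code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS
DIGEST_VALUE_TAG = "{%s}DigestValue" % DSIG_NS

# Constructed sample data modelled on the template in the thread. The
# namespace urn:example:doc is an assumption standing in for the "..." there.
# DATA has no whitespace between data nodes; DATA_PRETTY is the same tree
# pretty-printed, which canonicalization does NOT undo.
DATA = ('<root xmlns="urn:example:doc"><node>text</node><node><node>'
        '<node>text</node><node>dlink</node></node><node>text</node></node>')
DATA_PRETTY = ('<root xmlns="urn:example:doc">\n  <node>text</node>\n  <node>\n'
               '    <node>\n      <node>text</node>\n      <node>dlink</node>\n'
               '    </node>\n    <node>text</node>\n  </node>\n')

# The Signature block as in the template: indented, with two fields to fill in.
SIGNATURE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>%s</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>%s</SignatureValue>
  <KeyInfo><KeyValue/></KeyInfo>
</Signature>"""


def unsigned_document(data=DATA):
    """The data alone, i.e. what the signer is actually vouching for."""
    return '<?xml version="1.0"?>' + data + "</root>"


def template_document(data=DATA, digest_value="", signature_value=""):
    """The data with an enveloped Signature element appended inside root."""
    return ('<?xml version="1.0"?>' + data
            + SIGNATURE % (digest_value, signature_value) + "</root>")


def reference_octets(xml_text, enveloped=True, with_comments=True):
    """Octets the Reference digest is taken over.

    enveloped=True applies the enveloped-signature transform: the whole
    ds:Signature subtree is dropped from the node-set, then the rest is
    canonicalized. enveloped=False canonicalizes the entire document, which
    is the mistake discussed in the thread.
    Assumption: ET.canonicalize() implements C14N 2.0, not the C14N 1.1 the
    template names; for this input (one default namespace, no DTD, no
    xml:base) both yield the same octets.
    """
    exclude = [SIGNATURE_TAG] if enveloped else None
    text = ET.canonicalize(xml_text, with_comments=with_comments,
                           exclude_tags=exclude)
    return text.encode("utf-8")


def reference_digest(xml_text, enveloped=True):
    """Base64 SHA-1 of the reference octets, as stored in <DigestValue>."""
    digest = hashlib.sha1(reference_octets(xml_text, enveloped)).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_template(data=DATA):
    """Signer side: fill DigestValue from the transformed octets. The RSA
    SignatureValue needs a key and is not the question here, so a labelled
    placeholder is written instead (assumption, not a real signature)."""
    digest_value = reference_digest(template_document(data))
    return template_document(data, digest_value, "PLACEHOLDER-NOT-A-SIGNATURE")


def verify_reference(signed_xml):
    """Verifier side: apply the same transform to the signed document,
    recompute the digest and compare it with the stored DigestValue."""
    stored = ET.fromstring(signed_xml).find(".//" + DIGEST_VALUE_TAG).text or ""
    return stored == reference_digest(signed_xml)


if __name__ == "__main__":
    signed = sign_template()
    print(reference_octets(signed).decode("utf-8"))
    print("DigestValue:", reference_digest(signed))
    print("reference verifies:", verify_reference(signed))
    print("same digest as for the data alone:",
          reference_digest(signed) == reference_digest(unsigned_document()))
    print("whole-document digest changed by signing:",
          reference_digest(template_document(), enveloped=False)
          != reference_digest(signed, enveloped=False))
    print("pretty-printed data gives another digest:",
          reference_digest(unsigned_document(DATA_PRETTY))
          != reference_digest(unsigned_document()))
```

The verifier has to run the same Transforms as the signer before canonicalizing; a digest over the whole document, as in the libxml snippet quoted above, covers the Signature element itself and therefore changes the moment xmlsec1 writes DigestValue and SignatureValue into it. Whitespace between data nodes, on the other hand, is signed content: canonicalization does not reformat it, so a pretty-printed copy of the data is a different document with a different digest.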
