[xmlsec] About Canonicalization and Digest

Neko akitsukineko at gmail.com
Sat Jun 2 13:06:46 PDT 2012


Thank you very very much, the option will help me a lot!
And I just found the problem with my output from libxml.
The content of the xmlOutputBuffer created by xmlC14NDocSaveTo is the same as
xmlsec's Canonicalization result.
But xmlParseMemory changes the content by adding whitespace and line
breaks to make it more readable. (The API says nothing about this.)
Sorry, I should have checked the content all along the process.
Again, thank you very much.

2012/6/3 Aleksey Sanin <aleksey at aleksey.com>

> The xmlsec1 tool has an option --store-references that shows exactly
> what was digested. Run it and see for yourself.
>
> Aleksey
>
> On 6/2/12 12:33 PM, Neko wrote:
> > But the DigestValue is the digest of the original xml content,
> > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>
> >
> > Does it mean that the Canonicalization result I got is not the correct one?
> > <?xml version="1.0"?>
> > <node>
> >   <node>text</node>
> >   <node>
> >     <node>
> >       <node>text</node>
> >       <node>text</node>
> >     </node>
> >     <node>text</node>
> >   </node>
> > </node>
> >
> > Thank you for answering
> >
> > 2012/6/3 Aleksey Sanin <aleksey at aleksey.com>
> >
> >     Yes
> >
> >     Aleksey
> >
> >     On 6/2/12 11:55 AM, Neko wrote:
> >     >
> >     > Thank you for answering.
> >     > So if signing the node inside the xml file (same-document reference),
> >     >  first we have to get the XPath node-set,
> >     >  then do the Canonicalization on the node-set,
> >     >  and calculate the Digest of the Canonicalization result.
> >     > The original content of referenced node-set won't be changed.
> >     >
> >     > But in the test case
> >     > input
> >     >
> >     > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>
> >     >
> >     > Canonicalization form obtained from libxml2 (<CanonicalizationMethod
> >     > Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments">)
> >     >
> >     > <?xml version="1.0"?>
> >     > <node>
> >     >   <node>text</node>
> >     >   <node>
> >     >     <node>
> >     >       <node>text</node>
> >     >       <node>text</node>
> >     >     </node>
> >     >     <node>text</node>
> >     >   </node>
> >     > </node>
> >     >
> >     > Shouldn't the digest value be based on the second one?
> >     >
> >     > Thank you
> >     >
> >     >
> >     > 2012/6/3 Aleksey Sanin <aleksey at aleksey.com>
> >     >
> >     >     " ... source xml file needs Canonicalization (applied to the entire
> >     >     xml) ..."
> >     >
> >     >     That's not quite correct. You can not use the "entire xml" because the
> >     >     insertion of the signature changes it and the digest match during
> >     >     verification would fail.
> >     >
> >     >     This is the part of the spec that talks about it
> >     >
> >     >     http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel
> >     >
> >     >
> >     >     Aleksey
> >     >
> >     >     On 6/2/12 10:34 AM, Neko wrote:
> >     >     > Dear Aleksey
> >     >     >
> >     >     > I have a question about Canonicalization and Digest while using xmlsec1
> >     >     > to sign a template xml file.
> >     >     > According to my understanding of the xml signature spec provided by W3C,
> >     >     > the source xml file needs Canonicalization (applied to the entire xml)
> >     >     > before calculating the Digest.
> >     >     >
> >     >     > The template file looks like this:
> >     >     >
> >     >     > <?xml version="1.0"?>
> >     >     > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> >     >     >    <SignedInfo>
> >     >     >         <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
> >     >     >         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >     >     >         <Reference URI="">
> >     >     >             <Transforms>
> >     >     >                 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> >     >     >             </Transforms>
> >     >     >             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >     >     >             <DigestValue></DigestValue>
> >     >     >         </Reference>
> >     >     >     </SignedInfo>
> >     >     >     <SignatureValue />
> >     >     >     <KeyInfo>
> >     >     >         <KeyValue />
> >     >     >     </KeyInfo>
> >     >     > </Signature></root>
> >     >     > (to verify my understanding, there are no spaces or line breaks
> >     >     > between data nodes)
> >     >     >
> >     >     > In the result, xmlsec1 put the desired values into the proper fields,
> >     >     > while the original data remains the same, like:
> >     >     >
> >     >     > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>
> >     >     >
> >     >     > However, I tried to do the Canonicalization with libxml, and the
> >     >     > result is like (neglecting the signature node):
> >     >     >
> >     >     > <?xml version="1.0"?>
> >     >     > <node>
> >     >     >   <node>text</node>
> >     >     >   <node>
> >     >     >     <node>
> >     >     >       <node>text</node>
> >     >     >       <node>text</node>
> >     >     >     </node>
> >     >     >     <node>text</node>
> >     >     >   </node>
> >     >     > </node>
> >     >     >
> >     >     > which leads to a different digest value.
> >     >     > Do I misunderstand something, or is the way I used xmlsec1 wrong?
> >     >     >
> >     >     > Thank you
> >     >     >
> >     >     >
> >     >     > How I do the Canonicalization with libxml:
> >     >     >  get nodeset by:
> >     >     >   xmlXPathEvalExpression("/descendant-or-self::node()", context)
> >     >     >  then get Canonicalization by:
> >     >     >   xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1, c14noutputbuffer);
> >     >     >   xmlDocPtr c14ndoc = xmlParseMemory(c14nbuffer->content, c14nbuffer->use);
> >     >     >
> >     >     >
> >     >     >
> >     >     > _______________________________________________
> >     >     > xmlsec mailing list
> >     >     > xmlsec at aleksey.com
> >     >     > http://www.aleksey.com/mailman/listinfo/xmlsec
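The Reference processing model Aleksey points to (dereference URI="", apply the enveloped-signature transform, canonicalize, digest), worked through as an added Python example that is not from the thread or from xmlsec. It uses the standard library's C14N 2.0 canonicalizer as a stand-in for the c14n11#WithComments algorithm named in the template, and the document, the namespace urn:example and the filled-in DigestValue/SignatureValue strings are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def envelope(data, dv="", sv=""):
    """Build a constructed document shaped like the thread's template: data
    nodes followed by a minimal ds:Signature with Reference URI=""."""
    return ('<?xml version="1.0"?><root xmlns="urn:example">' + data +
            f'<Signature xmlns="{DSIG_NS}"><SignedInfo><Reference URI="">'
            f'<DigestValue>{dv}</DigestValue></Reference></SignedInfo>'
            f'<SignatureValue>{sv}</SignatureValue></Signature></root>')


def reference_digest(xml_text):
    """Reference processing model for URI="" plus enveloped-signature:
      1. dereference URI=""   -> the whole document (XML declaration excluded)
      2. enveloped-signature  -> drop the ds:Signature element
      3. canonicalize         -> stdlib C14N 2.0 here, standing in for the
                                 c14n11#WithComments algorithm in the template
      4. digest               -> SHA-1, the template's DigestMethod
    Returns (canonical octets as text, base64 DigestValue).
    Simplification: exclude_tags drops every ds:Signature, while the real
    transform removes only the Signature that contains this Reference."""
    canonical = ET.canonicalize(xml_text, with_comments=True,
                                exclude_tags={f"{{{DSIG_NS}}}Signature"})
    dv = base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest())
    return canonical, dv.decode("ascii")


# Data nodes as in the thread: no whitespace between elements.
COMPACT = ('<node>text</node><node><node><node>text</node><node>dlink</node>'
           '</node><node>text</node></node>')
# The same nodes after a pretty-printer indented them. The added whitespace
# is text-node content, so it survives canonicalization and alters the digest.
PRETTY = ('\n  <node>text</node>\n  <node>\n    <node>\n      <node>text</node>\n'
          '      <node>dlink</node>\n    </node>\n    <node>text</node>\n'
          '  </node>\n')

if __name__ == "__main__":
    canon, dv = reference_digest(envelope(COMPACT))
    print("digested octets:", canon)
    print("DigestValue    :", dv)
    # Filling DigestValue/SignatureValue later does not move the reference
    # digest: the Signature is removed before digesting (Aleksey's point).
    print("same after signing:", dv == reference_digest(envelope(COMPACT, "Zm9v", "YmFy"))[1])
    print("pretty-printed :", reference_digest(envelope(PRETTY))[1])
```

The first printed line is the byte sequence that actually gets hashed, which is what `--store-references` lets you inspect on the xmlsec1 side; compare it against the output of your own libxml2 pipeline before comparing digests.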