[xmlsec] How to reference KeyInfo and add SignedProperties?
Umberto Rustichelli aka Ubi
opensc at secure-edge.com
Thu Sep 6 00:25:36 PDT 2012
Hi all,
I'm new to XMLSEC (and just giving up writing my own library; I got lost
in the canonicalization labyrinth)...
Is it possible to use the current XMLSEC API for producing XML
signatures that comply with the ETSI specifications and the following:
1) have a Reference (in SignedInfo) to KeyInfo (KeyInfo obviously needs
an Id="...");
2) add the Object for QualifyingProperties (example later) and a
Reference to that too?
Thanks a lot for any suggestion / explanation!
This is an example of the aforementioned Object (target value is the Id
of the Signature):
<ds:Object>
  <xades:QualifyingProperties
      xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#sig">
    <xades:SignedProperties Id="sprop">
      <xades:SignedSignatureProperties>
        <xades:SigningTime>2012-08-23T10:11:24+02:00</xades:SigningTime>
      </xades:SignedSignatureProperties>
    </xades:SignedProperties>
  </xades:QualifyingProperties>
</ds:Object>
And this is how the whole should glue together:
<Envelope>
  <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      Encoding="UTF-8" Id="orig" MimeType="text/xml">blah blah blah...</ds:Object>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
          Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"></ds:CanonicalizationMethod>
      <ds:SignatureMethod
          Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
      <!-- the Reference to the object, must be expressed this way... -->
      <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"
          URI="#SignedProperties-Signer-T-1345709484789">
        <ds:DigestMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
        <ds:DigestValue>dRkQKf/Kqv/V8SZej/41+T6z4+4Pxus8wyPAFUaJM5E=</ds:DigestValue>
      </ds:Reference>
      <ds:Reference URI="#orig">blah blah blah...</ds:Reference>
      <ds:Reference URI="#crt">blah blah blah...</ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>blah blah blah...</ds:SignatureValue>
    <ds:KeyInfo Id="crt">
      <ds:X509Data><ds:X509Certificate>blah blah blah...</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo>
    <ds:Object>(...as indicated above...)</ds:Object>
  </ds:Signature>
</Envelope>
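Before handing such a template to xmlsec (which resolves `#id` URIs only against attributes it has been told are IDs, e.g. via `xmlSecAddIDs` or the CLI's `--id-attr`), a stdlib-only pre-flight check of the Id/URI wiring, added here as an example that is neither part of the post nor of xmlsec: it runs on a constructed template mirroring the post's layout and flags the mismatch visible above between the Reference URI `#SignedProperties-Signer-T-1345709484789` and the element's `Id="sprop"`.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XADES = "{http://uri.etsi.org/01903/v1.3.2#}"
SP_TYPE = "http://uri.etsi.org/01903#SignedProperties"

# Constructed template mirroring the post's layout (Ids: orig, sig, crt, sprop);
# {sp_uri} is filled in so both the mismatched and the corrected URI can be checked.
TEMPLATE = """<Envelope>
<ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="orig">payload</ds:Object>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig">
<ds:SignedInfo>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="{sp_uri}"/>
<ds:Reference URI="#orig"/><ds:Reference URI="#crt"/>
</ds:SignedInfo>
<ds:KeyInfo Id="crt"><ds:X509Data/></ds:KeyInfo>
<ds:Object><xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"
Target="#sig"><xades:SignedProperties Id="sprop"/></xades:QualifyingProperties></ds:Object>
</ds:Signature></Envelope>"""

def check_template(xml_text, id_attr="Id"):
    """Return the wiring problems found; empty means every same-document Reference
    resolves, the SignedProperties Reference has the ETSI Type, and Target hits the Signature."""
    root = ET.fromstring(xml_text)
    problems, ids = [], {}
    for el in root.iter():                      # collect every Id attribute in the document
        value = el.get(id_attr)
        if value is not None:
            if value in ids:                    # duplicates make URI resolution ambiguous
                problems.append(f"duplicate {id_attr}='{value}'")
            ids[value] = el
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):             # only same-document fragment URIs are checked
            continue
        target = ids.get(uri[1:])
        if target is None:
            problems.append(f"Reference URI='{uri}' resolves to no {id_attr}")
        elif target.tag == XADES + "SignedProperties" and ref.get("Type") != SP_TYPE:
            problems.append(f"Reference to '{uri}' lacks Type='{SP_TYPE}'")
    for qp in root.iter(XADES + "QualifyingProperties"):
        tgt = qp.get("Target", "")
        sig = ids.get(tgt[1:]) if tgt.startswith("#") else None
        if sig is None or sig.tag != DS + "Signature":
            problems.append(f"QualifyingProperties Target='{tgt}' is not the Signature Id")
    return problems

def check_post_layout(sp_uri):
    """Run the check on the constructed template with the given SignedProperties URI."""
    return check_template(TEMPLATE.format(sp_uri=sp_uri))
```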