[xmlsec] How to reference KeyInfo and add SignedProperties?

Aleksey Sanin aleksey at aleksey.com
Thu Sep 6 08:34:13 PDT 2012


Yes, you just need to construct the right template to sign :) There was
a discussion a few years ago:

http://www.aleksey.com/pipermail/xmlsec/2008/008269.html

Aleksey

On 9/6/12 12:28 AM, Umberto Rustichelli aka Ubi wrote:
> 
> Ah! I forgot to fix...
> 
> The Reference URI is not URI="#SignedProperties-Signer-T-1345709484789"
> but URI="#sprop"
> 
> 
> On 09/06/2012 09:25 AM, Umberto Rustichelli aka Ubi wrote:
>>
>> Hi all,
>> I'm new to XMLSEC -and just giving up writing my own library (got lost
>> in the canonicalization labyrinth)...-
>>
>> Is it possible to use the current XMLSEC API for producing XML
>> signatures that comply with the ETSI specifications and the following:
>>
>> 1) have a Reference (in SignedInfo) to KeyInfo (KeyInfo obviously
>> needs an Id="...");
>>
>> 2) add the Object for QualifyingProperties (example later) and a
>> Reference to that too?
>>
>> Thanks a lot for any suggestion / explanation!
>>
>> This is an example of the aforementioned Object (target value is the
>> Id of the Signature):
>>
>>     <ds:Object>
>>       <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#sig">
>>         <xades:SignedProperties Id="sprop">
>>           <xades:SignedSignatureProperties>
>>             <xades:SigningTime>2012-08-23T10:11:24+02:00</xades:SigningTime>
>>           </xades:SignedSignatureProperties>
>>         </xades:SignedProperties>
>>       </xades:QualifyingProperties>
>>     </ds:Object>
>>
>> And this is how the whole should glue together:
>>
>> <Envelope>
>>   <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Encoding="UTF-8" Id="orig" MimeType="text/xml">blah blah blah...</ds:Object>
>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig">
>>     <ds:SignedInfo>
>>
>>       <!-- the Reference to the object, must be expressed this way... -->
>>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"></ds:CanonicalizationMethod>
>>
>>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
>>
>>       <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties-Signer-T-1345709484789">
>>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
>>         <ds:DigestValue>dRkQKf/Kqv/V8SZej/41+T6z4+4Pxus8wyPAFUaJM5E=</ds:DigestValue>
>>       </ds:Reference>
>>
>>       <ds:Reference URI="#orig">blah blah blah...</ds:Reference>
>>       <ds:Reference URI="#crt">blah blah blah...</ds:Reference>
>>
>>     </ds:SignedInfo>
>>
>>     <ds:SignatureValue>blah blah blah...</ds:SignatureValue>
>>
>>     <ds:KeyInfo Id="crt"><ds:X509Data><ds:X509Certificate>blah blah blah...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
>>
>>     <ds:Object>(...as indicated above...)</ds:Object>
>>
>>   </ds:Signature>
>> </Envelope>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
> 
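The "right template" Aleksey refers to is a Signature whose SignedInfo already carries the three References (to the data Object, to KeyInfo via its Id, and to the XAdES SignedProperties via its Id, with the ETSI Type attribute) and whose DigestValue and SignatureValue elements are left empty for xmlsec to fill in. The following is an added example, not code from the thread or from the xmlsec project: it builds such a template with only the Python standard library, using the Ids from the posted message ("sig", "crt", "sprop", "orig"), and then checks the thing that most often breaks this kind of signature, namely that every same-document URI resolves to exactly one element carrying that Id and that the QualifyingProperties Target points back at the Signature. The payload text and the empty X509Certificate are constructed placeholders; the signing step itself is left to xmlsec.

```python
"""
XML-DSig/XAdES signature template with References to KeyInfo and to
SignedProperties, plus an Id/URI consistency check.  Added example using
only the standard library; xmlsec computes DigestValue/SignatureValue.
Ids follow the thread ("sig", "crt", "sprop", "orig"); the payload text is a
constructed placeholder.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
SIGNED_PROPS_TYPE = "http://uri.etsi.org/01903#SignedProperties"
ET.register_namespace("ds", DS)
ET.register_namespace("xades", XADES)


def ds(tag):
    """Clark-notation name in the XML-DSig namespace."""
    return f"{{{DS}}}{tag}"


def xades(tag):
    """Clark-notation name in the XAdES 1.3.2 namespace."""
    return f"{{{XADES}}}{tag}"


def add_reference(signed_info, uri, ref_type=None):
    """Append a ds:Reference with an empty DigestValue for xmlsec to fill in."""
    ref = ET.SubElement(signed_info, ds("Reference"), URI=uri)
    if ref_type:
        ref.set("Type", ref_type)
    ET.SubElement(ref, ds("DigestMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, ds("DigestValue"))  # left empty on purpose
    return ref


def build_template(signing_time, sig_id="sig", key_id="crt",
                   props_id="sprop", data_id="orig"):
    """Return an Envelope holding the data Object and the unsigned template."""
    envelope = ET.Element("Envelope")
    data = ET.SubElement(envelope, ds("Object"), Id=data_id,
                         MimeType="text/xml", Encoding="UTF-8")
    data.text = "payload goes here (constructed placeholder)"

    sig = ET.SubElement(envelope, ds("Signature"), Id=sig_id)
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"),
                  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments")
    ET.SubElement(si, ds("SignatureMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    # 1) the XAdES SignedProperties reference carries the ETSI Type
    add_reference(si, "#" + props_id, ref_type=SIGNED_PROPS_TYPE)
    # 2) the data Object and 3) KeyInfo are referenced by their Ids
    add_reference(si, "#" + data_id)
    add_reference(si, "#" + key_id)
    ET.SubElement(sig, ds("SignatureValue"))  # filled in by xmlsec

    key_info = ET.SubElement(sig, ds("KeyInfo"), Id=key_id)  # Id so it can be referenced
    x509 = ET.SubElement(key_info, ds("X509Data"))
    ET.SubElement(x509, ds("X509Certificate"))  # xmlsec inserts the signer certificate

    obj = ET.SubElement(sig, ds("Object"))
    qp = ET.SubElement(obj, xades("QualifyingProperties"), Target="#" + sig_id)
    sp = ET.SubElement(qp, xades("SignedProperties"), Id=props_id)
    ssp = ET.SubElement(sp, xades("SignedSignatureProperties"))
    ET.SubElement(ssp, xades("SigningTime")).text = signing_time
    return envelope


def check_references(root):
    """Return a list of problems; empty means the Id/URI wiring is consistent."""
    ids = {}
    for el in root.iter():
        if "Id" in el.attrib:
            ids.setdefault(el.attrib["Id"], []).append(el.tag)
    problems = []
    for ref in root.iter(ds("Reference")):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            continue  # only same-document references are checked here
        hits = ids.get(uri[1:], [])
        if len(hits) != 1:
            problems.append(f"{uri}: {len(hits)} element(s) carry that Id")
        elif ref.get("Type") == SIGNED_PROPS_TYPE and hits[0] != xades("SignedProperties"):
            problems.append(f"{uri}: typed as SignedProperties but points at {hits[0]}")
    qp = root.find(".//" + xades("QualifyingProperties"))
    sig = root.find(".//" + ds("Signature"))
    sig_id = sig.get("Id", "") if sig is not None else ""
    if qp is not None and qp.get("Target") != "#" + sig_id:
        problems.append("QualifyingProperties/@Target does not point at the Signature Id")
    return problems


if __name__ == "__main__":
    template = build_template("2012-08-23T10:11:24+02:00")
    print(ET.tostring(template, encoding="unicode"))
    print("problems:", check_references(template))
```

The serialized template is what gets handed to xmlsec for signing; since xmlsec only treats an attribute as an ID once it has been told to, the `xmlsec1` command line needs its `--id-attr` option (syntax per `xmlsec1 --help`: `--id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>`) for each element whose Id is referenced, including the namespaced `xades:SignedProperties`. The consistency check is worth keeping in a defender's toolbox: a Reference whose URI matches zero or several Ids is exactly the case a verifier must reject, and catching it before signing avoids producing signatures that look fine but never validate.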

