[xmlsec] How to reference KeyInfo and add SignedProperties?

Umberto Rustichelli aka Ubi opensc at secure-edge.com
Wed Sep 19 03:43:44 PDT 2012 

On 09/06/2012 05:34 PM, Aleksey Sanin wrote:
> Yes, you just need to construct the right template to sign :)

Sorry, Sanin, yet the discussion you pointed to was a bit unhelpful.
Now, I'm trying to write my code based on example 2 but there is 
something for sure that I'm missing, probably because I quite don't know 
much about XML.
Just for starting, I intended to skip the use of SignedProperties and 
SHA256, I wrote this trivial content (well, two, but they both failed):

---
<?xml version="1.0" encoding="UTF-8" ?>
<Envelope xmlns="urn:envelope"><Data Id="orig">my stuff</Data></Envelope>
---
(also tried this one)
<?xml version="1.0" encoding="UTF-8" ?>
<Envelope xmlns="urn:envelope">
   <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
Encoding="UTF-8" Id="orig" MimeType="text/xml"><test>my 
stuff</test></ds:Object>
</Envelope>
---

and used the following code:

doc = xmlParseFile(xml_file);

// create signature template for RSA-SHA1 enveloped signature
signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId, 
xmlSecTransformRsaSha1Id, NULL);

// add <dsig:Signature/> node to the doc
xmlAddChild(xmlDocGetRootElement(doc), signNode);

// add reference -Ubi: to what??? Let's say our node has Id 'orig'
refNode = xmlSecTmplSignatureAddReference(signNode, 
xmlSecTransformSha1Id, NULL, "#orig", NULL);

// add enveloped transform
xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId);

// add <dsig:KeyInfo/> -Ubi, we also want an ID
keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, "UbiKey");

// add reference to the key
refNode = xmlSecTmplSignatureAddReference(signNode, 
xmlSecTransformSha1Id, NULL, "#UbiKey", NULL);

// Ubi: can I do this? Put PEM-format certificate here
xmlNodeSetContent(x509DataCrtNode, crtpem);

// create signature context
dsigCtx = xmlSecDSigCtxCreate(NULL);

// load private key, assuming that there is not password
dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, 
xmlSecKeyDataFormatPem, NULL, NULL, NULL);

// Ubi: is this required? Set key name to the file name, this is just an 
example!
xmlSecKeySetName(dsigCtx->signKey, "UbiKey");

// sign the template
if (xmlSecDSigCtxSign(dsigCtx, signNode) < 0)
     { fprintf(stderr,"Error: signature failed\n"); goto done; }

I omitted the checks but they are in the code and there is no error 
reported (before "sign the template").
I thought that the idea of the tamplate was to put the Reference URIs so 
that the API will look for the related objects.

But running, I get (seems that passing the Id in the URI is not what I 
muast do):

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 
library function failed:expr=xpointer(id('orig'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec 
library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec 
library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec 
library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec 
library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec 
library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec 
library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec 
library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec 
library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec 
library function failed:
Error: signature failed

What is the issue?
Also, I seem to remember there is a function in libxml to set which is 
the ID attribute, because it may not be "Id", but I cannot find it any 
more. Has it anything to do with this?
Where am I wrong?

On 9/6/12 12:28 AM, Umberto Rustichelli aka Ubi wrote:
>> Ah! I forgot to fix...
>>
>> The Reference URI is not URI="#SignedProperties-Signer-T-1345709484789"
>> but URI="#sprop"
>>
>>
>> On 09/06/2012 09:25 AM, Umberto Rustichelli aka Ubi wrote:
>>> Hi all,
>>> I'm new to XMLSEC -and just giving up writing my own library (got lost
>>> in the canonicalization labyrinth)...-
>>>
>>> Is it possible to use the current XMLSEC API for producing XML
>>> signatures that comply with the ETSI specifications and the following:
>>>
>>> 1) have a Reference (in SignedInfo) to KeyInfo (KeyInfo obviously
>>> needs an Id="...");
>>>
>>> 2) add the Object for QualifyingProperties (example later) and a
>>> Reference to that too?
>>>
>>> Thanks a lot for any suggestion / explanation!
>>>
>>> This is an example of the aforementioned Object (target value is the
>>> Id of the Signature):
>>>
>>>      <ds:Object>
>>>        <xades:QualifyingProperties
>>> xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#sig">
>>>          <xades:SignedProperties Id="sprop">
>>>            <xades:SignedSignatureProperties>
>>> <xades:SigningTime>2012-08-23T10:11:24+02:00</xades:SigningTime>
>>>            </xades:SignedSignatureProperties>
>>>          </xades:SignedProperties>
>>>        </xades:QualifyingProperties>
>>>      </ds:Object>
>>>
>>> And this is how the whole should glue together:
>>>
>>> <Envelope>
>>>    <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>>> Encoding="UTF-8" Id="orig" MimeType="text/xml">blah blah
>>> blah...</ds:Object>
>>>    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig">
>>>      <ds:SignedInfo>
>>>
>>> <!-- the Reference to the object, must be expressed this way... -->
>>>        <ds:CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"></ds:CanonicalizationMethod>
>>>
>>>        <ds:SignatureMethod
>>> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
>>>
>>>        <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"
>>> URI="#SignedProperties-Signer-T-1345709484789">
>>>          <ds:DigestMethod
>>> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
>>> <ds:DigestValue>dRkQKf/Kqv/V8SZej/41+T6z4+4Pxus8wyPAFUaJM5E=</ds:DigestValue>
>>>
>>>        </ds:Reference>
>>>
>>>        <ds:Reference URI="#orig">blah blah blah...</ds:Reference>
>>>        <ds:Reference URI="#crt">blah blah blah...</ds:Reference>
>>>
>>>      </ds:SignedInfo>
>>>
>>>      <ds:SignatureValue>blah blah blah...</ds:SignatureValue>
>>>
>>>      <ds:KeyInfo Id="crt"><ds:X509Data><ds:X509Certificate>blah blah
>>> blah...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
>>>
>>>      <ds:Object>(...as indicated above...)</ds:Object>
>>>
>>>    </ds:Signature>
>>> </Envelope>
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list