[xmlsec] How to reference KeyInfo and add SignedProperties?

Umberto Rustichelli aka Ubi opensc at secure-edge.com
Wed Sep 19 03:43:44 PDT 2012

On 09/06/2012 05:34 PM, Aleksey Sanin wrote:
> Yes, you just need to construct the right template to sign :)

Sorry, Sanin, yet the discussion you pointed to was a bit unhelpful.
Now, I'm trying to write my code based on example 2 but there is 
something for sure that I'm missing, probably because I quite don't know 
much about XML.
Just for starting, I intended to skip the use of SignedProperties and 
SHA256, I wrote this trivial content (well, two, but they both failed):

<?xml version="1.0" encoding="UTF-8" ?>
<Envelope xmlns="urn:envelope"><Data Id="orig">my stuff</Data></Envelope>
(also tried this one)
<?xml version="1.0" encoding="UTF-8" ?>
<Envelope xmlns="urn:envelope">
   <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
Encoding="UTF-8" Id="orig" MimeType="text/xml"><test>my 

and used the following code:

doc = xmlParseFile(xml_file);

// create signature template for RSA-SHA1 enveloped signature
signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId, 
xmlSecTransformRsaSha1Id, NULL);

// add <dsig:Signature/> node to the doc
xmlAddChild(xmlDocGetRootElement(doc), signNode);

// add reference -Ubi: to what??? Let's say our node has Id 'orig'
refNode = xmlSecTmplSignatureAddReference(signNode, 
xmlSecTransformSha1Id, NULL, "#orig", NULL);

// add enveloped transform
xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId);

// add <dsig:KeyInfo/> -Ubi, we also want an ID
keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, "UbiKey");

// add reference to the key
refNode = xmlSecTmplSignatureAddReference(signNode, 
xmlSecTransformSha1Id, NULL, "#UbiKey", NULL);

// Ubi: can I do this? Put PEM-format certificate here
xmlNodeSetContent(x509DataCrtNode, crtpem);

// create signature context
dsigCtx = xmlSecDSigCtxCreate(NULL);

// load private key, assuming that there is not password
dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, 
xmlSecKeyDataFormatPem, NULL, NULL, NULL);

// Ubi: is this required? Set key name to the file name, this is just an 
xmlSecKeySetName(dsigCtx->signKey, "UbiKey");

// sign the template
if (xmlSecDSigCtxSign(dsigCtx, signNode) < 0)
     { fprintf(stderr,"Error: signature failed\n"); goto done; }

I omitted the checks but they are in the code and there is no error 
reported (before "sign the template").
I thought that the idea of the tamplate was to put the Reference URIs so 
that the API will look for the related objects.

But running, I get (seems that passing the Id in the URI is not what I 
muast do):

library function failed:expr=xpointer(id('orig'))
library function failed:
library function failed:
library function failed:
library function failed:transform=xpointer
library function failed:
library function failed:
library function failed:node=Reference
library function failed:
library function failed:
Error: signature failed

What is the issue?
Also, I seem to remember there is a function in libxml to set which is 
the ID attribute, because it may not be "Id", but I cannot find it any 
more. Has it anything to do with this?
Where am I wrong?

On 9/6/12 12:28 AM, Umberto Rustichelli aka Ubi wrote:
>> Ah! I forgot to fix...
>> The Reference URI is not URI="#SignedProperties-Signer-T-1345709484789"
>> but URI="#sprop"
>> On 09/06/2012 09:25 AM, Umberto Rustichelli aka Ubi wrote:
>>> Hi all,
>>> I'm new to XMLSEC -and just giving up writing my own library (got lost
>>> in the canonicalization labyrinth)...-
>>> Is it possible to use the current XMLSEC API for producing XML
>>> signatures that comply with the ETSI specifications and the following:
>>> 1) have a Reference (in SignedInfo) to KeyInfo (KeyInfo obviously
>>> needs an Id="...");
>>> 2) add the Object for QualifyingProperties (example later) and a
>>> Reference to that too?
>>> Thanks a lot for any suggestion / explanation!
>>> This is an example of the aforementioned Object (target value is the
>>> Id of the Signature):
>>>      <ds:Object>
>>>        <xades:QualifyingProperties
>>> xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#sig">
>>>          <xades:SignedProperties Id="sprop">
>>>            <xades:SignedSignatureProperties>
>>> <xades:SigningTime>2012-08-23T10:11:24+02:00</xades:SigningTime>
>>>            </xades:SignedSignatureProperties>
>>>          </xades:SignedProperties>
>>>        </xades:QualifyingProperties>
>>>      </ds:Object>
>>> And this is how the whole should glue together:
>>> <Envelope>
>>>    <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>>> Encoding="UTF-8" Id="orig" MimeType="text/xml">blah blah
>>> blah...</ds:Object>
>>>    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig">
>>>      <ds:SignedInfo>
>>> <!-- the Reference to the object, must be expressed this way... -->
>>>        <ds:CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"></ds:CanonicalizationMethod>
>>>        <ds:SignatureMethod
>>> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
>>>        <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"
>>> URI="#SignedProperties-Signer-T-1345709484789">
>>>          <ds:DigestMethod
>>> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
>>> <ds:DigestValue>dRkQKf/Kqv/V8SZej/41+T6z4+4Pxus8wyPAFUaJM5E=</ds:DigestValue>
>>>        </ds:Reference>
>>>        <ds:Reference URI="#orig">blah blah blah...</ds:Reference>
>>>        <ds:Reference URI="#crt">blah blah blah...</ds:Reference>
>>>      </ds:SignedInfo>
>>>      <ds:SignatureValue>blah blah blah...</ds:SignatureValue>
>>>      <ds:KeyInfo Id="crt"><ds:X509Data><ds:X509Certificate>blah blah
>>> blah...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
>>>      <ds:Object>(...as indicated above...)</ds:Object>
>>>    </ds:Signature>
>>> </Envelope>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list