[xmlsec] How to reference KeyInfo and add SignedProperties?

Aleksey Sanin aleksey at aleksey.com
Wed Sep 19 08:27:47 PDT 2012 

Read the FAQ :)

http://www.aleksey.com/xmlsec/faq.html

Aleksey

On 9/19/12 3:43 AM, Umberto Rustichelli aka Ubi wrote:
> On 09/06/2012 05:34 PM, Aleksey Sanin wrote:
>> Yes, you just need to construct the right template to sign :)
> 
> Sorry, Sanin, yet the discussion you pointed to was a bit unhelpful.
> Now, I'm trying to write my code based on example 2 but there is
> something for sure that I'm missing, probably because I quite don't know
> much about XML.
> Just for starting, I intended to skip the use of SignedProperties and
> SHA256, I wrote this trivial content (well, two, but they both failed):
> 
> ---
> <?xml version="1.0" encoding="UTF-8" ?>
> <Envelope xmlns="urn:envelope"><Data Id="orig">my stuff</Data></Envelope>
> ---
> (also tried this one)
> <?xml version="1.0" encoding="UTF-8" ?>
> <Envelope xmlns="urn:envelope">
>   <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Encoding="UTF-8" Id="orig" MimeType="text/xml"><test>my
> stuff</test></ds:Object>
> </Envelope>
> ---
> 
> and used the following code:
> 
> doc = xmlParseFile(xml_file);
> 
> // create signature template for RSA-SHA1 enveloped signature
> signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
> xmlSecTransformRsaSha1Id, NULL);
> 
> // add <dsig:Signature/> node to the doc
> xmlAddChild(xmlDocGetRootElement(doc), signNode);
> 
> // add reference -Ubi: to what??? Let's say our node has Id 'orig'
> refNode = xmlSecTmplSignatureAddReference(signNode,
> xmlSecTransformSha1Id, NULL, "#orig", NULL);
> 
> // add enveloped transform
> xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId);
> 
> // add <dsig:KeyInfo/> -Ubi, we also want an ID
> keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, "UbiKey");
> 
> // add reference to the key
> refNode = xmlSecTmplSignatureAddReference(signNode,
> xmlSecTransformSha1Id, NULL, "#UbiKey", NULL);
> 
> // Ubi: can I do this? Put PEM-format certificate here
> xmlNodeSetContent(x509DataCrtNode, crtpem);
> 
> // create signature context
> dsigCtx = xmlSecDSigCtxCreate(NULL);
> 
> // load private key, assuming that there is not password
> dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file,
> xmlSecKeyDataFormatPem, NULL, NULL, NULL);
> 
> // Ubi: is this required? Set key name to the file name, this is just an
> example!
> xmlSecKeySetName(dsigCtx->signKey, "UbiKey");
> 
> // sign the template
> if (xmlSecDSigCtxSign(dsigCtx, signNode) < 0)
>     { fprintf(stderr,"Error: signature failed\n"); goto done; }
> 
> I omitted the checks but they are in the code and there is no error
> reported (before "sign the template").
> I thought that the idea of the tamplate was to put the Reference URIs so
> that the API will look for the related objects.
> 
> But running, I get (seems that passing the Id in the URI is not what I
> muast do):
> 
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
> library function failed:expr=xpointer(id('orig'))
> func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec
> library function failed:
> func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec
> library function failed:
> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec
> library function failed:
> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec
> library function failed:transform=xpointer
> func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec
> library function failed:
> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
> library function failed:node=Reference
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature failed
> 
> What is the issue?
> Also, I seem to remember there is a function in libxml to set which is
> the ID attribute, because it may not be "Id", but I cannot find it any
> more. Has it anything to do with this?
> Where am I wrong?
> 
> On 9/6/12 12:28 AM, Umberto Rustichelli aka Ubi wrote:
>>> Ah! I forgot to fix...
>>>
>>> The Reference URI is not URI="#SignedProperties-Signer-T-1345709484789"
>>> but URI="#sprop"
>>>
>>>
>>> On 09/06/2012 09:25 AM, Umberto Rustichelli aka Ubi wrote:
>>>> Hi all,
>>>> I'm new to XMLSEC -and just giving up writing my own library (got lost
>>>> in the canonicalization labyrinth)...-
>>>>
>>>> Is it possible to use the current XMLSEC API for producing XML
>>>> signatures that comply with the ETSI specifications and the following:
>>>>
>>>> 1) have a Reference (in SignedInfo) to KeyInfo (KeyInfo obviously
>>>> needs an Id="...");
>>>>
>>>> 2) add the Object for QualifyingProperties (example later) and a
>>>> Reference to that too?
>>>>
>>>> Thanks a lot for any suggestion / explanation!
>>>>
>>>> This is an example of the aforementioned Object (target value is the
>>>> Id of the Signature):
>>>>
>>>>      <ds:Object>
>>>>        <xades:QualifyingProperties
>>>> xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#sig">
>>>>          <xades:SignedProperties Id="sprop">
>>>>            <xades:SignedSignatureProperties>
>>>> <xades:SigningTime>2012-08-23T10:11:24+02:00</xades:SigningTime>
>>>>            </xades:SignedSignatureProperties>
>>>>          </xades:SignedProperties>
>>>>        </xades:QualifyingProperties>
>>>>      </ds:Object>
>>>>
>>>> And this is how the whole should glue together:
>>>>
>>>> <Envelope>
>>>>    <ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>>>> Encoding="UTF-8" Id="orig" MimeType="text/xml">blah blah
>>>> blah...</ds:Object>
>>>>    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>>>> Id="sig">
>>>>      <ds:SignedInfo>
>>>>
>>>> <!-- the Reference to the object, must be expressed this way... -->
>>>>        <ds:CanonicalizationMethod
>>>> Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"></ds:CanonicalizationMethod>
>>>>
>>>>
>>>>        <ds:SignatureMethod
>>>> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
>>>>
>>>>
>>>>        <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"
>>>> URI="#SignedProperties-Signer-T-1345709484789">
>>>>          <ds:DigestMethod
>>>> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
>>>> <ds:DigestValue>dRkQKf/Kqv/V8SZej/41+T6z4+4Pxus8wyPAFUaJM5E=</ds:DigestValue>
>>>>
>>>>
>>>>        </ds:Reference>
>>>>
>>>>        <ds:Reference URI="#orig">blah blah blah...</ds:Reference>
>>>>        <ds:Reference URI="#crt">blah blah blah...</ds:Reference>
>>>>
>>>>      </ds:SignedInfo>
>>>>
>>>>      <ds:SignatureValue>blah blah blah...</ds:SignatureValue>
>>>>
>>>>      <ds:KeyInfo Id="crt"><ds:X509Data><ds:X509Certificate>blah blah
>>>> blah...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
>>>>
>>>>      <ds:Object>(...as indicated above...)</ds:Object>
>>>>
>>>>    </ds:Signature>
>>>> </Envelope>
>>>>
>>>>
>>>> _______________________________________________
>>>> xmlsec mailing list
>>>> xmlsec at aleksey.com
>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list