[xmlsec] Embedded signature: canonicalization issues

Thomas Elstner Thomas.Elstner at xonion.net
Mon Jul 7 01:45:21 PDT 2014


OK, that actually really helped :-)
Any idea why DigestValues and SignatureValues are different or should I
ignore that as long as both can verify the results?


Best regards,
Thomas

On 07.07.14 09:33, "Aleksey Sanin" <aleksey at aleksey.com> wrote:

>RTFM
>
>http://www.w3.org/TR/xml-c14n#Terminology
>http://www.w3.org/TR/xml-c14n#Example-WhitespaceInContent
>
>Aleksey
>
>On 7/7/14, 12:17 AM, Thomas Elstner wrote:
>> Hello,
>> 
>> I'm trying to adapt the examples given in sign3.c and verify3.c to sign
>> and verify subnodes of an XML document using embedded signatures.
>> The templated XML I'm signing looks like this:
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
>> <!DOCTYPE test [
>> <!ATTLIST License Id ID #IMPLIED>
>> ]>
>> <LicenseList>
>>     <License Id="base">
>>         <Component>base</Component>
>>         <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>         <ValidTo>3000-12-31T00:00:00</ValidTo>
>>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-base">
>>             <SignedInfo>
>>                 <CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>                 <SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>                 <Reference URI="#base">
>>                     <Transforms>
>>                         <Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>>                         />
>>                     </Transforms>
>>                     <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>                     <DigestValue/>
>>                 </Reference>
>>             </SignedInfo>
>>             <SignatureValue/>
>>             <KeyInfo>
>>                 <X509Data/>
>>             </KeyInfo>
>>         </Signature>
>>     </License>
>>     <License Id="bookmarks">
>>         <Component>bookmarks</Component>
>>         <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>         <ValidTo>3000-12-31T00:00:00</ValidTo>
>>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-bookmarks">
>>             <SignedInfo>
>>                 <CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>                 <SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>                 <Reference URI="#bookmarks">
>>                     <Transforms>
>>                         <Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>>                         />
>>                     </Transforms>
>>                     <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>                     <DigestValue/>
>>                 </Reference>
>>             </SignedInfo>
>>             <SignatureValue/>
>>             <KeyInfo>
>>                 <X509Data/>
>>             </KeyInfo>
>>         </Signature>
>>     </License>
>> </LicenseList>
>> 
>> The signed XML my code produces looks like this:
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <!DOCTYPE test [
>> <!ATTLIST License Id ID #IMPLIED>
>> ]>
>> <LicenseList><License Id="base"><Component>base</Component><ValidFrom>2012-01-01T00:00:00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#base"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>W4FWJ3y4LDVvDqZrFXvMzNaIAq0=</DigestValue></Reference></SignedInfo><SignatureValue>PeTwPHH1ncQ0vVevOXWW0ZQTj4BmdqVNivqNRgIiQ0mHW8s/Fd93WOaPJ7sTF+jX
>> GKYY/9L3DsQG/8qIwhQSGR52vM6FoorNKopZ1ld31B6+d7y4sn45G7Lm9l4geFG6
>> s42ahK823UVNQQppNE1Se3+IhUPd5yepZM77IqaT4VQ=</SignatureValue><KeyInfo><X509Data>
>> <X509Certificate>…blablabla...</X509Certificate>
>> </X509Data></KeyInfo></Signature></License><License Id="bookmarks"><Component>bookmarks</Component><ValidFrom>2012-01-01T00:00:00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-bookmarks"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#bookmarks"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>q20LUJoSDkpF1uyCNx+htvUhMxY=</DigestValue></Reference></SignedInfo><SignatureValue>E0VUK9iVIO9weJIQ4fSC151O1kCl6ZZ9vvPmPwiwHa2g32dTv4eZPFktptaRORp2
>> S3o9FtFk5UUB8lp8TXxvhp2G9Dor5Sk/iOyrfhiDqhZCQyOR5HVnnAEDEldtSoW1
>> 6wpqBxJwzglK6nUdc+6baV1/Oat/YaO6agIAKaR0CLU=</SignatureValue><KeyInfo><X509Data>
>> <X509Certificate>…blablabla...</X509Certificate>
>> </X509Data></KeyInfo></Signature></License></LicenseList>
>> 
>> I can successfully sign & verify the XML for each License node, however,
>> the DigestValue and the SignatureValues are different from what I achieve
>> using the xmlsec1 command line tool (using this command line:
>> xmlsec1 --sign --privkey-pem base.key,base.pem --node-id base --output signed.xml tosign.xml
>> and similar for the bookmarks node):
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <!DOCTYPE test [
>> <!ATTLIST License Id ID #IMPLIED>
>> ]>
>> <LicenseList>
>>     <License Id="base">
>>         <Component>base</Component>
>>         <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>         <ValidTo>3000-12-31T00:00:00</ValidTo>
>>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-base">
>>             <SignedInfo>
>>                 <CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>                 <SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>                 <Reference URI="#base">
>>                     <Transforms>
>>                         <Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>                     </Transforms>
>>                     <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>                     <DigestValue>Sbk/adhAenj+cbDJ+L0V6ZO3ukg=</DigestValue>
>>                 </Reference>
>>             </SignedInfo>
>>             <SignatureValue>RF9jZrnIaOqJLMRIQq0eG2Yo/9y+bsMDwMOMxEDJYRjWJ6ZCdniyRbwRw4MIdsPs
>> fq95khfvTTJdpaDXMEl6qIqEsJZHc/g6OlHnjcsK+ZIOnvbBUEwB3jugvCecaM0W
>> kkIrUdsuqOwqhg8IByk0pRKDJh5f6NSzxz+P7MH5rlg=</SignatureValue>
>>             <KeyInfo>
>>                 <X509Data>
>> <X509Certificate>…blablabla...</X509Certificate>
>> </X509Data>
>>             </KeyInfo>
>>         </Signature>
>>     </License>
>>     <License Id="bookmarks">
>>         <Component>bookmarks</Component>
>>         <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>         <ValidTo>3000-12-31T00:00:00</ValidTo>
>>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>> Id="SIG-bookmarks">
>>             <SignedInfo>
>>                 <CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>                 <SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>                 <Reference URI="#bookmarks">
>>                     <Transforms>
>>                         <Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>                     </Transforms>
>>                     <DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>                     <DigestValue>rjn86scL4vVK0rRB6WAOanjZ7TA=</DigestValue>
>>                 </Reference>
>>             </SignedInfo>
>>             <SignatureValue>h/lEvsYx2edALXiFyRB7HtIStKH/T8vsdcO+2keNIsU1k4vlwqSYoShRpNj8My7y
>> 6jjrdX8Ne42KvDgLrK41QSW8INt0/PRqrNdf1pM+V0KC91bWlDVOtCNV1lY2dLpc
>> S3zdqgAUyHsl5eJ9u0Lw++joPfpuv1Z45MEXmfsNTjY=</SignatureValue>
>>             <KeyInfo>
>>                 <X509Data>
>> <X509Certificate>…blablabla...</X509Certificate>
>> </X509Data>
>>             </KeyInfo>
>>         </Signature>
>>     </License>
>> </LicenseList>
>> 
>> 
>> Also I have noticed that my signed XML is very sensitive to
>> reformatting (just look at the compact nodes; if I pretty print this, the
>> validation fails), so I guess something is wrong with the way I am
>> applying the canonicalization.
>> Actually, I am not adding any particular code to the example code in
>> sign3.c and verify3.c to perform the canonicalization except for having a
>> CanonicalizationMethod in my template - maybe that's the problem?
>> 
>> Thanks in advance for any help,
>> Thomas
>> 
>> 
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>> 
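The whitespace point behind Aleksey's two links, as an added example (not code from the xmlsec project or from either poster): for a Reference whose transform output is a node-set, XML-DSig removes the enveloping ds:Signature, canonicalizes what is left and digests that, and Canonical XML keeps every whitespace text node in element content. The indented template and its compacted equivalent therefore canonicalize to different byte strings and get different DigestValues, and because SignedInfo carries the DigestValue, the bytes under the RSA signature change as well, which is why both values differ between the two outputs even though each document verifies on its own. The example assumes Python 3.8 or later (xml.etree.ElementTree.canonicalize implements C14N 2.0, which for this namespace-free, comment-free subtree yields the same bytes as the Canonical XML 1.0 that xmlsec applies to a node-set reference); the two sample documents are constructed here from the thread's template, the Id lookup stands in for the DTD-driven ID resolution, and the printed digests are not claimed to equal the ones quoted in the thread.

```python
"""Why ds:DigestValue changes when a signed document is re-indented.

Added example; models the Reference URI="#base" from the thread's template:
dereference the Id, apply the enveloped-signature transform, canonicalize
the remaining node-set, SHA-1 it.  Assumes Python 3.8+ for ET.canonicalize.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample input, modelled on the thread's template: the same
# <License Id="base"> once indented and once compacted.  The DOCTYPE is left
# out because find_by_id() below resolves the Id attribute directly.
PRETTY = """<LicenseList>
    <License Id="base">
        <Component>base</Component>
        <ValidFrom>2012-01-01T00:00:00</ValidFrom>
        <ValidTo>3000-12-31T00:00:00</ValidTo>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
            <SignedInfo/>
            <SignatureValue/>
        </Signature>
    </License>
</LicenseList>
"""

COMPACT = ('<LicenseList><License Id="base"><Component>base</Component>'
           '<ValidFrom>2012-01-01T00:00:00</ValidFrom>'
           '<ValidTo>3000-12-31T00:00:00</ValidTo>'
           '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">'
           '<SignedInfo/><SignatureValue/></Signature></License></LicenseList>')


def find_by_id(root, id_value):
    """Stand-in for URI="#id" resolution (the DTD's ATTLIST makes Id an ID)."""
    for elem in root.iter():
        if elem.get("Id") == id_value:
            return elem
    raise KeyError(id_value)


def enveloped_signature_transform(elem):
    """Remove the ds:Signature child but keep the text nodes around it.

    The transform drops only the Signature element; the whitespace before and
    after it stays in the node-set and is digested.  ElementTree keeps the
    text after an element in .tail, so a bare remove() would silently drop
    that whitespace and compute a digest xmlsec would reject.
    """
    children = list(elem)
    for i, child in enumerate(children):
        if child.tag == "{%s}Signature" % DSIG_NS:
            tail = child.tail or ""
            if i == 0:
                elem.text = (elem.text or "") + tail
            else:
                prev = children[i - 1]
                prev.tail = (prev.tail or "") + tail
            elem.remove(child)
    return elem


def canonical_bytes(doc, id_value):
    """Reference processing: dereference, transform, canonicalize (no stripping)."""
    root = ET.fromstring(doc)
    target = enveloped_signature_transform(find_by_id(root, id_value))
    target.tail = None  # text after the referenced element is outside the node-set
    serialized = ET.tostring(target, encoding="unicode")
    # strip_text defaults to False: whitespace-only text nodes are preserved,
    # exactly as Canonical XML requires (the point of Aleksey's links).
    return ET.canonicalize(serialized).encode("utf-8")


def digest_value(doc, id_value):
    """Base64(SHA-1(canonical bytes)), i.e. the ds:DigestValue of the Reference."""
    raw = hashlib.sha1(canonical_bytes(doc, id_value)).digest()
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    for name, doc in (("pretty", PRETTY), ("compact", COMPACT)):
        print("%-8s DigestValue=%s" % (name, digest_value(doc, "base")))
        print(canonical_bytes(doc, "base").decode("utf-8"))
        print()
```

The practical check is to run xmlsec1 --verify against the exact bytes you ship, not against a copy that an editor, an indenting serializer or an XSLT has re-indented: every whitespace text node inside the referenced element is part of the digested data, so a document that "looks" unchanged after pretty-printing no longer matches its DigestValue, which is what the original post observed.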


