[xmlsec] Embedded signature: canonicalization issues

Aleksey Sanin aleksey at aleksey.com
Mon Jul 7 09:17:14 PDT 2014


The digests are different because one document has spaces and another
doesn't.

Aleksey

On 7/7/14, 1:45 AM, Thomas Elstner wrote:
> OK, that actually really helped :-)
> Any idea why DigestValues and SignatureValues are different or should I
> ignore that as long as both can verify the results?
> 
> 
> Best regards,
> Thomas
> 
> On 07.07.14 09:33, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
> 
>> RTFM
>>
>> http://www.w3.org/TR/xml-c14n#Terminology
>> http://www.w3.org/TR/xml-c14n#Example-WhitespaceInContent
>>
>> Aleksey
>>
>> On 7/7/14, 12:17 AM, Thomas Elstner wrote:
>>> Hello,
>>>
>>> I'm trying to adopt the examples given in sign3.c and verify3.c to sign
>>> and verify subnodes of an XML document using embedded signatures.
>>> The templated XML I'm signing looks like this:
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
>>> <!DOCTYPE test [
>>> <!ATTLIST License Id ID #IMPLIED>
>>> ]>
>>> <LicenseList>
>>>     <License Id="base">
>>>         <Component>base</Component>
>>>         <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>>         <ValidTo>3000-12-31T00:00:00</ValidTo>
>>>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>>> Id="SIG-base">
>>>             <SignedInfo>
>>>                 <CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                 <SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>                 <Reference URI="#base">
>>>                     <Transforms>
>>>                         <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>>>                         />
>>>                     </Transforms>
>>>                     <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>                     <DigestValue/>
>>>                 </Reference>
>>>             </SignedInfo>
>>>             <SignatureValue/>
>>>             <KeyInfo>
>>>                 <X509Data/>
>>>             </KeyInfo>
>>>         </Signature>
>>>     </License>
>>>     <License Id="bookmarks">
>>>         <Component>bookmarks</Component>
>>>         <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>>         <ValidTo>3000-12-31T00:00:00</ValidTo>
>>>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>>> Id="SIG-bookmarks">
>>>             <SignedInfo>
>>>                 <CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                 <SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>                 <Reference URI="#bookmarks">
>>>                     <Transforms>
>>>                         <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>>>                         />
>>>                     </Transforms>
>>>                     <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>                     <DigestValue/>
>>>                 </Reference>
>>>             </SignedInfo>
>>>             <SignatureValue/>
>>>             <KeyInfo>
>>>                 <X509Data/>
>>>             </KeyInfo>
>>>         </Signature>
>>>     </License>
>>> </LicenseList>
>>>
>>> The signed XML my code produces looks like this:
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <!DOCTYPE test [
>>> <!ATTLIST License Id ID #IMPLIED>
>>> ]>
>>> <LicenseList><License Id="base"><Component>base</Component><ValidFrom>2012-01-01T00:00:00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature
>>> xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base"><SignedInfo><CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference
>>> URI="#base"><Transforms><Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>W4FWJ3y4LDVvDqZrFXvMzNaIAq0=</DigestValue></Reference></SignedInfo><SignatureValue>PeTwPHH1ncQ0vVevOXWW0ZQTj4BmdqVNivqNRgIiQ0mHW8s/Fd93WOaPJ7sTF+jX
>>> GKYY/9L3DsQG/8qIwhQSGR52vM6FoorNKopZ1ld31B6+d7y4sn45G7Lm9l4geFG6
>>> s42ahK823UVNQQppNE1Se3+IhUPd5yepZM77IqaT4VQ=</SignatureValue><KeyInfo><X509Data>
>>> <X509Certificate>blablabla...</X509Certificate>
>>> </X509Data></KeyInfo></Signature></License><License
>>> Id="bookmarks"><Component>bookmarks</Component><ValidFrom>2012-01-01T00:00:00</ValidFrom><ValidTo>3000-12-31T00:00:00</ValidTo><Signature
>>> xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-bookmarks"><SignedInfo><CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference
>>> URI="#bookmarks"><Transforms><Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>q20LUJoSDkpF1uyCNx+htvUhMxY=</DigestValue></Reference></SignedInfo><SignatureValue>E0VUK9iVIO9weJIQ4fSC151O1kCl6ZZ9vvPmPwiwHa2g32dTv4eZPFktptaRORp2
>>> S3o9FtFk5UUB8lp8TXxvhp2G9Dor5Sk/iOyrfhiDqhZCQyOR5HVnnAEDEldtSoW1
>>> 6wpqBxJwzglK6nUdc+6baV1/Oat/YaO6agIAKaR0CLU=</SignatureValue><KeyInfo><X509Data>
>>> <X509Certificate>blablabla...</X509Certificate>
>>> </X509Data></KeyInfo></Signature></License></LicenseList>
>>>
>>> I can successfully sign & verify the XML for each License node, however,
>>> the DigestValue and the SignatureValues are different from what I achieve
>>> using the xmlsec1 command line tool (using this commandline:
>>> xmlsec1 --sign --privkey-pem base.key,base.pem --node-id base --output signed.xml tosign.xml
>>> and similar for the bookmarks-node):
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <!DOCTYPE test [
>>> <!ATTLIST License Id ID #IMPLIED>
>>> ]>
>>> <LicenseList>
>>>     <License Id="base">
>>>         <Component>base</Component>
>>>         <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>>         <ValidTo>3000-12-31T00:00:00</ValidTo>
>>>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>>> Id="SIG-base">
>>>             <SignedInfo>
>>>                 <CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                 <SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>                 <Reference URI="#base">
>>>                     <Transforms>
>>>                         <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>                     </Transforms>
>>>                     <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>                     <DigestValue>Sbk/adhAenj+cbDJ+L0V6ZO3ukg=</DigestValue>
>>>                 </Reference>
>>>             </SignedInfo>
>>>             <SignatureValue>RF9jZrnIaOqJLMRIQq0eG2Yo/9y+bsMDwMOMxEDJYRjWJ6ZCdniyRbwRw4MIdsPs
>>> fq95khfvTTJdpaDXMEl6qIqEsJZHc/g6OlHnjcsK+ZIOnvbBUEwB3jugvCecaM0W
>>> kkIrUdsuqOwqhg8IByk0pRKDJh5f6NSzxz+P7MH5rlg=</SignatureValue>
>>>             <KeyInfo>
>>>                 <X509Data>
>>> <X509Certificate>blablabla...</X509Certificate>
>>> </X509Data>
>>>             </KeyInfo>
>>>         </Signature>
>>>     </License>
>>>     <License Id="bookmarks">
>>>         <Component>bookmarks</Component>
>>>         <ValidFrom>2012-01-01T00:00:00</ValidFrom>
>>>         <ValidTo>3000-12-31T00:00:00</ValidTo>
>>>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>>> Id="SIG-bookmarks">
>>>             <SignedInfo>
>>>                 <CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                 <SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>                 <Reference URI="#bookmarks">
>>>                     <Transforms>
>>>                         <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>                     </Transforms>
>>>                     <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>                     <DigestValue>rjn86scL4vVK0rRB6WAOanjZ7TA=</DigestValue>
>>>                 </Reference>
>>>             </SignedInfo>
>>>             <SignatureValue>h/lEvsYx2edALXiFyRB7HtIStKH/T8vsdcO+2keNIsU1k4vlwqSYoShRpNj8My7y
>>> 6jjrdX8Ne42KvDgLrK41QSW8INt0/PRqrNdf1pM+V0KC91bWlDVOtCNV1lY2dLpc
>>> S3zdqgAUyHsl5eJ9u0Lw++joPfpuv1Z45MEXmfsNTjY=</SignatureValue>
>>>             <KeyInfo>
>>>                 <X509Data>
>>> <X509Certificate>blablabla...</X509Certificate>
>>> </X509Data>
>>>             </KeyInfo>
>>>         </Signature>
>>>     </License>
>>> </LicenseList>
>>>
>>>
>>> Also I have noticed that my signed XML is very sensitive to
>>> reformatting (just look at the compact nodes; if I pretty print this, the
>>> validation fails), so I guess something is wrong with the way I am
>>> applying the canonicalization.
>>> Actually, I am not adding any particular code to the example code in
>>> sign3.c and verify3.c to perform the canonicalization except for having a
>>> CanonicalizationMethod in my template - maybe that's the problem?
>>>
>>> Thanks in advance for any help,
>>> Thomas
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
> 

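Added example, not code from the thread or from xmlsec: it emulates the Reference processing the template above specifies (enveloped-signature transform, canonicalization, SHA-1) on a constructed License element in pretty-printed and compact form, showing why the two tools' DigestValues differ and why pretty-printing the compact output breaks verification. It uses Python's stdlib canonicalize(), which implements C14N 2.0 rather than the Exclusive C14N 1.0 named in the template, so the digests illustrate the whitespace rule without reproducing the thread's values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed inputs: the same License element as in the thread, once
# pretty-printed (as in the template) and once compact (as Thomas's code
# serialized it). Only whitespace-only text nodes differ between them.
PRETTY = """<License Id="base">
    <Component>base</Component>
    <ValidFrom>2012-01-01T00:00:00</ValidFrom>
    <ValidTo>3000-12-31T00:00:00</ValidTo>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">
        <SignedInfo/>
    </Signature>
</License>"""
COMPACT = ('<License Id="base"><Component>base</Component>'
           '<ValidFrom>2012-01-01T00:00:00</ValidFrom>'
           '<ValidTo>3000-12-31T00:00:00</ValidTo>'
           '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG-base">'
           '<SignedInfo/></Signature></License>')


def reference_digest(xml_text: str, strip_whitespace: bool = False) -> str:
    """Emulate the Reference processing from the thread's template:
    enveloped-signature transform (drop the ds:Signature element), then
    canonicalize and SHA-1 the bytes, base64-encoded like a DigestValue.
    Python's canonicalize() is C14N 2.0, not the Exclusive C14N 1.0 xmlsec
    used, so the values illustrate the rule rather than match the thread."""
    root = ET.fromstring(xml_text)
    for sig in root.findall(f"{{{DSIG_NS}}}Signature"):
        root.remove(sig)
    # Canonicalization keeps whitespace-only text nodes unless told to strip
    # them; that is exactly why the two digests in the thread differ.
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"),
                           strip_text=strip_whitespace)
    return base64.b64encode(hashlib.sha1(c14n.encode()).digest()).decode()


if __name__ == "__main__":
    print("pretty  digest:", reference_digest(PRETTY))
    print("compact digest:", reference_digest(COMPACT))
    # Whitespace is the only difference: dropping it makes the digests agree.
    print("equal with whitespace stripped:",
          reference_digest(PRETTY, True) == reference_digest(COMPACT, True))
```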
