[xmlsec] enveloped-signature Transform

R Zaghi rzaghi at mosaic3dx.com
Wed May 16 14:23:33 PDT 2018


I am familiarizing myself with XML signatures using XMLSEC and I have found
a few of the standards' definitions slightly confusing.
So I joined here to ask, and also to figure out some of the details of how
the library works.

With regards to "enveloped-signature Transform", how exactly are we
supposed to check the signature?

I found an example on the internet.
Can you please see if my explanation of the overall process is correct?

The enveloped XML that we are checking is:

<Envelope xmlns="urn:envelope">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/
      <Reference URI="">
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

And my understanding of the overall validation process is:

1- First we remove all lines from <Signature> to </Signature>.

2- We calculate the hash digest of what is left after applying
all CanonicalizationMethod transformations and using the DigestMethod in
<Envelope xmlns="urn:envelope">.

3- If the base64 encoding of this digest matches the specified DigestValue,
then we continue and take everything from <SignedInfo> to </SignedInfo> and
apply the CanonicalizationMethod transformations to it.

4- We calculate the digest of this transformed SignedInfo using
the SignatureMethod hash algorithm.

5- Finally we take SignatureValue and decode it using a provided public key
or a provided public certificate to see if the result matches the
calculated result of step (4).

Is this correct in this example?

Ramin Zaghi

*Mosaic3DX™ | User Interface Technology*
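The five steps described in the post, as an added stand-alone example (not from the post and not xmlsec's own code) using only the Python standard library. Assumptions: the Envelope document and key are constructed; SignatureMethod hmac-sha1 (which xmldsig defines) stands in for the RSA public key or certificate of the post so the whole check runs without a crypto library; ET.canonicalize() (C14N 2.0) stands in for the C14N 1.0 algorithm the post's document names.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ET.register_namespace("", "urn:envelope")
ET.register_namespace("ds", DSIG)

def d(local):  # qualified xmldsig tag name
    return f"{{{DSIG}}}{local}"

def b64(raw):
    return base64.b64encode(raw).decode()

def c14n(elem):
    # Stand-in for CanonicalizationMethod (canonicalize() is C14N 2.0, not 1.0)
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"))

def sign_envelope(key):
    # Constructed document; digest is taken BEFORE Signature is added (step 1/2)
    env = ET.fromstring('<Envelope xmlns="urn:envelope"><Data>hello</Data></Envelope>')
    digest = b64(hashlib.sha1(c14n(env).encode()).digest())
    sig = ET.SubElement(env, d("Signature"))
    si = ET.SubElement(sig, d("SignedInfo"))
    ET.SubElement(si, d("CanonicalizationMethod"), Algorithm=C14N)
    ET.SubElement(si, d("SignatureMethod"), Algorithm=DSIG + "hmac-sha1")
    ref = ET.SubElement(si, d("Reference"), URI="")
    tr = ET.SubElement(ref, d("Transforms"))
    ET.SubElement(tr, d("Transform"), Algorithm=DSIG + "enveloped-signature")
    ET.SubElement(ref, d("DigestMethod"), Algorithm=DSIG + "sha1")
    ET.SubElement(ref, d("DigestValue")).text = digest
    mac = hmac.new(key, c14n(si).encode(), hashlib.sha1).digest()
    ET.SubElement(sig, d("SignatureValue")).text = b64(mac)
    return ET.tostring(env)

def verify_enveloped(xml_bytes, key):
    root = ET.fromstring(xml_bytes)
    sig = root.find(d("Signature"))
    if sig is None:
        return False
    si = sig.find(d("SignedInfo"))
    # Steps 1-3: enveloped-signature drops only THIS Signature; digest the rest
    doc = copy.deepcopy(root)
    doc.remove(doc.find(d("Signature")))
    got = b64(hashlib.sha1(c14n(doc).encode()).digest())
    want = si.findtext(d("Reference") + "/" + d("DigestValue")) or ""
    if not hmac.compare_digest(got, want):
        return False
    # Steps 4-5: SignatureValue covers canonical SignedInfo, not the step-2 digest
    mac = hmac.new(key, c14n(si).encode(), hashlib.sha1).digest()
    return hmac.compare_digest(b64(mac), sig.findtext(d("SignatureValue")) or "")
```

Note that reference validation (steps 1-3) and signature validation (steps 4-5) are separate checks: a document whose content was altered fails at step 3, while a document signed under a different key passes step 3 and fails at step 5.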