[xmlsec] how to use a special Signature Algorithm (rsa-sha512) or DigestMethod (sha512)

Lars Walther lwalther at novareto.de
Sat Feb 2 05:30:41 PST 2019

Hi, unfortunately I'm a newbie in signature and cryptographic stuff. I'm not sure about the signature algorithm that was used.

At first I read the documentation of xmlsec and created an XML file to sign:

<?xml version="1.0" encoding="UTF-8"?>
<!-- wrapper elements (SignedInfo, Reference, Transforms, KeyInfo) and closing tags are restored here -->
<Request xmlns="http://uvbus.dguv.de/datatypes/v1">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
        <DigestValue />
      </Reference>
    </SignedInfo>
    <SignatureValue />
    <KeyInfo>
      <X509Data />
    </KeyInfo>
  </Signature>
</Request>

After this I signed the file with the following command:

xmlsec1 --sign --privkey-pem kuvbkey.pem,kuvbcert.pem,subca01.pem,interca01.pem,cnuvroot.pem --output uvsigned.xml mytosign.xml

… and after this I verified the file successfully with the following command:

xmlsec1 --verify --trusted-pem cnuvroot.pem uvsigned.xml
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Now my question: if I send the file in the payload of a web service call, I get an error from the server side that the server isn't able to verify my signature. The only hint I got was:

Are you sure that you use the correct algorithm for signing the XML?? - No, I'm not! Therefore my questions:

How can I check which SignatureAlgorithm or DigestMethod was used to sign my XML file?

All example files I found had SHA1 as the SignatureAlgorithm...
What do I have to do if I want to explicitly use another SignatureAlgorithm than SHA1? In my case I have to use rsa-sha512.
...and what do I have to do if I want to use another DigestMethod - in my case sha512?
I cannot believe that it is enough to set other URLs in the XML template..?? Or is it determined through the key file that I use to sign the XML??

Thanks for any Hint
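For the question of how to check which algorithms a signed file actually carries: xmlsec1 takes the SignatureMethod and DigestMethod from the template URIs, so the signed output declares them, and the decoded DigestValue length shows whether the digest really matches the declared method (20 bytes for SHA-1, 64 for SHA-512). The following is an added example, not code from the original post or from xmlsec; the sample document and its payload are constructed, and HASH_FOR_URI only lists the SHA-1 and SHA-512 URIs mentioned in the thread.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
# SignatureMethod / DigestMethod URIs from the post (SHA-512) and from the SHA-1 examples it mentions.
HASH_FOR_URI = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "sha512",
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}


def inspect_signature(xml_text: str) -> dict:
    """Report the declared algorithms and whether each DigestValue has the length its DigestMethod implies."""
    sig = ET.fromstring(xml_text).find(".//ds:Signature", DS)
    if sig is None:
        raise ValueError("document carries no ds:Signature")
    sig_uri = sig.find("ds:SignedInfo/ds:SignatureMethod", DS).get("Algorithm")
    report = {"signature_method": sig_uri,
              "signature_hash": HASH_FOR_URI.get(sig_uri, "unknown"), "references": []}
    for ref in sig.findall("ds:SignedInfo/ds:Reference", DS):
        dm_uri = ref.find("ds:DigestMethod", DS).get("Algorithm")
        name = HASH_FOR_URI.get(dm_uri, "unknown")
        digest = base64.b64decode(ref.findtext("ds:DigestValue", "", DS).strip())
        want = hashlib.new(name).digest_size if name != "unknown" else None
        # A 20-byte digest under a sha512 URI means the template and the signing step disagree.
        report["references"].append({"digest_method": dm_uri, "digest_hash": name,
                                     "digest_bytes": len(digest), "length_ok": want is not None and len(digest) == want})
    return report


def sample_document(digest_hash: str) -> str:
    """Constructed document declaring rsa-sha512/sha512 as in the post; the DigestValue is computed with digest_hash."""
    digest = base64.b64encode(hashlib.new(digest_hash, b"constructed payload").digest()).decode()
    return f"""<Request xmlns="http://uvbus.dguv.de/datatypes/v1">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
      <Reference URI="">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
        <DigestValue>{digest}</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
  </Signature>
</Request>"""
```

Running inspect_signature on a real uvsigned.xml shows the URIs the server will see; a length_ok of False is the quickest sign that the declared method and the produced digest do not match.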
