[xmlsec] Verifying detached signatures with exclusive c14n

Nimish Telang nimish at telang.net
Thu Aug 8 09:59:22 PDT 2019


Thanks -- 

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

Is present in the SignedInfo -- does this not force the use of exc-c14n?

Or does that also need to be present in the <Reference /> ?




On 8/8/19, 12:47 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:

    https://www.w3.org/TR/xmldsig-core1/#sec-CanonicalizationMethod
    
    "CanonicalizationMethod is a required element that specifies the 
    canonicalization algorithm applied to the SignedInfo element prior to 
    performing signature calculations."
    
    If you want to apply exc-c14n to the Reference, then you need to
    specify it as a transform in the Reference itself.
    
    Best,
    
    Aleksey
    
    On 8/8/19 9:17 AM, Nimish Telang wrote:
    > Hi,
    > 
    > Consider the following XML doc: 
    > https://gist.github.com/nimish/b00fb8a75a8b4c424553783c7adb7656
    > 
    > I’m trying to verify the wsu:Timestamp element using the sibling 
    > detached signature.
    > 
    > xmlsec1 --verify --id-attr:ID 
    > "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd:Timestamp" 
    > --print-debug --store-references ./timestamp-wrapped.xml
    > 
    > will fail signature verification. Output: 
    > https://gist.github.com/nimish/868029115e41fee5fe56b0b5b40872f4
    > 
    > I don’t see a “=== Transform: exc-c14n 
    > (href=http://www.w3.org/2001/10/xml-exc-c14n#)” under the “REFERENCE 
    > VERIFICATION CONTEXT” as I’d expect, which is likely what’s causing the 
    > verification to fail. The only defined c14n algo is xml-exc-c14n.
    > 
    > The python package signxml, which was used to generate this signature, 
    > can verify this just fine. I am not sure if this is signxml behaving 
    > badly, or xmlsec1.
    > 
    > Any idea what I’m doing wrong?
    > 
    > Nimish
    > 
    > 
    > _______________________________________________
    > xmlsec mailing list
    > xmlsec at aleksey.com
    > http://www.aleksey.com/mailman/listinfo/xmlsec
    > 
    

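As an added illustration of Aleksey's point (this is not code from the thread, from signxml or from xmlsec itself): a small standard-library Python check that reads a SignedInfo, records the Transforms each Reference declares, and reports References that carry no exc-c14n Transform even though SignedInfo's own CanonicalizationMethod is exc-c14n. The two XML fragments are constructed samples modelled on the situation in the thread, not the contents of the gist.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed sample: exc-c14n is declared for SignedInfo, but the Reference
# to the Timestamp has no Transforms, so nothing applies exc-c14n to the
# referenced element itself (the case described in the thread).
SIGNED_INFO_WITHOUT_TRANSFORM = f"""
<ds:SignedInfo xmlns:ds="{DS}">
  <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#Timestamp">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
"""

# Constructed sample: the same Reference, now with exc-c14n listed as a
# Transform, which is where a Reference-level canonicalization is declared.
SIGNED_INFO_WITH_TRANSFORM = SIGNED_INFO_WITHOUT_TRANSFORM.replace(
    '<ds:Reference URI="#Timestamp">',
    '<ds:Reference URI="#Timestamp">\n    <ds:Transforms>'
    f'\n      <ds:Transform Algorithm="{EXC_C14N}"/>\n    </ds:Transforms>',
)


def canonicalization_method(signed_info_xml):
    """Algorithm named by SignedInfo's CanonicalizationMethod."""
    root = ET.fromstring(signed_info_xml)
    return root.find(f"{{{DS}}}CanonicalizationMethod").get("Algorithm")


def reference_transforms(signed_info_xml):
    """Map each Reference URI to the Transform algorithms it declares, in order."""
    root = ET.fromstring(signed_info_xml)
    return {
        ref.get("URI"): [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        for ref in root.findall(f"{{{DS}}}Reference")
    }


def references_missing_exc_c14n(signed_info_xml):
    """URIs of References with no exc-c14n Transform although SignedInfo uses exc-c14n."""
    if canonicalization_method(signed_info_xml) != EXC_C14N:
        return []
    return [uri for uri, algs in reference_transforms(signed_info_xml).items()
            if EXC_C14N not in algs]


if __name__ == "__main__":
    print("missing:", references_missing_exc_c14n(SIGNED_INFO_WITHOUT_TRANSFORM))
    print("missing:", references_missing_exc_c14n(SIGNED_INFO_WITH_TRANSFORM))
```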