[xmlsec] Verifying detached signatures with exclusive c14n

Aleksey Sanin aleksey at aleksey.com
Thu Aug 8 10:04:05 PDT 2019


Please read the spec and my reply.

Aleksey

On 8/8/19 9:59 AM, Nimish Telang wrote:
> Thanks --
> 
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> 
> Is present in the SignedInfo -- does this not force the use of exc-c14n?
> 
> Or does that also need to be present in the <Reference /> ?
> 
> 
> 
> 
> On 8/8/19, 12:47 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
> 
>      https://www.w3.org/TR/xmldsig-core1/#sec-CanonicalizationMethod
>      
>      "CanonicalizationMethod is a required element that specifies the
>      canonicalization algorithm applied to the SignedInfo element prior to
>      performing signature calculations."
>      
>      If you want to apply exc-c14n to the Reference, then you need to
>      specify it as a transform in the Reference itself.
>      
>      Best,
>      
>      Aleksey
>      
>      On 8/8/19 9:17 AM, Nimish Telang wrote:
>      > Hi,
>      >
>      > Consider the following XML doc:
>      > https://gist.github.com/nimish/b00fb8a75a8b4c424553783c7adb7656
>      >
>      > I’m trying to verify the wsu:Timestamp element using the sibling
>      > detached signature.
>      >
>      > xmlsec1 --verify --id-attr:ID
>      > "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd:Timestamp"
>      > --print-debug --store-references ./timestamp-wrapped.xml
>      >
>      > will fail signature verification.
>      > Output: https://gist.github.com/nimish/868029115e41fee5fe56b0b5b40872f4
>      >
>      > I don’t see a “=== Transform: exc-c14n
>      > (href=http://www.w3.org/2001/10/xml-exc-c14n#)” under the “REFERENCE
>      > VERIFICATION CONTEXT” as I’d expect, which is likely what’s causing the
>      > verification to fail. The only defined c14n algo is xml-exc-c14n.
>      >
>      > The python package signxml, which was used to generate this signature,
>      > can verify this just fine. I am not sure if this is signxml behaving
>      > badly, or xmlsec1.
>      >
>      > Any idea what I’m doing wrong?
>      >
>      > Nimish
>      >
>      >
>      > _______________________________________________
>      > xmlsec mailing list
>      > xmlsec at aleksey.com
>      > http://www.aleksey.com/mailman/listinfo/xmlsec
>      >
>      
> 
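The point of the exchange is that `ds:CanonicalizationMethod` governs only how `SignedInfo` is canonicalized before signing, while each `ds:Reference` is canonicalized according to its own `ds:Transforms` (falling back to inclusive Canonical XML when no transform produces octets). The following stdlib-only Python check, added here as an illustration and not part of the thread or of xmlsec/signxml, parses a detached signature and reports every Reference whose transform chain does not contain the algorithm declared for `SignedInfo`. The two signature fragments are constructed samples modelled on the thread (a WS-Security style `#TS-1` reference); their digest and signature values are placeholders, not real hashes.

```python
"""Report References in an XMLDSig Signature whose Transforms omit the c14n
algorithm declared in SignedInfo/CanonicalizationMethod.

Added example using only the standard library; not code from xmlsec or signxml.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
NS = {"ds": DS}

# Constructed sample 1: exc-c14n declared for SignedInfo only. The Reference has
# no Transforms, so the referenced element is digested with inclusive c14n.
# DigestValue / SignatureValue are placeholders, not real hashes.
SIG_MISSING_REF_TRANSFORM = f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#TS-1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
</ds:Signature>"""

# Constructed sample 2: the same signature with exc-c14n also listed as a
# Transform on the Reference, which is what the reply on the thread asks for.
SIG_WITH_REF_TRANSFORM = SIG_MISSING_REF_TRANSFORM.replace(
    '<ds:Reference URI="#TS-1">',
    f'<ds:Reference URI="#TS-1">\n      <ds:Transforms>\n'
    f'        <ds:Transform Algorithm="{EXC_C14N}"/>\n      </ds:Transforms>',
)


def describe_signature(xml_text):
    """Return the SignedInfo c14n algorithm and, per Reference, its URI and
    the ordered list of Transform algorithms (empty if none declared)."""
    root = ET.fromstring(xml_text)
    signed_info = root.find("ds:SignedInfo", NS)
    if signed_info is None:
        raise ValueError("no ds:SignedInfo element")
    c14n_elem = signed_info.find("ds:CanonicalizationMethod", NS)
    c14n = c14n_elem.get("Algorithm") if c14n_elem is not None else None
    references = []
    for ref in signed_info.findall("ds:Reference", NS):
        transforms = [
            t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)
        ]
        references.append({"uri": ref.get("URI"), "transforms": transforms})
    return {"signedinfo_c14n": c14n, "references": references}


def lint_reference_c14n(xml_text):
    """One warning per Reference whose Transforms do not include the algorithm
    declared for SignedInfo. An empty list means every Reference names it."""
    info = describe_signature(xml_text)
    declared = info["signedinfo_c14n"]
    warnings = []
    for ref in info["references"]:
        if declared not in ref["transforms"]:
            warnings.append(
                f"Reference {ref['uri']}: transforms {ref['transforms']} do not "
                f"include {declared}. CanonicalizationMethod applies only to "
                f"SignedInfo; without a Transform the referenced node-set is "
                f"serialized with inclusive Canonical XML before digesting."
            )
    return warnings


if __name__ == "__main__":
    for label, doc in (("missing", SIG_MISSING_REF_TRANSFORM),
                       ("present", SIG_WITH_REF_TRANSFORM)):
        print(f"--- {label} ---")
        for line in lint_reference_c14n(doc) or ["ok: every Reference names the c14n"]:
            print(line)
```

Running the script prints one warning for the first sample and `ok` for the second. A mismatch reported by `lint_reference_c14n` is exactly the situation in the thread: the signer applied exc-c14n to the Timestamp without declaring it on the Reference, so a conforming verifier such as xmlsec1 digests the inclusive canonical form and the digest comparison fails, while a verifier that silently reuses the SignedInfo algorithm for References accepts it.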

