-----Original Message-----
From: WCR [mailto:[EMAIL PROTECTED]
Sent: 31 January 2007 14:37
To: openssl-users@openssl.org
Subject: Digital Signatures rsa-sha1


I am sending a message to a web service and I need to apply a digital
signature.  I have been issued with a .P12 certificate and my public key. I
need to insert various bits into the xml message.

I have converted the P12 to PEM doing this:

    openssl pkcs12 -in mycert.p12 -out mycert.pem -passin file:mypassword -nodes

I then extract the token between -----BEGIN CERTIFICATE----- and -----END
CERTIFICATE----- from mycert.pem and create a Base64-encoded
BinarySecurityToken element.

So far so good. The specification states:

////////////////////////////////////////////////////////////////////////////

Canonicalization: The Canonicalization Algorithm should be XML-EXC-C14N
(Exclusive Canonicalization) - http://www.w3.org/2001/10/xml-exc-c14n#

Signature Algorithm: The Signature Algorithm should be SHA1withRSA -
http://www.w3.org/2000/09/xmldsig#rsa-sha1

References: There must be a Reference element
(Envelope/Header/Security/Signature/SignedInfo/Reference) corresponding to
the signed Body element within the message. This should have an Id attribute
with a value of ‘MsgBody’. The Reference should have a single transform -
Exclusive Canonicalization (see the URI above). The Digest Algorithm should
be SHA1 - http://www.w3.org/2000/09/xmldsig#sha1

////////////////////////////////////////////////////////////////////////////


I can create the digest of the message doing:

    openssl dgst -sha1 mymessage > mymessage.sha

But I now need to sign it. I have tried:

    openssl dgst -sha1 -sign mycert.pem -out mysign.sig mymessage.sha

But I don't think this is correct as it is not RSA-SHA1. If I insert the
signature into the xml message it causes an xml fault. Is something like
"openssl dgst -rsasha1" provided at the command level of openssl?

Any assistance would be appreciated.

Regards
David
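An added example, not from David's mail or from the OpenSSL project, showing with the openssl CLI alone how the two base64 values a rsa-sha1 XML-DSig carries are produced and checked: the DigestValue (raw SHA-1 bytes, not the hex text `openssl dgst` prints) and the SignatureValue (`-sha1 -sign` in one step, which is already RSA-SHA1). It assumes openssl on PATH; the function names, the throwaway key and the XML fragments are constructed for the example, standing in for the key inside the -nodes PEM and for real exc-c14n output.

```shell
#!/bin/sh
# Added example, not from the original mail: build the two base64 values an
# XML-DSig rsa-sha1 signature carries (DigestValue and SignatureValue) with
# only the openssl CLI, and verify the result. A throwaway RSA key is
# generated here so the script runs stand-alone; in practice the private
# key is the one inside the -nodes PEM converted from the .p12.
set -eu

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# DigestValue = base64 of the RAW 20 SHA-1 bytes of the canonicalized Body.
# Plain "openssl dgst -sha1 file" prints "SHA1(file)= <hex>", which is text
# about the hash, not the hash; -binary gives the bytes xmldsig expects.
digest_value() {                # $1 = canonicalized Body file
    openssl dgst -sha1 -binary "$1" | openssl base64 -A
}

# SignatureValue = base64 of RSASSA-PKCS1-v1_5 over SHA-1 of the
# canonicalized SignedInfo element (not of the Body, and not of a file
# that already holds a digest). "-sha1 -sign" hashes and signs in one
# step, which is exactly what xmldsig#rsa-sha1 means.
signature_value() {             # $1 = private key PEM, $2 = SignedInfo file
    openssl dgst -sha1 -sign "$1" -binary "$2" | openssl base64 -A
}

# Verifier side: decode SignatureValue (-A: one long line, no 76-char wrap)
# and check it against the public key. Exit status 0 means "Verified OK";
# anything else means the signature or the SignedInfo bytes do not match.
verify_signature_value() {      # $1 = public key PEM, $2 = SignedInfo file, $3 = base64 sig
    printf '%s\n' "$3" | openssl base64 -d -A > "$TMP/sig.bin"
    openssl dgst -sha1 -verify "$1" -signature "$TMP/sig.bin" "$2" >/dev/null
}

# Constructed sample inputs standing in for real exc-c14n output.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$TMP/key.pem" 2>/dev/null
openssl pkey -in "$TMP/key.pem" -pubout -out "$TMP/pub.pem"
printf '<Body Id="MsgBody">order 42</Body>' > "$TMP/body.xml"
DIGEST=$(digest_value "$TMP/body.xml")
printf '<SignedInfo><Reference URI="#MsgBody"><DigestValue>%s</DigestValue></Reference></SignedInfo>' \
    "$DIGEST" > "$TMP/signedinfo.xml"
SIG=$(signature_value "$TMP/key.pem" "$TMP/signedinfo.xml")
echo "DigestValue:    $DIGEST"
echo "SignatureValue: $SIG"
verify_signature_value "$TMP/pub.pem" "$TMP/signedinfo.xml" "$SIG" && echo "Verified OK"
```

What gets signed is the canonicalized SignedInfo, which covers the Body only through the DigestValue it contains, so the exact byte sequence fed to both commands must be the exc-c14n output, not the pretty-printed XML. SHA-1 is kept here only because the quoted specification mandates it; for any signing profile chosen today, rsa-sha256 is the sound choice.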
