Are you signing before or after encryption? Are you verifying
before or after encryption? Have you tried using the "--store-references"
option to dump the content before doing the digest?

Aleksey

[EMAIL PROTECTED] wrote:

Well, it can't be the http headers. I now think the problem might be with canonicalization.

I can verify when I sign with the transform:
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
I can verify when I sign with the transform:
<dsig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

but when I sign with the transform:
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
it fails to verify.

And none of it verifies when I send to my server (which is some black box Microsoft implementation).

It looks like the server is expecting Exclusive Canonicalization, but I can't even get that to work in my test environment.

Attached is my xml document after signing (shortened the digest values, but otherwise unchanged).
Please take a look at it and see if I am doing something stupid.

Thanks in advance,
Brian
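As an added example (not code from the thread, from xmlsec, or from the W3C specs): a deliberately reduced model of the one canonicalization rule behind the symptom above. Inclusive C14N copies every namespace declaration in scope from the ancestors onto the signed subtree, so the digest of a fragment changes as soon as a receiving server embeds it in its own envelope; Exclusive C14N (`xml-exc-c14n#`) emits only the namespaces the subtree visibly uses, so the digest survives re-enveloping. The sample XML, element names and namespace URIs are constructed, and the toy canonicalizer ignores attribute-value quoting rules, comments, processing instructions and the `xmlns=""` special case.

```python
import hashlib
from xml.dom import minidom

def _escape(text):
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def _declared(elem):
    """Namespace declarations (prefix -> uri) carried on one element."""
    return {n[6:]: u for n, u in elem.attributes.items() if n.split(":")[0] == "xmlns"}

def canonicalize(elem, exclusive, scope=None, rendered=None):
    """Reduced C14N: namespace axis, sorted attributes, escaped text, children."""
    scope = dict(scope or {})          # namespaces in effect from the ancestors
    scope.update(_declared(elem))
    rendered = dict(rendered or {})    # already emitted by an ancestor in the output
    plain = {n: v for n, v in elem.attributes.items() if n.split(":")[0] != "xmlns"}
    # exclusive C14N emits only prefixes this element or its attributes visibly use
    used = {elem.prefix or ""} | {n.split(":")[0] for n in plain if ":" in n}
    emit = {p: u for p, u in scope.items()
            if rendered.get(p) != u and (not exclusive or p in used)}
    rendered.update(emit)
    out = "<" + elem.tagName
    for p in sorted(emit):
        out += ' xmlns%s="%s"' % (":" + p if p else "", emit[p])
    for n in sorted(plain):
        out += ' %s="%s"' % (n, _escape(plain[n]))
    out += ">"
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += canonicalize(child, exclusive, scope, rendered)
        elif child.nodeType == child.TEXT_NODE:
            out += _escape(child.data)
    return out + "</" + elem.tagName + ">"

def digest_of(xml_text, local_name, exclusive):
    """Canonicalize the signed element in the namespace context it now sits in."""
    elem = minidom.parseString(xml_text).getElementsByTagNameNS("*", local_name)[0]
    scope, anc = {}, elem.parentNode
    while anc.nodeType == anc.ELEMENT_NODE:  # nearest ancestor declaration wins
        for p, u in _declared(anc).items():
            scope.setdefault(p, u)
        anc = anc.parentNode
    canon = canonicalize(elem, exclusive, scope)
    return canon, hashlib.sha256(canon.encode("utf-8")).hexdigest()

# Constructed sample (not a real message): the signed fragment on its own,
# then the same fragment after a server wraps it in an envelope of its own
FRAGMENT = '<o:Order xmlns:o="urn:order"><o:Item>widget</o:Item></o:Order>'
ENVELOPED = ('<s:Envelope xmlns:s="urn:soap" xmlns:x="urn:extra"><s:Body>'
             + FRAGMENT + "</s:Body></s:Envelope>")
```

Comparing `digest_of(FRAGMENT, "Order", False)` with `digest_of(ENVELOPED, "Order", False)` shows the inclusive digest breaking on re-enveloping, while the two exclusive forms are byte-identical.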

Aleksey Sanin <[EMAIL PROTECTED]> (sent by: [EMAIL PROTECTED])
06/29/2008 08:19 PM
To: [EMAIL PROTECTED]
cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] Signing a document that will be altered

I highly doubt that http headers are involved in the signatures...
At least, not with xmlsec.

Aleksey

[EMAIL PROTECTED] wrote:
 >
 > Hello,
 > I think I'm running into a problem where the digital signature is being
 > made invalid due to an http post.
 > Before I send my message to serverB I encrypt it and sign it, I then
 > post the message to the server.
 > The post obviously adds http headers to the beginning of the message,
 > such as ContentType, ContentLength, etc.
 > I'm guessing that even though these headers are not inside the xml
 > document, they are still affecting my digest.
 >
 > Is there a way to force the sign method to only sign the xml as opposed
 > to the whole string, and also force
 > the serverB verifier to verify the xml?
 >
 > Thank you,
 > Brian
 >
 > _______________________________________________
 > xmlsec mailing list
 > xmlsec@aleksey.com
 > http://www.aleksey.com/mailman/listinfo/xmlsec