" ... source xml file needs Canonicalization(applied to the entire xml) ..."
That's not quite correct. You cannot use the "entire xml" because the insertion of the signature changes it and the digest match during verification would fail. This is the part of the spec that talks about it:
http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel

Aleksey

On 6/2/12 10:34 AM, Neko wrote:
> Dear Aleksey
>
> I have a question about Canonicalization and Digest while using xmlsec1
> to sign a template xml file.
> According to my understanding of the xml signature spec provided by W3C,
> the source xml file needs Canonicalization (applied to the entire xml) before
> calculating the Digest.
>
> The template file looks like this:
>
> <?xml version="1.0"?>
> <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue></DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue />
> <KeyInfo>
> <KeyValue />
> </KeyInfo>
> </Signature></root>
> (to verify my understanding, there are no spaces or line breaks between
> data nodes)
>
> In the result, xmlsec1 put the desired values into the proper fields, while the
> original data remains the same, like:
>
> <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...<root>
>
> However, I tried to do the Canonicalization with libxml, and the result
> is like this (neglecting the signature node):
>
> <?xml version="1.0"?>
> <node>
> <node>text</node>
> <node>
> <node>
> <node>text</node>
> <node>text</node>
> </node>
> <node>text</node>
> </node>
> </node>
>
> which leads to a different digest value.
> Do I misunderstand something, or is the way I used xmlsec1 wrong?
>
> Thank you
>
>
> How I do the Canonicalization with libxml:
> get the nodeset by:
>   xmlXPathEvalExpression("/descendant-or-self::node()", context)
> then get the Canonicalization by:
>   xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1, c14nbuffer);
>   xmlDocPtr c14ndoc = xmlParseMemory(c14nbuffer->content, c14nbuffer->use);
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec@aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
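The reference processing model Aleksey links to, worked through as an added example (not code from the thread or from xmlsec1): a Reference with URI="" plus the enveloped-signature transform digests the document with the Signature subtree removed, so the DigestValue stays stable after the signature fields are filled in, whereas a digest over the whole file does not. Assumptions: Python's xml.etree canonicalize() (C14N 2.0) stands in for libxml2's inclusive C14N, and the sample document and its filled-in values are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample in the shape of the template from the thread: data nodes
# with no whitespace between them, plus an enveloped Signature as last child.
TEMPLATE = (
    '<?xml version="1.0"?>'
    '<root xmlns="urn:example"><node>text</node><node><node><node>text</node>'
    '<node>dlink</node></node><node>text</node></node>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
    '<Reference URI=""><DigestValue></DigestValue></Reference></SignedInfo>'
    '<SignatureValue/></Signature></root>'
)
# The same document after a signing tool has filled in the signature fields
# (constructed placeholder values, not real digests or signatures).
SIGNED = TEMPLATE.replace(
    "<DigestValue></DigestValue>", "<DigestValue>DIGEST</DigestValue>"
).replace("<SignatureValue/>", "<SignatureValue>SIG</SignatureValue>")


def reference_input(xml_text: str) -> str:
    """Octets that the Reference URI="" actually digests.

    Dereference URI="" (the whole document), apply the enveloped-signature
    transform (drop the ds:Signature subtree), then canonicalize the rest.
    The Reference carries no explicit C14N transform, so the default
    inclusive Canonical XML (comments omitted) applies; the #WithComments
    method in the template governs SignedInfo, not this Reference.
    Assumption: ET.canonicalize (C14N 2.0) matches libxml2's output for a
    document this simple.
    """
    return ET.canonicalize(
        xml_text,
        with_comments=False,
        exclude_tags=[f"{{{DSIG_NS}}}Signature"],
    )


def digest_value(xml_text: str) -> str:
    """Base64 SHA-1 of the reference input, as written into DigestValue."""
    raw = reference_input(xml_text).encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def whole_document_sha1(xml_text: str) -> str:
    """What digesting the "entire xml" gives; it changes once signed."""
    return hashlib.sha1(xml_text.encode("utf-8")).hexdigest()
```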