Thank you for answering. So when signing a node inside the XML file (same-document reference), first we have to get the XPath node-set, then do the canonicalization on the node-set, and calculate the digest of the canonicalization result. The original content of the referenced node-set won't be changed.

But in the test case the input is

<root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...</root>

while the canonicalization form obtained from libxml2 (<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>) is

<?xml version="1.0"?>
<node>
<node>text</node>
<node>
<node>
<node>text</node>
<node>text</node>
</node>
<node>text</node>
</node>
</node>

Shouldn't the digest value be based on the second one?

Thank you

2012/6/3 Aleksey Sanin <[email protected]>

> " ... source xml file needs Canonicalization(applied to the entire xml)
> ..."
>
> That's not quite correct. You can not use the "entire xml" because the
> insertion of the signature changes it and the digest match during
> verification would fail.
>
> This is the part of the spec that talks about it
>
> http://www.w3.org/TR/xmldsig-core1/#sec-ReferenceProcessingModel
>
> Aleksey
>
> On 6/2/12 10:34 AM, Neko wrote:
> > Dear Aleksey
> >
> > I have a question about canonicalization and digest while using xmlsec1
> > to sign a template XML file.
> > According to my understanding of the XML Signature spec provided by W3C,
> > the source XML file needs canonicalization (applied to the entire XML)
> > before calculating the digest.
> >
> > The template file looks like this:
> >
> > <?xml version="1.0"?>
> > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> > <SignedInfo>
> > <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
> > <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > <Reference URI="">
> > <Transforms>
> > <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> > </Transforms>
> > <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > <DigestValue></DigestValue>
> > </Reference>
> > </SignedInfo>
> > <SignatureValue />
> > <KeyInfo>
> > <KeyValue />
> > </KeyInfo>
> > </Signature></root>
> > (to verify my understanding, there is no space or line break between
> > the data nodes)
> >
> > In the result, xmlsec1 put the desired values into the proper fields, while the
> > original data remains the same, like:
> >
> > <root xmlns="..."><node>text</node><node><node><node>text</node><node>dlink</node></node><node>text</node></node>...</root>
> >
> > However, I tried to do the canonicalization with libxml, and the result
> > is like this (neglecting the signature node):
> >
> > <?xml version="1.0"?>
> > <node>
> > <node>text</node>
> > <node>
> > <node>
> > <node>text</node>
> > <node>text</node>
> > </node>
> > <node>text</node>
> > </node>
> > </node>
> >
> > which leads to a different digest value.
> > Do I misunderstand something, or is the way I used xmlsec1 wrong?
> >
> > Thank you
> >
> > How I do the canonicalization with libxml:
> > get the nodeset by:
> > xmlXPathEvalExpression("/descendant-or-self::node()", context)
> > then get the canonicalization by:
> > xmlC14NDocSaveTo(doc, xpathresult->nodesetval, 2, NULL, 1, c14noutputbuffer);
> > xmlDocPtr c14ndoc = xmlParseMemory(c14nbuffer->content, c14nbuffer->use);
> >
> > _______________________________________________
> > xmlsec mailing list
> > [email protected]
> > http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
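The reference-processing step the thread is arguing about, shown end to end as an added example (this is not code from the thread, from xmlsec1 or from libxml2). It builds the data document from the template above, once without and once with the enveloped Signature element, applies the enveloped-signature transform, canonicalizes, and digests. Assumptions: the C14N 2.0 implementation in Python's standard library (xml.etree.ElementTree.canonicalize) stands in for the C14N 1.1 algorithm the template names, its exclude_tags option stands in for the enveloped-signature transform (adequate when the document carries a single Signature, as here), the namespace urn:example is a placeholder for the "..." in the template, and the DigestValue/SignatureValue contents are placeholders. Only the Reference digest is computed; SignedInfo is not signed.

```python
"""Digest input for a same-document, enveloped XML signature (URI="").

Added example, not code from the xmlsec thread, xmlsec1 or libxml2.
Assumed stand-ins: stdlib C14N 2.0 for C14N 1.1, exclude_tags for the
enveloped-signature transform, urn:example for the template's namespace.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS  # Clark notation used by ElementTree

# Constructed sample: the data nodes from the thread, no whitespace between them.
DATA_NODES = (
    "<node>text</node>"
    "<node><node><node>text</node><node>dlink</node></node><node>text</node></node>"
)
UNSIGNED_DOC = '<?xml version="1.0"?><root xmlns="urn:example">%s</root>' % DATA_NODES

# The same document with the Signature element enveloped in it, as it looks
# once xmlsec1 has filled in the template.  DigestValue and SignatureValue
# hold placeholders; they are never part of the digest input anyway.
SIGNED_DOC = (
    '<?xml version="1.0"?><root xmlns="urn:example">%s'
    '<Signature xmlns="%s"><SignedInfo>'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<Reference URI=""><Transforms>'
    '<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '</Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<DigestValue>placeholder</DigestValue></Reference></SignedInfo>'
    '<SignatureValue>placeholder</SignatureValue></Signature></root>'
) % (DATA_NODES, DSIG_NS)


def reference_input(doc, enveloped=True):
    """Return the octets DigestMethod is applied to for a Reference with URI="".

    URI="" selects the whole document node-set (comments kept, since the
    template asks for #WithComments).  The enveloped-signature transform then
    drops the Signature element, and canonicalization serialises what is left.
    The result carries no XML declaration and no added whitespace: the digest
    covers the nodes exactly as they are, not a pretty-printed copy of them.
    """
    exclude = {SIGNATURE_TAG} if enveloped else None
    canonical = ET.canonicalize(doc, with_comments=True, exclude_tags=exclude)
    return canonical.encode("utf-8")


def digest_value(doc, enveloped=True):
    """Base64 SHA-1 of the reference input, i.e. the text that goes into <DigestValue>."""
    raw = hashlib.sha1(reference_input(doc, enveloped)).digest()
    return base64.b64encode(raw).decode("ascii")


def digests_match(signed_doc, unsigned_doc):
    """True when the verifier's recomputed digest equals the signer's.

    The signer digests the document before the Signature exists in it; the
    verifier digests the document with the Signature already inside.  Only
    removing the Signature (the enveloped transform) makes both inputs equal,
    which is why a digest over "the entire XML" can never verify.
    """
    return digest_value(signed_doc) == digest_value(unsigned_doc)


if __name__ == "__main__":
    print("reference input:", reference_input(SIGNED_DOC).decode("utf-8"))
    print("DigestValue:    ", digest_value(SIGNED_DOC))
    print("signer == verifier (enveloped transform):", digests_match(SIGNED_DOC, UNSIGNED_DOC))
    print("digest over the entire signed XML instead:", digest_value(SIGNED_DOC, enveloped=False))
```

Running it prints the canonical form as a single line starting at `<root xmlns="urn:example">`, with no `<?xml ...?>` prolog and no indentation, and the same DigestValue for the unsigned and the signed document; digesting the signed document without the enveloped transform yields a different value, which is the failure the reply describes.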
