You should probably start by reading the XMLDsig spec... I am not sure what you are trying to achieve by putting the keyvalue element into the signature and then signing it.
Aleksey

On 3/4/14, 11:42 PM, Peter wrote:
> Hi, I have a piece of XML I would like to sign.
>
> The commands I use are:
>
> xmlsec1 sign --privkey-pem key.pem --output signedfile.xml test.xml
> xmlsec1 --verify signedfile.xml
>
> The XML template (test.xml) to be signed is:
>
> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Signature001">
>   <dsig:SignedInfo>
>     <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></dsig:CanonicalizationMethod>
>     <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></dsig:SignatureMethod>
>     <dsig:Reference URI="#KeyInfo001">
>       <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod>
>       <dsig:DigestValue></dsig:DigestValue>
>     </dsig:Reference>
>     <dsig:Reference URI="#Resource1">
>       <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod>
>       <dsig:DigestValue></dsig:DigestValue>
>     </dsig:Reference>
>   </dsig:SignedInfo>
>   <dsig:SignatureValue></dsig:SignatureValue>
>   <dsig:KeyInfo Id="KeyInfo001">
>     <dsig:KeyValue></dsig:KeyValue>
>   </dsig:KeyInfo>
>   <dsig:Object Id="Resource1">hello world</dsig:Object>
> </dsig:Signature>
>
> The verification outputs:
>
> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
> FAIL
> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "signedfile.xml"
>
> I don’t understand what I’m doing wrong. It’s something with the C14N I
> suppose, but what to do about it? Can anyone give me a hint?
>
> Thanks, Peter
>
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
