http://www.w3.org/TR/xmldsig-core/#sec-CoreGeneration
Sections 3.1.1 and 3.1.2. Basically you first *sign* an empty KeyValue and
then insert data there, thus invalidating the signature.

Aleksey

On 3/6/14, 12:21 AM, Peter wrote:
> That's what the other party wants to receive. The digested Resource and
> KeyInfo elements are placed into the SignedInfo element, which is then
> signed as a whole.
> Does XmlSec support this? And is what I'm doing basically correct for this
> approach?
>
> See also this image: http://nl.tinypic.com/r/nx3w1w/8
>
> Thanks, Peter
>
> -----Original message-----
> From: Aleksey Sanin [mailto:[email protected]]
> Sent: Wednesday, 5 March 2014 17:45
> To: Peter; [email protected]
> Subject: Re: [xmlsec] Signing and validating fails
>
> You should probably start from reading the XMLDsig spec...
>
> I am not sure what you are trying to achieve by putting a keyvalue element
> into the signature and then signing it.
>
> Aleksey
>
> On 3/4/14, 11:42 PM, Peter wrote:
>> Hi, I have a piece of XML I would like to sign.
>>
>> The commands I use are:
>>
>> xmlsec1 sign --privkey-pem key.pem --output signedfile.xml test.xml
>>
>> xmlsec1 --verify signedfile.xml
>>
>> The XML template (test.xml) to be signed is:
>>
>> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
>>                 Id="Signature001">
>>   <dsig:SignedInfo>
>>     <dsig:CanonicalizationMethod
>>         Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></dsig:CanonicalizationMethod>
>>     <dsig:SignatureMethod
>>         Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></dsig:SignatureMethod>
>>     <dsig:Reference URI="#KeyInfo001">
>>       <dsig:DigestMethod
>>           Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod>
>>       <dsig:DigestValue></dsig:DigestValue>
>>     </dsig:Reference>
>>     <dsig:Reference URI="#Resource1">
>>       <dsig:DigestMethod
>>           Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod>
>>       <dsig:DigestValue></dsig:DigestValue>
>>     </dsig:Reference>
>>   </dsig:SignedInfo>
>>   <dsig:SignatureValue></dsig:SignatureValue>
>>   <dsig:KeyInfo Id="KeyInfo001">
>>     <dsig:KeyValue></dsig:KeyValue>
>>   </dsig:KeyInfo>
>>   <dsig:Object Id="Resource1">hello world</dsig:Object>
>> </dsig:Signature>
>>
>> The verification outputs:
>>
>> func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
>> FAIL
>> SignedInfo References (ok/all): 0/1
>> Manifests References (ok/all): 0/0
>> Error: failed to verify file "signedfile.xml"
>>
>> I don't understand what I'm doing wrong. It's something with the C14N
>> I suppose, but what to do about it? Can anyone give me a hint?
>>
>> Thanks, Peter
>>
>> _______________________________________________
>> xmlsec mailing list
>> [email protected]
>> http://www.aleksey.com/mailman/listinfo/xmlsec
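The failure Aleksey points at, reconstructed as an added example (not code from this thread or from xmlsec): a small reference-digest generator and checker in Python 3.8+ run over a trimmed copy of Peter's template. It assumes the stdlib's C14N 2.0 in place of the Inclusive C14N 1.0 the template names, and a placeholder key value instead of a real RSA key; the point is the order of operations (reference digests are taken before KeyValue is filled), not the exact digest bytes.

```python
import base64, copy, hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"dsig": DSIG}
ET.register_namespace("dsig", DSIG)
# Constructed, trimmed copy of the thread's template: only what feeds the two Reference digests.
TEMPLATE = f"""<dsig:Signature xmlns:dsig="{DSIG}" Id="Signature001">
  <dsig:SignedInfo>
    <dsig:Reference URI="#KeyInfo001"><dsig:DigestValue/></dsig:Reference>
    <dsig:Reference URI="#Resource1"><dsig:DigestValue/></dsig:Reference>
  </dsig:SignedInfo>
  <dsig:KeyInfo Id="KeyInfo001"><dsig:KeyValue></dsig:KeyValue></dsig:KeyInfo>
  <dsig:Object Id="Resource1">hello world</dsig:Object>
</dsig:Signature>"""

def digest_of(elem):
    # SHA-1 over the canonical form of one element, base64 as in DigestValue.
    # Assumption: stdlib C14N 2.0 stands in for the Inclusive C14N 1.0 the template names.
    elem = copy.deepcopy(elem)
    elem.tail = None  # whitespace after the element is not part of it
    canon = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()

def by_id(root, uri):
    # Resolve a same-document "#Id" URI to its element.
    for e in root.iter():
        if e.get("Id") == uri[1:]:
            return e
    raise KeyError(uri)

def generate_references(root):
    # Spec 3.1.1: digest every referenced element as it exists at this moment.
    for ref in root.iterfind(".//dsig:Reference", NS):
        ref.find("dsig:DigestValue", NS).text = digest_of(by_id(root, ref.get("URI")))

def check_references(root):
    # Verifier's view: recompute each digest and compare with the stored one; returns {URI: ok}.
    return {r.get("URI"): r.find("dsig:DigestValue", NS).text == digest_of(by_id(root, r.get("URI")))
            for r in root.iterfind(".//dsig:Reference", NS)}

def fill_key_value(root):
    # Stand-in for the signer writing its public key into KeyValue (placeholder, not a real key).
    rsa = ET.SubElement(root.find(".//dsig:KeyValue", NS), f"{{{DSIG}}}RSAKeyValue")
    ET.SubElement(rsa, f"{{{DSIG}}}Modulus").text = "PLACEHOLDER-MODULUS"
    ET.SubElement(rsa, f"{{{DSIG}}}Exponent").text = "AQAB"

def sign_then_verify(key_before_digest):
    # key_before_digest=False reproduces the thread: KeyValue is filled after its digest was taken.
    root = ET.fromstring(TEMPLATE)
    if key_before_digest:
        fill_key_value(root)
    generate_references(root)
    if not key_before_digest:
        fill_key_value(root)
    return check_references(root)
```

With `key_before_digest=False` the `#KeyInfo001` reference fails exactly as in the `xmlsec1 --verify` output above while `#Resource1` still passes; completing KeyInfo before reference generation makes both pass.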
