2

I am trying to implement a routine for XML Digital Signature, and I am able to correcty calculate the hash of the information to be signed. However, I am facing problems with the signature itself, since I do not manage to create the real string to be signed.

Right now I have this:

<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">&lt;/CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>eDSx9uS7oB++bnG/6tGiD/l8374=</DigestValue>
</Reference>
</SignedInfo>

Using only CR instead of CRLF. No spaces for indentation (Where the post shows an space between tags, there is a CR)

Any suggestions to calculate a valid signature ?

P.D. I have changed the Canonicalization Algorithm to EXCLUSIVE and it works, but the requirement is to use INCLUSIVE.

Thanks a lot in advance.

mosg
  • 12,041
  • 12
  • 65
  • 87
crypto
  • 19
  • 2

1 Answers1

2

Here is a suggestion: make sure you copy the correct namespace defs for all tags and attributes. Here is some more info.

http://anilsaldhana.blogspot.com/2009/07/exclusive-versus-inclusive.html http://lists.oasis-open.org/archives/wss/200311/msg00058.html

Of course, you really should not be implementing your own XML DigSig lib in the first place. I would highly recommend you to take a look at some open source libraries before you continue. There should be ample examples of libs that do this kind of canonicalization. You might want to test against them anyway.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263