XML Canonicalization and signing

[Shivli Srivastava]

I have the task of generating the digital signature of an xml, enveloping it in a PKCS7 packet and attaching it to the xml . I decided to use https://pkg.go.dev/go.mozilla.org/pkcs7 , and was able to generate the sign but it is not matching with the expected output . It seems to me that xml has to be canonicalized before signing . Do we have any reference how to do it in golang ?

[Karlovsky Alexey]

It's a strange task, because for xml there is a XMLDSIG standard for signing XML documents. I recommend trying https://github.com/russellhaering/goxmldsig for this.

If XMLDSig is not suitable and you definitely want to create a digital signature of an xml - you should think about xml normalization and also about embedding empty tag for signature in the same format for signer and verifier.

For example, you can use http://www.w3.org/2001/10/xml-exc-c14n# canonicalization algorithm. Check https://github.com/russellhaering/goxmldsig/blob/main/canonicalize.go for details.

On Wed, Feb 14, 2024 at 10:18 PM Shivli Srivastava <shivlisri...@gmail.com> wrote:

I have the task of generating the digital signature of an xml, enveloping it in a PKCS7 packet and attaching it to the xml . I decided to use https://pkg.go.dev/go.mozilla.org/pkcs7 , and was able to generate the sign but it is not matching with the expected output . It seems to me that xml has to be canonicalized before signing . Do we have any reference how to do it in golang ?

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/eeeb47db-8bca-4883-8cf5-342c55e4f836n%40googlegroups.com.

--

Kind regards,

Alexey

[Shivli Srivastava]

Hi Karlovsly

Thanks for the prompt reply . Let me try it out and get back to you.

Kind regards,
Shivli