how to verify a signed xml


qq54...@gmail.com

Nov 9, 2016, 8:26:13 AM
to golang-nuts
I know there are pem, base64, x509 and rsa in the Go library, but how do I use them to verify a signed XML like this?

var xmlstr = []byte("<?xml version=\"1.0\"?><Receipt Version=\"2.0\" CertificateId=\"A656B9B1B3AA509EEA30222E6D5E7DBDA9822DCD\" xmlns=\"http://schemas.microsoft.com/windows/2012/store/receipt\"><ProductReceipt PurchasePrice=\"CNY6.0\" PurchaseDate=\"2016-11-08T03:39:04.876Z\" Id=\"918cb98b-ed9e-4133-bef0-59992186d6b9\" AppId=\"73fa393e-bfcc-4c66-8c19-dfeacf4477b8\" ProductId=\"xxxxdiamond1_winstore\" ProductType=\"Consumable\" PublisherUserId=\"/uuPdfertpI/uxVEn2adfdGQApbLcuUhTKujcAKOQ=\" MicrosoftProductId=\"73fa39de-bfcc-4c66-8c19-98f9cf4477b8\" MicrosoftAppId=\"73fa39de-bfcc-4c66-8c19-98f9cf4477b8\" ExpirationDate=\"9999-12-31T23:59:59.999Z\" /><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><SignedInfo><CanonicalizationMethod Algorithm=\"http://www.w3.org/TR/2001/REC-xml-c14n-20010315\" /><SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\" /><Reference URI=\"\"><Transforms><Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\" /></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\" /><DigestValue>odlAczuG7bdfeaDmm7LHgN6R4tq97l6OpbcSDfj/s=</DigestValue></Reference></SignedInfo><SignatureValue>Yz9GEAtSp0sg9MKMgp2SeujoQZf/UxPF9rNOB1vI40/PaLV2QTst/aq8nmH1WhMDt6ZM6EO8EWCcdiddpUD3yZe2zhvSygA6ra6AkdfeaemhqAS2OtHqGPXNvVWoShiP3Cl13R5HlYVuL/rtGVinhD13M3M0zDfcfPFbNI0K9rMv3sHpVepfSY5El8KguYvheSuksxsYtneeVWk/egRkTM9Y1HwMAwEgtJWVq6q/MnVMScKu3T9ZhzAmW3gxElHpWWAR3yObgiNcjDb2a/kh4SuNnK7Tqng9WNcZrghtwrlh6DZADmf+xdfdutm5K3b2wJLRYZgNuWxteuMoWEeNQ==</SignatureValue></Signature></Receipt>")
I already have a certificate:
var cert *x509.Certificate // from crypto/x509

andrey mirtchovski

Nov 9, 2016, 9:13:05 AM
to qq54...@gmail.com, golang-nuts
XML signing is such a mess that the only way to support it fully, in
my opinion, is to use the "definitive" canonical implementation from
the non-Go world: libxml and xmlsec.

I have had good success with https://github.com/treetopllc/xml. I've
only added one function to it that serves my purpose, called
"VerifySignaturePubkey", which calls xmlsec's xmlVerifyPubkey.
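The cryptographic steps behind the receipt's enveloped `rsa-sha256` signature, as an added example that is not code from either poster or from treetopllc/xml. The names `Parts`, `Verify` and `Sample` are hypothetical, and the canonicalized byte slices are assumed to come from a C14N implementation such as xmlsec, because the Go standard library does not provide one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Parts holds values taken from <Signature> (hypothetical type, not a library API).
type Parts struct {
	SigAlg, DigestAlg, DigestValue, SignatureValue string
	DocC14N, SignedInfoC14N                        []byte // output of a C14N library (assumed)
}

// Verify pins the algorithms, checks the Reference digest, then the RSA signature.
func Verify(p Parts, pub *rsa.PublicKey) error {
	if p.SigAlg != "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" ||
		p.DigestAlg != "http://www.w3.org/2001/04/xmlenc#sha256" {
		return fmt.Errorf("unexpected algorithm URI")
	}
	doc := sha256.Sum256(p.DocC14N) // document minus <Signature>, canonicalized
	if base64.StdEncoding.EncodeToString(doc[:]) != p.DigestValue {
		return fmt.Errorf("DigestValue mismatch")
	}
	sig, err := base64.StdEncoding.DecodeString(p.SignatureValue)
	if err != nil {
		return err
	}
	si := sha256.Sum256(p.SignedInfoC14N)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, si[:], sig) // rsa-sha256 is PKCS#1 v1.5
}

func Sample() (Parts, *rsa.PublicKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key; all sample data is constructed
	p := Parts{SigAlg: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
		DigestAlg: "http://www.w3.org/2001/04/xmlenc#sha256", DocC14N: []byte("<Receipt></Receipt>")}
	d := sha256.Sum256(p.DocC14N)
	p.DigestValue = base64.StdEncoding.EncodeToString(d[:])
	p.SignedInfoC14N = []byte("<SignedInfo>" + p.DigestValue + "</SignedInfo>")
	si := sha256.Sum256(p.SignedInfoC14N)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, si[:])
	p.SignatureValue = base64.StdEncoding.EncodeToString(sig)
	return p, &key.PublicKey
}

func main() { fmt.Println(Verify(Sample())) }
```

With a parsed certificate, `pub` would be `cert.PublicKey.(*rsa.PublicKey)`; a signature that verifies only proves the receipt was signed by that key, so the certificate itself still has to be one you trust.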