How to properly sign XML, knowing the xmlsec1 tool syntax


Berry T.

Jan 1, 2013, 9:13:31 AM
to xmlse...@googlegroups.com
Hello everyone!

I have been struggling for a couple of days trying to figure out the proper way to sign an XML message using this great XmlSecLibs. I'm almost banging my head against the wall...
It's used for a government SOAP service that is poorly documented and seems to be using the "xmlsec1" tool to validate the message signature on the server side.

What I know for now is the method of signing with the "xmlsec1" tool, which works with the service and validates:

 xmlsec1 --sign --output signed.xml --pkcs12 certAndPrivateKey.pfx --pwd somePass --id-attr:Id NameOfTheID source.xml

The source.xml file has to contain these elements, appended to the end of the root element:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#nameOfTheID">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue></DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue></SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate></X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>

I suppose this is for configuration purposes; the <Signature> element is replaced with a regenerated one in the output signed XML file.

Now, I am unable to get the same signature/result using XmlSecLibs, and the document signed with this lib doesn't get validated on the server side :((
... (I suppose) I have to use source.xml without this inserted <Signature> element as input for XmlSecLibs??

Here is my PHP code that tries to make the proper signing:
- - - - -
require_once 'xmlseclibs.php';

$doc = new DOMDocument();
$doc->load(dirname(__FILE__) . '/source.xml');

$objDSig = new XMLSecurityDSig();

$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);

/* Passing the DOMDocument makes the Reference cover the whole document (URI="") */
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#'));

$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));

/* dirname() has no trailing slash, so the separator must be part of the file name */
$objKey->loadKey(dirname(__FILE__) . '/privateKeyNoPass.pem', TRUE);

$objDSig->sign($objKey);

/* Add associated public key */
$objDSig->add509Cert(file_get_contents(dirname(__FILE__) . '/cert.pem'));

$objDSig->appendSignature($doc->documentElement);

$doc->save(dirname(__FILE__) . '/signed.xml');
- - - - -

Any ideas what I am doing wrong here? I suspect the "--id-attr:Id NameOfTheID" in the tool command might be the difference (or not)?

Thank you very much for any ideas; I'm desperate to get the signing with this PHP lib right!

Rob Richards

Jan 5, 2013, 12:26:33 PM
to xmlse...@googlegroups.com, Berry T.
You are correct about the source.xml. It should *not* contain the Signature element, as it is generated by the library.
What part of your document are you trying to sign?
It would also be helpful if you posted what xmlsec produces, as that will answer most of the questions I would have for you. You can just edit any of the values you need to in order to sanitize the data.

Rob
--
You received this message because you are subscribed to the Google Groups "xmlseclibs" group.
To view this discussion on the web visit https://groups.google.com/d/msg/xmlseclibs/-/rVG-8nUSSz0J.
To post to this group, send email to xmlse...@googlegroups.com.
To unsubscribe from this group, send email to xmlseclibs+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/xmlseclibs?hl=en.

Berry T.

Jan 5, 2013, 1:53:07 PM
to xmlse...@googlegroups.com, Berry T.
Hello Rob,

thank you very much for your reply.

Here, my colleague has put up a Gist so you can see everything: https://gist.github.com/4461385
I think the filenames are self-explanatory ... but if needed, please ask!

I hope you can help, and thank you for your time in advance!!

Berry T.

Jan 5, 2013, 2:14:09 PM
to xmlse...@googlegroups.com, Berry T.


On Saturday, 5 January 2013 at 18:26:33 UTC+1, Rob Richards wrote:

What part of your document are you trying to sign?

It's the element with the Id attribute "poslovniProstorId".

Here is the xmlsec1 command:
xmlsec1 --sign --output signed.xml --pkcs12 certAndPrivateKey.pfx --pwd somePass --id-attr:Id poslovniProstorId source.xml

Goran Juric

Jan 5, 2013, 2:41:23 PM
to xmlse...@googlegroups.com, Berry T.
Hi all,

actually, the element has an Id="poslovniProstorId", but to sign it with xmlsec1 you have to use this syntax:

xmlsec1 --sign --output signed.xml --pkcs12 certAndPrivateKey.pfx --pwd somePass --id-attr:Id PoslovniProstorZahtjev source.xml

The element's name is
<f73:PoslovniProstorZahtjev xmlns:f73="http://www.apis-it.hr/fin/2012/types/f73" Id="poslovniProstorId">

I believe that I've put the syntax I used to sign the document with xmlsec1 at the top of that gist as a comment. The file names are, when I think about it, a little cryptic, so let me recap:

https://gist.github.com/4461385
  1. Correct output-xmlsec1.xml - signed with xmlsec1 from the special template with the Signature element in it
  2. File passed to xmlsec1.xml - XML to be signed, with the added Signature element so xmlsec1 knows what to do with it
  3. File to be signed.xml - original file that has to be signed
  4. Output-of-xmlseclibs-signing-the original file.xml - the result of signing with xmlseclibs
  5. Output-of-signing-the-xml-template-for-xmlsec1.xml - you can ignore this one, as you said the <Signature> should not be in the document before signing
  6. Signing-with-xmlseclibs.php - PHP code used to sign the document with xmlseclibs

Regards,

Goran Jurić
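The signing step the thread is circling around, written out as an added example. This is editor's code, not Berry's script, not the gist, and not xmlseclibs' bundled sample: it signs the element carrying Id="poslovniProstorId" the way the xmlsec1 template in the first post does (exclusive C14N, enveloped-signature transform, RSA-SHA1 over a SHA-1 digest, certificate in KeyInfo/X509Data) and takes key and certificate from the same .pfx that xmlsec1 --pkcs12 reads. Assumed, because the thread does not state them: the un-namespaced xmlseclibs.php include used in the first post (Composer installs use RobRichards\XMLSecLibs\XMLSecurityDSig and XMLSecurityKey), the id_name/overwrite options of addReference, and that the Id-bearing element is where the Signature goes, which in the template above is the end of the root element. The file names are the ones from the thread's xmlsec1 command.

```php
<?php
// Added example (editor's code, not Berry's script, not the gist, not
// xmlseclibs' bundled sample). Signs the element that carries
// Id="poslovniProstorId" the way the xmlsec1 template in the thread does.
// Assumptions: the un-namespaced xmlseclibs.php is on the include path
// (Composer installs use RobRichards\XMLSecLibs\XMLSecurityDSig /
// XMLSecurityKey instead); addReference accepts the id_name/overwrite options;
// the key and certificate come from the same .pfx given to xmlsec1 --pkcs12.
require_once 'xmlseclibs.php';

/**
 * Sign the single element whose Id attribute equals $idValue and write the
 * result to $outputFile. Mirrors:
 *   xmlsec1 --sign --pkcs12 $pfxFile --pwd $pfxPassword --id-attr:Id <elem> source.xml
 */
function signElementById(string $sourceFile, string $pfxFile, string $pfxPassword,
                         string $idValue, string $outputFile): void
{
    // 1. Load the unsigned document. Unlike xmlsec1, xmlseclibs builds the
    //    <Signature> itself, so source.xml must not contain one already.
    $doc = new DOMDocument();
    if (!$doc->load($sourceFile)) {
        throw new RuntimeException("cannot parse $sourceFile");
    }
    $doc->formatOutput = false;   // never pretty-print a document you are about to digest

    // 2. Locate the target. A plain "Id" attribute is not a DTD-declared ID, so
    //    DOM's getElementById() cannot find it; this XPath plays the role of
    //    xmlsec1's --id-attr:Id. $idValue is a constant here, not user input.
    $xp = new DOMXPath($doc);
    $nodes = $xp->query("//*[@Id='$idValue']");
    if ($nodes->length !== 1) {
        throw new RuntimeException("expected one element with Id='$idValue', found {$nodes->length}");
    }
    $target = $nodes->item(0);

    // 3. Pull private key + certificate out of the PKCS#12 container.
    $bundle = [];
    if (!openssl_pkcs12_read(file_get_contents($pfxFile), $bundle, $pfxPassword)) {
        throw new RuntimeException('cannot open PKCS#12: ' . openssl_error_string());
    }

    // 4. Same algorithms and transforms as the xmlsec1 template.
    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    $dsig->addReference(
        $target,                                   // the element, not the DOMDocument
        XMLSecurityDSig::SHA1,
        [XMLSecurityDSig::ENVELOPED_SIGNATURE, XMLSecurityDSig::EXC_C14N],
        // id_name: attribute holding the ID; overwrite=false: keep its value
        // instead of replacing it with a generated GUID, so URI="#poslovniProstorId"
        ['id_name' => 'Id', 'overwrite' => false]
    );

    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, ['type' => 'private']);
    $key->loadKey($bundle['pkey']);                // PEM string, so $isFile stays false
    $dsig->sign($key);
    $dsig->add509Cert($bundle['cert']);            // KeyInfo/X509Data/X509Certificate

    // 5. The enveloped-signature transform requires <Signature> to be inside
    //    the referenced element, so append it there (the root, in the thread's
    //    template) and not somewhere else in the document.
    $dsig->appendSignature($target);

    $doc->save($outputFile);
}

// File names as in the thread's xmlsec1 command.
signElementById('source.xml', 'certAndPrivateKey.pfx', 'somePass', 'poslovniProstorId', 'signed.xml');
```

Two things differ from the PHP in the first post: the Reference is built from the element that carries the Id rather than from the DOMDocument (which yields URI="" over the whole document), and overwrite=false stops xmlseclibs from replacing the existing Id value with a generated one. To compare against the xmlsec1 output, look at DigestValue first: if it differs, the two tools digested different canonical bytes, usually whitespace around the Signature position or a different target element, and no amount of key fiddling will help; SignatureValue will normally differ anyway because the whitespace inside the two SignedInfo elements differs. xmlseclibs emits ds:-prefixed elements, which is namespace-equivalent to the unprefixed template; newer xmlseclibs releases accept a prefix argument to the XMLSecurityDSig constructor if the server insists on the unprefixed form. RSA-SHA1 and SHA-1 are used only because the server's template demands them; use RSA_SHA256 and SHA256 wherever the verifier accepts them.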

Rob Richards

Jan 11, 2013, 7:49:22 AM
to xmlse...@googlegroups.com, Goran Juric, Berry T.
I compared the two outputs and I see in the xmlsec output that there are 2 Signature elements, where one of them, although pointing to an element, is really just a shell (the actual signatures are missing). Do you happen to know what error the server is throwing and what type of server it is?

Also, was wondering since you are using SOAP in PHP, have you tried using my wse-php code?
http://code.google.com/p/wse-php/

Wrapper around the SOAP extension that adds WS-* support out of the box.

Rob
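The receiving side of the same exchange, as an added example (editor's code, not from the thread, not the server's code and not xmlseclibs' bundled verify sample). It walks every Signature in a signed document, reports the "shell" Signatures with no SignatureValue that Rob saw in the xmlsec1 output, rejects any Signature whose Reference does not name the expected element or that is not enveloped inside it, pins the certificate carried in KeyInfo to a trusted one, and only then checks digest and signature. Assumed: the un-namespaced xmlseclibs.php (Composer installs use the RobRichards\XMLSecLibs namespace), that the signer's certificate is embedded in KeyInfo/X509Data as the template does, and a trusted certificate file cert.pem.

```php
<?php
// Added example (editor's code, not from the thread). Verifies a signed
// document the way a server would, plus the checks a bare verify() skips:
// empty "shell" Signatures, a Reference aimed at the wrong element, and an
// untrusted embedded certificate. Assumes the un-namespaced xmlseclibs.php
// and a trusted signer certificate in PEM (cert.pem).
require_once 'xmlseclibs.php';

const DSIG_NS = 'http://www.w3.org/2000/09/xmldsig#';

/**
 * One entry per <Signature> found: ['status' => 'ok'|'shell'|'rejected', 'detail' => ...].
 * Only an 'ok' entry counts; it implies the Reference targets $expectedId.
 */
function verifySignedElement(string $signedFile, string $expectedId, string $trustedCertPem): array
{
    $doc = new DOMDocument();
    if (!$doc->load($signedFile)) {
        throw new RuntimeException("cannot parse $signedFile");
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', DSIG_NS);

    $results = [];
    foreach ($xp->query('//ds:Signature') as $sigNode) {
        // 1. A template that was never filled in has an empty SignatureValue.
        if (trim($xp->evaluate('string(ds:SignatureValue)', $sigNode)) === '') {
            $results[] = ['status' => 'shell', 'detail' => 'empty SignatureValue'];
            continue;
        }

        // 2. Exactly one Reference, and it must name the element we care about.
        $refUri = $xp->evaluate('string(ds:SignedInfo/ds:Reference/@URI)', $sigNode);
        if ((int) $xp->evaluate('count(ds:SignedInfo/ds:Reference)', $sigNode) !== 1
            || $refUri !== '#' . $expectedId) {
            $results[] = ['status' => 'rejected', 'detail' => "unexpected Reference URI '$refUri'"];
            continue;
        }

        // 3. enveloped-signature means the Signature lives inside the referenced
        //    element; refuse one that sits elsewhere in the tree. Do this before
        //    validateReference(), which detaches the Signature from the document.
        $parent = $sigNode->parentNode;
        if (!($parent instanceof DOMElement) || $parent->getAttribute('Id') !== $expectedId) {
            $results[] = ['status' => 'rejected', 'detail' => 'Signature not enveloped in the referenced element'];
            continue;
        }

        try {
            $dsig = new XMLSecurityDSig();
            $dsig->sigNode = $sigNode;                 // verify this particular Signature
            $dsig->canonicalizeSignedInfo();
            $dsig->idKeys = ['Id'];                    // which attribute resolves "#..." URIs
            $dsig->validateReference();                // throws if the digest does not match

            $key = $dsig->locateKey();                 // public key, algorithm from SignatureMethod
            if ($key === null) {
                throw new RuntimeException('unsupported SignatureMethod');
            }
            XMLSecEnc::staticLocateKeyInfo($key, $sigNode); // load cert from KeyInfo/X509Data

            // 4. The embedded certificate proves nothing by itself; pin it to
            //    the certificate we trust before accepting the signature.
            $got  = openssl_x509_fingerprint($key->getX509Certificate(), 'sha256');
            $want = openssl_x509_fingerprint($trustedCertPem, 'sha256');
            if ($got === false || $want === false || $got !== $want) {
                throw new RuntimeException('signer certificate is not the trusted one');
            }

            if ($dsig->verify($key) !== 1) {           // 1 = OK, 0 = bad signature, -1 = error
                throw new RuntimeException('SignatureValue does not verify');
            }
            $results[] = ['status' => 'ok', 'detail' => "signed element Id=$expectedId"];
        } catch (Exception $e) {
            $results[] = ['status' => 'rejected', 'detail' => $e->getMessage()];
        }
    }
    return $results;
}

$report = verifySignedElement('signed.xml', 'poslovniProstorId', file_get_contents('cert.pem'));
foreach ($report as $i => $r) {
    printf("Signature #%d: %s (%s)\n", $i + 1, $r['status'], $r['detail']);
}
```

Run against the xmlsec1 output from the gist this should list one 'ok' entry and one 'shell' entry; run against the xmlseclibs output from the first post's script it reports 'rejected' with the URI check, because that script signed the whole document (URI="") rather than the Id-bearing element. The URI and parent checks are what stop a signature over some other element from being accepted just because it verifies cryptographically.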

