I am analyzing an XML-DSIG file in order to know how to write my piece of software code that generates XML-DSIGnatures. I am having this trouble and desperately need help...
This is a bit I am trying to understand from an attached signatures0.xml:
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> [...deleted...] <Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedPropertiesElem_0" xmlns="http://www.w3.org/2000/09/xmldsig#"> <Transforms xmlns="http://www.w3.org/2000/09/xmldsig#"> <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <DigestValue>kOlNXyBs6oSP9hbh+4niZMNQ9OsOCzYhkSYYG4YdHQU=</DigestValue> </Reference></SignedInfo>
From what I understand, this refers to a SignedPropertiesElem_0 element in the same file. I am trying to determine exactly what it refers to - what piece of code should be selected and used later on for canonicalization and then calculating a digest value. Is it this:
<SignedProperties Id="SignedPropertiesElem_0"> <SignedSignatureProperties> <SigningTime>2014-08-21T06:09:55Z</SigningTime> <SigningCertificate> <Cert> <CertDigest> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/> <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue> </CertDigest> <IssuerSerial> <X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName> <X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber> </IssuerSerial> </Cert> </SigningCertificate> <SignaturePolicyIdentifier> <SignaturePolicyImplied/> </SignaturePolicyIdentifier> </SignedSignatureProperties> </SignedProperties>
Or this:
<SignedSignatureProperties> <SigningTime>2014-08-21T06:09:55Z</SigningTime> <SigningCertificate> <Cert> <CertDigest> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/> <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue> </CertDigest> <IssuerSerial> <X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName> <X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber> </IssuerSerial> </Cert> </SigningCertificate> <SignaturePolicyIdentifier> <SignaturePolicyImplied/> </SignaturePolicyIdentifier> </SignedSignatureProperties>
Or this:
<SigningTime>2014-08-21T06:09:55Z</SigningTime> <SigningCertificate> <Cert> <CertDigest> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/> <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue> </CertDigest> <IssuerSerial> <X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName> <X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber> </IssuerSerial> </Cert> </SigningCertificate> <SignaturePolicyIdentifier> <SignaturePolicyImplied/> </SignaturePolicyIdentifier>
Or some other part of it?
I tried the first one, then letting it through a StylusStudio canonicalization OR http://www.soapclient.com/xmlcanon.html (both seem to return identical results), which results in this:
<SignedProperties Id="SignedPropertiesElem_0"> <SignedSignatureProperties> <SigningTime>2014-08-21T06:09:55Z</SigningTime> <SigningCertificate> <Cert> <CertDigest> <DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod> <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue> </CertDigest> <IssuerSerial> <X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName> <X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber> </IssuerSerial> </Cert> </SigningCertificate> <SignaturePolicyIdentifier> <SignaturePolicyImplied></SignaturePolicyImplied> </SignaturePolicyIdentifier> </SignedSignatureProperties> </SignedProperties>
and then calculating the digest value using these tools:
http://www.webutils.pl/index.php?idx=sha1
http://hash.online-convert.com/sha256-generator
http://www.freeformatter.com/message-digest.html#ad-output
They all returned the same result, but that result is different from the one in the xml file: kOlNXyBs6oSP9hbh+4niZMNQ9OsOCzYhkSYYG4YdHQU=.
What am I doing wrong? What part of the xml document should I copy and paste into the canonicalizer and then into digest calculator? I've spent several days trying different things and looking for answers and haven't got anything... I am sure I missed something, therefore I am asking for your help.