Jump to content
tufffta

Help: How does URI reference work in xml dsig? Calculating digestvalue?

Recommended Posts

I am analyzing an XML-DSIG file in order to know how to write my piece of software code that generates XML-DSIGnatures. I am having this trouble and desperately need help...

This is a bit I am trying to understand from an attached signatures0.xml:

<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                [...deleted...]		<Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedPropertiesElem_0" xmlns="http://www.w3.org/2000/09/xmldsig#">			<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">				<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>			</Transforms>			<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>			<DigestValue>kOlNXyBs6oSP9hbh+4niZMNQ9OsOCzYhkSYYG4YdHQU=</DigestValue>		</Reference></SignedInfo>

From what I understand, this refers to a SignedPropertiesElem_0 element in the same file. I am trying to determine exactly what it refers to - what piece of code should be selected and used later on for canonicalization and then calculating a digest value. Is it this:

<SignedProperties Id="SignedPropertiesElem_0">				<SignedSignatureProperties>					<SigningTime>2014-08-21T06:09:55Z</SigningTime>					<SigningCertificate>						<Cert>							<CertDigest>								<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/>								<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>							</CertDigest>							<IssuerSerial>								<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>								<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>							</IssuerSerial>						</Cert>					</SigningCertificate>					<SignaturePolicyIdentifier>						<SignaturePolicyImplied/>					</SignaturePolicyIdentifier>				</SignedSignatureProperties>			</SignedProperties>

Or this:

<SignedSignatureProperties>					<SigningTime>2014-08-21T06:09:55Z</SigningTime>					<SigningCertificate>						<Cert>							<CertDigest>								<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/>								<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>							</CertDigest>							<IssuerSerial>								<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>								<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>							</IssuerSerial>						</Cert>					</SigningCertificate>					<SignaturePolicyIdentifier>						<SignaturePolicyImplied/>					</SignaturePolicyIdentifier>				</SignedSignatureProperties>

Or this:

<SigningTime>2014-08-21T06:09:55Z</SigningTime>					<SigningCertificate>						<Cert>							<CertDigest>								<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/>								<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>							</CertDigest>							<IssuerSerial>								<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>								<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>							</IssuerSerial>						</Cert>					</SigningCertificate>					<SignaturePolicyIdentifier>						<SignaturePolicyImplied/>					</SignaturePolicyIdentifier>

Or some other part of it?

 

I tried the first one, then letting it through a StylusStudio canonicalization OR http://www.soapclient.com/xmlcanon.html (both seem to return identical results), which results in this:

<SignedProperties Id="SignedPropertiesElem_0">				<SignedSignatureProperties>					<SigningTime>2014-08-21T06:09:55Z</SigningTime>					<SigningCertificate>						<Cert>							<CertDigest>								<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>								<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>							</CertDigest>							<IssuerSerial>								<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>								<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>							</IssuerSerial>						</Cert>					</SigningCertificate>					<SignaturePolicyIdentifier>						<SignaturePolicyImplied></SignaturePolicyImplied>					</SignaturePolicyIdentifier>				</SignedSignatureProperties>			</SignedProperties>

and then calculating the digest value using these tools:

http://www.webutils.pl/index.php?idx=sha1

http://hash.online-convert.com/sha256-generator

http://www.freeformatter.com/message-digest.html#ad-output

 

They all returned the same result, but that result is different from the one in the xml file: kOlNXyBs6oSP9hbh+4niZMNQ9OsOCzYhkSYYG4YdHQU=.

 

What am I doing wrong? What part of the xml document should I copy and paste into the canonicalizer and then into digest calculator? I've spent several days trying different things and looking for answers and haven't got anything... I am sure I missed something, therefore I am asking for your help.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...