Jump to content

Help: How does URI reference work in xml dsig? Calculating digestvalue?


tufffta
 Share

Recommended Posts

I am analyzing an XML-DSIG file in order to know how to write my piece of software code that generates XML-DSIGnatures. I am having this trouble and desperately need help...

This is a bit I am trying to understand from an attached signatures0.xml:

<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                [...deleted...]		<Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedPropertiesElem_0" xmlns="http://www.w3.org/2000/09/xmldsig#">			<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">				<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>			</Transforms>			<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>			<DigestValue>kOlNXyBs6oSP9hbh+4niZMNQ9OsOCzYhkSYYG4YdHQU=</DigestValue>		</Reference></SignedInfo>

From what I understand, this refers to a SignedPropertiesElem_0 element in the same file. I am trying to determine exactly what it refers to - what piece of code should be selected and used later on for canonicalization and then calculating a digest value. Is it this:

<SignedProperties Id="SignedPropertiesElem_0">				<SignedSignatureProperties>					<SigningTime>2014-08-21T06:09:55Z</SigningTime>					<SigningCertificate>						<Cert>							<CertDigest>								<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/>								<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>							</CertDigest>							<IssuerSerial>								<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>								<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>							</IssuerSerial>						</Cert>					</SigningCertificate>					<SignaturePolicyIdentifier>						<SignaturePolicyImplied/>					</SignaturePolicyIdentifier>				</SignedSignatureProperties>			</SignedProperties>

Or this:

<SignedSignatureProperties>					<SigningTime>2014-08-21T06:09:55Z</SigningTime>					<SigningCertificate>						<Cert>							<CertDigest>								<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/>								<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>							</CertDigest>							<IssuerSerial>								<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>								<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>							</IssuerSerial>						</Cert>					</SigningCertificate>					<SignaturePolicyIdentifier>						<SignaturePolicyImplied/>					</SignaturePolicyIdentifier>				</SignedSignatureProperties>

Or this:

<SigningTime>2014-08-21T06:09:55Z</SigningTime>					<SigningCertificate>						<Cert>							<CertDigest>								<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns="http://www.w3.org/2000/09/xmldsig#"/>								<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>							</CertDigest>							<IssuerSerial>								<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>								<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>							</IssuerSerial>						</Cert>					</SigningCertificate>					<SignaturePolicyIdentifier>						<SignaturePolicyImplied/>					</SignaturePolicyIdentifier>

Or some other part of it?

 

I tried the first one, then letting it through a StylusStudio canonicalization OR http://www.soapclient.com/xmlcanon.html (both seem to return identical results), which results in this:

<SignedProperties Id="SignedPropertiesElem_0">				<SignedSignatureProperties>					<SigningTime>2014-08-21T06:09:55Z</SigningTime>					<SigningCertificate>						<Cert>							<CertDigest>								<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>								<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">JQ0kZvd0mtXQPA/RTuYV9iuc346tznvN9MoAd/0jNyM=</DigestValue>							</CertDigest>							<IssuerSerial>								<X509IssuerName xmlns="http://www.w3.org/2000/09/xmldsig#">CN=Nacionalinis sertifikavimo centras (IssuingCA-,OU=Nacionalinis sertifikavimo centras (NSC),O=Gyventoju registro tarnyba prie LR VRM - i.k. 188756767,C=LT</X509IssuerName>								<X509SerialNumber xmlns="http://www.w3.org/2000/09/xmldsig#">1315010063538360283821765366094690</X509SerialNumber>							</IssuerSerial>						</Cert>					</SigningCertificate>					<SignaturePolicyIdentifier>						<SignaturePolicyImplied></SignaturePolicyImplied>					</SignaturePolicyIdentifier>				</SignedSignatureProperties>			</SignedProperties>

and then calculating the digest value using these tools:

http://www.webutils.pl/index.php?idx=sha1

http://hash.online-convert.com/sha256-generator

http://www.freeformatter.com/message-digest.html#ad-output

 

They all returned the same result, but that result is different from the one in the xml file: kOlNXyBs6oSP9hbh+4niZMNQ9OsOCzYhkSYYG4YdHQU=.

 

What am I doing wrong? What part of the xml document should I copy and paste into the canonicalizer and then into digest calculator? I've spent several days trying different things and looking for answers and haven't got anything... I am sure I missed something, therefore I am asking for your help.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...