Digital signature by Oxygen
Posted: Fri Jun 22, 2012 6:18 pm
by DmitryK
Hi All.
I would like to get to know how Oxygen signs XML.
I use the following sign options:
Envelope
ID: Body
Here is my original file:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instan ... apenv:Body Id="Body"><sml:search xmlns:sml="urn:1:0" xmlns:sub="urn:SUB:1:0"><version>v1</version><base><objectclass>Sub</objectclass><alias name="im" value="1111" xsi:type="sub:SubType"></alias></base></sml:search></soapenv:Body></soapenv:Envelope>
Could anybody indicate to me which exact part of the file is being used during the signing process?
Re: Digital signature by Oxygen
Posted: Mon Jun 25, 2012 1:00 pm
by adrian
Hi,
Given your sign options, the signed region of the document is:
<soapenv:Body Id="Body"><sml:search xmlns:sml="urn:1:0" xmlns:sub="urn:SUB:1:0"><version>v1</version><base><objectclass>Sub</objectclass><alias name="im" value="1111" xsi:type="sub:SubType"/></base></sml:search></soapenv:Body>
This is because of the Id="Body" attribute from soapenv:Body.
Regards,
Adrian
Re: Digital signature by Oxygen
Posted: Mon Jun 25, 2012 2:24 pm
by DmitryK
Hi,
Thanks for the answer. For me it's logical. But I'm a little bit puzzled.
If I don't use the ID, the message hash is:
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">Ddr ... igestValue>
And this result is the same as the one from a third-party translator (for example http://home.paulschou.net/tools/xlate/):
SHA1 hex: 0ddaf43598bf5eb9710e816c000ef6912ec5d997
or base64: Ddr0NZi/XrlxDoFsAA72kS7F2Zc=
But if the ID "Body" is being used, the results are different:
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">/0Z ... igestValue>
SHA1 hex: cf7021aa46976aa25b685bc13af3fb1d97f453e7
or base64: z3AhqkaXaqJbaFvBOvP7HZf0U+c=
It suggests that something different is being used during sign procedure.
Re: Digital signature by Oxygen
Posted: Mon Jun 25, 2012 3:08 pm
by adrian
Something different is being used, since this is XML and not plain text. I thought you were just interested in what region of the XML document is being signed, not literally the exact text content that's being signed. The snippet I mentioned does not hold on its own as XML, so it's being augmented with the namespace declarations.
Like this:
<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Id="Body"><sml:search xmlns:sml="urn:1:0" xmlns:sub="urn:SUB:1:0"><version>v1</version><base><objectclass>Sub</objectclass><alias name="im" value="1111" xsi:type="sub:SubType"></alias></base></sml:search></soapenv:Body>
This seems to translate to exactly what you see in the signed XML:
SHA1: ff466297817dec87d392e42fc82fa89de8d24e7d
Base64: /0Zil4F97IfTkuQvyC+onejSTn0=
Oxygen uses the Apache XML Security libraries, so you might want to check the details of the implementation on the Apache project page (now renamed to Santuario):
http://santuario.apache.org/
Regards,
Adrian
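The augmentation step Adrian describes, as an added Python example that is not part of this thread nor code from Oxygen or Apache Santuario: it implements the element subset of inclusive C14N 1.0 (inherited namespace declarations re-emitted on the referenced element, sorted, with empty elements expanded) over a constructed copy of DmitryK's envelope, the truncated xsi namespace URI being restored from Adrian's later post, then locates the element by its Id and hashes it. It assumes a document without comments, processing instructions or xml: attributes; the canonical form of the Body element comes out as exactly the augmented snippet Adrian posted, and the digest of a plain re-serialization of the same element differs from it, which is the discrepancy DmitryK observed.

```python
import base64
import hashlib
from xml.dom import XMLNS_NAMESPACE, minidom
# Constructed sample: the thread's envelope, with the namespace URI the forum cut off restored.
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<soapenv:Body Id="Body"><sml:search xmlns:sml="urn:1:0" xmlns:sub="urn:SUB:1:0"><version>v1</version><base>'
            '<objectclass>Sub</objectclass><alias name="im" value="1111" xsi:type="sub:SubType"/></base></sml:search></soapenv:Body></soapenv:Envelope>')

def _esc(s, attr=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    return s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;") if attr else s.replace(">", "&gt;")

def _in_scope_ns(el):
    # Namespace declarations visible at `el`; the nearest declaration of a prefix wins.
    scope, node = {}, el
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for a in node.attributes.values():
            if a.namespaceURI == XMLNS_NAMESPACE:
                scope.setdefault("" if a.name == "xmlns" else a.localName, a.value)
        node = node.parentNode
    return scope

def c14n(el, rendered=None):
    # Inclusive C14N 1.0 of an element subtree (no comments, PIs or xml:* inheritance): inherited namespace
    # declarations are re-emitted on the subtree root sorted by prefix, attributes sorted by (URI, local name), <a/> -> <a></a>.
    rendered = dict(rendered or {})
    out = ["<", el.tagName]
    for prefix, uri in sorted(_in_scope_ns(el).items()):
        if rendered.get(prefix, "") != uri:  # skip what an output ancestor already rendered
            rendered[prefix] = uri
            out.append(' xmlns%s="%s"' % (":" + prefix if prefix else "", _esc(uri, True)))
    for a in sorted([a for a in el.attributes.values() if a.namespaceURI != XMLNS_NAMESPACE], key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _esc(a.value, True)))
    out.append(">")
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(c14n(child, rendered))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_esc(child.data))
    out.append("</%s>" % el.tagName)
    return "".join(out)

def digest_of_id(xml_text, id_value, canonical=True):
    # Hash the element a URI="#<id>" reference points at, canonicalized (what XML-DSig digests) or plainly re-serialized.
    doc = minidom.parseString(xml_text)
    el = next(e for e in doc.getElementsByTagName("*") if e.getAttribute("Id") == id_value)
    text = c14n(el) if canonical else el.toxml()
    raw = hashlib.sha1(text.encode("utf-8")).digest()  # the base64 form is what ds:DigestValue carries
    return text, raw.hex(), base64.b64encode(raw).decode("ascii")
```

When checking a signature by hand, recompute DigestValue this way from the referenced element rather than from the raw bytes of the snippet; a mismatch then points at a different transform chain or a modified element rather than at a whitespace or namespace artefact.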