This page is a more detailed explanation of the function MakeSignedXml() in TestSc14nPki.cs and TestSc14nPKI.c and the Python function make_signed_xml() in test_sc14n_pki.py. The code has been tailored for a specific set of conditions, but could easily be adapted for other situations.
The code does all of the substitution operations in memory, starting with a base file, and finally writes the completed document to a file. You could alternatively do these operations using the command line and a text editor.
The base document (olamundo-base.xml
) with %% parameters to be completed.
1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <Envelope xmlns="http://example.org/envelope"> 3 <Body> 4 Olá mundo 5 </Body> 6 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 7 <SignedInfo> 8 <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> 9 <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 10 <Reference URI=""> 11 <Transforms> 12 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 13 </Transforms> 14 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 15 <DigestValue>%digval%</DigestValue> 16 </Reference> 17 </SignedInfo> 18 <SignatureValue>%sigval%</SignatureValue> 19 <KeyInfo> 20 <KeyValue>%keyval%</KeyValue> 21 </KeyInfo> 22 </Signature> 23 </Envelope>
> sc14n -d -x Signature olamundo-base.xml UWuYTYug10J1k5hKfonxthgrAR8=In C#:
digval = C14n.ToDigest(baseFile, "Signature", Tran.ExcludeByTag, DigAlg.Sha1);
%digval%
parameter in line 15.
7 <SignedInfo> 8 <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> 9 <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 10 <Reference URI=""> 11 <Transforms> 12 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 13 </Transforms> 14 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 15 <DigestValue>UWuYTYug10J1k5hKfonxthgrAR8=</DigestValue> 16 </Reference> 17 </SignedInfo>
> sc14n -d -s SignedInfo olamundo-inter.xml oloG0znWi2Jc1zg6kyNXiJlWpU4=In C#, where
s
contains the updated <SignedInfo> element:
digval_si = C14n.ToDigest(System.Text.Encoding.UTF8.GetBytes(s), DigAlg.Sha1);
>>> sigval = pki.Sig.sign_data(s, myprikey, mypassword, pki.Sig.Alg.RSA_SHA1)
string sigval = Pki.Sig.SignDigest(Pki.Cnv.FromBase64(digval), priKey, password, Pki.SigAlgorithm.Rsa_Sha1);
%sigval%
parameter in line 18.%keyval%
parameter in line 20. The signed document is now complete.
In practice, also, you'd normally be using the same key info, so you could just hard code the details in your base file (note that white space and newlines inside the <KeyInfo> element do not affect the signature).
<KeyInfo> <KeyValue> <RSAKeyValue> <Modulus>4IlzOY3Y9fXoh3Y5f06wBbtTg94Pt6vcfcd1KQ0FLm0S36aGJtTSb6pYKfyX7PqCUQ8wgL6xUJ5GRPEsu9gyz8Zo bwfZsGCsvu40CWoT9fcFBZPfXro1Vtlh/xl/yYHm+Gzqh0Bw76xtLHSfLfpVOrmZdwKmSFKMTvNXOFd0V18=</Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue> </KeyValue> </KeyInfo>
We use <RSAKeyValue> in our examples because we want to test them on Alexey's XML validator site. In practice, you'd probably be using an <X509Certificate> element instead, perhaps with an <X509IssuerSerial> and <X509SubjectName>. The following contains the same public key information as above, but inside an X509 certificate.
<KeyInfo> <X509Data> <X509Certificate> MIICLDCCAZWgAwIBAgIQRjRrx4AAVrwR024uxBCzsDANBgkqhkiG9w0BAQUFADAS MRAwDgYDVQQDEwdDYXJsUlNBMB4XDTk5MDkxOTAxMDg0N1oXDTM5MTIzMTIzNTk1 OVowEzERMA8GA1UEAxMIQWxpY2VSU0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ AoGBAOCJczmN2PX16Id2OX9OsAW7U4PeD7er3H3HdSkNBS5tEt+mhibU0m+qWCn8 l+z6glEPMIC+sVCeRkTxLLvYMs/GaG8H2bBgrL7uNAlqE/X3BQWT3166NVbZYf8Z f8mB5vhs6odAcO+sbSx0ny36VTq5mXcCpkhSjE7zVzhXdFdfAgMBAAGjgYEwfzAM BgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBTp4JAnrHgg eprTTPJCN04irp44uzAdBgNVHQ4EFgQUd9K00bdMioqjzkWdzuw8oDrj/1AwHwYD VR0RBBgwFoEUQWxpY2VSU0FAZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEA PnBHqEjME1iPylFxa042GF0EfoCxjU3MyqOPzH1WyLzPbrMcWakgqgWBqE4lradw FHUv9ceb0Q7pY9Jkt8ZmbnMhVN/0uiVdfUnTlGsiNnRzuErsL2Tt0z3Sp0LF6DeK tNufZ+S9n/n+dO/q+e5jatg/SyUJtdgadq7rm9tJsCI= </X509Certificate> </X509Data> </KeyInfo>
The zip examples-base.zip contains the base, intermediate and final versions of olamundo.xml, plus the private key and certificate used to do the signing.
Included in the distribution download or the Python download.
For further information or to comment on this page, please send us a message.
This page last updated 9 June 2020.