Trying to add a digital signature to an XML with XML::Sig

 



Zippy1970
Novice

Jan 30, 2014, 6:50 PM

Post #1 of 16 (12873 views)
Trying to add a digital signature to an XML with XML::Sig

...and failing hopelessly.

It starts with the fact that I can't install the XML::Sig module without errors. I'm not sure the final error in my Perl program is because of that, so please allow me to explain.

First of all, the problem at hand. I need to add a digital signature to an XML, and XML::Sig apparently is exactly what I need. XML::Sig isn't installed on my system, so I first tried to install it manually. That failed because it was missing a lot of prerequisites, so I tried to install it through


Code
perl -MCPAN -e shell 

cpan> install XML::Sig


That eventually gave an error when it tried to install the Crypt::OpenSSL::X509 prerequisite:


Code
Running make test 
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'inc', 'blib/lib', 'blib/arch')" t/pod.t t/utf8.t t/x509.t
t/pod.....skipped
all skipped: Test::Pod 1.00 required for testing POD
t/utf8....NOK 10/11
# Failed test 'subject is utf8'
# at t/utf8.t line 50.
t/utf8....NOK 11/11
# Failed test 'utf8 subject as expected'
# at t/utf8.t line 51.
Wide character in print at /usr/local/share/perl/5.10.0/Test/Builder.pm line 1821.
# got: 'C=PL, ST=mazowieckie, L=Warszawa, O=D.A.S. Towarzystwo Ubezpieczen Ochrony Prawnej S.A., OU=Dzia³ï¿½ Informatyki, CN=das.pl'
# expected: 'C=PL, ST=mazowieckie, L=Warszawa, O=D.A.S. Towarzystwo Ubezpieczen Ochrony Prawnej S.A., OU=Dzi� Informatyki, CN=das.pl'
# Looks like you failed 2 tests of 11.
t/utf8....dubious
Test returned status 2 (wstat 512, 0x200)
DIED. FAILED tests 10-11
Failed 2/11 tests, 81.82% okay
t/x509....ok
Failed Test Stat Wstat Total Fail List of Failed
-------------------------------------------------------------------------------
t/utf8.t 2 512 11 2 10-11
1 test skipped.
Failed 1/3 test scripts. 2/61 subtests failed.
Files=3, Tests=61, 1 wallclock secs ( 0.10 cusr + 0.01 csys = 0.11 CPU)
Failed 1/3 test programs. 2/61 subtests failed.
make: *** [test_dynamic] Error 255
DANIEL/Crypt-OpenSSL-X509-1.804.tar.gz
/usr/bin/make test -- NOT OK
//hint// to see the cpan-testers results for installing this module, try:
reports DANIEL/Crypt-OpenSSL-X509-1.804.tar.gz
Warning (usually harmless): 'YAML' not installed, will not store persistent state
Running make install
make test had returned bad status, won't install without force


It then continues to (try to) install XML::Sig, but that fails too:


Code
  CPAN.pm: Going to build B/BY/BYRNE/XML-Sig-0.22.tar.gz 

Warning: Prerequisite 'Crypt::OpenSSL::X509 => 0' for 'B/BY/BYRNE/XML-Sig-0.22.tar.gz' failed when processing 'D/DA/DANIEL/Crypt-OpenSSL-X509-1.804.tar.gz' with 'make_test => NO'. Continuing, but chances to succeed are limited.
cp lib/XML/Sig.pm blib/lib/XML/Sig.pm
Manifying blib/man3/XML::Sig.3pm
BYRNE/XML-Sig-0.22.tar.gz
/usr/bin/make -- OK
Warning (usually harmless): 'YAML' not installed, will not store persistent state
Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/001_load...........ok 1/2Can't locate object method "bless_pointer" via package "Crypt::OpenSSL::Bignum" at blib/lib/Crypt/OpenSSL/RSA.pm (autosplit into blib/lib/auto/Crypt/OpenSSL/RSA/get_key_parameters.al) line 297.
# Looks like you planned 2 tests but ran 1.
# Looks like your test exited with 2 just after 1.
t/001_load...........dubious
Test returned status 2 (wstat 512, 0x200)
DIED. FAILED test 2
Failed 1/2 tests, 50.00% okay
t/002_xmlsec.........ok
4/5 skipped: various reasons
t/003_params.........ok 1/5Can't locate object method "bless_pointer" via package "Crypt::OpenSSL::Bignum" at blib/lib/Crypt/OpenSSL/RSA.pm (autosplit into blib/lib/auto/Crypt/OpenSSL/RSA/get_key_parameters.al) line 297.
# Looks like you planned 5 tests but ran 1.
# Looks like your test exited with 2 just after 1.
t/003_params.........dubious
Test returned status 2 (wstat 512, 0x200)
DIED. FAILED tests 2-5
Failed 4/5 tests, 20.00% okay
t/004_keyhandling....ok 1/4Can't locate object method "bless_pointer" via package "Crypt::OpenSSL::Bignum" at blib/lib/Crypt/OpenSSL/RSA.pm (autosplit into blib/lib/auto/Crypt/OpenSSL/RSA/get_key_parameters.al) line 297.
# Looks like you planned 4 tests but ran 1.
# Looks like your test exited with 2 just after 1.
t/004_keyhandling....dubious
Test returned status 2 (wstat 512, 0x200)
DIED. FAILED tests 2-4
Failed 3/4 tests, 25.00% okay
t/005_rsakeys........ok 1/5Can't locate object method "bless_pointer" via package "Crypt::OpenSSL::Bignum" at blib/lib/Crypt/OpenSSL/RSA.pm (autosplit into blib/lib/auto/Crypt/OpenSSL/RSA/get_key_parameters.al) line 297.
# Looks like you planned 5 tests but ran 1.
# Looks like your test exited with 2 just after 1.
t/005_rsakeys........dubious
Test returned status 2 (wstat 512, 0x200)
DIED. FAILED tests 2-5
Failed 4/5 tests, 20.00% okay
t/006_signing........ok 1/13Can't locate object method "bless_pointer" via package "Crypt::OpenSSL::Bignum" at blib/lib/Crypt/OpenSSL/RSA.pm (autosplit into blib/lib/auto/Crypt/OpenSSL/RSA/get_key_parameters.al) line 297.
# Looks like you planned 13 tests but ran 1.
# Looks like your test exited with 2 just after 1.
t/006_signing........dubious
Test returned status 2 (wstat 512, 0x200)
DIED. FAILED tests 2-13
Failed 12/13 tests, 7.69% okay
Failed Test Stat Wstat Total Fail List of Failed
-------------------------------------------------------------------------------
t/001_load.t 2 512 2 2 2
t/003_params.t 2 512 5 8 2-5
t/004_keyhandling.t 2 512 4 6 2-4
t/005_rsakeys.t 2 512 5 8 2-5
t/006_signing.t 2 512 13 24 2-13
4 subtests skipped.
Failed 5/6 test scripts. 24/34 subtests failed.
Files=6, Tests=34, 0 wallclock secs ( 0.42 cusr + 0.06 csys = 0.48 CPU)
Failed 5/6 test programs. 24/34 subtests failed.
make: *** [test_dynamic] Error 2
BYRNE/XML-Sig-0.22.tar.gz
/usr/bin/make test -- NOT OK
//hint// to see the cpan-testers results for installing this module, try:
reports BYRNE/XML-Sig-0.22.tar.gz
Warning (usually harmless): 'YAML' not installed, will not store persistent state
Running make install
make test had returned bad status, won't install without force
Failed during this command:
DANIEL/Crypt-OpenSSL-X509-1.804.tar.gz : make_test NO
BYRNE/XML-Sig-0.22.tar.gz : make_test NO


Not sure where to go from here... Can anyone offer some help/pointers?


FishMonger
Veteran / Moderator

Jan 31, 2014, 7:04 AM

Post #2 of 16 (12842 views)
Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig [In reply to]

I have not used or tried to install XML::Sig, but I have a couple of suggestions.

To begin with, perl 5.10.0 is known to be buggy. I don't recall what the bugs were and they may not be related to your issue, but you might want to consider upgrading to a newer version.

Are you receiving any other errors/warnings prior to the ones you've posted?

I assume your prerequisites_policy setting in CPAN is set to "follow". If it isn't, you should change it.

After that, I'd start by installing the missing modules Test::Pod and YAML as well as any other missing modules that are mentioned but are not included in the required prerequisites.

When I check CPAN, I see 2 different XML::Sig modules, v0.22 released in 2009 and v0.23 released in 2012. It appears that you're installing the older release. Try installing the newer one.
http://search.cpan.org/~chrisa/Net-SAML2-0.17/lib/Net/SAML2/XML/Sig.pm

What version of Crypt::OpenSSL::Bignum do you have installed?


Zippy1970
Novice

Jan 31, 2014, 9:09 AM

Post #3 of 16 (12832 views)
Re: [FishMonger] Trying to add a digital signature to an XML with XML::Sig [In reply to]


In Reply To
To begin with, perl 5.10.0 is known to be buggy. I don't recall what the bugs were and they may not be related to your issue, but you might want to consider upgrading to a newer version.


Solid advice. Will look into that for sure.


In Reply To
Are you receiving any other errors/warnings prior to the ones you've posted?


Not that I noticed. But I didn't really pay any attention to that while it was still "doing its stuff".


In Reply To
I assume your prerequisites_policy setting in CPAN is set to "follow". If it isn't, you should change it.


It was actually set to "ask" but I've changed that to "follow" now (since I always answered "yes" anyway).


In Reply To
After that, I'd start by installing the missing modules Test::Pod and YAML as well as any other missing modules that are mentioned but are not included in the required prerequisites.


Ok, did that.


In Reply To
When I check CPAN, I see 2 different XML::Sig modules, v0.22 released in 2009 and v0.23 released in 2012. It appears that you're installing the older release. Try installing the newer one.
http://search.cpan.org/~chrisa/Net-SAML2-0.17/lib/Net/SAML2/XML/Sig.pm


I tried both. XML::Sig only needs a few prerequisites, while when I tried Net-SAML2 it installed over a hundred new packages before I simply cancelled it.


In Reply To
What version of Crypt::OpenSSL::Bignum do you have installed?


It wasn't installed at all. But that only got rid of one part of the problem when I did.


Zippy1970
Novice

Jan 31, 2014, 9:26 AM

Post #4 of 16 (12827 views)
Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig [In reply to]

Perhaps I should explain what I'm trying to do.

I'm trying to implement an online payment system using "IDeal" (which is what we use here in the Netherlands). Communication between the "Merchant" (me) and the "Acquirer" (the bank) is done by sending XML messages.

These messages need to be digitally signed for obvious reasons.

So the original XML message is something like this:


Code
<?xml version="1.0" encoding="UTF-8"?> 
<DirectoryReq xmlns=" http://www.idealdesk.com/ideal/messages/mer-acq/3.3.1" version="3.3.1">
<createDateTimestamp>2012-02-17T09:30:47.0Z</createDateTimestamp>
<Merchant>
<merchantID>100000001</merchantID>
<subID>1</subID>
</Merchant>
</DirectoryReq>



Then it needs to be digitally signed which makes it look like this:


Code
 
<?xml version="1.0" encoding="UTF-8"?>
<DirectoryReq xmlns=" http://www.idealdesk.com/ideal/messages/mer-acq/3.3.1" version="3.3.1">
<createDateTimestamp>2012-02-17T09:30:47.0Z</createDateTimestamp>
<Merchant>
<merchantID>100000001</merchantID>
<subID>1</subID>
</Merchant>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>I7JHyxH/KHcF3KM2xWGVMzSXVQ1MBnD9vInj1XWVNpw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
oMve3wVdMSRIMYfMxNfQ8S34BAGebJ0nntobesvTkSaT6pJxhunHjQUQhAt9nIhcwkg3UzdQJZw6UgjX6Pet2tM
L2nY63mBBgAC0WMsUOn47s+yI+zOMsNa7rS2RpdhYwka642rlotiHFuaPWCHGK11GrvtgKf+Kl4J6oNd4Jug=
</SignatureValue>
<KeyInfo>
<KeyName>7D665C81ABBE1A7D0E525BFC171F04D276F07BF2</KeyName>
</KeyInfo>
</Signature>
</DirectoryReq>


XML::Sig (and Net-SAML2) supposedly makes this "easy". But I can't even get them installed.


FishMonger
Veteran / Moderator

Jan 31, 2014, 9:44 AM

Post #5 of 16 (12823 views)
Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig [In reply to]

When building, you might want to redirect the output (both stdout and stderr) to a file so that you can review it in more detail if the build fails.

Always start with the very first error/warning when troubleshooting. Often a single problem can/will propagate down the chain and cause additional errors/warnings.

Look at the test file source code when a test fails to see what it was doing. Sometimes a failure of an "insignificant" test can cause the entire build to fail, which is one of the reasons why the "force" option is available when building. Sometimes the test itself is buggy and causes a false negative (i.e., failure).

Check the module's bug reports to see if any of the issues you're having have been reported and have an open bug.
https://rt.cpan.org/Public/Dist/Display.html?Name=XML-Sig


Zippy1970
Novice

Jan 31, 2014, 12:49 PM

Post #6 of 16 (12813 views)
Re: [FishMonger] Trying to add a digital signature to an XML with XML::Sig [In reply to]


In Reply To
When building, you might want to redirect the output (both stdout and stderr) to a file so that you can review it in more detail if the build fails.


I redirected both stdout and stderr to a file and looked at the complete output. The only two modules that fail are Crypt::OpenSSL::X509 and XML::Sig. The messages I'm getting are exactly what can be seen in my first post.

I did a forced build of Crypt::OpenSSL::X509 (since I don't need X509 anyway), but then I still get an error trying to build XML::Sig:


Code
 
cpan> install XML::Sig
Running install for module 'XML::Sig'
Running make for B/BY/BYRNE/XML-Sig-0.22.tar.gz
Has already been unwrapped into directory /root/.cpan/build/XML-Sig-0.22-vICRro
Has already been made
Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/001_load.t ......... ok
t/002_xmlsec.t ....... ok
t/003_params.t ....... ok
t/004_keyhandling.t .. ok
t/005_rsakeys.t ...... ok
t/006_signing.t ...... 1/13 RSA.xs:178: OpenSSL error: bad base64 decode at blib/lib/Crypt/OpenSSL/RSA.pm (autosplit into blib/lib/auto/Crypt/OpenSSL/RSA/new_public_key.al) line 91.
# Looks like you planned 13 tests but ran 6.
# Looks like your test exited with 2 just after 6.
t/006_signing.t ...... Dubious, test returned 2 (wstat 512, 0x200)
Failed 7/13 subtests

Test Summary Report
-------------------
t/006_signing.t (Wstat: 512 Tests: 6 Failed: 0)
Non-zero exit status: 2
Parse errors: Bad plan. You planned 13 tests but ran 6.
Files=6, Tests=27, 0 wallclock secs ( 0.06 usr 0.00 sys + 0.53 cusr 0.05 csys = 0.64 CPU)
Result: FAIL
Failed 1/6 test programs. 0/27 subtests failed.
make: *** [test_dynamic] Error 2
BYRNE/XML-Sig-0.22.tar.gz
/usr/bin/make test -- NOT OK
//hint// to see the cpan-testers results for installing this module, try:
reports BYRNE/XML-Sig-0.22.tar.gz
Running make install
make test had returned bad status, won't install without force
Failed during this command:
BYRNE/XML-Sig-0.22.tar.gz : make_test NO


(PS: I was able to get rid of this error by editing Sig.pm and uncommenting lines 192-194. These lines split the certificate into 64-character-long lines. But that did not make a difference to the error below.)

So I did a forced build of XML::Sig. When I run my Perl code, I get the following error message:


Code
 
RSA.xs:178: OpenSSL error: unsupported encryption at /usr/local/share/perl/5.10.0/XML/Sig.pm line 313.


Line 313 of Sig.pm:


Code
 
my $rsaKey = Crypt::OpenSSL::RSA->new_private_key( $key_text );



FishMonger
Veteran / Moderator

Jan 31, 2014, 1:11 PM

Post #7 of 16 (12810 views)
Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig [In reply to]


Quote
RSA.xs:178: OpenSSL error: bad base64 decode at blib/lib/Crypt/OpenSSL/RSA.pm


That's the same issue in bug report 84833 from last April.
https://rt.cpan.org/Public/Bug/Display.html?id=84833

Do you have the latest version of Crypt::OpenSSL::RSA?

You could try sending an email to the author Byrne Reese <byrne@majordojo.com> requesting his input.


Zippy1970
Novice

Jan 31, 2014, 1:34 PM

Post #8 of 16 (12807 views)
Re: [FishMonger] Trying to add a digital signature to an XML with XML::Sig [In reply to]


In Reply To
Do you have the latest version of Crypt::OpenSSL::RSA ?


Yes...


Zippy1970
Novice

Jan 31, 2014, 2:02 PM

Post #9 of 16 (12802 views)
Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig [In reply to]

Apparently, I can get rid of this error:


Code
RSA.xs:178: OpenSSL error: unsupported encryption at /usr/local/share/perl/5.10.0/XML/Sig.pm line 313.


by NOT encrypting my private key. So instead of creating my private key like this:


Code
openssl genrsa -aes128 -out priv.pem -passout pass:[password] 2048


I need to create it like this:


Code
openssl genrsa -out priv.pem -passout pass:[password] 2048


No idea why.


FishMonger
Veteran / Moderator

Jan 31, 2014, 2:13 PM

Post #10 of 16 (12800 views)
Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig [In reply to]

Does that mean that you were able to install the modules and get them to work "satisfactorily"?


Zippy1970
Novice

Jan 31, 2014, 3:32 PM

Post #11 of 16 (12793 views)
Re: [FishMonger] Trying to add a digital signature to an XML with XML::Sig [In reply to]

Well... I don't know.

It looks like XML::Sig is working... although I can't get it to work with my code so I can't be sure.

Like I said, I'm trying to digitally sign this:


Code
<DirectoryReq xmlns=" http://www.idealdesk.com/ideal/messages/mer-acq/3.3.1" version="3.3.1">  
<createDateTimestamp>2012-02-17T09:30:47.0Z</createDateTimestamp>
<Merchant>
<merchantID>100000001</merchantID>
<subID>1</subID>
</Merchant>
</DirectoryReq>


Now, in order for XML::Sig->sign() to work (see http://search.cpan.org/~byrne/XML-Sig-0.22/lib/XML/Sig.pm#METHODS), I need to add an ID:


Code
<DirectoryReq xmlns=" http://www.idealdesk.com/ideal/messages/mer-acq/3.3.1" ID="someID" version="3.3.1">  
<createDateTimestamp>2012-02-17T09:30:47.0Z</createDateTimestamp>
<Merchant>
<merchantID>100000001</merchantID>
<subID>1</subID>
</Merchant>
</DirectoryReq>


But the problem is that this changes what the bank expects, and it returns the following error:


Code
<errorMessage>Received XML not valid</errorMessage>
<errorDetail>Field generating error: DirectoryReq xmlns="http:www.idealdesk.comidealmessagesmer-acq3.3.1" ID="DR" version="3.3.1"</errorDetail>


So I just hit another wall. I have no idea how to simply sign the entire XML.


(This post was edited by Zippy1970 on Jan 31, 2014, 3:35 PM)


Zippy1970
Novice

Feb 2, 2014, 1:06 PM

Post #12 of 16 (12698 views)
Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig [In reply to]

As it turns out, I can't use XML::Sig to digitally sign my XML for several reasons. So I just wrote my own code to sign the XML. But whenever I send the signed XML to the bank, it returns an "invalid electronic signature" error. And I can't figure out why.

"SignedInfo" is the node that needs to be signed using RSAWithSHA256. My code looks like this:


Code
 
my $signedInfo = <<EOH;
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>$digest</DigestValue>
</Reference>
</SignedInfo>
EOH

# Sign SignedInfo
my $key_string = _SlurpFile( $privateKey );
my $rsa_priv = Crypt::OpenSSL::RSA->new_private_key( $key_string );
$rsa_priv->use_pkcs1_padding();
$rsa_priv->use_sha256_hash();
# sign the exclusive canonicalized version of SignedInfo
my $sig = $rsa_priv->sign( _CanonicalizeXML( $signedInfo, 1 ) );

$sig = encode_base64( $sig );
chomp( $sig );

my $signatureValue = <<EOH;
<SignatureValue>
$sig
</SignatureValue>
EOH


Apparently, this results in an invalid signature...


Zippy1970
Novice

Feb 2, 2014, 4:01 PM

Post #13 of 16 (12688 views)
Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig [In reply to]

To make sure I'm signing correctly, I signed "SignedInfo" using OpenSSL directly:


Code
openssl sha -sha256 -sign priv.pem < data.txt > sig


where data.txt contains the above "SignedInfo" string. I then manually encoded it:


Code
openssl enc -base64 -in sig


The result was the exact same signature I got from my code. So apparently the signing is OK, but I'm making some mistake in what I'm signing...


Laurent_R
Veteran / Moderator

Feb 2, 2014, 11:54 PM

Post #14 of 16 (12667 views)
Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig [In reply to]

Well, I do not know anything about what you are doing, but if the bank says "invalid electronic signature", I would not rule out a problem in the signature. The bank's message could certainly be wrong, but you can't be sure until you've found the actual problem.


Zippy1970
Novice

Feb 3, 2014, 3:49 AM

Post #15 of 16 (12659 views)
Re: [Laurent_R] Trying to add a digital signature to an XML with XML::Sig [In reply to]


In Reply To
Well, I do not know anything about what you are doing, but if the bank says "invalid electronic signature", I would not rule out a problem in the signature. The bank's message could certainly be wrong, but you can't be sure until you've found the actual problem.


Yes, I realize something must be wrong with the signature. ;)

But what I meant is that apparently the way I sign the data is correct. But I'm probably signing the wrong thing. And I can't figure out where I go wrong.

According to the documentation:

* The entire XML must be signed as described by the W3C XMLdsig specifications
* For the purpose of generating the signature value, the exclusive canonicalization algorithm must be used.
* The syntax for an enveloped signature must be used. The signature itself must be removed from the XML message using the default transformation prescribed for this purpose.
* For signature purposes the RSAWithSHA256 algorithm must be used. RSA keys must be 2,048 bits long.

Now, as I understand XML signing, only the SignedInfo node is signed (because it contains, inside "References", the digest values of the XML content that needs signing). I am 100% sure the SignedInfo I generate is correct. I'm also pretty sure I'm signing the correct way (see code above). Yet the resulting signature is not accepted. The flow is this:

Generate node to be signed (SignedInfo) -> Correct
Canonicalize (using exclusive canonicalization) SignedInfo
Sign SignedInfo -> Probably correct

So the only step I'm not sure about is the conversion from my generated SignedInfo to what I'm sending to the signing routine.

Here's the complete code again:


Code
use strict;
use warnings;
use Crypt::OpenSSL::RSA;
use MIME::Base64 qw(encode_base64);
use XML::CanonicalizeXML;

# $digest (the base64 SHA-256 digest of the message) and $privateKey (the path
# to the PEM file) are assumed to be set earlier in the script.
my $signedInfo = <<EOH;
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>$digest</DigestValue>
</Reference>
</SignedInfo>
EOH


# Sign SignedInfo
my $key_string = _SlurpFile( $privateKey );
my $rsa_priv = Crypt::OpenSSL::RSA->new_private_key( $key_string );

$rsa_priv->use_pkcs1_padding();
$rsa_priv->use_sha256_hash();

# sign the canonicalized version of SignedInfo
my $sig = $rsa_priv->sign( _CanonicalizeXML( $signedInfo, 1 ) );

$sig = encode_base64( $sig );
chomp( $sig );

my $signatureValue = <<EOH;
<SignatureValue>
$sig
</SignatureValue>
EOH


# Read a whole file into a string (binary-safe); returns "" if it cannot be opened.
sub _SlurpFile {
my $file = shift;
my $retval = "";

# Unset $/, the Input Record Separator, to make <> give you the whole file at once.
local $/ = undef;
if( open( FILE, $file ) ) {
binmode FILE;
$retval = <FILE>;
close FILE;
}
return $retval;
}

# Canonicalize an XML string; $exclusive selects exclusive C14N (xml-exc-c14n).
sub _CanonicalizeXML {
my ($xml, $exclusive) = @_;

my $xpath = '<XPath>(//. | //@* | //namespace::*)</XPath>';
return XML::CanonicalizeXML::canonicalize( $xml, $xpath, [], $exclusive, 0 );
}





Zippy1970
Novice

Feb 3, 2014, 5:36 AM

Post #16 of 16 (12653 views)
Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig [In reply to]

After reading some more, I'm getting more and more convinced the error is in the canonicalization step. I simply don't understand canonicalization very well. I understand its purpose but I don't understand what it is supposed to do (exactly).

In my code, canonicalization of this:


Code
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>dqvBs1+qhcASaxo+hm6DhjE7ZDdhro76Gn1PWMkAMS4=</DigestValue>
</Reference>
</SignedInfo>


results in this:


Code
<SignedInfo> 
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
<DigestValue>dqvBs1+qhcASaxo+hm6DhjE7ZDdhro76Gn1PWMkAMS4=</DigestValue>
</Reference>
</SignedInfo>


Yes, that's canonicalized - but is it exclusively canonicalized? I don't know, because I have no idea what the end result of exclusive canonicalization should be...
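The following Perl script is an added example; it is not code from the thread, from XML::Sig or from Net::SAML2. It walks the signing flow described in posts #4, #12/#15 and #16 end to end: it computes the Reference digest over the DirectoryReq message, builds the enveloped Signature element, canonicalizes SignedInfo with exclusive C14N while that element sits inside the document, signs it with RSA/SHA-256 and PKCS#1 v1.5 padding, and then verifies the result the way a receiver would. It uses XML::LibXML's toStringEC14N instead of XML::CanonicalizeXML so that the fragment can be canonicalized in its namespace context; it generates a throw-away key instead of reading priv.pem, uses the literal KEYNAME-PLACEHOLDER where the merchant's certificate fingerprint goes, and assumes the iDEAL namespace URI without the leading space that appears in the quoted messages. The last part reproduces the thread's own approach (canonicalizing SignedInfo as a standalone string) to show exactly where the signed bytes diverge.

```perl
# Added example, not code from the thread: sign an iDEAL-style DirectoryReq with an
# enveloped XML signature, verify it as a receiver would, and show why a bare
# SignedInfo fragment yields different bytes than the element canonicalized in place.
use strict;
use warnings;
use XML::LibXML;
use Crypt::OpenSSL::RSA;
use Digest::SHA qw(sha256);
use MIME::Base64 qw(encode_base64 decode_base64);
my $DS = 'http://www.w3.org/2000/09/xmldsig#';

# Constructed sample message; the namespace URI is assumed to have no leading space.
my $message = <<'XML';
<DirectoryReq xmlns="http://www.idealdesk.com/ideal/messages/mer-acq/3.3.1" version="3.3.1">
<createDateTimestamp>2012-02-17T09:30:47.0Z</createDateTimestamp>
<Merchant>
<merchantID>100000001</merchantID>
<subID>1</subID>
</Merchant>
</DirectoryReq>
XML

# XPath context with the xmldsig prefix registered.
sub xpc {
    my $xpc = XML::LibXML::XPathContext->new(shift);
    $xpc->registerNs(ds => $DS);
    return $xpc;
}

# SignedInfo exactly as the thread builds it: a fragment with no namespace of its own.
sub signed_info_xml {
    my $digest = shift;
    return <<"XML";
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>$digest</DigestValue>
</Reference>
</SignedInfo>
XML
}

# Merchant side. Returns the signed document, the exact bytes signed, and the digest.
sub sign_document {
    my ($xml, $key, $key_name) = @_;
    my $doc  = XML::LibXML->load_xml(string => $xml);
    my $root = $doc->documentElement;
    # Reference URI="" plus the enveloped-signature transform: the digest covers the
    # message without its Signature, so compute it before adding one. (Inclusive and
    # exclusive C14N agree here: only the root's default namespace exists.)
    my $digest  = encode_base64(sha256($root->toStringEC14N), '');
    my $sig_xml = qq{<Signature xmlns="$DS">\n} . signed_info_xml($digest)
        . qq{<SignatureValue></SignatureValue>\n<KeyInfo><KeyName>$key_name</KeyName></KeyInfo>\n</Signature>};
    $root->appendChild($doc->importNode(XML::LibXML->load_xml(string => $sig_xml)->documentElement));
    # Canonicalize SignedInfo in place: its default namespace is visibly used, so
    # exclusive C14N emits <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">.
    my $xpc  = xpc($doc);
    my ($si) = $xpc->findnodes('//ds:SignedInfo');
    my $c14n = $si->toStringEC14N;
    my ($sv) = $xpc->findnodes('//ds:SignatureValue');
    $sv->appendText(encode_base64($key->sign($c14n), ''));   # RSASSA-PKCS1-v1_5 with SHA-256
    return ($doc->toString, $c14n, $digest);
}

# Receiver side: SignatureValue against the canonical SignedInfo first, then the
# Reference digest over the message with the Signature removed. Names the first failure.
sub verify_document {
    my ($xml, $key) = @_;
    my $doc   = XML::LibXML->load_xml(string => $xml);
    my $xpc   = xpc($doc);
    my ($sig) = $xpc->findnodes('//ds:Signature') or return 'no Signature element';
    my ($si)  = $xpc->findnodes('ds:SignedInfo', $sig);
    my $sv    = decode_base64($xpc->findvalue('ds:SignatureValue', $sig));
    return 'invalid signature: SignatureValue does not match SignedInfo'
        unless $key->verify($si->toStringEC14N, $sv);
    (my $sent = $xpc->findvalue('ds:Reference/ds:DigestValue', $si)) =~ s/\s+//g;
    $sig->parentNode->removeChild($sig);                       # enveloped-signature transform
    my $got = encode_base64(sha256($doc->documentElement->toStringEC14N), '');
    return 'invalid digest: message altered after signing' unless $got eq $sent;
    return 'ok';
}

# Throw-away key so this runs stand-alone; a merchant loads its own PEM with new_private_key.
my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
$rsa->use_sha256_hash(); $rsa->use_pkcs1_padding();
my ($signed, $c14n, $digest) = sign_document($message, $rsa, 'KEYNAME-PLACEHOLDER');
print "Bytes signed:\n$c14n\nReceiver: ", verify_document($signed, $rsa), "\n";

# The thread's approach: canonicalize the fragment on its own. No namespace is in
# scope there, so exclusive C14N emits a bare <SignedInfo> and the bytes differ.
my $bare = XML::LibXML->load_xml(string => signed_info_xml($digest))->documentElement->toStringEC14N;
print "Bare fragment equals in-place form? ", ($bare eq $c14n ? 'yes' : 'no'), "\n";
print "Signature over bare fragment verifies in place? ",
    ($rsa->verify($c14n, $rsa->sign($bare)) ? 'yes' : 'no'), "\n";

# A change to the message after signing is caught by the digest, not the signature.
(my $tampered = $signed) =~ s{<subID>1</subID>}{<subID>2</subID>};
print "Receiver after tampering: ", verify_document($tampered, $rsa), "\n";
```

Exclusive C14N applied to the SignedInfo node inside the Signature element expands empty-element tags into start/end pairs, sorts attributes, and declares every namespace the element visibly uses, so the canonical form begins with `<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">`. A receiver canonicalizes the element as it arrived, inside the document, which is why a signature computed over the bare `<SignedInfo>` shown in post #16 cannot verify there. Two further caveats: Crypt::OpenSSL::RSA->new_private_key takes only the PEM text and has no passphrase parameter, so it cannot be handed the password for the AES-encrypted key from post #9; decrypt such a key at load time with a module that accepts a passphrase, or keep the unencrypted PEM readable only by the signing process. And verify_document is a model of the acquirer's checks, written here for debugging, not the bank's actual implementation.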

 
 

