[Mono-list] SignedXML: Where does the digest come from
Sebastien Pouliot
sebastien.pouliot at gmail.com
Thu May 29 07:56:25 EDT 2008
Hello Mathias,
On Thu, 2008-05-29 at 11:16 +0200, Mathias Tausig wrote:
> Hy!
>
> I am creating a signed xml document using:
>
> XmlDocument objdoc=new XmlDocument();
> objdoc.Load("test.xhtml");
> DataObject dObj=new DataObject();
> dObj.Id="xmldsig-dataobj";
> dObj.Data=objdoc.ChildNodes;
> Reference dRef=new Reference("#xmldsig-dataobj");
> SignedXml xmlsig=new SignedXml();
> xmlsig.AddObject(dObj);
> xmlsig.AddReference(dRef);
> RSA rsa=new RSASignatureCard(SigCard);
> KeyInfo keyinfo=new KeyInfo();
> keyinfo.AddClause(new RSAKeyValue(rsa));
> xmlsig.KeyInfo=keyinfo;
> xmlsig.SigningKey=rsa;
> xmlsig.ComputeSignature();
>
> (RSASignatureCard is a self-written class derived from RSA which uses a
> smartcard)
Pretty cool :-) The model always allowed this (except that fx 1.x made
it harder with some bugs) but still it's pretty rare to find someone
using it.
> This works fine, the signature can be calculated and is also verified
> correctly.
> But if I look at the data that has actually been signed
> via rsa.EncryptValue(xmlsig.Signature.SignatureValue);
> the digest that can be found there is different from the one residing in
>
> sigref=xmlsig.Signature.SignedInfo.References[0] as Reference;
> sigref.DigestValue;
> Weird, isn't it?
It's been years since I looked into xmldsig (and I've been trying, hard,
to reclaim those neurons for other duties ;-) but IIRC each reference is
digested then the "header", including all the references digest, is
digested too. Only the latter, not part of the XML itself, is signed.
Of course the perfect answer is in the specification itself...
Sebastien
>
> cheers
> Mathias
>
> _______________________________________________
> Mono-list maillist - Mono-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-list
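The two-level digest Sebastien describes, as an added example that is not part of the thread and not Mono's SignedXml code: each <Reference> is hashed into its own DigestValue, then the <SignedInfo> element that carries those DigestValues is canonicalized and hashed, and only that second hash is put under the RSA signature. With the SignedXml default of RSA-SHA1 (PKCS#1 v1.5), what a raw RSA operation on SignatureValue reveals is the DigestInfo encoding of SHA-1(SignedInfo), which is why it never equals sigref.DigestValue. The Object payload and the SignedInfo text below are constructed, and the example assumes they are already in canonical form (real SignedXml runs C14N first); the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re

# PKCS#1 v1.5 DigestInfo prefix for SHA-1 (RFC 3447, section 9.2): a verifier
# expects this, followed by the 20-byte SHA-1 hash, after the raw RSA step.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed stand-in for the <Object Id="xmldsig-dataobj"> from the post.
# Assumption: these bytes are already canonical (no C14N is performed here).
OBJECT_XML = b'<Object Id="xmldsig-dataobj"><html><body>hello</body></html></Object>'


def reference_digest(data: bytes) -> str:
    """Digest of one <Reference>: this is what sigref.DigestValue holds."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_signed_info(ref_uri: str, digest_value: str) -> bytes:
    """Build the (assumed-canonical) <SignedInfo> that embeds the reference digest."""
    return (
        '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">'
        '</CanonicalizationMethod>'
        '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>'
        f'<Reference URI="{ref_uri}">'
        '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>'
        f'<DigestValue>{digest_value}</DigestValue>'
        '</Reference></SignedInfo>'
    ).encode()


def signed_info_digest(signed_info: bytes) -> bytes:
    """The hash that actually goes under the RSA signature."""
    return hashlib.sha1(signed_info).digest()


def expected_digest_info(signed_info: bytes) -> bytes:
    """Bytes a verifier expects inside an RSA-SHA1 signature over SignedInfo."""
    return SHA1_DIGESTINFO_PREFIX + signed_info_digest(signed_info)


def verify(object_xml: bytes, signed_info: bytes, digest_info: bytes) -> bool:
    """Two-stage check a verifier performs: reference digest, then SignedInfo digest."""
    m = re.search(rb"<DigestValue>([^<]+)</DigestValue>", signed_info)
    if not m:
        return False
    # Stage 1: the signed Object must still hash to the DigestValue in SignedInfo.
    if not hmac.compare_digest(m.group(1).decode(), reference_digest(object_xml)):
        return False
    # Stage 2: SignedInfo itself must hash to what the signature covers.
    return hmac.compare_digest(digest_info, expected_digest_info(signed_info))


def demo() -> dict:
    """Show that the reference digest and the signed digest are different values."""
    ref_dv = reference_digest(OBJECT_XML)
    si = build_signed_info("#xmldsig-dataobj", ref_dv)
    signed_b64 = base64.b64encode(signed_info_digest(si)).decode()
    return {
        "reference_digest_b64": ref_dv,        # sigref.DigestValue
        "signed_digest_b64": signed_b64,       # SHA-1 over SignedInfo
        "digest_info_hex": expected_digest_info(si).hex(),  # seen after raw RSA
        "same": ref_dv == signed_b64,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Changing either the Object or any part of SignedInfo (for example the SignatureMethod) makes verify() fail, which is the point of the design: the signature pins the whole SignedInfo, and SignedInfo pins each referenced object through its DigestValue.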