Reputation: 19
I am trying to implement a routine for XML Digital Signature, and I am able to correctly calculate the hash of the information to be signed. However, I am facing problems with the signature itself, since I do not manage to create the real string to be signed.
Right now I have this:
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>eDSx9uS7oB++bnG/6tGiD/l8374=</DigestValue>
</Reference>
</SignedInfo>
Using only CR instead of CRLF. No spaces for indentation (where the post shows a space between tags, there is a CR).
Any suggestions to calculate a valid signature?
P.S. I have changed the Canonicalization Algorithm to EXCLUSIVE and it works, but the requirement is to use INCLUSIVE.
Thanks a lot in advance.
Upvotes: 2
Views: 2725
Reputation: 93948
Here is a suggestion: make sure you copy the correct namespace defs for all tags and attributes. Here is some more info.
http://anilsaldhana.blogspot.com/2009/07/exclusive-versus-inclusive.html
http://lists.oasis-open.org/archives/wss/200311/msg00058.html
Of course, you really should not be implementing your own XML DigSig lib in the first place. I would highly recommend that you take a look at some open source libraries before you continue. There should be ample examples of libs that do this kind of canonicalization. You might want to test against them anyway.
Upvotes: 2
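The namespace advice in the answer above, as an added example that is not part of either post: under inclusive C14N the SignedInfo start tag carries every namespace declaration in scope from its ancestors, while exclusive C14N keeps only the ones SignedInfo itself uses. The sample document with its `inv` and `xsi` declarations is constructed, the function names are hypothetical, and only the start tag of the subtree's top element is rendered.

```python
from xml.dom import minidom
DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample: the root element and its namespaces are made up.
SAMPLE = (
    '<inv:Invoice xmlns:inv="urn:example:invoice" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<inv:Total>10</inv:Total>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<SignedInfo><Reference URI=""/></SignedInfo>'
    '</Signature></inv:Invoice>'
)

def _esc(value):
    """Escape an attribute value the way Canonical XML requires."""
    for raw, ref in (("&", "&amp;"), ("<", "&lt;"), ('"', "&quot;"),
                     ("\t", "&#x9;"), ("\n", "&#xA;"), ("\r", "&#xD;")):
        value = value.replace(raw, ref)
    return value

def in_scope_namespaces(elem):
    """Map prefix -> URI for elem and all its ancestors ('' is the default)."""
    scope, node = {}, elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for attr in node.attributes.values():
            if attr.name == "xmlns" or attr.name.startswith("xmlns:"):
                scope.setdefault(attr.name[6:], attr.value)  # nearest wins
        node = node.parentNode
    return scope

def apex_start_tag(elem, exclusive=False):
    """Start tag of elem when it is the top of the canonicalized subtree."""
    plain = [a for a in elem.attributes.values()
             if a.name != "xmlns" and not a.name.startswith("xmlns:")]
    scope = in_scope_namespaces(elem)
    if exclusive:
        # Exclusive C14N: keep only prefixes the element itself uses.
        used = {elem.tagName.rpartition(":")[0]}
        used |= {a.name.rpartition(":")[0] for a in plain if ":" in a.name}
        scope = {p: u for p, u in scope.items() if p in used}
    scope = {p: u for p, u in scope.items() if u}  # xmlns="" is not emitted
    ns = "".join(f' xmlns:{p}="{_esc(u)}"' if p else f' xmlns="{_esc(u)}"'
                 for p, u in sorted(scope.items()))
    plain.sort(key=lambda a: (a.namespaceURI or "", a.localName))
    attrs = "".join(f' {a.name}="{_esc(a.value)}"' for a in plain)
    return f"<{elem.tagName}{ns}{attrs}>"

def signed_info(xml_text):
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(DSIG, "SignedInfo")[0]
```

A full canonicalizer also has to handle child elements, text nodes and inherited xml:* attributes, so the output of a routine like this is best compared against an existing library, as the answer suggests.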