
I am trying to sign an XML file with PHP and xmlseclibs. However, all validation tools say that my signature is invalid. XMLSpy says: "The calculated digest value doesn't match the digest of reference"

This is my XML:

<root><value>x</value></root>

This is the digest I get:

KaMTM32K5rXl9U6MgG2BXuzNxoQ=

Methods I used to get it:

1.) PHP:

$doc = new DOMDocument();
$doc->loadXML('<root><value>x</value></root>');
echo base64_encode(sha1($doc->documentElement->C14N(), true));

2.) OpenSSL:

openssl dgst -binary -sha1 test.xml | openssl enc -base64

3.) This website: http://hash.online-convert.com/sha1-generator

This is the digest that XMLSpy somehow gets and that works:

HedaN7TMgHgq2bRypzavMuFLoCg=

How do I get this digest?

Robert Zrinski
  • The digest value may not depend only on the blob to sign but also on the Transforms of the Reference signing it in your xml signature. It would help if you can share your signature file. Note that I get the same hash value as you when signing this blob with the same canonicalization (C14N). – Moez Sep 03 '14 at 14:52

1 Answer

XMLSpy formats XML before it signs it. It adds line feeds and tabs, and C14N does not remove these. When you remove <Signature> you are left with this XML, which is used to calculate the digest:

<root>
    <value>x</value>

</root>

Another thing XMLSpy does is that it adds the attribute URI="" to <Reference>. The PHP library xmlseclibs doesn't do that by default. So I changed my code to this:

$objDSig->addReference(
    $doc,
    XMLSecurityDSig::SHA1,
    array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'),
    array('force_uri' => TRUE)
);

Robert Zrinski
  • how do you fix the spaces and new line? – Diego Feb 15 '19 at 01:30
  • This was a long time ago. I think you don't use XMLSpy for validation or you format XML like XMLSpy does it. More info here: https://groups.google.com/forum/?hl=en#!topic/xmlseclibs/R4QPNQKV5ko – Robert Zrinski Feb 15 '19 at 15:46
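
To see which bytes a validator hashes for an enveloped reference, the check can be recomputed by hand. The following is an added example, not code from the post or from xmlseclibs: it assumes one Reference with URI="", the enveloped-signature transform, inclusive C14N and SHA-1, and the function name and sample documents are constructed for illustration. It checks only the reference digest, not the signature value.

```php
<?php
const DSIG_NS = 'http://www.w3.org/2000/09/xmldsig#';

// Recompute the digest of an enveloped reference (URI="") as a verifier would.
function checkEnvelopedDigest(string $signedXml): array
{
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = true; // whitespace text nodes are digest input
    if (!$doc->loadXML($signedXml)) {
        throw new RuntimeException('XML is not well-formed');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', DSIG_NS);
    $sig = $xp->query('//ds:Signature')->item(0);
    if ($sig === null) {
        throw new RuntimeException('no ds:Signature element found');
    }
    $claimed = trim($xp->evaluate(
        'string(ds:SignedInfo/ds:Reference/ds:DigestValue)', $sig));

    // Enveloped-signature transform: only the Signature element is dropped;
    // the line feeds and indentation around it stay in the document.
    $sig->parentNode->removeChild($sig);

    // Inclusive C14N 1.0 without comments (the defaults of DOMNode::C14N()).
    $canonical = $doc->documentElement->C14N();
    $computed  = base64_encode(sha1($canonical, true));

    return ['canonical' => $canonical, 'claimed' => $claimed,
            'computed' => $computed, 'match' => hash_equals($claimed, $computed)];
}

// Constructed samples: a signature skeleton carrying the digest from the question.
$sig = '<Signature xmlns="' . DSIG_NS . '"><SignedInfo><Reference URI="">'
     . '<DigestValue>KaMTM32K5rXl9U6MgG2BXuzNxoQ=</DigestValue>'
     . '</Reference></SignedInfo></Signature>';
$samples = [
    'compact'   => "<root><value>x</value>$sig</root>",
    'formatted' => "<root>\n\t<value>x</value>\n\t$sig\n</root>",
];
foreach ($samples as $name => $xml) {
    $r = checkEnvelopedDigest($xml);
    printf("%-9s claimed=%s computed=%s %s\n  hashed bytes: %s\n", $name,
        $r['claimed'], $r['computed'], $r['match'] ? 'OK' : 'MISMATCH',
        json_encode($r['canonical']));
}
```

The `hashed bytes` line prints the canonical form with escapes, so leftover `\n` and `\t` characters around the removed Signature element are visible when the digests disagree.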