
My XML digital signature has the following excerpts:

    <Signature Id="idPackageSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="#idOfficeObject" Type="http://www.w3.org/2000/09/xmldsig#Object">
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

                <DigestValue>ofqf9+Tj0qTkkExCEOwFz0V4aNo=</DigestValue>

            </Reference>
        </SignedInfo>

    <Object Id="idOfficeObject"><SignatureProperties><SignatureProperty Id="idOfficeV1Details" Target="#idPackageSignature"><SignatureInfoV1 xmlns="http://schemas.microsoft.com/office/2006/digsig"><SetupID/><SignatureText/><SignatureImage/><SignatureComments>test</SignatureComments><WindowsVersion>6.1</WindowsVersion><OfficeVersion>14.0</OfficeVersion><ApplicationVersion>14.0</ApplicationVersion><Monitors>1</Monitors><HorizontalResolution>1920</HorizontalResolution><VerticalResolution>1200</VerticalResolution><ColorDepth>32</ColorDepth><SignatureProviderId>{00000000-0000-0000-0000-000000000000}</SignatureProviderId><SignatureProviderUrl/><SignatureProviderDetails>9</SignatureProviderDetails><ManifestHashAlgorithm>http://www.w3.org/2000/09/xmldsig#sha1</ManifestHashAlgorithm><SignatureType>1</SignatureType></SignatureInfoV1></SignatureProperty></SignatureProperties></Object>

The referenced Object element is supposed to have the digest value ofqf9+Tj0qTkkExCEOwFz0V4aNo=. I canonicalize the Object element, and get the following output, which seems correct to me:

<Object Id="idOfficeObject"><SignatureProperties><SignatureProperty Id="idOfficeV1Details" Target="#idPackageSignature"><SignatureInfoV1 xmlns="http://schemas.microsoft.com/office/2006/digsig"><SetupID></SetupID><SignatureText></SignatureText><SignatureImage></SignatureImage><SignatureComments>test</SignatureComments><WindowsVersion>6.1</WindowsVersion><OfficeVersion>14.0</OfficeVersion><ApplicationVersion>14.0</ApplicationVersion><Monitors>1</Monitors><HorizontalResolution>1920</HorizontalResolution><VerticalResolution>1200</VerticalResolution><ColorDepth>32</ColorDepth><SignatureProviderId>{00000000-0000-0000-0000-000000000000}</SignatureProviderId><SignatureProviderUrl></SignatureProviderUrl><SignatureProviderDetails>9</SignatureProviderDetails><ManifestHashAlgorithm>http://www.w3.org/2000/09/xmldsig#sha1</ManifestHashAlgorithm><SignatureType>1</SignatureType></SignatureInfoV1></SignatureProperty></SignatureProperties></Object>

I store it in a file 'inputxml', and try to get the base64 encoded version of the sha1 digest using the following command:

    % shasum inputxml | cut -f 1 -d ' ' | xxd -r -p | base64
    /zTi8HGHX9X+csjULYLt6FLrm3g=

The computed digest value does not match what is in the XML signature. What am I doing wrong? I have tried multiple various methods and tweaks, but cannot get the correct digest value.

Note: The XML Signature verifies correctly. So the value is correct, but I am missing some step or detail. Thanks for your help. Please let me know how I can elaborate or clarify my question further if it is not very clear.

SkypeMeSM
  • The complete signature would help. However, at least one step is missing in your computation: the canonicalization. When no transform/canonicalization is specified in the Reference, you should do the default one (see xmldsig spec). The default one would add the namespace declaration to the element "Object". This will give: " – Moez Jan 29 '16 at 08:55
  • @Moez *at least one step is missing in your computation: the canonicalization.* - You might have overlooked that the OP wrote **I canonicalize the Object element, and get the following output, which seems correct to me**... – mkl Jan 29 '16 at 10:09
  • @mkl Yes I missed it. However, the canonicalization output is not correct. The namespace declaration is missing. – Moez Jan 29 '16 at 10:11
  • @Moez great, that should be the answer to the question. – mkl Jan 29 '16 at 10:56
  • I have tried all the combinations as suggested, but even with the namespaces rewritten into the canonical form, I am not getting the correct digest value. – SkypeMeSM Feb 02 '16 at 01:53
  • Am I using the correct command/technique to calculate the digest value from the canonical XML value? – SkypeMeSM Feb 02 '16 at 01:54

1 Answer


Finally I got it to work. There were two issues with my canonicalized markup:

a] The namespace string was incorrectly placed. It had to be `<Object xmlns="http://www.w3.org/2000/09/xmldsig#" Id="idOfficeObject">`

b] There was an errant newline at the end of the file, since I was modifying these files in a text editor.

Fixing these issues, and running shasum on it gave me the correct output. Thanks for your help, folks.

SkypeMeSM
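The two fixes from the answer (the inherited `xmlns` rendered on the apex `Object` element, and no trailing newline in the hashed bytes) can be reproduced programmatically instead of by hand-editing. The script below is an added example, not code from the question or the answer: it uses only the Python standard library and implements just the slice of inclusive C14N 1.0 that this Office markup needs (default namespaces only; no prefixes, comments, processing instructions or `xml:` attributes), so it is not a general canonicalizer. The sample document is constructed from the excerpt in the question, and the `DigestValue` from `SignedInfo` is used only for comparison; the script reports whether the computed digest matches it.

```python
"""Compute an XML-DSig <Reference> digest for an <Object> element.

Added example. Implements a minimal inclusive C14N 1.0 for subtrees whose
elements use only default (unprefixed) namespaces, then hashes the result
the way DigestValue expects: base64 of the raw digest bytes, no newline.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample built from the question's excerpt. <Object> declares no
# xmlns of its own: it inherits the dsig default namespace from <Signature>,
# which is exactly the declaration canonicalization must render on it.
SIGNATURE_XML = (
    '<Signature Id="idPackageSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<SignedInfo><Reference URI="#idOfficeObject">'
    '<DigestValue>ofqf9+Tj0qTkkExCEOwFz0V4aNo=</DigestValue>'
    '</Reference></SignedInfo>'
    '<Object Id="idOfficeObject"><SignatureProperties><SignatureProperty '
    'Id="idOfficeV1Details" Target="#idPackageSignature"><SignatureInfoV1 '
    'xmlns="http://schemas.microsoft.com/office/2006/digsig"><SetupID/>'
    '<SignatureText/><SignatureImage/><SignatureComments>test</SignatureComments>'
    '<WindowsVersion>6.1</WindowsVersion><OfficeVersion>14.0</OfficeVersion>'
    '<ApplicationVersion>14.0</ApplicationVersion><Monitors>1</Monitors>'
    '<HorizontalResolution>1920</HorizontalResolution>'
    '<VerticalResolution>1200</VerticalResolution><ColorDepth>32</ColorDepth>'
    '<SignatureProviderId>{00000000-0000-0000-0000-000000000000}</SignatureProviderId>'
    '<SignatureProviderUrl/><SignatureProviderDetails>9</SignatureProviderDetails>'
    '<ManifestHashAlgorithm>http://www.w3.org/2000/09/xmldsig#sha1</ManifestHashAlgorithm>'
    '<SignatureType>1</SignatureType></SignatureInfoV1></SignatureProperty>'
    '</SignatureProperties></Object></Signature>'
)
# DigestValue taken from the page; used only to report a match/mismatch.
PAGE_DIGEST = "ofqf9+Tj0qTkkExCEOwFz0V4aNo="


def _split(tag):
    """Split an ElementTree '{uri}local' name into (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def _esc_text(s):
    # C14N text-node escaping: & < > and carriage return
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace("\r", "&#xD;"))


def _esc_attr(s):
    # C14N attribute-value escaping: & < " tab newline carriage return
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
             .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def c14n_subtree(elem, inherited_default_ns=""):
    """Inclusive C14N 1.0 of one subtree (default namespaces only).

    The apex element's 'output parent' is the document root, which has no
    namespace in scope, so its xmlns is always rendered. Deeper elements get
    an xmlns only where the default namespace changes. Namespace declarations
    precede attributes, attributes are sorted, empty elements are expanded.
    """
    ns, local = _split(elem.tag)
    out = ["<", local]
    if ns != inherited_default_ns:
        out.append(' xmlns="%s"' % _esc_attr(ns))
    for key, value in sorted(elem.attrib.items(), key=lambda kv: _split(kv[0])):
        out.append(' %s="%s"' % (_split(key)[1], _esc_attr(value)))
    out.append(">")
    if elem.text:
        out.append(_esc_text(elem.text))
    for child in elem:
        out.append(c14n_subtree(child, ns))
        if child.tail:
            out.append(_esc_text(child.tail))
    out.append("</%s>" % local)
    return "".join(out)


def reference_digest(canonical_bytes, algo="sha1"):
    """DigestValue as XML-DSig stores it: base64 of the raw digest bytes."""
    return base64.b64encode(hashlib.new(algo, canonical_bytes).digest()).decode("ascii")


def object_digest(signature_xml, object_id="idOfficeObject"):
    """Return (canonical bytes, DigestValue) for the <Object> with the given Id."""
    root = ET.fromstring(signature_xml)
    obj = root.find(".//{%s}Object[@Id='%s']" % (DSIG_NS, object_id))
    canonical = c14n_subtree(obj).encode("utf-8")
    return canonical, reference_digest(canonical)


if __name__ == "__main__":
    canonical, digest = object_digest(SIGNATURE_XML)
    print(canonical.decode("utf-8"))
    print("computed DigestValue:       ", digest)
    print("DigestValue from SignedInfo:", PAGE_DIGEST)
    print("match:", digest == PAGE_DIGEST)
    # The editor pitfall from the answer: one extra byte changes everything.
    print("with a trailing newline:    ", reference_digest(canonical + b"\n"))
```

The `shasum | xxd -r -p | base64` pipeline in the question is itself fine; what it hashes is the whole problem. Writing `canonical` to a file with `open(path, "wb")` and hashing that file gives the same value as `reference_digest(canonical)`, whereas a text editor that appends a final newline produces the "with a trailing newline" value instead.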