Sign XML with key and cert

Question

I want to sign my xml files so that the persons I give them to can be certain that they are not tampered with and that I guarantee that these are XML files from me. Im using xmlseclib (php which seems to work). I have som questions I hope you could answer for me:

In the library I send a private RSA key and a certificate. How should I handle the certificate? If I use my cert I bought for my https server it is only valid for 1 year? I want my signed documents to valid forever. Should I generate my own cert? How do I do that in openssl?
Could someone please give me an overview of what goes into ds:SignatureValue, ds:DigestValue and ds:X509Certificate and how they are used?

My auto-added tag:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-  exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference>
<ds:Transforms>
<ds:TransformAlgorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>  
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
<ds:DigestValue>WHAT_GOES_HERE</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>WHAT_GOES_HERE</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>WHAT_GOES_HERE</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>

Thanks

Have you solved this problem? – Glavić Jan 15 '13 at 10:28 — Glavić, Jan 15 '13 at 10:28

score 1 · Answer 1 · answered May 16 '13 at 22:39

1

The certificate should be included in field #3. It can help building a trusted chain of certificates so that the receiver can determine that the signature is valid.

If it the signature is still valid depends on the person doing the verification. Normally you would not use a SSL certificate for signing data though. Establishing another trust relationship is basically PKI, and is outside of scope for Stackoverflow.

Field #1 simply contains a secure hash in base64 encoding over the data that is signed. Multiple hashes may be present.

Field #2 is the signature over the SignedInfo part. The signature consists of another secure hash over the SignedInfo and an asymmetric function like the modular exponentiation for RSA. It's in binary so it will be base 64 encoded as well.

answered May 16 '13 at 22:39

Maarten Bodewes

80,169
13
121
225

how do you generate the hash in base64 for Field #1? – Omar Gonzales Jan 03 '20 at 20:35
Uh, you follow the digsig standards? Sorry, but that includes things like canonicalization, which is a bit much to explain here. – Maarten Bodewes Jan 03 '20 at 20:36
Could you please explain this, in this new question I've made? https://stackoverflow.com/questions/59585385/how-to-generate-the-hash-in-base64-for-dsdigestvalue-dssignaturevalue-and-ds – Omar Gonzales Jan 03 '20 at 21:09

Sign XML with key and cert

1 Answers1