Archived Forum Post


Question:

XML Digital Signatures according to XMLDSig

Dec 13 '12 at 08:58

I need to sign XML code according to the XMLDSig instructions (on Android).


Answer

I'm sorry to say that Chilkat does not provide an XMLDSig implementation. Chilkat provides the ability to create/verify PKCS7 signatures, and also the ability for S/MIME, but not for the XMLDSig specification as defined here: http://www.w3.org/TR/xmldsig-core/

The big problem with XMLDSig has to do with the XML canonicalization. See this from Wikipedia (http://en.wikipedia.org/wiki/XML_Signature)

XML Canonicalization

The creation of XML Signatures is substantially more complex than the creation of an ordinary digital signature because a given XML Document (an "Infoset", in common usage among XML developers) may have more than one legal serialized representation. For example, whitespace inside an XML Element is not syntactically significant, so that <elem > is syntactically identical to <elem>.

Since the digital signature is created by using an asymmetric key algorithm (typically RSA) to encrypt the results of running the serialized XML document through a Cryptographic hash function (typically SHA1), a single-byte difference would cause the digital signature to vary.

Moreover, if an XML document is transferred from computer to computer, the line terminator may be changed from CR to LF to CR LF, etc. A program that digests and validates an XML document may later render the XML document in a different way, e.g. adding excess space between attribute definitions with an element definition, or using relative (vs. absolute) URLs, or by reordering namespace definitions. Canonical XML is especially important when an XML Signature refers to a remote document, which may be rendered in time-varying ways by an errant remote server.

To avoid these problems and guarantee that logically-identical XML documents give identical digital signatures, an XML canonicalization transform (frequently abbreviated C14n) is employed when signing XML documents (for signing the SignedInfo, a canonicalization is mandatory). These algorithms guarantee that logically-identical documents produce exactly identical serialized representations.

Another complication arises because of the way that the default canonicalization algorithm handles namespace declarations; frequently a signed XML document needs to be embedded in another document; in this case the original canonicalization algorithm will not yield the same result as if the document is treated alone. For this reason, the so-called Exclusive Canonicalization, which serializes XML namespace declarations independently of the surrounding XML, was created.

Chilkat has investigated implementing this technology in the past, but concluded that it's a giant can-of-worms best not to be opened. My only advice to anyone considering an implementation: Good Luck, you'll need it.
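The canonicalization problem described in the answer above, shown in an added example (this is not Chilkat code and not part of the original post). It uses the Canonical XML 2.0 implementation in Python's standard library (xml.etree.ElementTree.canonicalize, Python 3.8+) rather than the Canonical XML 1.0 or Exclusive C14N algorithms most XMLDSig profiles call for; the kind of normalization is the same. The two sample documents DOC_A and DOC_B, the urn:example:orders namespace and the element names are constructed for illustration. The same infoset is serialized two ways, hashed raw (digests differ) and hashed after C14N (digests agree), and the canonical digest is then placed in an XMLDSig-style <Reference> and re-checked on the verifier side.

```python
"""Why XMLDSig needs canonicalization: two serializations of one XML infoset
hash differently as raw bytes, but identically after C14N.  The canonical
digest is what an XMLDSig <Reference> carries as <DigestValue>.

Standard library only (Python 3.8+).  ET.canonicalize implements Canonical
XML 2.0; XMLDSig deployments usually use C14N 1.0 or Exclusive C14N, but
the normalization shown here is the same in kind.
"""
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Constructed sample document (not from the forum post).
DOC_A = (
    '<?xml version="1.0"?>\n'
    '<Order xmlns="urn:example:orders" id="42" currency="EUR">\n'
    '  <Item sku="A-1" qty="2"/>\n'
    '  <Note>Ship &amp; bill</Note>\n'
    '</Order>\n'
)

# The same infoset re-serialized by a careless intermediary: CRLF line ends,
# single quotes, attributes reordered, whitespace inside tags (<Item ... >),
# the empty element expanded, a character reference for '&', and a comment.
DOC_B = (
    "<?xml version='1.0'?>\r\n"
    "<Order currency='EUR' id='42' xmlns='urn:example:orders' >\r\n"
    "  <Item qty='2' sku='A-1' ></Item><!-- not part of the infoset -->\r\n"
    "  <Note>Ship &#38; bill</Note>\r\n"
    "</Order>\r\n"
)

# Algorithm identifiers as used in XMLDSig Transform/DigestMethod elements.
C14N2_URI = "http://www.w3.org/2010/xml-c14n2"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"


def canonical_bytes(xml_text: str) -> bytes:
    """Canonical XML 2.0 serialization (comments dropped) as UTF-8 bytes."""
    return ET.canonicalize(xml_text).encode("utf-8")


def digest_value(data: bytes) -> str:
    """Base64(SHA-256(data)), the encoding XMLDSig uses for <DigestValue>."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def raw_digests_differ() -> bool:
    """Hashing raw bytes: a single-byte difference changes the digest."""
    return digest_value(DOC_A.encode("utf-8")) != digest_value(DOC_B.encode("utf-8"))


def canonical_digests_match() -> bool:
    """Hashing canonical bytes: logically identical documents agree."""
    return canonical_bytes(DOC_A) == canonical_bytes(DOC_B)


def reference_xml(uri: str, xml_text: str) -> str:
    """The <Reference> a SignedInfo would carry for xml_text under a C14N
    transform.  The signer hashes exactly what the transform outputs."""
    return (
        f'<Reference URI="{uri}">'
        f'<Transforms><Transform Algorithm="{C14N2_URI}"/></Transforms>'
        f'<DigestMethod Algorithm="{SHA256_URI}"/>'
        f'<DigestValue>{digest_value(canonical_bytes(xml_text))}</DigestValue>'
        '</Reference>'
    )


def verify_reference(received_xml: str, expected_digest: str) -> bool:
    """Verifier side: re-run the same transform on the bytes actually received,
    then compare digests in constant time.  Hashing the raw bytes instead would
    reject DOC_B even though it carries exactly the signed content."""
    actual = digest_value(canonical_bytes(received_xml))
    return hmac.compare_digest(actual, expected_digest)


if __name__ == "__main__":
    signed = digest_value(canonical_bytes(DOC_A))
    print(reference_xml("", DOC_A))
    print("raw digests differ:     ", raw_digests_differ())
    print("canonical digests match:", canonical_digests_match())
    print("DOC_B verifies:         ", verify_reference(DOC_B, signed))
    tampered = DOC_B.replace("qty='2'", "qty='3'")
    print("tampered copy verifies: ", verify_reference(tampered, signed))
```

Note that the same canonicalization step applies to SignedInfo itself: the SignatureValue is computed over the canonical form of SignedInfo, which is why the specification makes a CanonicalizationMethod mandatory there. A verifier that hashes the bytes it happened to receive, rather than the output of the declared transform, will reject valid signatures after any harmless re-serialization; one that applies a different transform than the one declared will accept the wrong thing.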


Answer

Dear, I resolved a C14N problem in my app. The new question is: if I send one XML document to Chilkat to sign, will it open the certificate store, sign it and return a SignatureValue? Thanks