
I need to sign an XML code according to XMLDsig instructions (in ANDROID).

asked Dec 03 '12 at 14:06


chilkat ♦♦


I'm sorry to say that Chilkat does not provide an XMLDSig implementation. Chilkat provides the ability to create/verify PKCS7 signatures, and also the ability for S/MIME, but not for the XMLDSig specification as defined here: http://www.w3.org/TR/xmldsig-core/

The big problem with XMLDSig has to do with the XML canonicalization. See this from Wikipedia (http://en.wikipedia.org/wiki/XML_Signature)

XML Canonicalization

The creation of XML Signatures is substantially more complex than the creation of an ordinary digital signature because a given XML Document (an "Infoset", in common usage among XML developers) may have more than one legal serialized representation. For example, whitespace inside an XML Element is not syntactically significant, so that `<elem >` is syntactically identical to `<elem>`.

Since the digital signature is created by using an asymmetric key algorithm (typically RSA) to encrypt the results of running the serialized XML document through a Cryptographic hash function (typically SHA1), a single-byte difference would cause the digital signature to vary.

Moreover, if an XML document is transferred from computer to computer, the line terminator may be changed from CR to LF to CR LF, etc. A program that digests and validates an XML document may later render the XML document in a different way, e.g. adding excess space between attribute definitions with an element definition, or using relative (vs. absolute) URLs, or by reordering namespace definitions. Canonical XML is especially important when an XML Signature refers to a remote document, which may be rendered in time-varying ways by an errant remote server.

To avoid these problems and guarantee that logically-identical XML documents give identical digital signatures, an XML canonicalization transform (frequently abbreviated C14n) is employed when signing XML documents (for signing the SignedInfo, a canonicalization is mandatory). These algorithms guarantee that logically-identical documents produce exactly identical serialized representations.

Another complication arises because of the way that the default canonicalization algorithm handles namespace declarations; frequently a signed XML document needs to be embedded in another document; in this case the original canonicalization algorithm will not yield the same result as if the document is treated alone. For this reason, the so-called Exclusive Canonicalization, which serializes XML namespace declarations independently of the surrounding XML, was created.

Chilkat has investigated implementing this technology in the past, but concluded that it's a giant can-of-worms best not to be opened. My only advice to anyone considering an implementation: Good Luck, you'll need it.


answered Dec 03 '12 at 14:13


chilkat ♦♦

Dear. I resolved a C14N problem in my app. The new question is: If I send one XML to Chilkat to sign, will it open the certificate storage, sign, and return a SignatureValue? Thanks

(Dec 12 '12 at 13:49) mbarbiero
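The canonicalization problem quoted in the answer above, as an added example that is not part of the original thread and is not Chilkat code: two serializations of one logical document hash differently as raw bytes and identically after canonicalization, while a real content change still alters the digest. It assumes Python 3.8+ and uses the standard library's C14N 2.0 (`xml.etree.ElementTree.canonicalize`), which is a different algorithm from the Canonical XML and Exclusive Canonicalization transforms the quoted text mentions; the sample documents and function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET  # canonicalize() requires Python 3.8+

# Constructed samples: the same logical document serialized two ways.
# DOC_B differs in attribute order, quote style, whitespace and a CR LF
# inside tags, and the empty-element form.
DOC_A = ('<Order xmlns="urn:example:shop" id="42" currency="EUR">'
         '<Item sku="A1"/></Order>')
DOC_B = ("<Order  currency='EUR'\r\n   id='42' xmlns=\"urn:example:shop\" >"
         "<Item sku = \"A1\" ></Item></Order >")
# A genuine change to the content: one attribute value altered.
DOC_TAMPERED = DOC_A.replace('id="42"', 'id="43"')


def raw_digest(xml_text):
    """Digest of the bytes exactly as serialized (what a naive signer hashes)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical(xml_text):
    """Canonical serialization of the document (C14N 2.0)."""
    return ET.canonicalize(xml_data=xml_text)


def c14n_digest(xml_text):
    """Digest of the canonical form (what a signer should hash)."""
    return hashlib.sha256(canonical(xml_text).encode("utf-8")).hexdigest()


def compare(a, b):
    """Report whether two documents agree as raw bytes and as canonical XML."""
    return {"raw_equal": raw_digest(a) == raw_digest(b),
            "c14n_equal": c14n_digest(a) == c14n_digest(b)}


if __name__ == "__main__":
    print("A vs B       :", compare(DOC_A, DOC_B))
    print("A vs tampered:", compare(DOC_A, DOC_TAMPERED))
    print("canonical(B) :", canonical(DOC_B))
```
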

Dear. I resolved a C14N problem in my app. The new question is: If I send one XML to Chilkat to sign, will it open the certificate storage, sign, and return a SignatureValue? Thanks


answered Dec 12 '12 at 13:34


mbarbiero

I think the answer to this question is Yes. But I would need a more specific question -- perhaps one that asks about a specific method call.

(Dec 13 '12 at 08:58) chilkat ♦♦

Asked: Dec 03 '12 at 14:06

Seen: 2,258 times

Last updated: Dec 13 '12 at 08:58
