Signing and verifying XML with xmlsec1

Let’s say we have a certification path like the following:

  • Root CA
    • Intermediate CA 1
      • Intermediate CA 2
        • End entity signer

And we want to sign sample.xml:

<?xml version="1.0" encoding="UTF-8"?>
<sample>
    <data>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</data>
</sample>

You will need to modify sample.xml by adding the signature template below (the Signature element; xmlsec1 fills in the empty DigestValue, SignatureValue and X509Data elements when it signs):

<?xml version="1.0" encoding="UTF-8"?>
<sample>
    <data>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</data>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference>
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue/>
            </Reference>
        </SignedInfo>
        <SignatureValue/>
        <KeyInfo>
            <X509Data/>
        </KeyInfo>
    </Signature>
</sample>

Then you can sign it using the following command:

$ xmlsec1 --sign --privkey-pem end_entity_privkey.pem,end_entity_cert.pem --output sample-signed.xml sample.xml

And verify the signature with the following command:

$ xmlsec1 --verify --trusted-pem root_ca.pem --untrusted-pem intermediate_ca_1.pem --untrusted-pem intermediate_ca_2.pem sample-signed.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Note from the previous command that you need exactly one --trusted-pem for the root CA and one --untrusted-pem for each intermediate CA.

It is very important to realize that xmlsec1 expects exactly one certificate per PEM file, regardless of the common practice of bundling several certificates in a single PEM file; this is why --untrusted-pem is repeated for every intermediate CA.
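The following script is an added example and is not code from the original post or from the xmlsec project. It wraps the sign and verify commands shown above in two functions and adds the step the one-certificate-per-file rule forces on you: splitting a bundled PEM file (here a constructed chain.pem with placeholder intermediates) into one file per certificate and turning those files into the --trusted-pem/--untrusted-pem option list. The file names root_ca.pem, intermediates.pem, end_entity_privkey.pem, end_entity_cert.pem and sample.xml are assumptions; the real tool is only invoked when it and those files are present.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the two xmlsec1
# invocations from the post and adds the step the post warns about:
# splitting a multi-certificate PEM bundle into one-certificate files, since
# xmlsec1 reads exactly one certificate per --trusted-pem/--untrusted-pem file.
# File names (chain.pem, root_ca.pem, sample.xml, ...) are assumptions.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, OUTDIR/cert-2.pem, ... (one certificate each)
# and prints the number of certificates written.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$1"
}

# verify_args ROOT_PEM SPLITDIR
# Prints the trust options for xmlsec1 --verify: one --trusted-pem for the
# root CA and one --untrusted-pem for every intermediate file in SPLITDIR.
verify_args() {
    printf '%s %s' --trusted-pem "$1"
    for f in "$2"/cert-*.pem; do
        [ -e "$f" ] || continue
        printf ' %s %s' --untrusted-pem "$f"
    done
    printf '\n'
}

# sign_xml KEY CERT IN OUT -- the post's signing command as a function; the
# certificate given with the key is what ends up inside <X509Data>.
sign_xml() {
    xmlsec1 --sign --privkey-pem "$1,$2" --output "$4" "$3"
}

# verify_xml ROOT_PEM SPLITDIR SIGNED_XML -- the post's verify command; the
# chain is validated up to the single trusted root, the intermediates are only
# untrusted helpers, and the signer certificate is read from <X509Data>.
verify_xml() {
    # word-splitting of the option list is intended here
    xmlsec1 --verify $(verify_args "$1" "$2") "$3"
}

# Constructed bundle: two placeholder intermediate "certificates". Real files
# carry base64 DER between the markers.
make_demo_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CA-1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CA-2
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed bundle: split it and show the resulting command line.
demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir/chain.pem"
count=$(split_pem_bundle "$demo_dir/chain.pem" "$demo_dir/split")
echo "split $count certificate(s) out of chain.pem"
echo "xmlsec1 --verify $(verify_args root_ca.pem "$demo_dir/split") sample-signed.xml"
rm -rf "$demo_dir"

# Only run the real tool when it and the assumed key material are present.
if command -v xmlsec1 >/dev/null 2>&1 && [ -f intermediates.pem ] && [ -f root_ca.pem ] \
   && [ -f end_entity_privkey.pem ] && [ -f end_entity_cert.pem ] && [ -f sample.xml ]; then
    real_dir=$(mktemp -d)
    split_pem_bundle intermediates.pem "$real_dir" >/dev/null
    sign_xml end_entity_privkey.pem end_entity_cert.pem sample.xml sample-signed.xml
    verify_xml root_ca.pem "$real_dir" sample-signed.xml
    rm -rf "$real_dir"
fi
```

The order of the --untrusted-pem options does not matter; xmlsec1 treats them as a pool of candidate issuers and only accepts a chain that ends at a --trusted-pem certificate. The template in the post uses rsa-sha1 and sha1; xmlsec1 also accepts the algorithm URIs http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 and http://www.w3.org/2001/04/xmlenc#sha256, which is what a new deployment should put in SignatureMethod and DigestMethod.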

Another useful post on this topic can be found at http://sgros.blogspot.pe/2013/01/signing-xml-document-using-xmlsec1.html.

Note: xmlsec1 in Windows

For some time now, xmlsec1 has been easy to install on Windows as a regular Cygwin package:

See http://cygwin.1069669.n5.nabble.com/ANNOUNCEMENT-xmlsec1-1-2-22-1-td129718.html.
