Let’s say we have a certification path like the following:
- Root CA
- Intermediate CA 1
- Intermediate CA 2
- End entity signer
And we want to sign sample.xml:
<?xml version="1.0" encoding="UTF-8"?>
<sample>
  <data>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</data>
</sample>
You will need to modify sample.xml by adding the signature template to it (the Signature element below; the rest of the file is unchanged):
<?xml version="1.0" encoding="UTF-8"?>
<sample>
  <data>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference>
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue/>
      </Reference>
    </SignedInfo>
    <SignatureValue/>
    <KeyInfo>
      <X509Data/>
    </KeyInfo>
  </Signature>
</sample>
Then you can sign it using the following command:
$ xmlsec1 --sign --privkey-pem end_entity_privkey.pem,end_entity_cert.pem --output sample-signed.xml sample.xml
And verify the signature with the following command:
$ xmlsec1 --verify --trusted-pem root_ca.pem --untrusted-pem intermediate_ca_1.pem --untrusted-pem intermediate_ca_2.pem sample-signed.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Note from the previous command that you add only one --trusted-pem, for the root CA, and one --untrusted-pem for each intermediate CA. It is very important to realize that xmlsec1 expects exactly one certificate in each PEM file, regardless of the common practice of grouping several certificates in a single PEM file; that is why --untrusted-pem is repeated for every intermediate CA.
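The following shell script is an added example, not code from the original post: it splits a bundled chain file into one certificate per PEM file, which is what xmlsec1 requires, and builds the --trusted-pem / --untrusted-pem argument list for the verify step exactly as described above. It assumes the bundle lists the root CA first followed by the intermediates in order, and the certificate bodies in the demo bundle are constructed placeholders, not real certificates.

```shell
# Added example (not from the original post). xmlsec1 reads exactly one
# certificate per PEM file, so a bundled chain must be split first.

# split_pem_bundle BUNDLE OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ...
# (one certificate each, in bundle order) and prints how many were found.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem" }
        n { print > out }
        /^-----END CERTIFICATE-----$/ { close(out) }
        END { print n + 0 }
    ' "$1"
}

# xmlsec1_verify_args NCERTS OUTDIR: one --trusted-pem for the root and one
# --untrusted-pem per intermediate. Assumes cert-1.pem is the root CA, i.e.
# the bundle lists the root first.
xmlsec1_verify_args() {
    printf -- '--trusted-pem %s/cert-1.pem' "$2"
    i=2
    while [ "$i" -le "$1" ]; do
        printf -- ' --untrusted-pem %s/cert-%s.pem' "$2" "$i"
        i=$((i + 1))
    done
    printf '\n'
}

# verify_signed_xml BUNDLE SIGNED_XML: split into a temp dir (no spaces in
# mktemp paths, so the unquoted argument expansion is intended), then verify.
verify_signed_xml() {
    dir=$(mktemp -d)
    n=$(split_pem_bundle "$1" "$dir")
    xmlsec1 --verify $(xmlsec1_verify_args "$n" "$dir") "$2"
}
# write_demo_bundle FILE: constructed root-first bundle with placeholder
# bodies (not real certificates) for exercising the splitter offline.
write_demo_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CA-1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CA-2
-----END CERTIFICATE-----
EOF
}
```

With a real bundle, `verify_signed_xml chain.pem sample-signed.xml` runs the same verify command shown above; the output is the OK / References summary printed by xmlsec1.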
Another useful post on this topic can be found at http://sgros.blogspot.pe/2013/01/signing-xml-document-using-xmlsec1.html.
Note: xmlsec1 on Windows
For some time now, xmlsec1 has been easy to install on Windows as a regular Cygwin package; see http://cygwin.1069669.n5.nabble.com/ANNOUNCEMENT-xmlsec1-1-2-22-1-td129718.html.