TechQA.

Generating xml signature with "ds" prefix

6.6k views Asked by At

I have generated an xml signature with signedxml ,, and validation is work well. My signaturexml is like below

<Signature Id="orderSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <Reference URI="">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <DigestValue>0r1BZecYgC4FzPIxuU9DYIbVqUE=</DigestValue>
                        </Reference>
                    </SignedInfo>
                    <SignatureValue>B+SreGOR7+QEnvo0zMgJsNgZ4gbA1leOifLGd09HG8lZD0ZxsBkcR0aauTgwRgeOefKSwah+KEqAlZvRNykgPjBmY9BJ2g6OfRdvm/mSj7ecDuq/Ic1vo5bHeFJHzr8qbS7IKS/hl/BOx+06yg5rFbVeQGYypznNLIKrjS5cfDbo11e6tpLWswZMxhly8c+FHuMKzAJKOw4spbebgVT4p/vGYsPekTRtvtLtqp1yVl1za8xWkqXmbPPxwio7rXFpKWAqdLQiHYW0cs8ARXUo2jSjete+m4+wQ3QpN4Wfj8Cs3+bYsh01r1XHUG48w3PGt11+trlIEABCaQrhgj9xzg==</SignatureValue>
                    <KeyInfo>
                        <KeyValue>
                            <RSAKeyValue>
                                <Modulus>z9KDoRUO4alAwhL2Nq2fIAwsbecLuWYnzwKEX2WsUOWmhXksD+uYqjRqrKpV9j2tWFf6Ba87zEEa5xPOgD9Jj5naq6tDuH9q48u2gosC3vohPTNXL1I1sj9NTYIFNN+xcf/hi7fPQa/yq5lPOwN45kblee8Z6MqVt6Jk5ytQ+jMT6ZMStL6dOASKbwROfb0uhdmOieX60CGNAbdrn/ei2Vr2EOVmHSB1ZqZ0EhaFTKK5PPuiDlptl+bH0KBqkYEcMgzGMgxNJbDM/MlHgXWh9IWTS/A64awy8xUEQwq9QCibYzI5WCDceyTiNSAVhBQDMEX4YyWDj52sceKEK/q9NQ==</Modulus>
                                <Exponent>AQAB</Exponent>
                            </RSAKeyValue>
                        </KeyValue>
                        <X509Data>
                            <X509IssuerSerial>
                                <X509IssuerName>CN=Mali Mühür Elektronik Sertifika Hizmet Sağlayıcısı - Sürüm 1, C=TR</X509IssuerName>
                                <X509SerialNumber>97806797770378</X509SerialNumber>
                            </X509IssuerSerial>
                            <X509SubjectName>CN=Bimtel İletişim Ve Bilişim Ticaret Limited Şirketi, SERIALNUMBER=1750422091</X509SubjectName>
                            <X509Certificate>MIIFrTCCBJWgAwIBAgIGWPRrcA6KMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAYTAlRSMU0wSwYDVQQDDERNYWxpIE3DvGjDvHIgRWxla3Ryb25payBTZXJ0aWZpa2EgSGl6bWV0IFNhxJ9sYXnEsWPEsXPEsSAtIFPDvHLDvG0gMTAeFw0xMTEwMTkxMjQ1NDVaFw0xNjEwMTcxMjQ1NDVaMFYxEzARBgNVBAUTCjE3NTA0MjIwOTExPzA9BgNVBAMMNkJpbXRlbCDEsGxldGnFn2ltIFZlIEJpbGnFn2ltIFRpY2FyZXQgTGltaXRlZCDFnmlya2V0aTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM/Sg6EVDuGpQMIS9jatnyAMLG3nC7lmJ88ChF9lrFDlpoV5LA/rmKo0aqyqVfY9rVhX+gWvO8xBGucTzoA/SY+Z2qurQ7h/auPLtoKLAt76IT0zVy9SNbI/TU2CBTTfsXH/4Yu3z0Gv8quZTzsDeOZG5XnvGejKlbeiZOcrUPozE+mTErS+nTgEim8ETn29LoXZjonl+tAhjQG3a5/3otla9hDlZh0gdWamdBIWhUyiuTz7og5abZfmx9CgapGBHDIMxjIMTSWwzPzJR4F1ofSFk0vwOuGsMvMVBEMKvUAom2MyOVgg3Hsk4jUgFYQUAzBF+GMlg4+drHHihCv6vTUCAwEAAaOCAnkwggJ1MB8GA1UdIwQYMBaAFEYgqVMbKAwcrvIoUYOzHr7yUxR8MB0GA1UdDgQWBBRv135w613ZEQPsNPW+8TDIFkKEDzAOBgNVHQ8BAf8EBAMCB4AwggEzBgNVHSAEggEqMIIBJjCCASIGC2CGGAECAQEFBwQBMIIBETAqBggrBgEFBQcCARYeaHR0cDovL2RlcG8ua2FtdXNtLmdvdi50ci9pbGtlMIHiBggrBgEFBQcCAjCB1R6B0gBCAHUAIABzAGUAcgB0AGkAZgBpAGsAYQAgAGkAbABlACAAaQBsAGcAaQBsAGkAIABzAGUAcgB0AGkAZgBpAGsAYQAgAHUAeQBnAHUAbABhAG0AYQAgAGUAcwBhAHMAbABhAHIBMQBuATEAIABvAGsAdQBtAGEAawAgAGkA5wBpAG4AIABiAGUAbABpAHIAdABpAGwAZQBuACAAdwBlAGIAIABzAGkAdABlAHMAaQBuAGkAIAB6AGkAeQBhAHIAZQB0ACAAZQBkAGkAbgBpAHoALjAMBgNVHRMBAf8EAjAAMBYGA1UdJQQPMA0GC2CGGAECAQEFBzIBMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9kZXBvLmthbXVzbS5nb3YudHIva3VydW1zYWwvbW1lc2hzLXMxLmNybDCBggYIKwYBBQUHAQEEdjB0MDwGCCsGAQUFBzAChjBodHRwOi8vZGVwby5rYW11c20uZ292LnRyL2t1cnVtc2FsL21tZXNocy1zMS5jcnQwNAYIKwYBBQUHMAGGKGh0dHA6Ly9jaXNkdXBtbXMxLmt1cnVtc2FsLmthbXVzbS5nb3YudHIwDQYJKoZIhvcNAQELBQADggEBAFX0arwcDDLRbYHOkxb3Os4t3kMxPG7VzBAcgiPCV/ph1xda1S7IyXTk54L6OsXtsW/JBvf9+mjufAQXPwUl1AoqndBOkzYuOYv5ZXpK0Uzb1yV+XiLZtKp44wv2FeaEN5D/nyMAwi6ckGE959/JnXV5AAURBwgrnuOcksryJwOyRV78JAu28UL0fflDdmLR8qZKUUDdDzAhHTZzXBjF1GtHyEGtg3nJKO13ZZba6HXbv6dP2J7ZgFTTeyobTh5MsnBIedSItxfAxUhls7M8L3h0X42Dkx28nZw7zG1n55TIPrahihjR99qYGVnf5lnfYOt5/dhkeOazxam+QookoBI=</X509Certificate>
                        </X509Data>
                    </KeyInfo>
                </Signature>

But I need to generate xml signature with "ds:" prefix.

I couldnt find the sollution in stackoverflow about this issue.

How to get xml signature with prefix ? Is it possible with signedxml (System.Security.Cryptography.Xml) library ,,

Or is there any library that I can generate ?

Thanks for any advice..

xml security cryptography signedxml
Original Q&A
3

There are 3 answers

2
albciff On

I don't really understand why do you want to add ds prefix in the namespace.

Having this:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature">
  <ds:SignedInfo Id="SignedInfo">
 <ds:CanonicalizationMethod ...

Is totally equivalent to:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Signature">
   <SignedInfo Id="SignedInfo">
 <CanonicalizationMethod ...

In the first case you have to specify ds for elements in http://www.w3.org/2000/09/xmldsig# namespace, in the second case this namespace is the default namespace so each element in the xml without declared prefix is from this namespace.

Furthermore you say that you need to add ds prefix in order to have a XAdES-BES, and you comment something about difference between xmldsig and xades signatures. You have to know that XAdES is only a specification which says what attributes are needed by an XMLDSIG signature to become XAdES signature. Roughly XAdES is an XMLDSIG signature which incorporates:<Object http://www.w3.org/2000/09/xmldsig#> that will be the bag for the whole set of qualifying properties, some of them signed (signedProperties) and some of them unsigned (unsignedProperties). For a XAdES-BES case you must add <xades:SigningCertificate xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"> inside <xades:SignedProperties> element.

Here I give you an example of XAdES-BES signature "without" ds prefix.

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Signature">
<SignedInfo Id="SignedInfo">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference Id="SignedProperties-Reference" Type="http://uri.etsi.org/01903/v1.2.2#SignedProperties" URI="#SignedProperties">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>fiKTaqJzLSmC73cMXZSzjhd877w=</DigestValue>
    </Reference>
    <Reference Id="SignedDataObject-Reference-1" URI="DetachedObjectReference-1">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>8ruIS/4MRp2wAwVX4/pTCYxTyWc=</DigestValue>
    </Reference>
</SignedInfo>
<SignatureValue Id="DocumentSignatureValue">
    R40YdEEEl0YIZVdl4pm3yyF7qGAG8ZN8PPf0aBRXbvRgdIcvJZtI5AS5NexaO5T4O0gMHWRIKjNb
    2QzlfwxlQ3/KqMW4W0QkMLpF4csBpXt9bJ3t+smEeTnxkBcQRXAw5v9kwf20mfz1LtIUhbsU/PMd
    YwaGCsItF2rzl3rtcq4=
</SignatureValue>
<KeyInfo Id="KeyInfo">
    <X509Data>
        <X509Certificate>
            MIIIUTCCBzmgAwI...
        </X509Certificate>
    </X509Data>
    <KeyValue>
        <RSAKeyValue>
            <Modulus>
              pb0cJiodddCDVe/t+7...
            </Modulus>
            <Exponent>AQAB</Exponent>
        </RSAKeyValue>
    </KeyValue>
</KeyInfo>
<Object>
    <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="QualifyingProperties" Target="#Signature">
        <xades:SignedProperties Id="SignedProperties">
            <xades:SignedSignatureProperties>
                <xades:SigningCertificate>
                    <xades:Cert>
                        <xades:CertDigest>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <DigestValue>UZq4NIL9eVVA7aJixPeiUTM3nOM=</DigestValue>
                        </xades:CertDigest>
                        <xades:IssuerSerial>
                            <X509IssuerName>XXXXXXXXXXXX....</X509IssuerName>
                            <X509SerialNumber>705964899...</X509SerialNumber>
                        </xades:IssuerSerial>
                    </xades:Cert>
                </xades:SigningCertificate>
            </xades:SignedSignatureProperties>
            <xades:SignedDataObjectProperties/>
        </xades:SignedProperties>
    </xades:QualifyingProperties>
</Object>

Hope this helps,

0
Petr Dokoupil On

try to add this attribute xmlns:ds="http://www.w3.org/2000/09/xmldsig#" to the root tag of your XML document before you sign it. I my case it helped for the enveloped-signature, but I am using Crypto API. Hope this helps you.

2
sAlfaro On

After a lot of research, I found this answer. Basically it's necessary modify the SignedXml class to add the prefix before getting the digest value of the SignedInfo node.

The ComputeSignature method will be modify to add the prefix parameter

public void ComputeSignature(string prefix){...}

When this method is called it calculates the Signature Value by digesting the value of the SignedInfo node, if you get this value without the "ds" prefix and then add the prefix you will get an invalid signature, so you will have to add the prefix BEFORE getting the digest value of the signedinfo node.

This digest value is generated in the method GetC14NDigest, so this method will be modify to add the prefix parameter and to add the prefix BEFORE getting the digest value

private byte[] GetC14NDigest(HashAlgorithm hash, string prefix)
{
    XmlDocument document = new XmlDocument();
    document.PreserveWhitespace = false;
    XmlElement e = this.SignedInfo.GetXml(); //get the signedinfo nodes
    document.AppendChild(document.ImportNode(e, true));        
    Transform canonicalizationMethodObject = this.SignedInfo.CanonicalizationMethodObject;       
    SetPrefix(prefix, document.DocumentElement); /*Set the prefix before getting the HASH*/
    canonicalizationMethodObject.LoadInput(document);
    return canonicalizationMethodObject.GetDigestedOutput(hash);
}

Ok, so now you have the Signature Value of the SignedInfo nodes WITH the "ds" prefix, that being said you still DON'T have the xml with the prefix yet, so if you just call the GetXml method you will not see the "ds" prefix and of course because the signature value was calculated considering the ds prefix you will have an invalid signature. To avoid that and get the xml structure with the prefix you have to modify the GetXml method, add the prefix parameter, and call the SetPrefix method wich will add the "ds" prefix to all the nodes in the Signature Xml

public XmlElement GetXml(string prefix)
{
    XmlElement e = this.GetXml();
    SetPrefix(prefix, e); //return the xml structure with the prefix
    return e;
}

I'll leave here the class with those modifications

CUSTOM CLASS

internal sealed class CustomSignedXml : SignedXml
{
    XmlElement obj = null;
    public CustomSignedXml (XmlDocument xml)
        : base(xml)
    {
    }

    public CustomSignedXml (XmlElement xmlElement)
        : base(xmlElement)
    {

    }

    public XmlElement GetXml(string prefix)
    {
        XmlElement e = this.GetXml();
        SetPrefix(prefix, e);
        return e;
    }

    public void ComputeSignature(string prefix)
    {
        this.BuildDigestedReferences();
        AsymmetricAlgorithm signingKey = this.SigningKey;
        if (signingKey == null)
        {
            throw new CryptographicException("Cryptography_Xml_LoadKeyFailed");
        }
        if (this.SignedInfo.SignatureMethod == null)
        {
            if (!(signingKey is DSA))
            {
                if (!(signingKey is RSA))
                {
                    throw new CryptographicException("Cryptography_Xml_CreatedKeyFailed");
                }
                if (this.SignedInfo.SignatureMethod == null)
                {
                    this.SignedInfo.SignatureMethod = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
                }
            }
            else
            {
                this.SignedInfo.SignatureMethod = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
            }
        }
        SignatureDescription description = CryptoConfig.CreateFromName(this.SignedInfo.SignatureMethod) as SignatureDescription;
        if (description == null)
        {
            throw new CryptographicException("Cryptography_Xml_SignatureDescriptionNotCreated");
        }
        HashAlgorithm hash = description.CreateDigest();
        if (hash == null)
        {
            throw new CryptographicException("Cryptography_Xml_CreateHashAlgorithmFailed");
        }
        this.GetC14NDigest(hash, prefix);
        this.m_signature.SignatureValue = description.CreateFormatter(signingKey).CreateSignature(hash);
    }         

    private byte[] GetC14NDigest(HashAlgorithm hash, string prefix)
    {

        XmlDocument document = new XmlDocument();
        document.PreserveWhitespace = false;
        XmlElement e = this.SignedInfo.GetXml();
        document.AppendChild(document.ImportNode(e, true));               

        Transform canonicalizationMethodObject = this.SignedInfo.CanonicalizationMethodObject;            
        SetPrefix(prefix, document.DocumentElement); //Set the prefix before getting the HASH
        canonicalizationMethodObject.LoadInput(document);
        return canonicalizationMethodObject.GetDigestedOutput(hash);
    }

    private void BuildDigestedReferences()
    {
        Type t = typeof(SignedXml);
        MethodInfo m = t.GetMethod("BuildDigestedReferences", BindingFlags.NonPublic | BindingFlags.Instance);
        m.Invoke(this, new object[] { });
    }

    private void SetPrefix(string prefix, XmlNode node)
    {
       foreach (XmlNode n in node.ChildNodes)
          SetPrefix(prefix, n);
       node.Prefix = prefix;
    }
}

And the way to use it

CustomSignedXml signedXml = new CustomSignedXml();

//compute the signature with the "ds" prefix

signedXml.ComputeSignature("ds");

//get the xml of the signature with the "ds" prefix

XmlElement xmlDigitalSignature = signedXml.GetXml("ds");

Related Questions in XML

Related Questions in SECURITY

Related Questions in CRYPTOGRAPHY

Related Questions in SIGNEDXML

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions