Coming from this,
I was able to finally produce a correct detached signature.
However:
- when I try to produce an enveloped signature, it says that the digest value generated for the object is incorrect
- when I try to sign a relationship object, it says that the relationship file is not valid (or not validly processed).
So we have two questions here:
- What value exactly should I digest for an enveloped signature (or: what value should be digested from an object when the SignedInfo references that object)?
- How do I correctly apply a relationship transform, and what value should I digest from it?
BTW, a detached signature looks like this (which I'm able to sign correctly):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="idPackageSignature">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue> </DigestValue>
    </Reference>
    <Reference URI="/word/webSettings.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue> </DigestValue>
    </Reference>
    <Reference URI="/word/settings.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue> </DigestValue>
    </Reference>
    <Reference URI="/word/styles.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue> </DigestValue>
    </Reference>
    <Reference URI="/word/theme/theme1.xml?ContentType=application/vnd.openxmlformats-officedocument.theme+xml">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue> </DigestValue>
    </Reference>
    <Reference URI="/word/fontTable.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue> </DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue> </SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate> </X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>
But an enveloped signature looks like this (for which I can't reproduce the correct digest value of the object):
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Signature Id="SignatureIdValue" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="#idPackageObject" Type="http://www.w3.org/2000/09/xmldsig#Object">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue> </DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue> </SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate> </X509Certificate>
    </X509Data>
  </KeyInfo>
  <Object Id="idPackageObject">
    <Manifest>
      <Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="/word/webSettings.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="/word/settings.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="/word/styles.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="/word/theme/theme1.xml?ContentType=application/vnd.openxmlformats-officedocument.theme+xml">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue> </DigestValue>
      </Reference>
      <Reference URI="/word/fontTable.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue> </DigestValue>
      </Reference>
    </Manifest>
  </Object>
</Signature>
I tried digesting the content inside the Object node, without luck.
Remember, though, that although I can produce a valid detached signature, it's considered logically invalid, as stated in the ECMA standard.
Finally, a relationship reference looks like this (which I should also be able to digest and sign):
<Reference URI="/word/_rels/document.xml.rels?ContentType=application/vnd.openxmlformats-package.relationships+xml">
  <Transforms>
    <Transform Algorithm="http://schemas.openxmlformats.org/package/2006/RelationshipTransform">
      <xdssi:RelationshipReference xmlns:xdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" SourceId="rId3"/>
      <xdssi:RelationshipReference xmlns:xdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" SourceId="rId2"/>
      <xdssi:RelationshipReference xmlns:xdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" SourceId="rId1"/>
      <xdssi:RelationshipReference xmlns:xdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" SourceId="rId5"/>
      <xdssi:RelationshipReference xmlns:xdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" SourceId="rId4"/>
    </Transform>
    <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  <DigestValue> </DigestValue>
</Reference>
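To make both questions concrete, here is an added, self-contained Python example. It is not code from the original post; the Signature part, the .rels content and the SourceId list in it are constructed to mirror the snippets above, and it uses SHA-256 rather than the SHA-1 of the enveloped sample (SHA-1 should not be used for new signatures). It demonstrates two things. First, what is digested for `<Reference URI="#idPackageObject">`: a same-document `#id` reference selects the element with that Id and all of its descendants, so under the default C14N the value to hash is the canonical form of the whole `<Object>` element, start tag to end tag, with the in-scope xmldsig default namespace rendered on it (not only the content inside it), and it must be computed after every DigestValue inside the Manifest has been filled in. Second, the Relationships Transform of ECMA-376 Part 2 followed by C14N: keep only the Relationship elements whose Id matches a SourceId (or whose Type matches a SourceType), add the default `TargetMode="Internal"` where it is absent, sort by Id as case-sensitive strings (so `rId10` sorts before `rId2`), and serialize the survivors with no whitespace between them, which is also what the .NET System.IO.Packaging signer produces. The `c14n` function is a deliberately minimal inclusive C14N 1.0 that only handles markup using default namespaces, enough for the Object and the .rels part; for the SignedInfo itself (which carries `xdssi:` prefixes), or anything with comments or processing instructions, use a real implementation such as lxml's `etree.tostring(elem, method="c14n")`.

```python
"""OPC digest values: the idPackageObject Reference and the Relationships Transform.
Added example, not code from the original post; all sample XML below is constructed."""
import base64, copy, hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OD = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def _esc(s, attr=False):  # C14N escaping: & < > CR in text; & < " TAB LF CR in attributes
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    return (s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;") if attr
            else s.replace(">", "&gt;"))

def c14n(elem, inscope_default_ns=""):
    """Toy inclusive C14N 1.0 for markup that uses only default namespaces (no prefixes,
    comments or PIs). Digest-relevant rules: the default xmlns in scope at the apex is
    rendered on the apex, attributes are sorted, empty elements become <a></a>,
    whitespace text is kept verbatim and the XML declaration is dropped."""
    ns, _, local = elem.tag[1:].partition("}") if elem.tag.startswith("{") else ("", "", elem.tag)
    if any(k.startswith("{") for k in elem.attrib):
        raise NotImplementedError("namespaced attributes are outside this toy C14N")
    out = [f"<{local}"]
    if ns != inscope_default_ns:                 # (re)declare the default namespace
        out.append(f' xmlns="{_esc(ns, True)}"')
    for k in sorted(elem.attrib):                # unqualified attributes sort by name
        out.append(f' {k}="{_esc(elem.attrib[k], True)}"')
    out.append(">")
    if elem.text:
        out.append(_esc(elem.text))
    for child in elem:
        out.append(c14n(child, ns))
        if child.tail:
            out.append(_esc(child.tail))
    out.append(f"</{local}>")
    return "".join(out)

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def package_object_digest(signature_xml, object_id="idPackageObject"):
    """(canonical_text, DigestValue) for <Reference URI="#idPackageObject">: the whole
    <Object> element is canonicalised, start tag to end tag. Fill in the Manifest first."""
    root = ET.fromstring(signature_xml)
    obj = copy.deepcopy(next(e for e in root.iter(f"{{{DSIG_NS}}}Object") if e.get("Id") == object_id))
    obj.tail = None        # whitespace after </Object> belongs to the parent, not to the node-set
    canonical = c14n(obj)  # apex gets xmlns="...xmldsig#" because that declaration is in scope
    return canonical, b64_sha256(canonical.encode("utf-8"))

def relationships_transform(rels_xml, source_ids=(), source_types=()):
    """(canonical_text, DigestValue) after the Relationships Transform plus C14N: keep the
    Relationship elements whose Id is in source_ids or whose Type is in source_types, add
    the default TargetMode="Internal" where absent, sort by Id as case-sensitive strings
    (so rId10 < rId2), emit with no whitespace. (mc:Ignorable pre-processing omitted.)"""
    rel_tag = f"{{{RELS_NS}}}Relationship"
    kept = []
    for rel in ET.fromstring(rels_xml).findall(rel_tag):
        if rel.get("Id") in source_ids or rel.get("Type") in source_types:
            attrs = dict(rel.attrib)
            attrs.setdefault("TargetMode", "Internal")
            kept.append(attrs)
    kept.sort(key=lambda a: a["Id"])
    out = ET.Element(f"{{{RELS_NS}}}Relationships")
    for attrs in kept:
        ET.SubElement(out, rel_tag, attrs)       # no .text/.tail: no whitespace between elements
    canonical = c14n(out)
    return canonical, b64_sha256(canonical.encode("utf-8"))

# Constructed signature part (SHA-256 variant of the enveloped sample); the Manifest
# DigestValue is SHA-256 of an empty part, standing in for a real part digest.
SIGNATURE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="idPackageSignature">
  <SignedInfo>
    <Reference URI="#idPackageObject" Type="http://www.w3.org/2000/09/xmldsig#Object">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue></DigestValue>
    </Reference>
  </SignedInfo>
  <Object Id="idPackageObject">
    <Manifest>
      <Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</DigestValue>
      </Reference>
    </Manifest>
  </Object>
</Signature>
"""

# Constructed /word/_rels/document.xml.rels; rId6 is deliberately not in SOURCE_IDS.
RELS_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId2" Type="{OD}settings" Target="settings.xml"/>
  <Relationship Id="rId1" Type="{OD}styles" Target="styles.xml"/>
  <Relationship Id="rId6" Type="{OD}comments" Target="comments.xml"/>
  <Relationship Id="rId10" Type="{OD}theme" Target="theme/theme1.xml"/>
  <Relationship Id="rId4" Type="{OD}hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>
"""
SOURCE_IDS = {"rId2", "rId1", "rId4", "rId10"}
```

`package_object_digest(SIGNATURE_XML)[1]` is the value that goes into the SignedInfo Reference's DigestValue, and `relationships_transform(RELS_XML, SOURCE_IDS)[1]` is the value for the `.rels` Reference shown above; only after both are in place is SignedInfo canonicalized and signed, which is the step the detached example already gets right. Comparing `package_object_digest(...)[0]` with the canonical form of the inner `<Manifest>` alone shows why digesting "the content inside the Object node" cannot match: the `<Object ...>` start tag, its `xmlns` declaration and the surrounding whitespace are all part of the hashed bytes.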