[Interest] validate xml dsig signature in c++ (qt?)
adrian.stern at screenfood.com
Wed May 29 15:24:50 CEST 2013
My question is not really Qt related, since I would prefer a non-Qt solution to it. But if Qt would provide me with the appropriate tools, I would be happy too.
So: my program downloads an XML which is signed using the W3C dsig standard (RSA key pair). I have to check the validity of this file using the <Signature> tag, which holds all the necessary information.
For 3 days now I've been looking at xml-security-c, which is an Apache project, but I just can't get anything to work. Sadly they do not provide any examples to analyse, only some helper command line tools (with source), but I cannot start analysing them if I'm not sure they work.
What I do (a copy from my mailing list question):
1. Creating an RSA key pair with openssl:
openssl genrsa -out key.pem 1288
openssl rsa -in key.pem -pubout > key.pub
2. Add modulus and exponent:
openssl rsa -modulus -pubin <key.pub
openssl rsa -pubin -inform PEM -text -noout <key.pub
3. Signing my example:
templatesign -r key.pem pass123 test.lic > signed.lic
4. Check for changes:
Digest and SignedValue differ!
Exponent and modulus not - as expected
5. Check signature:
checksig signed.lic || echo $?
Signature failed verification
Validation of <SignedInfo> failed
+ Exit 1 checksig signed.lic
The exit code 1 means "Signature Bad"; 0 would be OK and >1 would be some error. The exit code from signing is also 0.
As you can see, the signing does work, but the validation does not.
Ideas and especially examples are very welcome.
Freundliche Grüsse / Best Regards / Meilleures salutations
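
The two checks an enveloped XML signature has to pass (the reference digest over the document without `<Signature>`, and the RSA signature over the canonical `<SignedInfo>`), as an added Python example that is not part of the original post and is not xml-security-c code. Assumptions: a constructed toy RSA key, C14N 2.0 from the Python 3.8+ standard library, and a reduced element layout (no `Reference`, `Transforms` or `Algorithm` attributes), so its output is not interoperable with `checksig`.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
# Constructed toy RSA key built from two Mersenne primes; illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
SHA256_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def c14n(elem):
    # Canonical bytes of one element (C14N 2.0, assumed here for simplicity).
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def emsa(data):
    # PKCS#1 v1.5 encoding of SHA-256(data), returned as an integer.
    t = SHA256_INFO + hashlib.sha256(data).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def digest_without_signature(root):
    # Enveloped-signature transform: digest the document minus <Signature>.
    copy = ET.fromstring(ET.tostring(root))
    for sig in copy.findall(f"{{{DS}}}Signature"):
        copy.remove(sig)
    return base64.b64encode(hashlib.sha256(c14n(copy)).digest()).decode()

def sign(root):
    # Appends <Signature> to root and returns the serialized signed document.
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}DigestValue").text = digest_without_signature(root)
    s = pow(emsa(c14n(info)), D, N)
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(s.to_bytes(K, "big")).decode()
    return ET.tostring(root)

def verify(xml_bytes):
    # Returns (reference_ok, signedinfo_ok), the two core-validation results.
    root = ET.fromstring(xml_bytes)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return False, False
    info = sig.find(f"{{{DS}}}SignedInfo")
    ref_ok = info.find(f"{{{DS}}}DigestValue").text == digest_without_signature(root)
    s = int.from_bytes(base64.b64decode(sig.find(f"{{{DS}}}SignatureValue").text), "big")
    return ref_ok, pow(s, E, N) == emsa(c14n(info))
```

Changing the document body after signing fails only the first check, while changing anything inside `<SignedInfo>` fails the second.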