How to calculate XML Digestvalue?

3

When signing an XML document, the signature generates the DigestValue tag containing a hash. I can generate the DigestValue with a digital certificate, but I would like to generate this hash without needing a certificate...

I have seen in some documentation that it is necessary to use SHA1 and Base64, but whenever I use these two algorithms, the hash that comes back is not the one I am expecting.

Does anyone know the complete algorithm to generate this value?

Setting:

  • Input is any XML
  • I use the SHA1 encryption algorithm, then
  • I convert the result of the encryption into Base64
  • The Base64 output should be the correct hash, but a different hash comes out.
  • 1

    What is the code you use to generate and compare the hash? Can you post it? It's hard to know what's wrong without knowing exactly what you did.

  • I would like to know what the algorithm to generate this hash is... I will edit the question describing the steps I take.

  • 2

    An important step is to canonicalize the XML. I recommend using the Canonicalizer class of the Apache Santuario project (actually, I wouldn't do anything by hand; use this library for everything). As for the algorithm, just apply SHA1 to get the bits (not the HEX signature) and then compute the Base64 of those bits. The Apache Commons Codec library has everything you need for the second part.

  • To encode in SHA1 and convert to Base64 I use the libraries you mentioned.

1 answer

2

The process of calculating the DigestValue of an XML file is not just calculating the hash of that file; it has other intermediate steps:

  1. Put the document in canonical form, as pointed out by @Anthony Accioly;
  2. Apply any transformations specified in Reference/Transforms. If there is no Transforms element, or it is empty (no sub-elements), nothing needs to be done.

Make sure that these steps have been followed correctly and, if you still have problems getting a correct result, add more details to your question so that we can help further (if possible, show the SignedInfo you want to reach, a link to the XML file, and a description of the steps and tools you used).

Note: my previous answer (on signing files) does not apply here, because in fact the DigestValue is a simple hash and not a digital signature (and therefore invariant to the presence or absence of a certificate).

  • 1

    Hmm, thank you for your answer. I said that it is a different DigestValue because I already have the XML containing the correct DigestValue and I need a function that generates this DigestValue. The DigestValue is independent of the certificate, because I can generate the DigestValue without having the certificate.

  • 1

    @fymoribe From what I'm reading, you're right: DigestValue is one thing and SignatureValue is another... but I still can't understand exactly what it is or what its purpose is. I'll investigate some more; if I discover something, I'll update my answer.

  • I was really missing canonicalizing the string before doing the encryption, thank you very much.

  • 1

    fymoribe, don’t forget to accept the answer ;)
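The steps in the answer above (canonicalize, apply any Reference/Transforms, hash the raw bytes, Base64 the result), worked through as an added Python example that is not part of the question or the answer and does not use the Apache Santuario / Commons Codec classes mentioned in the comments; it relies on the standard library's C14N writer instead. Assumptions, all labelled in the code: the sample documents and function names are constructed; the documents use no namespace prefixes, so the C14N 2.0 output of `xml.etree.ElementTree.canonicalize` is byte-identical to the C14N 1.0 or Exclusive C14N that a real signature names in CanonicalizationMethod (for namespace-heavy documents, use a library that implements the exact method); and the only transform in play is either none or enveloped-signature, which the example approximates by dropping the `Signature` subtree. The `naive_digest` function reproduces what the question tried (hash the file as written, no canonicalization) so the two results can be compared.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# XML Signature namespace; needed only when the Reference carries an
# enveloped-signature transform, which removes <Signature> before hashing.
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def canonical_bytes(xml_text, drop_signature=False):
    """Canonicalize an XML document and return the bytes that get hashed.

    Uses the standard library's C14N writer (C14N 2.0). Assumption: for
    documents with no namespace prefixes, like the samples below, the output
    is byte-identical to the C14N 1.0 / Exclusive C14N that XML-DSig usually
    names in CanonicalizationMethod. Check that element in your SignedInfo.
    """
    # An empty Transforms element means "hash the canonical document as is".
    # The enveloped-signature transform is approximated (assumption) by
    # excluding the whole <Signature> subtree from the canonical output.
    exclude = {"{%s}Signature" % DSIG_NS} if drop_signature else None
    return ET.canonicalize(xml_text, exclude_tags=exclude).encode("utf-8")


def digest_value(xml_text, drop_signature=False, algorithm="sha1"):
    """Return the text content of <DigestValue>: Base64 of the raw hash bytes."""
    raw = hashlib.new(algorithm, canonical_bytes(xml_text, drop_signature)).digest()
    # .digest() gives the raw bytes; Base64 of .hexdigest() is the classic
    # way to get a value that never matches the one in the signed file.
    return base64.b64encode(raw).decode("ascii")


def naive_digest(xml_text):
    """What the question tried: Base64(SHA1(file bytes as written)), no C14N."""
    raw = hashlib.sha1(xml_text.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


# Constructed sample documents (not from the question). A and B carry the
# same content written differently: attribute order, quote style, whitespace
# inside the tag, and self-closing vs. explicit end tag all differ.
DOC_A = '<root><item y="1" x="2"/><item>text</item></root>'
DOC_B = '<root><item  x=\'2\' y="1" ></item><item>text</item></root>'

# A constructed document carrying an enveloped signature, and the same
# content without it; with the enveloped transform both must digest equally.
SIGNED = ('<root><data>payload</data>'
          '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
          '<SignedInfo></SignedInfo></Signature></root>')
UNSIGNED = '<root><data>payload</data></root>'

if __name__ == "__main__":
    print("canonical A:  ", canonical_bytes(DOC_A).decode("utf-8"))
    print("DigestValue A:", digest_value(DOC_A))
    print("DigestValue B:", digest_value(DOC_B))   # identical to A after C14N
    print("naive A:      ", naive_digest(DOC_A))   # differs: no canonicalization
    print("enveloped:    ", digest_value(SIGNED, drop_signature=True))
```

Running the block shows the point of the accepted answer: `DOC_A` and `DOC_B` produce the same DigestValue once canonicalized, while hashing the file bytes as written gives a different value even for `DOC_A` alone, because C14N rewrites `<item y="1" x="2"/>` as `<item x="2" y="1"></item>`. To check a DigestValue found in an existing signed file, compare `digest_value(...)` against the text of that `DigestValue` element, using the hash named in its `DigestMethod` and the transforms listed in its `Reference`.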
