Velocity Reviews


Adam Tauno Williams 12-28-2010 01:06 AM

Re: Digitally Signing a XML Document (using SHA1+RSA or SHA1+DSA)
 
On Tue, 2010-12-28 at 03:25 +0530, Anurag Chourasia wrote:
> Hi All,


> I have a requirement to digitally sign a XML Document using SHA1+RSA
> or SHA1+DSA
> Could someone give me a lead on a library that I can use to fulfill
> this requirement?


<http://stuvel.eu/rsa> Never used it though.

> The XML Document has values such as
> <RSASK>-----BEGIN RSA PRIVATE KEY-----
> MIIBOgIBAAJBANWzHfF5Bppe4JKlfZDqFUpNLrwNQqguw76g/jmeO6f4i31rDLVQ
> n7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQMCQQCOd2lLpgRm6esMblO18WOG
> 3h8oCNcaydfUa1QmaX0apHlDFnI7UDXpYaHp2VL9gvtSJT5L3Z ASMzxRPXJSvzcT
> AiEA/16jQh18BAD4q3yk1gKw19I8OuJOYAxFYX9noCEFWUMCIQDWOiY fPtxK3A1s
> AFARsDnnHTL4FbRPpiZ79vP+VgqojwIhAKo/F4Fo/VgApceobeQByzqMKCdBiZVd
> g5ZU78AWA5DXAiEAjtFuv389hz1eSAA1YSAmmhN3UA54NRlu/U9NVDlccF8CIBkc
> Z52oGxy/skwVwI5TBcB1YqXJTT47/6/hTAVMTwaA -----END RSA PRIVATE
> KEY-----</RSASK>
> <RSAPUBK>-----BEGIN PUBLIC KEY-----
> MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBANWzHfF5Bppe4JKlfZ DqFUpNLrwNQqgu
> w76g/jmeO6f4i31rDLVQn7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQM= -----END
> PUBLIC KEY-----</RSAPUBK>


Is this any kind of standard or just something someone made up? Is
there a namespace for the document?

It seems quite odd that the document contains a *private* key.

If all you need to do is parse the document to retrieve the values that
seems straight-forward enough.

> And the XML also has another node that has a Public Key with Modules
> and Exponents etc that I apparently need to utilize.
> <RSAPK>
> <M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
> +OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M>
> <E>Aw==</E>
> </RSAPK>


> I am a little thin on this concept and expecting if you could guide me
> to a library/documentation that I could utilize.





Jorgen Grahn 12-30-2010 09:41 AM

Re: Digitally Signing a XML Document (using SHA1+RSA or SHA1+DSA)
 
On Tue, 2010-12-28, Adam Tauno Williams wrote:
> On Tue, 2010-12-28 at 03:25 +0530, Anurag Chourasia wrote:
>> Hi All,

>
>> I have a requirement to digitally sign a XML Document using SHA1+RSA
>> or SHA1+DSA
>> Could someone give me a lead on a library that I can use to fulfill
>> this requirement?

>
> <http://stuvel.eu/rsa> Never used it though.
>
>> The XML Document has values such as
>> <RSASK>-----BEGIN RSA PRIVATE KEY-----
>> MIIBOgIBAAJBANWzHfF5Bppe4JKlfZDqFUpNLrwNQqguw76g/jmeO6f4i31rDLVQ
>> n7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQMCQQCOd2lLpgRm6esMblO18WOG

....

> Is this any kind of standard or just something someone made up? Is
> there a namespace for the document?
>
> It seems quite odd that the document contains a *private* key.
>
> If all you need to do is parse the document to retrieve the values that
> seems straight-forward enough.
>
>> And the XML also has another node that has a Public Key with Modules
>> and Exponents etc that I apparently need to utilize.
>> <RSAPK>
>> <M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
>> +OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M>
>> <E>Aw==</E>
>> </RSAPK>

>
>> I am a little thin on this concept and expecting if you could guide me
>> to a library/documentation that I could utilize.


[The original posting by Anurag Chourasia did not reach my news server.]

I'd simply invoke GnuPG. A simple example:

% gpg --sign --armor foo
You need a passphrase to unlock the secret key for
user: ...

% head foo.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (GNU/Linux)

owGs+TuuLdGWRQu9B1hTwsAHaRUhPjN+DjVAWBRgxs+nGAgHA5 8aUA88RHVw6K3N
2PfefJn5Mg2ko6N99lkrYn7G6KN//m//6//l//C/+N/8X/5P/6//+//u//r/+P/+
...

The result isn't XML, but it *is* a standardized file format readable
by anyone. That's worth a lot. You can also create a detached signature
and ship it together with the original file, or skip the '--armor' and
get a binary signed file.

If you really *do* have a requirement to make the result XML-like and
incompatible with anything else, I'm afraid you're on your own, and
will have a lot of extra work testing and making sure it's all secure.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

Stefan Behnel 12-30-2010 10:23 AM

Re: Digitally Signing a XML Document (using SHA1+RSA or SHA1+DSA)
 
Jorgen Grahn, 30.12.2010 10:41:
> If you really *do* have a requirement to make the result XML-like and
> incompatible with anything else, I'm afraid you're on your own


Well, there's always xmlsec if you need it.

http://www.aleksey.com/xmlsec/

Stefan
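
The key material quoted in this thread can be checked mechanically before anything is signed or verified with it. The following is an added example, not part of any post in the thread: it parses the `<RSAPK>` modulus and exponent as quoted above and flags an embedded `<RSASK>` private key. The `<doc>` wrapper element, the function names and the 2048-bit threshold are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# <RSAPK> fragment as quoted in the thread. The <RSASK> content is a constructed
# placeholder: the check only needs to know that a private key is present.
SAMPLE = """<doc>
<RSASK>-----BEGIN RSA PRIVATE KEY----- (placeholder) -----END RSA PRIVATE KEY-----</RSASK>
<RSAPK>
<M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
+OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M>
<E>Aw==</E>
</RSAPK>
</doc>"""

MIN_MODULUS_BITS = 2048  # assumed policy threshold, not taken from the thread


def b64_to_int(text):
    """Decode a base64 big-endian integer, ignoring line breaks in the text."""
    raw = base64.b64decode("".join(text.split()), validate=True)
    return int.from_bytes(raw, "big")


def audit_keys(xml_text):
    """Return (modulus_bits, exponent, findings) for a document that uses the
    element names seen in the thread (RSAPK/M/E and RSASK, no namespace)."""
    root = ET.fromstring(xml_text)
    pk = next(root.iter("RSAPK"), None)
    if pk is None or pk.find("M") is None or pk.find("E") is None:
        raise ValueError("no <RSAPK> with <M> and <E> found")
    n = b64_to_int(pk.findtext("M"))
    e = b64_to_int(pk.findtext("E"))
    findings = []
    for sk in root.iter("RSASK"):
        if "PRIVATE KEY" in (sk.text or ""):
            findings.append("private key shipped inside the document")
    if n.bit_length() < MIN_MODULUS_BITS:
        findings.append("modulus is %d bits, below %d"
                        % (n.bit_length(), MIN_MODULUS_BITS))
    if e < 3 or e % 2 == 0:
        findings.append("public exponent %d is not a valid RSA exponent" % e)
    return n.bit_length(), e, findings


if __name__ == "__main__":
    bits, exponent, problems = audit_keys(SAMPLE)
    print("modulus bits:", bits, "exponent:", exponent)
    for p in problems:
        print("finding:", p)
```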


