Re: Digitally Signing a XML Document (using SHA1+RSA or SHA1+DSA)

 
 
Adam Tauno Williams
 
      12-28-2010
On Tue, 2010-12-28 at 03:25 +0530, Anurag Chourasia wrote:
> Hi All,


> I have a requirement to digitally sign a XML Document using SHA1+RSA
> or SHA1+DSA
> Could someone give me a lead on a library that I can use to fulfill
> this requirement?


<http://stuvel.eu/rsa> Never used it though.

> The XML Document has values such as
> <RSASK>-----BEGIN RSA PRIVATE KEY-----
> MIIBOgIBAAJBANWzHfF5Bppe4JKlfZDqFUpNLrwNQqguw76g/jmeO6f4i31rDLVQ
> n7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQMCQQCOd2lLpgRm6esMblO18WOG
> 3h8oCNcaydfUa1QmaX0apHlDFnI7UDXpYaHp2VL9gvtSJT5L3Z ASMzxRPXJSvzcT
> AiEA/16jQh18BAD4q3yk1gKw19I8OuJOYAxFYX9noCEFWUMCIQDWOiY fPtxK3A1s
> AFARsDnnHTL4FbRPpiZ79vP+VgqojwIhAKo/F4Fo/VgApceobeQByzqMKCdBiZVd
> g5ZU78AWA5DXAiEAjtFuv389hz1eSAA1YSAmmhN3UA54NRlu/U9NVDlccF8CIBkc
> Z52oGxy/skwVwI5TBcB1YqXJTT47/6/hTAVMTwaA -----END RSA PRIVATE
> KEY-----</RSASK>
> <RSAPUBK>-----BEGIN PUBLIC KEY-----
> MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBANWzHfF5Bppe4JKlfZ DqFUpNLrwNQqgu
> w76g/jmeO6f4i31rDLVQn7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQM= -----END
> PUBLIC KEY-----</RSAPUBK>


Is this any kind of standard or just something someone made up? Is
there a namespace for the document?

It seems quite odd that the document contains a *private* key.

If all you need to do is parse the document to retrieve the values that
seems straight-forward enough.

> And the XML also has another node that has a Public Key with Modules
> and Exponents etc that I apparently need to utilize.
> <RSAPK>
> <M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
> +OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M>
> <E>Aw==</E>
> </RSAPK>


> I am a little thin on this concept and expecting if you could guide me
> to a library/documentation that I could utilize.




 
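The two points raised in the reply above (the values are easy to parse out, and the document embeds a private key), as an added Python example that is not part of any post in this thread: it decodes the `<M>`/`<E>` values quoted in the first post and lists what a key review would flag. The `<KEYS>` root element, the placeholder `<RSASK>` body and the two policy thresholds are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed document. <KEYS> is a hypothetical root element (the thread never
# shows one). <M> and <E> carry the values quoted in the first post; the
# <RSASK> body is a placeholder, not key material.
SAMPLE = """<KEYS>
  <RSASK>-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER
-----END RSA PRIVATE KEY-----</RSASK>
  <RSAPK>
    <M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
+OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M>
    <E>Aw==</E>
  </RSAPK>
</KEYS>"""

MIN_MODULUS_BITS = 2048  # assumed policy floor for RSA signing keys
MIN_EXPONENT = 65537     # assumed policy floor for the public exponent


def b64_to_int(text):
    """Decode a base64 big-endian integer, ignoring line breaks inside it."""
    raw = base64.b64decode("".join(text.split()), validate=True)
    return int.from_bytes(raw, "big")


def audit_key_document(xml_text):
    """Return (modulus, exponent, findings) for a document of the shape above."""
    root = ET.fromstring(xml_text)
    pk = root.find(".//RSAPK")
    if pk is None or pk.find("M") is None or pk.find("E") is None:
        raise ValueError("no <RSAPK> element with <M> and <E>")
    n = b64_to_int(pk.findtext("M"))
    e = b64_to_int(pk.findtext("E"))
    findings = []
    for el in root.iter():
        if el.text and "PRIVATE KEY-----" in el.text:
            findings.append(f"<{el.tag}> embeds a private key")
    if n.bit_length() < MIN_MODULUS_BITS:
        findings.append(f"modulus is only {n.bit_length()} bits")
    if e < MIN_EXPONENT:
        findings.append(f"small public exponent e={e}")
    return n, e, findings


if __name__ == "__main__":
    for finding in audit_key_document(SAMPLE)[2]:
        print("finding:", finding)
```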
 
 
 
 
Jorgen Grahn
 
      12-30-2010
On Tue, 2010-12-28, Adam Tauno Williams wrote:
> On Tue, 2010-12-28 at 03:25 +0530, Anurag Chourasia wrote:
>> Hi All,

>
>> I have a requirement to digitally sign a XML Document using SHA1+RSA
>> or SHA1+DSA
>> Could someone give me a lead on a library that I can use to fulfill
>> this requirement?

>
> <http://stuvel.eu/rsa> Never used it though.
>
>> The XML Document has values such as
>> <RSASK>-----BEGIN RSA PRIVATE KEY-----
>> MIIBOgIBAAJBANWzHfF5Bppe4JKlfZDqFUpNLrwNQqguw76g/jmeO6f4i31rDLVQ
>> n7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQMCQQCOd2lLpgRm6esMblO18WOG

....

> Is this any kind of standard or just something someone made up? Is
> there a namespace for the document?
>
> It seems quite odd that the document contains a *private* key.
>
> If all you need to do is parse the document to retrieve the values that
> seems straight-forward enough.
>
>> And the XML also has another node that has a Public Key with Modules
>> and Exponents etc that I apparently need to utilize.
>> <RSAPK>
>> <M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
>> +OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M>
>> <E>Aw==</E>
>> </RSAPK>

>
>> I am a little thin on this concept and expecting if you could guide me
>> to a library/documentation that I could utilize.


[The original posting by Anurag Chourasia did not reach my news server.]

I'd simply invoke GnuPG. A simple example:

% gpg --sign --armor foo
You need a passphrase to unlock the secret key for
user: ...

% head foo.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (GNU/Linux)

owGs+TuuLdGWRQu9B1hTwsAHaRUhPjN+DjVAWBRgxs+nGAgHA5 8aUA88RHVw6K3N
2PfefJn5Mg2ko6N99lkrYn7G6KN//m//6//l//C/+N/8X/5P/6//+//u//r/+P/+
...

The result isn't XML, but it *is* a standardized file format readable
by anyone. That's worth a lot. You can also create a detached signature
and ship it together with the original file, or skip the '--armor' and
get a binary signed file.

If you really *do* have a requirement to make the result XML-like and
incompatible with anything else, I'm afraid you're on your own, and
will have a lot of extra work testing and making sure it's all secure.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
 
 
 
 
 
Stefan Behnel
 
      12-30-2010
Jorgen Grahn, 30.12.2010 10:41:
> If you really *do* have a requirement to make the result XML-like and
> incompatible with anything else, I'm afraid you're on your own


Well, there's always xmlsec if you need it.

http://www.aleksey.com/xmlsec/

Stefan

 