xmlsec

XML Security Library is a C library based on LibXML2. The library supports major XML security standards:

https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html

Slackbuild

   1 wget https://slackbuilds.org/slackbuilds/14.2/libraries/xmlsec.tar.gz
   2 tar xvzf xmlsec.tar.gz 
   3 cd xmlsec
   4 wget https://www.aleksey.com/xmlsec/download/xmlsec1-1.2.29.tar.gz
   5 ./xmlsec.SlackBuild 
   6 installpkg  /tmp/xmlsec-1.2.29-i586-1_SBo.tgz

Sign with certificate test.xml

openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout privkey.pem
xmlsec1 --sign --privkey-pem privkey.pem --output test_signed.xml test.xml
xmlsec1 --verify test_signed.xml

test.xml

   1 <a>
   2         <b Id="tosign">
   3                 <c>test</c>
   4         </b>
   5 <!-- signature template -->
   6 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   7   <SignedInfo>
   8    <CanonicalizationMethod Algorithm=
   9     "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  10    <SignatureMethod Algorithm=
  11     "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  12    <Reference URI="">
  13     <Transforms>
  14      <Transform Algorithm=
  15       "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  16     </Transforms>
  17     <DigestMethod Algorithm=
  18       "http://www.w3.org/2000/09/xmldsig#sha1"/>
  19     <DigestValue></DigestValue>
  20    </Reference>
  21   </SignedInfo>
  22   <SignatureValue />
  23   <KeyInfo>
  24    <X509Data >
  25     <X509SubjectName/>
  26     <X509IssuerSerial/>
  27     <X509Certificate/>
  28    </X509Data>
  29    <KeyValue />
  30   </KeyInfo>
  31  </Signature>
  32 </a>

test_rsa_sha256.xml

xmlsec1 --sign --privkey-pem privkey.pem,cert.pem --output test_rsa_sha256_signed.xml test_rsa_sha256.xml
xmlsec1 --verify --insecure test_rsa_sha256_signed.xml # self-signed certificate

   1 <a>
   2         <b Id="tosign">
   3                 <c>test</c>
   4         </b>
   5 <!-- signature template -->
   6 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   7   <SignedInfo>
   8    <CanonicalizationMethod Algorithm=
   9     "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  10    <SignatureMethod Algorithm=
  11     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  12    <Reference URI="">
  13     <Transforms>
  14      <Transform Algorithm=
  15       "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  16     </Transforms>
  17     <DigestMethod Algorithm=
  18       "http://www.w3.org/2001/04/xmlenc#sha256"/>
  19     <DigestValue></DigestValue>
  20    </Reference>
  21   </SignedInfo>
  22   <SignatureValue />
  23   <KeyInfo>
  24    <X509Data >
  25     <X509SubjectName/>
  26     <X509IssuerSerial/>
  27     <X509Certificate/>
  28    </X509Data>
  29    <KeyValue />
  30   </KeyInfo>
  31  </Signature>
  32 </a>

test_rsa_sha256_uri.xml

xmlsec1 --sign --id-attr:Id c --privkey-pem privkey.pem,cert.pem --output test_rsa_sha256_uri_signed.xml test_rsa_sha256_uri.xml

2019-10-21T22:47 vitor@nb200:/tmp

xmlsec1 --verify --id-attr:Id c --insecure test_rsa_sha256_uri_signed.xml

   1 <a>
   2         <b>
   3                 <c Id="tosign">test</c>
   4         </b>
   5 <!-- signature template -->
   6 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   7   <SignedInfo>
   8    <CanonicalizationMethod Algorithm=
   9     "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  10    <SignatureMethod Algorithm=
  11     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  12    <Reference URI="#tosign">
  13     <Transforms>
  14      <Transform Algorithm=
  15       "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  16     </Transforms>
  17     <DigestMethod Algorithm=
  18       "http://www.w3.org/2001/04/xmlenc#sha256"/>
  19     <DigestValue></DigestValue>
  20    </Reference>
  21   </SignedInfo>
  22   <SignatureValue />
  23   <KeyInfo>
  24    <X509Data >
  25     <X509SubjectName/>
  26     <X509IssuerSerial/>
  27     <X509Certificate/>
  28    </X509Data>
  29   </KeyInfo>
  30  </Signature>
  31 </a>

test_rsa_sha256_uri_ns.xml

Add the template nodes to the original message to sign.

https://www.w3.org/TR/xmldsig-core1/
openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout privkey.pem
xmlsec1 --sign --id-attr:Id c --privkey-pem privkey.pem,cert.pem --output test_rsa_sha256_uri_ns_signed.xml test_rsa_sha256_uri_ns.xml
xmlsec1 --verify --id-attr:Id c --insecure test_rsa_sha256_uri_ns_signed.xml

   1 <bit:a xmlns:bit="http://bitarus.allowed.org/test">
   2         <bit:b>
   3                 <bit:c Id="tosign">test</bit:c>
   4         </bit:b>
   5 <!-- signature template -->
   6 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   7   <SignedInfo>
   8    <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
   9    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  10    <Reference URI="#tosign">
  11     <Transforms>
  12      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  13     </Transforms>
  14     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  15     <DigestValue />
  16    </Reference>
  17   </SignedInfo>
  18   <SignatureValue />
  19   <KeyInfo>
  20    <X509Data >
  21     <X509Certificate/>
  22    </X509Data>
  23   </KeyInfo>
  24  </Signature>
  25 <!-- signature template -->
  26 </bit:a>