Re: Digitally Signing a XML Document (using SHA1+RSA or SHA1+DSA)

Discussion in 'Python' started by Adam Tauno Williams, Dec 28, 2010.

  1. On Tue, 2010-12-28 at 03:25 +0530, Anurag Chourasia wrote:
    > Hi All,


    > I have a requirement to digitally sign an XML Document using SHA1+RSA
    > or SHA1+DSA
    > Could someone give me a lead on a library that I can use to fulfill
    > this requirement?


    <http://stuvel.eu/rsa> Never used it though.

    > The XML Document has values such as
    > <RSASK>-----BEGIN RSA PRIVATE KEY-----
    > MIIBOgIBAAJBANWzHfF5Bppe4JKlfZDqFUpNLrwNQqguw76g/jmeO6f4i31rDLVQ
    > n7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQMCQQCOd2lLpgRm6esMblO18WOG
    > 3h8oCNcaydfUa1QmaX0apHlDFnI7UDXpYaHp2VL9gvtSJT5L3ZASMzxRPXJSvzcT
    > AiEA/16jQh18BAD4q3yk1gKw19I8OuJOYAxFYX9noCEFWUMCIQDWOiYfPtxK3A1s
    > AFARsDnnHTL4FbRPpiZ79vP+VgqojwIhAKo/F4Fo/VgApceobeQByzqMKCdBiZVd
    > g5ZU78AWA5DXAiEAjtFuv389hz1eSAA1YSAmmhN3UA54NRlu/U9NVDlccF8CIBkc
    > Z52oGxy/skwVwI5TBcB1YqXJTT47/6/hTAVMTwaA -----END RSA PRIVATE
    > KEY-----</RSASK>
    > <RSAPUBK>-----BEGIN PUBLIC KEY-----
    > MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBANWzHfF5Bppe4JKlfZDqFUpNLrwNQqgu
    > w76g/jmeO6f4i31rDLVQn7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQM= -----END
    > PUBLIC KEY-----</RSAPUBK>


    Is this any kind of standard or just something someone made up? Is
    there a namespace for the document?

    It seems quite odd that the document contains a *private* key.

    If all you need to do is parse the document to retrieve the values, that
    seems straightforward enough.

    > And the XML also has another node that has a Public Key with Modules
    > and Exponents etc that I apparently need to utilize.
    > <RSAPK>
    > <M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
    > +OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M>
    > <E>Aw==</E>
    > </RSAPK>


    > I am a little thin on this concept and expecting if you could guide me
    > to a library/documentation that I could utilize.
    Adam Tauno Williams, Dec 28, 2010
    #1
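Reading the values out of the document, as the post above suggests, needs only the standard library. This is an added example, not code from the thread: it decodes the `<RSAPK>` modulus and exponent quoted above and flags the embedded private key Adam remarks on. The `<Doc>` wrapper, the function names and the 2048-bit and 65537 thresholds are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample. <Doc> is a hypothetical wrapper; the <RSAPK> values are
# the ones quoted in the thread; the <RSASK> body is a placeholder, not a key.
SAMPLE = """<Doc>
  <RSASK>-----BEGIN RSA PRIVATE KEY----- PLACEHOLDER -----END RSA PRIVATE KEY-----</RSASK>
  <RSAPK>
    <M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
+OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M>
    <E>Aw==</E>
  </RSAPK>
</Doc>"""


def b64_to_int(text):
    """Decode a base64 big-endian integer, ignoring line breaks in the text."""
    if not text or not text.strip():
        raise ValueError("missing or empty key component")
    raw = base64.b64decode("".join(text.split()), validate=True)
    return int.from_bytes(raw, "big")


def audit(xml_text, min_bits=2048, min_exponent=65537):
    """Return modulus size, exponent and a list of findings for the document."""
    root = ET.fromstring(xml_text)
    node = next(root.iter("RSAPK"), None)
    if node is None:
        raise ValueError("no <RSAPK> element found")
    n = b64_to_int(node.findtext("M"))
    e = b64_to_int(node.findtext("E"))

    findings = []
    # A document that is shipped to others should never carry the signing key.
    if any("PRIVATE KEY" in (el.text or "") for el in root.iter()):
        findings.append("private key material embedded in document")
    if n.bit_length() < min_bits:
        findings.append(f"modulus is only {n.bit_length()} bits")
    if e < min_exponent:
        findings.append(f"small public exponent {e}")
    return {"modulus_bits": n.bit_length(), "exponent": e, "findings": findings}


if __name__ == "__main__":
    print(audit(SAMPLE))
```
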

  2. Adam Tauno Williams

    Jorgen Grahn Guest

    On Tue, 2010-12-28, Adam Tauno Williams wrote:
    > On Tue, 2010-12-28 at 03:25 +0530, Anurag Chourasia wrote:
    >> Hi All,

    >
    >> I have a requirement to digitally sign an XML Document using SHA1+RSA
    >> or SHA1+DSA
    >> Could someone give me a lead on a library that I can use to fulfill
    >> this requirement?

    >
    > <http://stuvel.eu/rsa> Never used it though.
    >
    >> The XML Document has values such as
    >> <RSASK>-----BEGIN RSA PRIVATE KEY-----
    >> MIIBOgIBAAJBANWzHfF5Bppe4JKlfZDqFUpNLrwNQqguw76g/jmeO6f4i31rDLVQ
    >> n7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQMCQQCOd2lLpgRm6esMblO18WOG

    ....

    > Is this any kind of standard or just something someone made up? Is
    > there a namespace for the document?
    >
    > It seems quite odd that the document contains a *private* key.
    >
    > If all you need to do is parse the document to retrieve the values, that
    > seems straightforward enough.
    >
    >> And the XML also has another node that has a Public Key with Modules
    >> and Exponents etc that I apparently need to utilize.
    >> <RSAPK>
    >> <M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
    >> +OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M>
    >> <E>Aw==</E>
    >> </RSAPK>

    >
    >> I am a little thin on this concept and expecting if you could guide me
    >> to a library/documentation that I could utilize.


    [The original posting by Anurag Chourasia did not reach my news server.]

    I'd simply invoke GnuPG. A simple example:

    % gpg --sign --armor foo
    You need a passphrase to unlock the secret key for
    user: ...

    % head foo.asc
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    owGs+TuuLdGWRQu9B1hTwsAHaRUhPjN+DjVAWBRgxs+nGAgHA58aUA88RHVw6K3N
    2PfefJn5Mg2ko6N99lkrYn7G6KN//m//6//l//C/+N/8X/5P/6//+//u//r/+P/+
    ...

    The result isn't XML, but it *is* a standardized file format readable
    by anyone. That's worth a lot. You can also create a detached signature
    and ship it together with the original file, or skip the '--armor' and
    get a binary signed file.

    If you really *do* have a requirement to make the result XML-like and
    incompatible with anything else, I'm afraid you're on your own, and
    will have a lot of extra work testing and making sure it's all secure.

    /Jorgen

    --
    // Jorgen Grahn <grahn@ Oo o. . .
    \X/ snipabacken.se> O o .
    Jorgen Grahn, Dec 30, 2010
    #2

  3. Jorgen Grahn, 30.12.2010 10:41:
    > If you really *do* have a requirement to make the result XML-like and
    > incompatible with anything else, I'm afraid you're on your own


    Well, there's always xmlsec if you need it.

    http://www.aleksey.com/xmlsec/

    Stefan
    Stefan Behnel, Dec 30, 2010
    #3