search

robrichards / xmlseclibs

A PHP library for XML Security
BSD 3-Clause "New" or "Revised" License
387 stars 181 forks source link

How to know exactly what's been signed? #194

Closed langaro closed 5 years ago

langaro commented 5 years ago

Hello, it's me again. Is there a way to know exactly what I'm passing to the class to generate the signature? I need to know this to be sure I'm sending the corrent request to the server.

Thanks in advice

robrichards commented 5 years ago

I'm not sure I follow the question. The references you add indicate what in the document is being signed. Are you trying to see the final xml document post signature?

langaro commented 5 years ago

Actually, I'm trying to be sure that the only tag I sign is the 'InfDeclaracaoPrestacaoServico' tag. I have more tags in the complete XML but I need to sign only this one.

Here's my code:

$objDSig->addReference( $doc->getElementsByTagName('InfDeclaracaoPrestacaoServico')->item(0), XMLSecurityDSig::SHA1, ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'], array('force_uri'=>true, 'overwrite'=>false) );

With it, can I assure that the content of the signature is only the 'InfDeclaracaoPrestacaoServico' tag.?

I had attched the xml to sign and the signed one.

xmls.zip

langaro commented 5 years ago

Hello @robrichards. I'm deeply sorry for asking it again, but, I'm right in my assumption?

robrichards commented 5 years ago

On 3/27/19 2:31 PM, Adriano Langaro wrote:

Actually, I'm trying to be sure that the only tag I sign is the 'InfDeclaracaoPrestacaoServico' tag. I have more tags in the complete XML but I need to sign only this one.

Here's my code:

|$objDSig->addReference( $doc->getElementsByTagName('InfDeclaracaoPrestacaoServico')->item(0), XMLSecurityDSig::SHA1, ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'], array('force_uri'=>true, 'overwrite'=>false) );|

With it, can I assure that the content of the signature is only the 'InfDeclaracaoPrestacaoServico' tag.?

I had attched the xml to sign and the signed one.

xmls.zip https://github.com/robrichards/xmlseclibs/files/3014760/xmls.zip

Yes and you can see that in the signed output.

The URI is pointing to the Id of the InfDeclaracaoPrestacaoServico element Rob
langaro commented 5 years ago

OK. Just what I need. Thank you so much @robrichards.