I had been successfully using the xmlseclibs package up until one point. I had to sign XML and one specific C# endpoint had to validate it, and validation was failing, even though my signed XML document passed internal xmlseclibs validation, validation in a Java endpoint, and the online http://tools.chilkat.io/xmlDsigVerify.cshtml web checker.
I've spent many hours debugging this issue and finally found out that the culprit for the failing checks was whitespace in the signature template, namely:
If the XML you are trying to sign has whitespace = false, and this signature with whitespace is added, it freaks out .NET's System.Security.Cryptography.Xml.SignedXml.CheckSignature method if the .NET side does not have the whitespace or significantWhitespace properties defined (my working theory; maybe it's also connected with how .NET handles EXC-C14N canonicalization):
using System.Security.Cryptography.X509Certificates;
using static System.Security.Cryptography.Xml.SignedXml;
using System.Security.Cryptography.Xml;
...
// Load the signature node into a new XML document
XmlDocument signatureXmlDoc = new XmlDocument();
signatureXmlDoc.LoadXml(nodeList[0].OuterXml);
// Create a new instance of the XML signature object
SignedXml signedXml = new SignedXml(xmlDoc);
// Load the signature node into the signed XML object
signedXml.LoadXml(signatureXmlDoc.DocumentElement);
// Verify the signature
return signedXml.CheckSignature(rsaKey);
...
So the solution is to strip whitespace out of everything before signing:
- the XML you are trying to sign
- the added signature node
Simplified example of how I signed this document with XMLSecurityDSig:
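As an added example (my own code, not the poster's PHP snippet, which is missing from this page), this is one way to implement the fix described above with xmlseclibs: load the document with preserveWhiteSpace = false and drop the whitespace-only text nodes from the ds:Signature template before anything is digested or signed. It assumes the Composer autoloader, the public sigNode property of XMLSecurityDSig, a constructed sample document and a placeholder key path.

```php
<?php
// Added example, not the original poster's code.
require __DIR__ . '/vendor/autoload.php';

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

// Helper (constructed): remove whitespace-only text nodes under $node.
function stripWhitespaceNodes(DOMNode $node): void
{
    $xpath  = new DOMXPath($node->ownerDocument);
    $blanks = $xpath->query('.//text()[normalize-space(.) = ""]', $node);
    foreach (iterator_to_array($blanks) as $blank) {
        $blank->parentNode->removeChild($blank);
    }
}

function signWithoutWhitespace(string $xml, string $keyPath): string
{
    // 1. Document to sign: do not keep formatting whitespace.
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = false;
    $doc->formatOutput = false;
    $doc->loadXML($xml);

    // 2. The ds:Signature template built by xmlseclibs contains newlines and
    //    indentation; strip them BEFORE any digest or signature is computed
    //    (assumes XMLSecurityDSig::$sigNode is public, as in xmlseclibs).
    $dsig = new XMLSecurityDSig();
    stripWhitespaceNodes($dsig->sigNode);

    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    $dsig->addReference(
        $doc,
        XMLSecurityDSig::SHA256,
        ['http://www.w3.org/2000/09/xmldsig#enveloped-signature'],
        ['force_uri' => true]   // Reference URI="" : the whole document
    );

    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
    $key->loadKey($keyPath, true);
    $dsig->sign($key);
    $dsig->appendSignature($doc->documentElement);

    // 3. Serialise without re-introducing indentation.
    return $doc->saveXML();
}

echo signWithoutWhitespace(
    '<Order><Item id="1">Widget</Item></Order>',  // constructed sample input
    '/path/to/private-key.pem'                    // placeholder path
);
```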