Digitally Signing a XML Document (using SHA1+RSA or SHA1+DSA)
Jorgen Grahn
grahn+nntp at snipabacken.se
Thu Dec 30 04:41:25 EST 2010
On Tue, 2010-12-28, Adam Tauno Williams wrote:
> On Tue, 2010-12-28 at 03:25 +0530, Anurag Chourasia wrote:
>> Hi All,
>
>> I have a requirement to digitally sign a XML Document using SHA1+RSA
>> or SHA1+DSA
>> Could someone give me a lead on a library that I can use to fulfill
>> this requirement?
>
> <http://stuvel.eu/rsa> Never used it though.
>
>> The XML Document has values such as
>> <RSASK>-----BEGIN RSA PRIVATE KEY-----
>> MIIBOgIBAAJBANWzHfF5Bppe4JKlfZDqFUpNLrwNQqguw76g/jmeO6f4i31rDLVQ
>> n7sYilu65C8vN+qnEGnPB824t/A3yfMu1G0CAQMCQQCOd2lLpgRm6esMblO18WOG
...
> Is this any kind of standard or just something someone made up? Is
> there a namespace for the document?
>
> It seems quite odd that the document contains a *private* key.
>
> If all you need to do is parse to document to retrieve the values that
> seems straight-forward enough.
>
>> And the XML also has another node that has a Public Key with Modules
>> and Exponents etc that I apparently need to utilize.
>> <RSAPK>
>> <M>1bMd8XkGml7gkqV9kOoVSk0uvA1CqC7DvqD
>> +OZ47p/iLfWsMtVCfuxiKW7rkLy836qcQac8Hzbi38DfJ8y7UbQ==</M>
>> <E>Aw==</E>
>> </RSAPK>
>
>> I am a little thin on this concept and expecting if you could guide me
>> to a library/documentation that I could utilize.
[The original posting by Anurag Chourasia did not reach my news server.]
I'd simply invoke GnuPG. A simple example:
% gpg --sign --armor foo
You need a passphrase to unlock the secret key for
user: ...
% head foo.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (GNU/Linux)
owGs+TuuLdGWRQu9B1hTwsAHaRUhPjN+DjVAWBRgxs+nGAgHA58aUA88RHVw6K3N
2PfefJn5Mg2ko6N99lkrYn7G6KN//m//6//l//C/+N/8X/5P/6//+//u//r/+P/+
...
The result isn't XML, but it *is* a standardized file format readable
by anyone. That's worth a lot. You can also create a detached signature
and ship it together with the original file, or skip the '--armor' and
get a binary signed file.
If you really *do* have a requirement to make the result XML-like and
incompatible with anything else, I'm afraid you're on your own, and
will have a lot of extra work testing and making sure it's all secure.
/Jorgen
--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
More information about the Python-list
mailing list