[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: XML digital signature verification
- From: Sam Roberts <vieuxtech@...>
- Date: Wed, 27 May 2009 16:48:55 -0700
On Wed, May 27, 2009 at 3:40 PM, gary ng <email@example.com> wrote:
> Out of curiosity, how can you embedd the signature into a body for something you want to sign ?
The xml document has an element which is signed, and the element which
contains the signature.
To the OP:
xml signature validation is hard because it requires canonicalization
of the xml prior to digest calculation (it's the digest which is
I suggest finding a C library that does this for you, writing a simple
C function on top that does the sig verification, then binding that
simple function into lua. I'd start by looking at libxml2, I think
they have canonicalization support, and somebody should have
implemented xml-sig on top of it by now.
Remember to verify the x.509 certificate, too, signatures mean nothing
if the signer isn't authenticated.