I am trying to sign XML file with PHP and xmlseclibs. However all validation tools say that my signature is invalid. XMLSpy says: "The calculated digest value doesn't match the digest of reference"
This is my XML:
<root><value>x</value></root>
This is the digest I get:
KaMTM32K5rXl9U6MgG2BXuzNxoQ=
Methods I used to get it:
1.) PHP:
$doc = new DOMDocument();
$doc->loadXML('<root><value>x</value></root>');
echo base64_encode(sha1($doc->documentElement->C14N(), true));
2.) OpenSSL:
openssl dgst -binary -sha1 test.xml | openssl enc -base64
3.) This website: http://hash.online-convert.com/sha1-generator
This is the digest that XMLSpy somehow gets and that works:
HedaN7TMgHgq2bRypzavMuFLoCg=
How do I get this digest?
XMLSpy formats XML before it signs it. It adds line feeds and tabs and C14N does not remove these. When you remove <Signature>
you are left with this XML which is used to calculate digest:
<root>
<value>x</value>
</root>
Another thing XMLSpy does is that it adds attribute URI="" to <Reference>
. PHP library xmlseclibs doesn't do that by default. So I changed my code to this:
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => TRUE));