Home/ Questions/Q 8493215
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T22:56:37+00:00

I have 2 signature file that only different in namespace. Both these file provide

  • 0

I have 2 signature file that only different in namespace. Both these file provide the same message digest. I use the same key to sign with the same algo RSA-SHA1. But there are 2 different signature. I think that as long as the message digest, key and algo is the same, the signature should be the same, no matter how the origin file is.

I use python-xmlsec1 lib with openssl1.0.1.

The first file with namespace:

<?xml version="1.0" encoding="UTF-8"?>
<myns:MyElement xmlns:myns="urn:abc" ID="1">
    <myns:SubElement AssertionID="2" attr1="value1"/>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>zzIulx6UyIN9BrYp0gpW9cCx05k=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Gpcf/Yy1U9M6jvQL024pfMNHqB0+3kpUvFK9XF8wglgKIo9kPi2eyZ0qDEBm93ecXD1CfHLyHZc3gKR4cMsfobOkWDCoT5VA6FYwjyASnGlEyJE7dpvqU1BE7wDuCxDznI1NQsRTw4Ix8jFx20Cd91bbDibYG8Fn9ACVZdHRo=</ds:SignatureValue>
    </ds:Signature>
</myns:MyElement>

The second file with no namespace:

<?xml version="1.0" encoding="UTF-8"?>
<myns:MyElement xmlns:myns="urn:abc" ID="1">
    <myns:SubElement AssertionID="2" attr1="value1"/>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference>
            <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>zzIulx6UyIN9BrYp0gpW9cCx05k=</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>gs3U/ea2KmLbAy5Tle0196W+AcW7ftS2POgZHYaGLUX0QgPXRx5+a0ZhJ4d0NitzaTgXQtnPaMfqcsw8ZMBEQxYLdeulErtosX5bpiOt9SQpbRre7hB8VJPjb2ZT+Vu5V4SkAf1LI624JjeVUr0xrSjoCSP5ppxW87gQDPU=</SignatureValue>
    <KeyInfo>
        <KeyName/>
    </KeyInfo>
</Signature>
</myns:MyElement>

Both file can be verified by the xmlsec (given the public key).

Could anyone please explain how this can occur?

Many thanks,

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I see that the signature value does not depend on digest value only. it is calculated based on the whole SignedInfo node.
    http://www.mismo.org/files/InformationSecurityGuidelines/XML_Signature_Section_for_General_I-Guide-1.pdf

    • 0