I'm trying to figure out how to verify an XML digital signature.
I have received a signed XML response (as a string) in the following format:
<?xml version="1.0" encoding="UTF-8"?>
<ROOT>
<HEADER>
<tag1 />
</HEADER>
<Body />
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>hTKE4DcevU+1LWf78hwVjGJvjwA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tmuTneoW6tHNAv13Z2mybXx/8M+AfF8Qa44DUFZEVk2kdztUiEjk589WJVDecEBsRA2tTQEBhKol/5Bv8bS9Nc1XrS8gKF5vjj14vnFKpSpsNvyooKfv3w50jrOaZeYd5PXWTxB4BT9wL8ogU51/plT6T8A8EdMoLw5zOPO6noTLdi2tAGF3OzLQla+BOtlrxliCfwWkWisBOwWO0kpgsQjxqx2dIS69JHuz5V/aj3tCXLzr2lX9P/S+urn6NU1YEHlVYYs+fFXnKCeHtBhwnz7hDLEB2bovW0rfft3bSNkvylrOfuGbAhRE/ey8g4M3pA5wpufu3eqZv0s4e1uYag==</SignatureValue>
</Signature>
</ROOT>
I have the RSA public key of the sender in .pem format and the digital certificate in .cer format. This is what I've tried so far to verify the signature, based on various resources online:
- Converted the <SignedInfo> root element into canonical format
- Computed the SHA1 digest of the canonicalised XML
- Encrypted the digest with the public key available with me as mentioned above
- Compared the encrypted value with the value present in the <SignatureValue> element in the above XML
However, the two values do not match. Does this mean that the verification has failed? Or am I doing something wrong? (I have a feeling the latter is true)
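An added illustration, not from the question or any answer, of which bytes each value in a dsig Signature covers: DigestValue is a hash of the document with the Signature element removed, while SignatureValue is an RSA signature over the canonicalised SignedInfo itself. It uses only Python's standard library and a constructed sample document shaped like the one above; the stdlib canonicalizer is C14N 2.0, which matches C14N 1.0 only for namespace-simple documents such as this one, and the sample's SignatureValue is a dummy because no private key is involved.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG}
# Allow-list: the verifier decides which algorithms it accepts; the document's own choice is not trusted.
EXPECTED = {"ds:CanonicalizationMethod": "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
            "ds:SignatureMethod": DSIG + "rsa-sha1", "ds:Reference/ds:DigestMethod": DSIG + "sha1"}
ET.register_namespace("", DSIG)  # re-serialise dsig elements with a default xmlns, as in the input

def c14n(elem):
    # stdlib canonicalize() implements C14N 2.0, which gives the same bytes as C14N 1.0 for a
    # namespace-simple document like the question's; production code should use xmlsec/lxml/signxml.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")

def signed_info_bytes(xml_text):
    """What SignatureValue signs: the canonicalised <SignedInfo> element itself, not a digest of it."""
    return c14n(ET.fromstring(xml_text).find("ds:Signature/ds:SignedInfo", NS))

def reference_digest(xml_text):
    """What DigestValue holds: base64(SHA-1(C14N(document with <Signature> removed)))."""
    doc = ET.fromstring(xml_text)
    for parent in doc.iter():  # enveloped-signature transform: drop the Signature element
        sig = parent.find("ds:Signature", NS)
        if sig is not None:
            parent.remove(sig)
            break
    return base64.b64encode(hashlib.sha1(c14n(doc)).digest()).decode("ascii")

def verify_reference(xml_text):
    """Step 1 of verification: declared algorithms are the expected ones and the digest matches."""
    info = ET.fromstring(xml_text).find("ds:Signature/ds:SignedInfo", NS)
    for path, uri in EXPECTED.items():
        node = info.find(path, NS)
        if node is None or node.get("Algorithm") != uri:
            return False
    claimed = info.findtext("ds:Reference/ds:DigestValue", namespaces=NS).strip()
    return claimed == reference_digest(xml_text)

# Constructed sample shaped like the question's document; "%s" is the DigestValue slot, SignatureValue a dummy.
SAMPLE = ('<ROOT><HEADER><tag1/></HEADER><Body>payload</Body><Signature xmlns="%s"><SignedInfo>'
          '<CanonicalizationMethod Algorithm="%s"/><SignatureMethod Algorithm="%s"/><Reference URI="">'
          '<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
          '</Transforms><DigestMethod Algorithm="%s"/><DigestValue>%%s</DigestValue></Reference>'
          '</SignedInfo><SignatureValue>AAAA</SignatureValue></Signature></ROOT>') % (DSIG, *EXPECTED.values())

def make_sample():
    """Fill DigestValue in so that verify_reference(make_sample()) is True."""
    return SAMPLE % reference_digest(SAMPLE % "")
```

Step 2 is then a signature check rather than an encryption: using the sender's key from your own trust store, verify SignatureValue as an RSA PKCS#1 v1.5 signature with SHA-1 (what rsa-sha1 names) over signed_info_bytes(), for example cryptography's public_key.verify(sig, data, PKCS1v15(), SHA1()). Accept the document only when that check and every reference digest both pass.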