Signing xml file with a private key

Hello everyone,


I have an xml file that I have to sign. My way was to turn it into a String, then Data and then sign it with SecKeyCreateSignature using my private key. Signing method should be: RSA SHA256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

I am stuck trying different methods of hashing and signing but nothing is working.

The question is: Is there a way of doing this the right way at all?

All help is appreciated.


(I will provide more info if necessary)

Accepted Reply

This very much depends on exactly how the signature is supposed to be generated. There are numerous ways that you can combine RSA and SHA-256 to form a signature.

The most common approach is to use PKCS#1 v1.5 padding, which is embodied by kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256. You can find an example of this in the CryptoCompatibility sample code, and specifically in the QCCRSASHASignature class.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
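As an added illustration of the reply above (this is not code from the thread, from the CryptoCompatibility sample, or from Apple), the snippet below does the SecKey part of the job with kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256: it imports a PKCS#1 DER-encoded RSA private key, signs the exact bytes of a file (no String round-trip), and verifies the result with the matching public key before anything is sent to a remote validator. The helper names, the 2048-bit key size and the two file paths are assumptions. One caveat that the thread does not spell out: in XML Signature the SignatureValue is computed over the canonicalized SignedInfo element (which in turn carries the digest of the document), not over the raw file bytes, so the bytes you hand to this function must be that canonicalized SignedInfo, base64-encoding the returned signature into the SignatureValue element.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum SigningError: Error {
    case unsupportedAlgorithm
    case keyImportFailed(String)
    case signingFailed(String)
}

/// Builds a SecKey from PKCS#1 DER-encoded RSA private key bytes
/// (the base64-decoded body of a "BEGIN RSA PRIVATE KEY" PEM block).
func makeRSAPrivateKey(pkcs1DER: Data) throws -> SecKey {
    let attributes: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeRSA,
        kSecAttrKeyClass: kSecAttrKeyClassPrivate,
        kSecAttrKeySizeInBits: 2048,   // assumption: a 2048-bit key
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateWithData(pkcs1DER as CFData, attributes as CFDictionary, &error) else {
        throw SigningError.keyImportFailed((error!.takeRetainedValue() as Error).localizedDescription)
    }
    return key
}

/// Signs `message` with PKCS#1 v1.5 padding over a SHA-256 digest
/// (the algorithm named in the reply) and returns the raw signature bytes.
func signRSASHA256(_ message: Data, with privateKey: SecKey) throws -> Data {
    let algorithm: SecKeyAlgorithm = .rsaSignatureMessagePKCS1v15SHA256
    guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm) else {
        throw SigningError.unsupportedAlgorithm
    }
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(privateKey, algorithm, message as CFData, &error) as Data? else {
        throw SigningError.signingFailed((error!.takeRetainedValue() as Error).localizedDescription)
    }
    return signature
}

/// Verifies with the matching public key, so a bad SecKey step is caught locally
/// rather than reported by the remote validator as "wrong signature value".
func verifyRSASHA256(_ message: Data, signature: Data, with publicKey: SecKey) -> Bool {
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, .rsaSignatureMessagePKCS1v15SHA256,
                                 message as CFData, signature as CFData, &error)
}

// Usage: read both files as raw bytes, sign, self-verify, then base64 for SignatureValue.
let keyURL = URL(fileURLWithPath: "/path/to/private-key.der")    // placeholder path
let dataURL = URL(fileURLWithPath: "/path/to/signed-info.c14n")  // placeholder path: canonicalized SignedInfo
do {
    let privateKey = try makeRSAPrivateKey(pkcs1DER: try Data(contentsOf: keyURL))
    let bytes = try Data(contentsOf: dataURL)
    let sig = try signRSASHA256(bytes, with: privateKey)
    if let publicKey = SecKeyCopyPublicKey(privateKey) {
        print("self-verify:", verifyRSASHA256(bytes, signature: sig, with: publicKey))
    }
    print("SignatureValue:", sig.base64EncodedString())
} catch {
    print("error:", error)
}
```

If the self-verify passes but the remote validator still rejects the document, the SecKey call is not the problem; the mismatch is in what bytes were signed (canonicalization, whitespace, encoding) rather than in how they were signed.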

Replies

A "file" can be read in as an NSData object. XML could have different encodings. It is just a sequence of bytes. It is possible that attempting to convert it into a String or Data could alter those bytes. I say it is "possible" because you are probably testing with simple data. There are many cases where this would be virtually guaranteed. So, forget the String stuff. This is a byte sequence.


There seems to be a large number of resources available for signing XML files. I can't imagine there are many Mac or iOS users doing that. But it should be fairly easy to use those existing projects and techniques for verification if nothing else. Some of them might be open source with liberal licenses that you can just re-compile. Once you figure out the basics, you may be able to convert it into Swift if you really want.

It's a mistake on my part for not explaining my situation properly, but I am the one who has to make the XML files and then sign them. I am using AEXML from CocoaPods to do it. I have to send it for validation and I get an error for a wrong signature value every time, even though my signature looks similar (in terms of the amount of data).


That is the one I am using. Just wanted to check if I was maybe doing something wrong. The problem is probably elsewhere.

Thank you for the help.

The description of AEXML says "This is not a robust full featured XML parser, but rather simple, lightweight and easy to use utility for casual XML handling." And it doesn't say anything about adding signatures.


XML can be tricky. You'll find lots of these "basic" tools. But an organization that requires signed XML is probably using XML in a more professional fashion. Those quick-n-dirty projects aren't going to cut it.


There are plenty of resources, including online validators, that you can use to check your signatures. But that is going to be a waste of time until you start with a known, valid signed XML document and you are able to reproduce the signature. You are going to have to step out of the Swift comfort zone for this. Maybe you could write Swift wrappers around existing libraries. But it would be a waste of time to try to reimplement this from scratch.