SHA1 or SHA256 for Permission Artefact digest


#1

Following questions

  1. The DCGA guideline mention SHA256 to be used. but in the digital sky code SHA1 is used for PA digest.
  2. For the digest creation what are the PA XML elements used /all elements are used?
  3. Before the second question would like to know for the SHA digest if XML elements, values and open/close tags are used?

#2

For 2 and 3 we are using all the elements of XML but there is a canonisation method and all that which takes place. It is all in accordance to the W3C standard for signing and dealing with XML. You can find more info on it here


#3

We have generated some sample permission artifacts but have not been able to validate them. Can you post some sample permission artefacts and point to some sample code/online tool through which we can validate them so that we can check if we are doing things correctly?


#4

Hi,
We tried to generate the sample permission artifact and tried to verify them. But we are getting error message saying “signature is invalid”.

Following is the link consist of example of xml digital signature.
https://www.di-mgt.com.au/xmldsig-example.zip

and following is the link to verify the sha1-rsa encrypted xml
https://www.aleksey.com/xmlsec/xmldsig-verifier.html

xml verification is successful when we pass the xml which is given in the example. They are embedding the public key’s modulus and exponent part in xml file.

In case of permission artifact, it is using x509 certificate to validate the same.

Need clarification about how to validate the xml?

Best Regards,
Nikhil


#5

I am able to successfully verify the XML. check here: Open Source NPNT Implementation


#6

Hi,

Thank you for the update. I haven’t gone in details of the code but just thought of compiling and see the output.

While building the code on linux, got this error.

fix:
commented the following section in test_ifaces.c, didn’t go in depth to see the type of key (as i complied the code on command line)

temp_fix

  1. linker error for mxml library which in turn uses pthread library

fix:
add the “-lpthread” in lib section of makefile which is there in test folderpthread_lib

  1. with the new sample permission artifact(downloaded from DS replica), getting segfault error
    seg_fault_new_artifact
    tried with couple of permission artifacts, but getting the same error.

Will try to debug the code. Let us know in case you find the fix.

Thanks!


#7

@nikhil_ingale, can you respond to Open Source NPNT Implementation . So, it would be easy to track queries.
Thanks for testing. I will check this on my ubuntu machine.


#8

@nikhil_ingale I have fixed the issue. Please check.