This library deals with XMLDSIG, RSA signed XML documents.
- See also
- - http://www.di-mgt.com.au/xmldsig.html
- - https://www.bmt-online.org/geekisms/RSA_verify
- - http://stackoverflow.com/questions/5576777/whats-the-difference-between-nid-sha-and-nid-sha1-in-openssl
- xmld_signed_DOM(+DOM, -SignedDOM, +Options) is det
- Translate an XML DOM structure in a signed version. Options:
- key_file(+File)
- File holding the private key needed to sign
- key_password(+Password)
- String holding the password to op the private key.
The SignedDOM must be emitted using xml_write/3 or
xml_write_canonical/3. If xml_write/3 is used, the option
layout(false)
is needed to avoid changing the layout of the
SignedInfo
element and the signed DOM, which will cause the
signature to be invalid.
- dom_hash(+DOM, -ODOM, -Hash, +Options) is det[private]
- Compute the digest for DOM.
- Arguments:
-
Hash | - is the base64 encoded version of the selected SHA
algorithm. |
- signed_info(+Hash, -Signature, -SDOM, -KeyDOM, +Options)[private]
- signed_info_dom(+Hash, -SDOM, +Options) is det[private]
- True when SDOM is the xmldsign:Signature DOM for an object with
the given Hash.
- rsa_signature(+SignedInfo:string, -Signature, -KeyDOM, +Options)[private]
- rsa_key_dom(+Key, -DOM) is det[private]
- Produce the KeyInfo node from the private key.
- key_info(+Key, -Info) is det[private]
- Extract the RSA modulus and exponent from a private key. These
are the first end second field of the rsa term. They are
represented as hexadecimal encoded bytes. We must recode this to
base64.
- To be done
- - Provide better support from library(ssl).
- xmld_verify_signature(+DOM, +SignatureDOM, -Certificate, +Options) is det
- Confirm that an
ds:Signature
element contains a valid
signature. Certificate is bound to the certificate that appears
in the element if the signature is valid. It is up to the caller
to determine if the certificate is trusted or not.
Note: The DOM and SignatureDOM must have been obtained using
the load_structure/3 option keep_prefix(true)
otherwise it is
impossible to generate an identical document for checking the
signature. See also xml_write_canonical/3.