Using external signing service with xmlsec #901

Open
svanschu opened this issue Feb 21, 2025 · 1 comment
Comments

@svanschu

Use case is to use an external signing service which is set on our side and can't be changed. This signing service takes a hash value and delivers a signature back.

My current approach is to use xmlsec1 cmd line on Linux to

  • create a local signature on a tmp file
  • extract the DigestValue
  • use the extracted DigestValue to create a signature with openssl cmd line
  • add the created signature with xmlstarlet to the XML to be signed

The signature can be verified by openssl and is valid, but I noticed that the format of the signature is different between openssl and xmlsec. Xmlsec can't verify the signature which I created with openSSL.

The signature from openssl always starts with MI and the signature of xmlsec1 mostly with A. If I'm not wrong openssl seems to create DER and xmlsec1 something not DER.

Is there a way I can

  • extract the hash
  • sign it externally
  • if needed reformat the signature to a specific format
  • add the signature

with the xmlsec1 cmd line?

Am I on the right path or totally wrong and evil?

@lsh123 (Owner) commented Feb 21, 2025

XMLSec library implements XML DSig spec (https://www.w3.org/TR/xmldsig-core1/). If the external signing service follows the spec then XMLSec library should be able to verify / sign compatible signatures. If it is something custom and doesn't follow the spec -- then you will have to write something compatible yourself.
