I am trying to validate the digital signature with given certificate files for the offline aadhaar KYC verification application.
This instruction is given in the docu
In cryptography, the devil is in the details, like what really is meant by:
remaining XML (without "s" tag)
We are lucky: this ridiculously vague specification comes came with a sample XML file and matching certificate, allowing to:
3031300d060960864801650304020105000420
characteristic of a Digestinfo with SHA-256 we extract the 32-byte value f4efef8c788058df45385ec65a49e92f806b9ffd6fc6d11b4f3c2cf89a81fe2f
, which thus is the expected hash for that example's signed data.So with a little trial and error we find what that signed data really is. We want to start from XML file and remove
s
tag=
(and, should there be any, whitespace between former s
tag and =
, and after =
as allowed by the XML syntax)"
(which contains the base64-encoded signature)s
tag and the one after the closing "
(alternatively, we might want to leave a single space where there are now several, probably three after the removals in bullet points 1-3).then hash what remains including < />
delimiters (as UTF-8), that is in the sample code pass it to BlockUpdate
or verify_update
. For that example:
Update: sample XML, certificate, and the above are in this zip archive.