This folder contains some sample documents with XML digital signatures in
different formats.  These signatures were generated independently of the
Authen::NZRealMe module to ensure interoperability.

The 'xmlsec' tool (https://www.aleksey.com/xmlsec/) was used from the
command-line as follows:

1. Install debian package 'xmlsec1'.

2. Create an unsigned XML document (e.g.: doc.xml).

3. Add a template <Signature /> element like this (vary as required):

   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
     <SignedInfo>
       <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
       <Reference URI="">
         <Transforms>
           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
           <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         </Transforms>
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <DigestValue/>
       </Reference>
     </SignedInfo>
     <SignatureValue/>
   </Signature>

4. Fill in the URI attribute of the <Reference> element with "#id-value" where
   "id-value" matches an attribute called (for example) "ID".

5. Sign using a command like this (in this example, the ID attribute was on an
   <Attribute /> element):

   xmlsec1 --sign --output doc-signed.xml \
      --privkey-pem t/test-conf/idp-assertion-sign-key.pem \
      --id-attr:ID Assertion \
      doc.xml

6. Move the resulting doc-signed.xml into t/signed-docs

The sample command above works with documents that do not use namespaces.  For
documents which do have namespaces it is necessary to be more specific about the
namespace of the element with the target attribute:

   xmlsec1 --sign --output doc-signed.xml \
      --privkey-pem t/test-conf/idp-assertion-sign-key.pem \
      --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion \
      doc.xml

The <X509Certificate /> data is not added using the above command.
To add <X509Certificate /> data, a pkcs12 file containing the key and cert is required.

 a) Add the following <KeyInfo><X509Data/></KeyInfo> to the XML
   <Signature>
   ...
     <SignatureValue/>
     <KeyInfo><X509Data/></KeyInfo>
   </Signature>

 b) create p12 file, use password 123456
    openssl pkcs12 -export \
      -inkey t/test-conf/idp-assertion-sign-key.pem \
      -in t/test-conf/idp-assertion-sign-crt.pem \
      -out t/test-conf/idp-assertion-sign.p12
  Password: 123456
  Verify: 123456

 c) create signed file
   xmlsec1 --sign --output t/signed-docs/30-encrypted-assertion-and-flt-json.xml \
     --pkcs12 t/test-conf/idp-assertion-sign.p12 --pwd 123456 \
     --pubkey-cert-pem t/test-conf/idp-assertion-sign-crt.pem \
     --id-attr:ID Assertion t/test-data/encrypted-assertion-and-flt-json.xml.template

See also: https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html
