[xmlsec] Find out what is signed

Aleksey Sanin aleksey at aleksey.com
Tue Feb 18 11:24:54 PST 2003


Very good question! This is exactly what you want to prevent when working
with XML signatures :)

In xmlsec there is no way to get a list of signed nodes. Instead, you can get
the binary buffer with the signed data and parse it (the reason is that
actually you are signing binary data, not a list of nodes).

In order to instruct xmlsec to store the binary buffer just before
digesting/signing, set to 1 all/some of the following members of the
xmlSecDSigCtx structure:
    storeSignatures
    storeReferences
    storeManifests

The actual buffers are available in the xmlSecDSigResult and
xmlSecReferenceResult structures in the "buffer" member (check the help for
details). An example can be found in xmlsec/apps.c (see the "-print-***"
command line options).

Aleksey


Ulrich.Wimboeck at de.gi-de.com wrote:

>Hi,
>
>in my application I have the following problem:
>In order to sign a part of a document I add a Signature within the tree of
>the element I want to sign. To select the element I use an XPath expression.
>Usually this is no problem.
>
>But now: What if someone adds a signature to the document (of course he
>needs to have the secret key) with the XPath expression as shown in the
>example. This XPath expression does not refer to the data I assume.
>
>Is there a way to get the node (nodelist) which is signed by the signature -
>something like
>xmlNodePtr getSignedNode(xmlNodePtr signatureNode); ?
>Then it would be possible for me to check if the correct node is meant.
>
>Thanx
>Uli
>
><?xml version="1.0" encoding="UTF-8"?>
><Root>
>  <Data SomeAttribute="Value">
>     <Checksum>
>       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>          <SignedInfo>
>            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>            <Reference URI="">
>               <Transforms>
>                 <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
>                    <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">//ancestor-or-self::Data[attribute::SomeAttribute="ValueOfOtherDataElement"]</XPath>
>                 </Transform>
>                 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </Transforms>
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>               <DigestValue>pnyqjufX6FlbaUvSi1PXUpv+++c=</DigestValue>
>            </Reference>
>          </SignedInfo>
>          <SignatureValue>GquSfEU9DZraSLWyIEyr96QNvYY=</SignatureValue>
>       </Signature>
>     </Checksum>
>  </Data>
>  <Data SomeAttribute="ValueOfOtherDataElement"/>
></Root>

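The check Aleksey describes, worked through as an added example that is not part of the thread or of xmlsec itself: once the library hands back the bytes it actually digested for a Reference (in the reply, the "buffer" member of xmlSecReferenceResult), the application parses those bytes and compares what they cover with the element the Signature was placed inside. Below, the pre-digest buffers are constructed stand-ins rather than output from xmlsec, and the document is a trimmed copy of the one in Uli's mail; with the XPath filter from that mail, the digested bytes cover the second Data element, not the one holding the Signature, and the check rejects it.

```python
# Added example (not xmlsec code): verify that a Reference's digested bytes
# cover the element the application intended to sign.
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the document from the thread, trimmed. The Signature
# sits inside the first <Data>, but the filter in the mail selects the second.
DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<Root>
  <Data SomeAttribute="Value">
    <Checksum>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <Reference URI="">
            <DigestValue>pnyqjufX6FlbaUvSi1PXUpv+++c=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>GquSfEU9DZraSLWyIEyr96QNvYY=</SignatureValue>
      </Signature>
    </Checksum>
  </Data>
  <Data SomeAttribute="ValueOfOtherDataElement"/>
</Root>"""

# Constructed stand-ins for the pre-digest buffer a library returns (in the
# thread: xmlSecReferenceResult's "buffer"). Canonicalization writes empty
# elements as a start/end tag pair, and the enveloped-signature transform has
# already removed the Signature subtree from the first buffer.
BUFFER_INTENDED = b'<Data SomeAttribute="Value"><Checksum></Checksum></Data>'
BUFFER_OTHER = b'<Data SomeAttribute="ValueOfOtherDataElement"></Data>'
BUFFER_TWO_NODES = BUFFER_INTENDED + BUFFER_OTHER


def intended_target(doc_bytes, target_tag):
    """Return the nearest ancestor of <ds:Signature> whose tag is target_tag,
    i.e. the element the application meant to sign under the convention from
    the thread (Signature placed inside the element it covers)."""
    root = ET.fromstring(doc_bytes)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: p for p in root.iter() for child in p}
    sig = root.find(f".//{{{DSIG_NS}}}Signature")
    if sig is None:
        return None
    node = parent.get(sig)
    while node is not None and node.tag != target_tag:
        node = parent.get(node)
    return node


def parse_signed_buffer(signed_bytes):
    """Parse the digested bytes. A canonicalized node-set may hold several
    sibling elements and no single root, so wrap it before parsing."""
    root = ET.fromstring(b"<wrap>" + signed_bytes + b"</wrap>")
    return list(root)


def reference_covers_intended_target(doc_bytes, signed_bytes, target_tag):
    """True only if the digested bytes cover exactly one element and that
    element has the tag and attributes of the intended target."""
    target = intended_target(doc_bytes, target_tag)
    if target is None:
        return False
    try:
        covered = parse_signed_buffer(signed_bytes)
    except ET.ParseError:
        return False
    if len(covered) != 1:
        return False  # more (or fewer) nodes signed than the one element
    elem = covered[0]
    return elem.tag == target.tag and dict(elem.attrib) == dict(target.attrib)


if __name__ == "__main__":
    for name, buf in [("intended", BUFFER_INTENDED), ("other", BUFFER_OTHER),
                      ("two nodes", BUFFER_TWO_NODES)]:
        ok = reference_covers_intended_target(DOC, buf, "Data")
        print(f"{name}: {'covers intended element' if ok else 'REJECT'}")
```

Comparing tag and attributes is the minimal version of the check; an application that needs certainty should canonicalize the intended element itself with the same algorithms named in SignedInfo and compare the full byte strings, so that differences in text content or descendants are caught as well.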