[xmlsec] libxml2 --without-http ... and xmlsec

Aleksey Sanin aleksey at aleksey.com
Fri Jul 4 10:51:42 PDT 2003

> My question, as novice for xmlsec is how important for 
> "merlin-xmldsig-twenty-three/signature-external-b64-dsa" test is data 
> referenced from URIs ? 

It's important. This test makes sure that "external signatures" are 
supported (see
xmldsig spec for definition).

> when I would instead of  external to use enveloping signature, how to 
> compute object id, where to look in source or better to remove URI?

It depends on the situation. There are 3 major signature types: 
enveloping, enveloped and external.
The first two define signature included in the same document as signed 
data. In the 3rd case
the XML signature is applied to an external resource thus it verifies 
that this external resource
was not changed. For example, your external data file might be HUGE (say 
100-200 GB) and you
just do not want to put it in XML file because XML processor might die 
reading it. When xmlsec
processes external signature it does not read the whole binary file in 
memory thus it allows
you to sign such huge files.

> Really I would like to have my own callback but not in XmlLIB rather 
> in XmlSEC. 

Actually you probably want to replace both :) Good news is that they 
areexactly the same,
just registered in 2 different places. The reason is that LibXML 
callbacks are used for XML
files and support some "additional" features like automatic gunzip. 
XMLSec uses its own
callbacks for binary files and LibXML callbacks for XML files.


More information about the xmlsec mailing list