[xmlsec] Detached signature validation problem

Frank Gross fg at 4js.com
Thu Mar 6 10:20:04 PST 2008


Thanks for your answer, it's exactly what I was trying to do, but I got 
a problem because when the system computes the signature where I added 
my own URI scheme, the URI is computed in the signature (as expected). 
But when I save it to the disk, I don't want the URI to be there because 
the detached signature could be used by another security system that 
didn't know my "specific" scheme.
Then, when I load the detached signature without my "specific" URI, the 
validation fails due to the signature value that is not the same (of 
course once it was computed with the URI, and once without it).
Therefore, I've had to change the security library a little bit to make 
a distinction between an empty URI, and a URI that is not present. And 
in that last case, I use the IO callback functions to parse my "in 
memory" document.

If you could add a way to perform such operation in a future release, it 
would be great.

Regards,

Frank

P.S: I've added a patch with the modifications if you are interested.



Aleksey Sanin wrote:
> You probably want to overwrite the IO callbacks
>
> http://www.aleksey.com/xmlsec/api/xmlsec-io.html
>
> However, I don't know if this would work for
> a document *without* URI. You probably want to
> identify it somehow and assign *some* uri
> (e.g. foo://<document id> or something like this).
> Then IO callbacks could catch scheme "foo" and
> load the document you need.
>
> Aleksey
>
> Frank Gross wrote:
>> Hi,
>>
>>    I have a problem when I try to validate a detached signature 
>> against my document. The 'xmlSecDSigCtxVerify' function takes two 
>> parameters, the DSig context, and the node pointing to the signature 
>> <dsig:Signature/> <http://www.w3.org/TR/xmldsig-core/#sec-Signature> 
>> node. But as my detached signature has no URI, how can I specify 
>> to the context the document that it has to validate? (The 
>> XML-Signature specification says that in such case, the application 
>> is supposed to know what was signed). Indeed, I try to build an API 
>> that signs any document built in memory and then saves it with the 
>> detached signature to the disk (as a separate XML document of 
>> course), and another one to load both XML documents to validate the 
>> signature.
>>    I was able to sign and verify an enveloped signature, because in 
>> that case the signature is inside the document itself, but with 
>> detached signatures, what is the procedure?
>>
>> Can someone help, or point me to the documentation explaining how to do it.
>>
>> Thanks a lot,
>>
>> Frank
>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch.diff
Type: text/x-diff
Size: 4905 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20080306/9dbe69d6/patch-0002.bin
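The two points raised in this thread are that whatever appears in SignedInfo (the Reference URI attribute included) is covered by the signature, so stripping the URI after signing invalidates it, and that a verifier of a detached signature must treat an absent URI differently from URI="". The following is an added illustration, not xmlsec code and not Frank's patch: a stand-alone Python model in which HMAC-SHA256 over the serialized SignedInfo stands in for the real XML-DSig signature (no canonicalization, no key infrastructure), the `mem:` scheme plays the role of Aleksey's `foo://` idea handled by an IO callback, and the document and key are constructed inline.

```python
"""Toy model of a detached XML signature (constructed example, not xmlsec code)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DSIG_NS)


def _q(tag):
    return f"{{{DSIG_NS}}}{tag}"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_signed_info(doc_bytes, uri):
    """SignedInfo with one Reference whose DigestValue covers doc_bytes.
    uri=None omits the URI attribute entirely (the "no URI" detached case),
    uri="" is the same-document reference, anything else is passed through."""
    si = ET.Element(_q("SignedInfo"))
    ref = ET.SubElement(si, _q("Reference"))
    if uri is not None:
        ref.set("URI", uri)
    ET.SubElement(ref, _q("DigestValue")).text = sha256_hex(doc_bytes)
    return ET.tostring(si)


def sign_detached(doc_bytes, key, uri=None):
    """Return (signed_info_bytes, signature_hex). The HMAC over the serialized
    SignedInfo replaces the real signature; the point is only that every byte
    of SignedInfo, URI attribute included, is under the signature."""
    si = build_signed_info(doc_bytes, uri)
    return si, hmac.new(key, si, hashlib.sha256).hexdigest()


def resolve_reference(uri, enclosing_doc, detached_doc, io_callbacks):
    """Decide which bytes a Reference points to, keeping 'absent' distinct from ''."""
    if uri is None:
        # No URI at all: the application has to know what was signed.
        if detached_doc is None:
            raise LookupError("Reference has no URI and no detached document was supplied")
        return detached_doc
    if uri == "":
        # URI="" means the enclosing document (here only the fragment we were given).
        return enclosing_doc
    scheme, sep, rest = uri.partition(":")
    if sep and scheme in io_callbacks:
        # Application-specific scheme dispatched to an IO callback.
        return io_callbacks[scheme](rest)
    raise LookupError(f"no IO callback for URI {uri!r}")


def verify_detached(signed_info_bytes, signature_hex, key, detached_doc=None, io_callbacks=None):
    """Check the signature over SignedInfo, then every Reference digest."""
    io_callbacks = io_callbacks or {}
    expected = hmac.new(key, signed_info_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature_hex):
        return False
    si = ET.fromstring(signed_info_bytes)
    for ref in si.findall(_q("Reference")):
        uri = ref.get("URI")  # None when the attribute is absent, "" when URI=""
        try:
            data = resolve_reference(uri, signed_info_bytes, detached_doc, io_callbacks)
        except LookupError:
            return False
        if not hmac.compare_digest(sha256_hex(data), ref.findtext(_q("DigestValue")) or ""):
            return False
    return True


def demo():
    key = b"constructed-demo-key"
    doc = b"<invoice><total>42</total></invoice>"  # constructed in-memory document
    memory = {"doc1": doc}
    callbacks = {"mem": lambda path: memory[path.lstrip("/")]}

    # Signed with an application-specific scheme; verifies while the callback exists.
    si_mem, sig_mem = sign_detached(doc, key, uri="mem:///doc1")
    with_callback = verify_detached(si_mem, sig_mem, key, io_callbacks=callbacks)

    # Strip the URI before "saving": SignedInfo changed, so the signature no longer matches.
    si_stripped = build_signed_info(doc, uri=None)
    stripped = verify_detached(si_stripped, sig_mem, key, detached_doc=doc)

    # Sign with no URI at all; the verifier supplies the document out of band.
    si_none, sig_none = sign_detached(doc, key, uri=None)
    absent_ok = verify_detached(si_none, sig_none, key, detached_doc=doc)
    absent_missing = verify_detached(si_none, sig_none, key)  # nothing supplied: fails
    return with_callback, stripped, absent_ok, absent_missing


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The `stripped` case is the failure described above: the signature was computed over a SignedInfo that carried the `mem:` URI, so a copy with the attribute removed can never verify, whichever document the application supplies. The `absent_ok` case shows the alternative Frank ended up with: sign with no URI attribute from the start and let the verifier hand the in-memory document to the Reference whose URI is absent, while `URI=""` keeps its same-document meaning.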

