[xmlsec] Detached signature validation problem
aleksey at aleksey.com
Wed Jun 4 08:19:18 PDT 2008
I am really sorry but I can not accept this patch because it breaks
backward compatibility for existing callbacks. Now, these callbacks
have to expect a NULL uri and before it was guaranteed that the uri is
I still think that the best way is to create a specific scheme for
the in-memory data. The other security system will have to handle
it somehow anyway. Agreeing on the same scheme in this case is a much
better way of doing things.
Frank Gross wrote:
> Thanks for your answer, it's exactly what I was trying to do, but I got
> a problem because when the system computes the signature where I added
> my own URI scheme, the URI is computed in the signature (as expected).
> But when I save it to the disk, I don't want the URI to be there because
> the detached signature could be used by another security system that
> didn't know my "specific" scheme.
> Then, when I load the detached signature without my "specific" URI, the
> validation fails due to the signature value that is not the same (of
> course once it was computed with the URI, and once without it).
> Therefore, I've had to changed the security library a little bit to make
> a difference between an empty URI, and an URI that is not present. And
> in that last case, I use the IO callback functions to parse my "in
> memory" document.
> If you could add a way to perform such operation in a future release, it
> would be great.
> P.S: I've added a patch with the modifications if you are interested in.
> Aleksey Sanin a écrit :
>> You probably want to overwrite the IO callbacks
>> However, I don't know if this would work for
>> a document *without* URI. You probably want to
>> identify it somehow and assign *some* uri
>> (e.g. foo://<document id> or something like this).
>> Then IO callbacks could catch scheme "foo" and
>> load the document you need.
>> Frank Gross wrote:
>>> I have a problem when I try to validate a detached signature
>>> against my document. The 'xmlSecDSigCtxVerify' function takes two
>>> parameters, the DSig context, and the node pointing to the signature
>>> <dsig:Signature/> <http://www.w3.org/TR/xmldsig-core/#sec-Signature>
>>> node. But as my detached signature has no URI, how can can I specify
>>> to the context the document that it has to validate. (The
>>> XML-Signature specification says that in such case, the application
>>> is supposing to know what was signed). Indeed, I try to build an API
>>> that sign any document build in memory and then saved with the
>>> detached signature to the disk (as a separated XML document of
>>> course), and another one to load both XML documents to validate the
>>> I was able to sign and verify an enveloped signature, because in
>>> that case the signature is inside the document itself, but with
>>> detached signatures, what is the procedure ?
>>> Can someone help, or point me to the documentation explaining how to do.
>>> Thanks a lot,
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
> xmlsec mailing list
> xmlsec at aleksey.com
More information about the xmlsec