[xmlsec] Including comments in signatures
Aleksey Sanin
aleksey at aleksey.com
Mon Jul 7 08:03:43 PDT 2008
Hello!

Well, this is one of the "dark corners" of the XMLDSig spec...
From http://www.w3.org/TR/xmldsig-core/

    URI=""
        Identifies the node-set (minus any comment nodes) of the
        XML resource containing the signature

Thus, the comments are removed even before you get to the c14n.
You can work around this by using the following reference URI:

    <Reference URI="#xpointer(/)">

Best,
Aleksey

Olav Morken wrote:
> Hi,
>
> when the XMLSec library processes a reference with a #WithComments
> canonicalization, it doesn't include the comments in the PreDigest data.
>
> Is this a bug or have I misunderstood how the [...]#WithComments
> canonicalizations are supposed to work?
>
>
> To test this I used version 1.2.11 of the XMLSec library, with the
> sign1-program from:
> http://www.aleksey.com/xmlsec/api/xmlsec-examples-sign-template-file.html#XMLSEC-EXAMPLE-SIGN1
> I modified this program slightly to do a debug dump after creating the
> signature. The program is attached as sign1.c, and the debug output
> is attached as debug.txt. The document I tried to sign was test.xml,
> which is also attached.
>
> data.xml looks like this:
> <?xml version="1.0" encoding="UTF-8"?>
> <Test>
> <!-- Comment! -->
> <Data>test</Data>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> ...
> </Signature>
> </Test>
>
> And the relevant part of the debug output is this:
> [...]
> === Transform: c14n-with-comments (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
> [...]
> == PreDigest data - start buffer:
> <Test>
>
> <Data>test</Data>
>
> </Test>
> == PreDigest data - end buffer
> [...]
>
>
> Thanks,
> Olav Morken
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
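
Added example (not part of the original thread, and not xmlsec code): a Python 3.8+ model of the dereference step described above, showing that with URI="" a comment edit leaves the digest unchanged, while with URI="#xpointer(/)" the comment is covered. Assumptions: the standard library's C14N 2.0 canonicalizer stands in for the C14N 1.0 #WithComments transform from the post, SHA-256 is an arbitrary digest choice, the sample document is constructed from the data.xml above without its Signature element, and all function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample modelled on the data.xml in the post (no Signature element).
DOC = "<Test>\n<!-- Comment! -->\n<Data>test</Data>\n</Test>"
DOC_EDITED = DOC.replace("Comment!", "Changed")


def strip_comments(root):
    """Drop comment nodes but keep the text that followed them."""
    for parent in list(root.iter()):
        prev = None
        for child in list(parent):
            if child.tag is ET.Comment:
                if prev is None:
                    parent.text = (parent.text or "") + (child.tail or "")
                else:
                    prev.tail = (prev.tail or "") + (child.tail or "")
                parent.remove(child)
            else:
                prev = child


def predigest(xml_text, uri):
    """Return the text that would be hashed for a whole-document reference."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    if uri == "":
        strip_comments(root)  # node-set minus comments, before any c14n runs
    elif uri != "#xpointer(/)":
        raise ValueError("only whole-document references are modelled")
    # Assumption: C14N 2.0 with comments stands in for C14N 1.0 #WithComments.
    return ET.canonicalize(ET.tostring(root, encoding="unicode"), with_comments=True)


def digest(xml_text, uri):
    """SHA-256 over the pre-digest text (digest algorithm chosen for the example)."""
    return hashlib.sha256(predigest(xml_text, uri).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for uri in ("", "#xpointer(/)"):
        same = digest(DOC, uri) == digest(DOC_EDITED, uri)
        print(f'URI="{uri}": comment edit changes digest: {not same}')
```

When reviewing a signing profile, the same comparison tells you whether comment content is inside or outside what the signature protects.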