[xmlsec] XML Sig verification and missing SignedInfo Reference elment

Aleksey Sanin aleksey at aleksey.com
Mon Sep 16 12:02:12 PDT 2013

Section 4.3

"The structure of SignedInfo includes the canonicalization algorithm, a
signature algorithm, and one or more references."

And the schema:

  Schema Definition:

   <element name="SignedInfo" type="ds:SignedInfoType"/>
   <complexType name="SignedInfoType">
       <element ref="ds:CanonicalizationMethod"/>
       <element ref="ds:SignatureMethod"/>
       <element ref="ds:Reference" maxOccurs="unbounded"/>
     <attribute name="Id" type="ID" use="optional"/>

make me think that Reference element is required.

As a side note, I don't understand what signature are we talking about
if there are no Reference elements.


On 9/16/13 11:59 AM, Tom Wood wrote:
> Aleksey,
>   I last wrote to you in 2012 about XML Signature failure do to
> incompatibility between Windows .NET c14n code and libxml2 c14n.
> You were very helpful.
> I am hoping you can clear up another technical issue with XML signatures.
> The system I am working on is encountering an XML message that has a
> signature but
> does not include a <SignedInfo><Reference> block (and by extension, no
> <DigestValue>).
> It does have a <SignedInfo> block.
> The *xmlsec* application fails verification without a Reference element:
> *func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=830:obj=unknown:subj=unknown:error=81:Reference
> nodes are not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=551:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature failed
> SignedInfo References (ok/all): 0/0
> Manifests References (ok/all): 0/0
> Error: failed to verify file "weird_sig.xml"
> *
> I have been reading the w3c,org spec for XML Signature (
> http://www.w3.org/TR/xmldsig-core/)
> and it does not explicitly state that <Reference> is a required element:
> /|Reference| is an element that *may* occur one or more times./
> Other element references in the doc specifically state if the element is
> required
> (eg
> /||SignatureMethod| is a required element that..
> CanonicalizationMethod|//is a required element that/.. )
> But the same document also states in section 3.1 and 3.2
> /3.1 Core generation
> The REQUIRED steps include the generation of |Reference| elements and
> the |SignatureValue| over |SignedInfo|.
> /
> and  3.2:
> /The REQUIRED steps of core validation
> <http://www.w3.org/TR/xmldsig-core/#def-ValidationCore> include (1)
> reference validation
> <http://www.w3.org/TR/xmldsig-core/#def-ValidationReference>, the
> verification of the
> digest contained in each |Reference| in |SignedInfo|,
> and (2) the cryptographic signature validation
> <http://www.w3.org/TR/xmldsig-core/#def-ValidationSignature> of the
> signature calculated over |SignedInfo|.
> /
> This appears contradictory to the notion that <Reference> is optional in
> a signature.
> Now why anyone would want to sign a document without including a
> Reference and DigestValue is certainly curious, but I am not yet in a
> position to
> criticize this choice if it is technically allowed.
> So is <Reference> optional or not?
> I am hoping the answer is simply that XML signatures MUST include a
> <reference> block.
> The main thing for me is that if it is optional but ***xmlsec* refuses
> to process the signature without <Reference>,
> is there some parameter I must use to skip reference validation?
>  Thanks,
> Tom Wood
> wood at xmission.com

More information about the xmlsec mailing list