[xmlsec] XML Sig verification and missing SignedInfo Reference element
aleksey at aleksey.com
Mon Sep 16 12:02:12 PDT 2013
"The structure of SignedInfo includes the canonicalization algorithm, a
signature algorithm, and one or more references."
And the schema:
<element name="SignedInfo" type="ds:SignedInfoType"/>
<element ref="ds:Reference" maxOccurs="unbounded"/>
<attribute name="Id" type="ID" use="optional"/>
make me think that the Reference element is required.
As a side note, I don't understand what signature we are talking about
if there are no Reference elements.
On 9/16/13 11:59 AM, Tom Wood wrote:
> I last wrote to you in 2012 about XML Signature failure due to
> incompatibility between Windows .NET c14n code and libxml2 c14n.
> You were very helpful.
> I am hoping you can clear up another technical issue with XML signatures.
> The system I am working on is encountering an XML message that has a
> signature but
> does not include a <SignedInfo><Reference> block (and by extension, no
> It does have a <SignedInfo> block.
> The *xmlsec* application fails verification without a Reference element:
> nodes are not found:
> library function failed:
> library function failed:
> Error: signature failed
> SignedInfo References (ok/all): 0/0
> Manifests References (ok/all): 0/0
> Error: failed to verify file "weird_sig.xml"
> I have been reading the w3c.org spec for XML Signature (
> and it does not explicitly state that <Reference> is a required element:
> Reference is an element that *may* occur one or more times.
> Other element references in the doc specifically state if the element is
> SignatureMethod is a required element that..
> CanonicalizationMethod is a required element that.. )
> But the same document also states in section 3.1 and 3.2
> 3.1 Core generation
> The REQUIRED steps include the generation of Reference elements and
> the SignatureValue over SignedInfo.
> and 3.2:
> The REQUIRED steps of core validation
> <http://www.w3.org/TR/xmldsig-core/#def-ValidationCore> include (1)
> reference validation
> <http://www.w3.org/TR/xmldsig-core/#def-ValidationReference>, the
> verification of the
> digest contained in each Reference in SignedInfo,
> and (2) the cryptographic signature validation
> <http://www.w3.org/TR/xmldsig-core/#def-ValidationSignature> of the
> signature calculated over SignedInfo.
> This appears contradictory to the notion that <Reference> is optional in
> a signature.
> Now why anyone would want to sign a document without including a
> Reference and DigestValue is certainly curious, but I am not yet in a
> position to
> criticize this choice if it is technically allowed.
> So is <Reference> optional or not?
> I am hoping the answer is simply that XML signatures MUST include a
> <reference> block.
> The main thing for me is that if it is optional but *xmlsec* refuses
> to process the signature without <Reference>,
> is there some parameter I must use to skip reference validation?
> Tom Wood
> wood at xmission.com
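As an added example, not code from this thread or from xmlsec: a small Python check of the schema constraint Aleksey quotes, namely that ds:SignedInfo must carry exactly one CanonicalizationMethod, exactly one SignatureMethod and one or more Reference elements (an XSD element without minOccurs defaults to minOccurs="1"). The sample documents are constructed here, and the check looks only at structure; it is not a substitute for running the verifier.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Children of ds:SignedInfo as the XMLDSig schema declares them, with the
# (min, max) occurrences allowed; None means unbounded.  An XSD element with
# no minOccurs attribute defaults to minOccurs="1", so the schema line
# <element ref="ds:Reference" maxOccurs="unbounded"/> means "one or more".
SIGNED_INFO_CHILDREN = [
    ("CanonicalizationMethod", 1, 1),
    ("SignatureMethod", 1, 1),
    ("Reference", 1, None),
]

def check_signed_info(xml_text):
    # Return the list of schema-level problems in every ds:SignedInfo of the
    # document.  An empty list only means the structure is what the schema
    # requires; digest and signature checking is still the verifier's job.
    root = ET.fromstring(xml_text)
    problems, found = [], False
    for si in root.iter("{%s}SignedInfo" % DS):
        found = True
        for name, lo, hi in SIGNED_INFO_CHILDREN:
            n = len(si.findall("{%s}%s" % (DS, name)))
            if n < lo:
                problems.append("SignedInfo lacks required ds:%s" % name)
            elif hi is not None and n > hi:
                problems.append("SignedInfo has %d ds:%s, at most %d allowed" % (n, name, hi))
    if not found:
        problems.append("no ds:SignedInfo element found")
    return problems

def sample(references):
    # Constructed Signature (not the thread's weird_sig.xml) whose SignedInfo
    # holds whatever Reference markup the caller passes; SignatureValue is a dummy.
    return ('<Envelope xmlns:ds="%s"><ds:Signature><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
            '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>%s'
            '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>'
            '</ds:Signature></Envelope>' % (DS, references))

# One well-formed Reference with a dummy digest, used to build the "good" sample.
ONE_REFERENCE = ('<ds:Reference URI=""><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
                 '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>')

if __name__ == "__main__":
    for label, refs in (("no Reference", ""), ("one Reference", ONE_REFERENCE)):
        print("%s: %s" % (label, check_signed_info(sample(refs)) or "structure OK"))
```

Run against the Reference-less sample the check reports the missing element by name, which is the plain-language version of xmlsec's "nodes are not found" failure.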