[xmlsec] Verify SignedInfo but not the references

Aleksey Sanin aleksey at aleksey.com
Thu Sep 24 12:49:33 PDT 2015


You can run the complete signature verification and then look
at xmlDsigCtx to figure out what has happened.

Aleksey

On 9/24/15 9:31 AM, Dimitrios Siganos wrote:
> Hi,
> 
> Given an xmldsig signature with many external references to large
> files, I'd like to verify the SignedInfo xml element but I don't want
> to verify the references in the same step. In other words, I'd like to
> check that the SignedInfo has not been tampered with but I don't want
> the xmlsec library to read the external references. I'd like to do
> that myself, in lazy way, on a file by file basis, to allow for
> quicker random access to individual files.
> 
> Here's an example signature:
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="AuthorSignature">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
> <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> <Reference URI="a">
>     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>     <DigestValue>tDyN15x4Nxb1LVVRGRjsiCOhwWNaZ5X5sXtoWSOS0BA=</DigestValue>
> </Reference>
> <Reference URI="b">
>     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>     <DigestValue>HjuL1imtKF3KPAR+Qbb/Mba470xFsmL4ftwgVOE3c4w=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>...data omitted...</SignatureValue>
> <KeyInfo>
> <X509Data> <X509Certificate>...data omitted...</X509Certificate> </X509Data>
> </KeyInfo>
> </Signature>
> 
> From this example signature, I would like to make sure that SignedInfo
> is not tampered but I don't want the library to read the files 'a'
> and 'b' and compare their hashes with the hashes recorded in the
> references.
> 
> Do you have any advice on how best to do that?
> 
> Regards,
> Dimitris
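Once xmlsec has confirmed that SignedInfo itself validates, the per-file check the question asks for is a digest comparison that needs nothing from the library. The Python below is an added example, not xmlsec's or the poster's code: it reads the Reference list without opening anything a URI names, then verifies one referenced object on demand; the two sample "files" and the SignedInfo built around them are constructed here, with real SHA-256 digests and the SignatureValue omitted as in the question.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
DIGEST_ALGORITHMS = {  # DigestMethod URIs accepted here, mapped onto hashlib names
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}

def parse_references(signature_xml: str) -> dict:
    """Return {URI: (hashlib name, expected digest bytes)} from SignedInfo; no URI is opened."""
    ns = {"ds": DSIG_NS}
    refs = {}
    for ref in ET.fromstring(signature_xml).findall("./ds:SignedInfo/ds:Reference", ns):
        uri = ref.get("URI")
        algo = ref.find("ds:DigestMethod", ns).get("Algorithm")
        if algo not in DIGEST_ALGORITHMS:
            raise ValueError(f"unsupported DigestMethod {algo!r} for URI {uri!r}")
        refs[uri] = (DIGEST_ALGORITHMS[algo], base64.b64decode(ref.find("ds:DigestValue", ns).text.strip()))
    return refs

def verify_reference(refs: dict, uri: str, chunks) -> bool:
    """Lazily check one referenced object (streamed as byte chunks) against its recorded digest."""
    if uri not in refs:
        raise KeyError(f"no <Reference URI={uri!r}> in SignedInfo")
    algo, expected = refs[uri]
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    return hmac.compare_digest(h.digest(), expected)  # constant-time comparison

def verify_reference_file(refs: dict, uri: str, path: str) -> bool:
    """File-by-file variant: stream the file in 1 MiB pieces rather than reading it whole."""
    with open(path, "rb") as fh:
        return verify_reference(refs, uri, iter(lambda: fh.read(1 << 20), b""))

# Constructed sample: two small "files" and a SignedInfo shaped like the one in the question.
SAMPLE_FILES = {"a": b"constructed contents of file a\n", "b": b"constructed contents of file b\n"}

def build_sample_signature(files: dict) -> str:
    refs = "".join(
        f'<Reference URI="{name}"><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f"<DigestValue>{base64.b64encode(hashlib.sha256(body).digest()).decode()}</DigestValue></Reference>"
        for name, body in files.items())
    return (f'<Signature xmlns="{DSIG_NS}" Id="AuthorSignature"><SignedInfo>'
            '<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>'
            f'<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>{refs}'
            "</SignedInfo><SignatureValue>omitted</SignatureValue></Signature>")
```

This only replaces the reference step; the SignedInfo signature must still be checked by xmlsec first, since an attacker who can alter a DigestValue without breaking that signature defeats any per-file check.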

