[xmlsec] Verify SignedInfo but not the references

Dimitrios Siganos dimitris at siganos.org
Thu Sep 24 18:35:36 PDT 2015


Hi Aleksey,

I believe the following patch gives me the ability to do what I want,
which is to be able to check the integrity of SignedInfo even if the
references are not all available.

When XMLSEC_DSIG_FLAGS_SKIP_REFERENCE_ERRORS is set, dsigCtx->status
will not be set to invalid due to a reference hash mismatch.
This allows xmlsec to carry on and check the integrity of SignedInfo.
Of course, the user then has more work to do to check if everything
went well. He has to check each dsigRefCtx individually for failure
but that is what I want in my case.

I appreciate that you may not want this feature in the xmlsec library.
However, I'd appreciate it if you thought my patch had a problem.
If you think this is something that you'd like to have in libxmlsec
then I can expand my patch and make it more complete.

diff --git a/include/xmlsec/xmldsig.h b/include/xmlsec/xmldsig.h
index 3cd311e..623b8b1 100644
--- a/include/xmlsec/xmldsig.h
+++ b/include/xmlsec/xmldsig.h
@@ -95,6 +95,14 @@ typedef enum {
 #define XMLSEC_DSIG_FLAGS_USE_VISA3D_HACK                       0x00000010

 /**
+ * XMLSEC_DSIG_FLAGS_SKIP_REFERENCE_ERRORS:
+ *
+ * If this flag is set then errors thrown by <dsig:Reference/> processing
+ * do not change the status of the dsig verification.
+ */
+#define XMLSEC_DSIG_FLAGS_SKIP_REFERENCE_ERRORS               0x00000020
+
+/**
  * xmlSecDSigCtx:
  * @userData:                   the pointer to user data (xmlsec and
xmlsec-crypto libraries
  *                              never touches this).
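Review bot: The doc comment for XMLSEC_DSIG_FLAGS_SKIP_REFERENCE_ERRORS does not say what the caller takes on by setting the flag. It states only that <dsig:Reference/> errors "do not change the status of the dsig verification", so a reader can take a succeeded status as covering the referenced data as well. Suggest adding that, with this flag set, the overall status reflects SignedInfo only and the caller must check the status of each reference context itself. "Thrown" is also odd wording for C errors; "reported" would read better. The name says SKIP while the description says the errors are ignored, so it is worth making the two agree.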
diff --git a/src/xmldsig.c b/src/xmldsig.c
index 10ba03f..e3e39dd 100644
--- a/src/xmldsig.c
+++ b/src/xmldsig.c
@@ -830,8 +833,10 @@
xmlSecDSigCtxProcessSignedInfoNode(xmlSecDSigCtxPtr dsigCtx,
xmlNodePtr node) {

         /* bail out if next Reference processing failed */
         if(dsigRefCtx->status != xmlSecDSigStatusSucceeded) {
-            dsigCtx->status = xmlSecDSigStatusInvalid;
-            return(0);
+            if ((dsigCtx->flags &
XMLSEC_DSIG_FLAGS_SKIP_REFERENCE_ERRORS) == 0) {
+                dsigCtx->status = xmlSecDSigStatusInvalid;
+                return(0);
+            }
         }
         cur = xmlSecGetNextElementNode(cur->next);
     }
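Review bot: In the "if(dsigRefCtx->status != xmlSecDSigStatusSucceeded)" branch, a failure with the flag set leaves no trace at the dsigCtx level: the loop just moves on to the next element, so nothing here lets a caller tell "all references matched" from "some failures were ignored" without walking every reference. Suggest recording that a failure was ignored (a separate field on the context, or at least an error-log entry) so that a caller who forgets the per-reference check cannot mistake the result for a full validation. The comment "bail out if next Reference processing failed" is now true only when the flag is clear and should be updated. The status test still sits after the Reference has been processed, so this hunk changes how a failure is reported, not whether processing runs. The header "-830,8 +833,10" also implies three added lines earlier in src/xmldsig.c that are not in the posted diff.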

Regards,
Dimitris

On Thu, Sep 24, 2015 at 8:49 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> You can run the complete signature verification and then look
> at xmlDsigCtx to figure out what has happened.
>
> Aleksey
>
> On 9/24/15 9:31 AM, Dimitrios Siganos wrote:
>> Hi,
>>
>> Given an xmldsig signature with many external references to large
>> files, I'd like to verify the SignedInfo xml element but I don't want
>> to verify the references in the same step. In other words, I'd like to
>> check that the SignedInfo has not been tampered with but I don't want
>> the xmlsec library to read the external references. I'd like to do
>> that myself, in a lazy way, on a file by file basis, to allow for
>> quicker random access to individual files.
>>
>> Here's an example signature:
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="AuthorSignature">
>> <SignedInfo>
>> <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
>> <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>> <Reference URI="a">
>>     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>     <DigestValue>tDyN15x4Nxb1LVVRGRjsiCOhwWNaZ5X5sXtoWSOS0BA=</DigestValue>
>> </Reference>
>> <Reference URI="b">
>>     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>     <DigestValue>HjuL1imtKF3KPAR+Qbb/Mba470xFsmL4ftwgVOE3c4w=</DigestValue>
>> </Reference>
>> </SignedInfo>
>> <SignatureValue>...data omitted...</SignatureValue>
>> <KeyInfo>
>> <X509Data> <X509Certificate>...data omitted...</X509Certificate> </X509Data>
>> </KeyInfo>
>> </Signature>
>>
>> From this example signature, I would like to make sure that SignedInfo
>> is not tampered but I don't want the library to read the files 'a'
>> and 'b' and compare their hashes with the hashes recorded in the
>> references.
>>
>> Do you have any advice on how best to do that?
>>
>> Regards,
>> Dimitris
>>
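
The lazy, file-by-file check described in the original question, as an added example that is not part of this thread or of xmlsec. It assumes the SignedInfo signature has already been verified (for instance by xmlsec), that the References use SHA-256 and carry no Transforms, as in the sample signature above; the function names and the sample file contents are constructed for illustration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"


def load_reference_digests(signature_xml):
    """Return {Reference URI: expected SHA-256 digest} from SignedInfo.

    Assumption: the caller has already verified the SignedInfo signature;
    until then these digests are attacker-controlled data.
    """
    root = ET.fromstring(signature_xml)
    signed_info = root.find(DS + "SignedInfo")
    if root.tag != DS + "Signature" or signed_info is None:
        raise ValueError("expected a dsig Signature with a SignedInfo child")
    digests = {}
    for ref in signed_info.findall(DS + "Reference"):
        uri = ref.get("URI")
        method = ref.find(DS + "DigestMethod")
        value = ref.find(DS + "DigestValue")
        if uri is None or uri in digests:
            raise ValueError("missing or duplicate Reference URI")
        if ref.find(DS + "Transforms") is not None:
            raise ValueError("Transforms are not handled here: " + uri)
        if method is None or value is None or method.get("Algorithm") != SHA256_URI:
            raise ValueError("unsupported or incomplete Reference: " + uri)
        text = "".join((value.text or "").split())  # base64 may be line-wrapped
        digests[uri] = base64.b64decode(text, validate=True)
    return digests


def verify_reference(digests, uri, stream, chunk_size=1 << 20):
    """Hash one file on demand; a URI not covered by SignedInfo fails closed."""
    expected = digests.get(uri)
    if expected is None:
        return False
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return hmac.compare_digest(h.digest(), expected)


def build_sample_signature(files):
    """Constructed sample input: one Reference per (name, bytes) pair."""
    ref = '<Reference URI="%s"><DigestMethod Algorithm="%s"/><DigestValue>%s</DigestValue></Reference>'
    refs = "".join(ref % (n, SHA256_URI, base64.b64encode(hashlib.sha256(d).digest()).decode())
                   for n, d in files.items())
    return '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>%s</SignedInfo></Signature>' % refs
```

A file is trusted only after verify_reference returns True for it; files never checked, or names absent from SignedInfo, are not covered by the signature.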

