[xmlsec] Signaute that does not sign a node

Aleksey Sanin aleksey at aleksey.com
Mon Nov 30 09:17:18 PST 2020

For cases like this, XML Dsig spec has Object elements:


That can be used to validate the digest w/o invalidating
the signature itself if something goes wrong.


On 11/30/20 8:46 AM, Timothy Legge wrote:
> Hi Aleksey
> That does make sense to me.  I don't have full information about the
> original XML file so I can't say if it was a problem with what was
> provided to me.  I am working on perl's XML::Sig and this case caught
> me by surprise.  I will need to get some more information on where and
> how the file was generated.
> Tim
> On Mon, Nov 30, 2020 at 12:41 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>> Hi Tim,
>> I believe that technically inability to resolve a URI for a Reference
>> (e.g. ID in your case) should result in a failure for calculating digest
>> thus making the signature invalid.
>> Best,
>> Aleksey
>> On 11/25/20 7:31 PM, Timothy Legge wrote:
>>> Hi
>>> I recently had a file that had three signatures but one of the
>>> References in the file did not point to anything in the XML file.
>>> https://pastebin.com/raw/8TWV0AZW
>>> What does one do with that?  In my case I used the reference to look
>>> for a matching node with the ID set to the value of the reference.
>>> Since it was not in the file, I skipped processing that signature.
>>> I know it's a little off topic for this list but I imagine you have
>>> seen something similar before.
>>> Tim
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list