SV: [xmlsec] Adding URI and digest

Aleksey Sanin aleksey@aleksey.com
Tue, 09 Sep 2003 00:33:19 -0700


>To have these external documents available during verification is not a requirement - this
>is enveloped-signature so the surrounding document is available of course.  
>
Unfortunately this is not possible. XMLDSig processing clearly states that the verifier MUST check digests in all <dsig:Reference/> elements and verify the signature for the <dsig:SignedInfo/> element. Thus I am not sure that I understand how it is possible to verify an XML signature if an external document referenced from a <dsig:Reference/> URI attribute is not available.

But you might want to use <dsig:Manifest/> elements instead of <dsig:Reference/>. It seems that it works better in your case because an invalid digest in a <dsig:Manifest/> element does not affect the validity of the signature. The general scheme is:

       0) Digests in <dsig:Manifest/> elements are calculated for something (your external documents, for example).
       1) A special <dsig:Reference/> points to all <dsig:Manifest/> elements, thus its digest is calculated over the digests in the <dsig:Manifest/> elements.
       2) The signature is calculated for <dsig:SignedInfo/> over the <dsig:Reference/> digests.
In this scheme, the signature verifies the digests in the <dsig:Manifest/> elements (compare this with the <dsig:Reference/> case, when the signature verifies the data pointed to by URIs and transforms). You can have an invalid digest in one of the <dsig:Manifest/> elements (or you would not be able to verify it) but you can still verify the other <dsig:Manifest/> elements.

Needless to say, xmlsec does support <dsig:Manifest/>. There is a parameter "processManifests" in xmlSecDSigCtx (0.0.X branch) that controls whether xmlsec would try to calculate or verify digests in <dsig:Manifest/> elements automatically. However, in your case you probably don't want this behaviour, thus you just need to create the signature template for steps 1) and 2) above and make sure that digests in <dsig:Manifest/> elements are calculated and stored in the XML tree *before* calculating the signature. Everything else would be the same as processing any other signature.

The downside of this approach is that <dsig:Manifest/> element support is not a MUST in the XMLDSig specification. Thus not everyone has implemented it. I doubt that you'll have any problem with that because you actually would not use <dsig:Manifest/> elements in any "special" way. But if you use anything besides xmlsec I would strongly recommend checking the interoperability of this solution.

If you cannot use <dsig:Manifest/> elements then you are on your own. Nothing is impossible, but you would have to hack the xmlsec code by yourself. Check the src/xmldsig.c file that does the digest and signature calculations. Probably you want to add something like this:
       - signatures
             Calculate digests if and only if the current <dsig:DigestValue/> is an empty string (this would allow you to set it by yourself).
       - verification
             Do not fail if you could not load the document pointed to by the URI attribute in the <dsig:Reference/> element.
Please note that this solution does not use the actual XMLDSig spec. You are on your own here and probably you should think about security issues. Also the chances that you'll have interop problems with this approach are much bigger.


Aleksey
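The Manifest scheme from steps 0) to 2) above, as an added example that is not part of this message or of xmlsec: a simplified Python model using HMAC-SHA1 as the SignatureMethod, constructed sample documents, and literal-string digests of the elements rather than C14N output. It shows that a missing or altered external document fails only its own Manifest digest while the core signature validation still passes.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample data: two "external documents" and a shared HMAC key
# (HMAC-SHA1 is a SignatureMethod defined by XMLDSig, so no key pair is needed).
DOCS = {"doc1.xml": b"<a>first</a>", "doc2.xml": b"<b>second</b>"}
KEY = b"constructed-shared-secret"

def digest_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_manifest(docs: dict) -> str:
    """Step 0: one Manifest Reference per external document, carrying its digest."""
    refs = "".join(f'<Reference URI="{u}"><DigestValue>{digest_b64(d)}</DigestValue></Reference>'
                   for u, d in docs.items())
    return f'<Manifest Id="m">{refs}</Manifest>'

def sign(manifest_xml: str, key: bytes) -> tuple:
    """Steps 1 and 2: SignedInfo references the Manifest by Id, then SignedInfo is MACed.
    Simplification: the Manifest is digested as the literal string, not as C14N output."""
    signed_info = (f'<SignedInfo><Reference URI="#m"><DigestValue>'
                   f'{digest_b64(manifest_xml.encode())}</DigestValue></Reference></SignedInfo>')
    mac = hmac.new(key, signed_info.encode(), hashlib.sha1).digest()
    return signed_info, base64.b64encode(mac).decode()

def verify_signature(signed_info: str, sig_b64: str, manifest_xml: str, key: bytes) -> bool:
    """Core validation: Reference digest over the Manifest, then the MAC over SignedInfo.
    Neither step touches the external documents, so their absence cannot fail it."""
    expected = ET.fromstring(signed_info).find("Reference/DigestValue").text
    if not hmac.compare_digest(expected, digest_b64(manifest_xml.encode())):
        return False
    mac = hmac.new(key, signed_info.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(sig_b64))

def verify_manifest(manifest_xml: str, available: dict) -> dict:
    """Per-document check: True = digest matches, False = mismatch, None = not available."""
    result = {}
    for ref in ET.fromstring(manifest_xml).findall("Reference"):
        uri, data = ref.get("URI"), available.get(ref.get("URI"))
        if data is None:
            result[uri] = None
        else:
            result[uri] = hmac.compare_digest(ref.find("DigestValue").text, digest_b64(data))
    return result
```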