SV: [xmlsec] Adding URI and digest
Aleksey Sanin
aleksey at aleksey.com
Tue Sep 9 00:33:19 PDT 2003
>To have these external documents available during verification is not a requirement - this
>is enveloped-signature so the surrounding document is available of course.
>
Unfortunately this is not possible. XMLDSig processing clearly states that the verifier MUST check the digests in all <dsig:Reference/> elements and verify the signature for the <dsig:SignedInfo/> element. Thus I am not sure that I understand how it is possible to verify an XML signature if an external document referenced from a <dsig:Reference/> URI attribute is not available.
But you might want to use <dsig:Manifest/> elements instead of <dsig:Reference/>. It seems that it works better in your case because an invalid digest in a <dsig:Manifest/> element does not affect the validity of the signature. The general scheme is:

0) Digests in <dsig:Manifest/> elements are calculated for something (your external documents, for example).
1) A special <dsig:Reference/> points to all <dsig:Manifest/> elements, thus its digest is calculated over the digests in the <dsig:Manifest/> elements.
2) The signature is calculated for <dsig:SignedInfo/> over the <dsig:Reference/> digests.

In this scheme, the signature verifies the digests in the <dsig:Manifest/> element (compare this with the <dsig:Reference/> case, when the signature verifies the data pointed to by URIs and transforms). You can have an invalid digest in one of the <dsig:Manifest/> elements (or you would not be able to verify it) but you still can verify the other <dsig:Manifest/> elements.
Needless to say, xmlsec does support <dsig:Manifest/>. There is a parameter "processManifests" in xmlSecDSigCtx (0.0.X branch) that controls whether xmlsec would try to calculate or verify digests in <dsig:Manifest/> elements automatically. However, in your case you probably don't want this behaviour, thus you just need to create the signature template for steps 1) and 2) above and make sure that the digests in <dsig:Manifest/> elements are calculated and stored in the XML tree *before* calculating the signature. Everything else would be the same as processing any other signature.
The downside of this approach is that <dsig:Manifest/> element support is not a MUST in the XMLDSig specification. Thus not everyone has implemented it. I doubt that you'll have any problem with that because you actually would not use <dsig:Manifest/> elements in any "special" way. But if you use anything besides xmlsec I would strongly recommend checking the interoperability of this solution.
If you cannot use <dsig:Manifest/> elements then you are on your own. Nothing is impossible but you would have to hack the xmlsec code by yourself. Check the src/xmldsig.c file that does the digest and signature calculations. Probably you want to add something like this:

- signatures: calculate digests if and only if the current <dsig:DigestValue/> is an empty string (this would allow you to set it by yourself).
- verification: do not fail if you could not load the document pointed to by the URI attribute in a <dsig:Reference/> element.
Please note that this solution does not follow the actual XMLDSig spec. You are on your own here and probably you should think about security issues. Also the chances that you'll have interop problems with this approach are much bigger.
Aleksey
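The following is an added, self-contained Python sketch of the Manifest scheme described in the reply above (steps 0 to 2 and the verification behaviour); it is not code from the post, from the list, or from xmlsec. It keeps the structure the reply describes: each <dsig:Manifest/> <dsig:Reference/> carries the digest of one external document, a single <dsig:SignedInfo/> <dsig:Reference/> with Type ...#Manifest points at the Manifest, and the signature is computed over <dsig:SignedInfo/> only. Two things are deliberately simplified and are assumptions of the example, so the output is not interoperable XMLDSig: plain ElementTree serialisation stands in for Canonical XML, and HMAC-SHA256 stands in for an RSA or DSA SignatureMethod. The external documents, their URIs and the key are constructed sample data.

```python
"""Toy XMLDSig Manifest scheme (added example, not xmlsec code).

Assumptions: ElementTree serialisation replaces C14N, HMAC-SHA256 replaces
the real SignatureMethod, and "external documents" live in a dict.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
MANIFEST_TYPE = DS + "Manifest"
ET.register_namespace("ds", DS)

# Constructed sample data: the externally referenced documents and an HMAC key.
EXTERNAL_DOCS = {
    "http://example.invalid/a.xml": b"<a>payload A</a>",
    "http://example.invalid/b.xml": b"<b>payload B</b>",
}
KEY = b"shared-secret-for-the-example"


def ds(tag):
    return "{%s}%s" % (DS, tag)


def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def canonical(elem):
    """Stand-in for C14N: deterministic serialisation of one element subtree."""
    return ET.tostring(elem)


def build_manifest(docs, manifest_id="external-docs"):
    """Step 0: one Manifest Reference (URI + digest) per external document."""
    manifest = ET.Element(ds("Manifest"), Id=manifest_id)
    for uri, data in docs.items():
        ref = ET.SubElement(manifest, ds("Reference"), URI=uri)
        ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256_URI)
        ET.SubElement(ref, ds("DigestValue")).text = digest_b64(data)
    return manifest


def sign(manifest, key):
    """Steps 1 and 2: SignedInfo references the Manifest; MAC over SignedInfo."""
    sig = ET.Element(ds("Signature"))
    signed_info = ET.SubElement(sig, ds("SignedInfo"))
    ref = ET.SubElement(signed_info, ds("Reference"),
                        URI="#" + manifest.get("Id"), Type=MANIFEST_TYPE)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256_URI)
    # This digest covers the Manifest element, i.e. the digests of the
    # external documents, never the external documents themselves.
    ET.SubElement(ref, ds("DigestValue")).text = digest_b64(canonical(manifest))
    mac = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, ds("SignatureValue")).text = base64.b64encode(mac).decode()
    ET.SubElement(sig, ds("Object")).append(manifest)
    return ET.tostring(sig)


def verify_core(signature_xml, key):
    """Core validation: every SignedInfo Reference digest must match and the
    signature over SignedInfo must verify. Needs only the signature document."""
    sig = ET.fromstring(signature_xml)
    signed_info = sig.find(ds("SignedInfo"))
    expected = base64.b64decode(sig.findtext(ds("SignatureValue")) or "")
    actual = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, actual):
        return False
    for ref in signed_info.findall(ds("Reference")):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False  # this toy resolves same-document references only
        target = next((e for e in sig.iter() if e.get("Id") == uri[1:]), None)
        if target is None:
            return False
        if digest_b64(canonical(target)) != ref.findtext(ds("DigestValue")):
            return False
    return True


def verify_manifest_references(signature_xml, resolve):
    """Optional per-reference check of the Manifest digests. A missing or
    modified external document shows up here without affecting core validity."""
    sig = ET.fromstring(signature_xml)
    results = {}
    for manifest in sig.iter(ds("Manifest")):
        for ref in manifest.findall(ds("Reference")):
            uri = ref.get("URI")
            data = resolve(uri)  # returns None when the document is unavailable
            if data is None:
                results[uri] = "unavailable"
            elif digest_b64(data) == ref.findtext(ds("DigestValue")):
                results[uri] = "ok"
            else:
                results[uri] = "mismatch"
    return results


def demo():
    signed = sign(build_manifest(EXTERNAL_DOCS), KEY)
    a = "http://example.invalid/a.xml"
    intact = verify_manifest_references(signed, EXTERNAL_DOCS.get)
    # a.xml modified, b.xml unreachable: Manifest checks report it, core still holds.
    degraded = verify_manifest_references(signed, {a: b"<a>tampered</a>"}.get)
    # Editing a digest inside the Manifest does break core validity, because
    # that digest is what the SignedInfo Reference covers.
    forged = signed.replace(digest_b64(EXTERNAL_DOCS[a]).encode(),
                            digest_b64(b"<a>tampered</a>").encode())
    return {"core_valid": verify_core(signed, KEY), "intact": intact,
            "degraded": degraded, "core_valid_after_manifest_edit": verify_core(forged, KEY)}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the three cases the reply distinguishes: with every document reachable, core validation passes and all Manifest references are "ok"; with one document altered and one unreachable, core validation still passes while the Manifest check reports "mismatch" and "unavailable" per URI; and once a digest stored inside the Manifest is edited, core validation fails because the SignedInfo Reference digest no longer matches. A real implementation would apply Canonical XML and the declared SignatureMethod instead of the stand-ins used here.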