[xmlsec] Detached signature validation problem

Aleksey Sanin aleksey at aleksey.com
Wed Jun 4 08:19:18 PDT 2008


I am really sorry but I can not accept this patch because it breaks
backward compatibility for existing callbacks. Now, these callbacks
have to expect a NULL uri and before it was guaranteed that the uri is
always not-NULL.

I still think that the best way is to create a specific scheme for
the in-memory data. The other security system will have to handle
it somehow anyway. Agreeing on the same scheme in this case is a much
better way of doing things.

Sorry again,
Aleksey

Frank Gross wrote:
> 
> Thanks for your answer, it's exactly what I was trying to do, but I got 
> a problem because when the system computes the signature where I added 
> my own URI scheme, the URI is computed in the signature (as expected). 
> But when I save it to the disk, I don't want the URI to be there because 
> the detached signature could be used by another security system that 
> didn't know my "specific" scheme.
> Then, when I load the detached signature without my "specific" URI, the 
> validation fails due to the signature value that is not the same (of 
> course once it was computed with the URI, and once without it).
> Therefore, I've had to changed the security library a little bit to make 
> a difference between an empty URI, and an URI that is not present. And 
> in that last case, I use the IO callback functions to parse my "in 
> memory" document.
> 
> If you could add a way to perform such operation in a future release, it 
> would be great.
> 
> Regards,
> 
> Frank
> 
> P.S: I've added a patch with the modifications if you are interested in.
> 
> 
> 
> Aleksey Sanin a écrit :
>> You probably want to overwrite the IO callbacks
>>
>> http://www.aleksey.com/xmlsec/api/xmlsec-io.html
>>
>> However, I don't know if this would work for
>> a document *without* URI. You probably want to
>> identify it somehow and assign *some* uri
>> (e.g. foo://<document id> or something like this).
>> Then IO callbacks could catch scheme "foo" and
>> load the document you need.
>>
>> Aleksey
>>
>> Frank Gross wrote:
>>> Hi,
>>>
>>>    I have a problem when I try to validate a detached signature 
>>> against my document. The 'xmlSecDSigCtxVerify' function takes two 
>>> parameters, the DSig context, and the node pointing to the signature 
>>> <dsig:Signature/> <http://www.w3.org/TR/xmldsig-core/#sec-Signature> 
>>> node. But as my detached signature has no URI, how can can I specify 
>>> to the context the document that it has to validate. (The 
>>> XML-Signature specification says that in such case, the application 
>>> is supposing to know what was signed). Indeed, I try to build an API 
>>> that sign any document build in memory and then saved with the 
>>> detached signature to the disk (as a separated XML document of 
>>> course), and another one to load both XML documents to validate the 
>>> signature.
>>>    I was able to sign and verify an enveloped signature, because in 
>>> that case the signature is inside the document itself, but with 
>>> detached signatures, what is the procedure ?
>>>
>>> Can someone help, or point me to the documentation explaining how to do.
>>>
>>> Thanks a lot,
>>>
>>> Frank
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec



More information about the xmlsec mailing list