[xmlsec] Detached signature validation problem
Aleksey Sanin
aleksey at aleksey.com
Wed Jun 4 08:19:18 PDT 2008
I am really sorry but I can not accept this patch because it breaks
backward compatibility for existing callbacks. Now, these callbacks
have to expect a NULL uri and before it was guaranteed that the uri is
always not-NULL.
I still think that the best way is to create a specific scheme for
the in-memory data. The other security system will have to handle
it somehow anyway. Agreeing on the same scheme in this case is a much
better way of doing things.
Sorry again,
Aleksey
Frank Gross wrote:
>
> Thanks for your answer, it's exactly what I was trying to do, but I got
> a problem because when the system computes the signature where I added
> my own URI scheme, the URI is computed in the signature (as expected).
> But when I save it to the disk, I don't want the URI to be there because
> the detached signature could be used by another security system that
> didn't know my "specific" scheme.
> Then, when I load the detached signature without my "specific" URI, the
> validation fails due to the signature value that is not the same (of
> course once it was computed with the URI, and once without it).
> Therefore, I've had to changed the security library a little bit to make
> a difference between an empty URI, and an URI that is not present. And
> in that last case, I use the IO callback functions to parse my "in
> memory" document.
>
> If you could add a way to perform such operation in a future release, it
> would be great.
>
> Regards,
>
> Frank
>
> P.S: I've added a patch with the modifications if you are interested in.
>
>
>
> Aleksey Sanin a écrit :
>> You probably want to overwrite the IO callbacks
>>
>> http://www.aleksey.com/xmlsec/api/xmlsec-io.html
>>
>> However, I don't know if this would work for
>> a document *without* URI. You probably want to
>> identify it somehow and assign *some* uri
>> (e.g. foo://<document id> or something like this).
>> Then IO callbacks could catch scheme "foo" and
>> load the document you need.
>>
>> Aleksey
>>
>> Frank Gross wrote:
>>> Hi,
>>>
>>> I have a problem when I try to validate a detached signature
>>> against my document. The 'xmlSecDSigCtxVerify' function takes two
>>> parameters, the DSig context, and the node pointing to the signature
>>> <dsig:Signature/> <http://www.w3.org/TR/xmldsig-core/#sec-Signature>
>>> node. But as my detached signature has no URI, how can can I specify
>>> to the context the document that it has to validate. (The
>>> XML-Signature specification says that in such case, the application
>>> is supposing to know what was signed). Indeed, I try to build an API
>>> that sign any document build in memory and then saved with the
>>> detached signature to the disk (as a separated XML document of
>>> course), and another one to load both XML documents to validate the
>>> signature.
>>> I was able to sign and verify an enveloped signature, because in
>>> that case the signature is inside the document itself, but with
>>> detached signatures, what is the procedure ?
>>>
>>> Can someone help, or point me to the documentation explaining how to do.
>>>
>>> Thanks a lot,
>>>
>>> Frank
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list