[xmlsec] Verify SignedInfo but not the references

Dimitrios Siganos dimitris at siganos.org
Thu Sep 24 09:31:54 PDT 2015


Hi,

Given an xmldsig signature with many extrernal references to large
files, I'd like to verify the SignedInfo xml element but I don't want
to verify the references in the same step. In other words, I'd like to
check that the SignedInfo has not been tampered with but I don't want
the xmlsec library to read the external references. I'd like to do
that myself, in lazy way, on a file by file basis, to allow for
quicker random access to individual files.

Here's an example signature:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="AuthorSignature">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="a">
    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <DigestValue>tDyN15x4Nxb1LVVRGRjsiCOhwWNaZ5X5sXtoWSOS0BA=</DigestValue>
</Reference>
<Reference URI="b">
    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <DigestValue>HjuL1imtKF3KPAR+Qbb/Mba470xFsmL4ftwgVOE3c4w=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...data omitted...</SignatureValue>
<KeyInfo>
<X509Data> <X509Certificate>...data omitted...</X509Certificate> </X509Data>
</KeyInfo>
</Signature>

>From this example signature, I would like to make sure that SignedInfo
is not tamperred but I don't want the library to read the files 'a'
and 'b' and compare their hashes with the hashes recorded in the
references.

Do you have any advice on the how best to do that?

Regards,
Dimitris


More information about the xmlsec mailing list