[xmlsec] Signature that does not sign a node
Aleksey Sanin
aleksey at aleksey.com
Mon Nov 30 09:17:18 PST 2020
For cases like this, XML Dsig spec has Object elements:
https://www.w3.org/TR/xmldsig-core1/#sec-Object
That can be used to validate the digest w/o invalidating
the signature itself if something goes wrong.
Aleksey
On 11/30/20 8:46 AM, Timothy Legge wrote:
> Hi Aleksey
>
> That does make sense to me. I don't have full information about the
> original XML file so I can't say if it was a problem with what was
> provided to me. I am working on perl's XML::Sig and this case caught
> me by surprise. I will need to get some more information on where and
> how the file was generated.
>
> Tim
>
> On Mon, Nov 30, 2020 at 12:41 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> Hi Tim,
>>
>> I believe that technically inability to resolve a URI for a Reference
>> (e.g. ID in your case) should result in a failure for calculating digest
>> thus making the signature invalid.
>>
>> Best,
>>
>> Aleksey
>>
>> On 11/25/20 7:31 PM, Timothy Legge wrote:
>>> Hi
>>>
>>> I recently had a file that had three signatures but one of the
>>> References in the file did not point to anything in the XML file.
>>>
>>> https://pastebin.com/raw/8TWV0AZW
>>>
>>> What does one do with that? In my case I used the reference to look
>>> for a matching node with the ID set to the value of the reference.
>>> Since it was not in the file, I skipped processing that signature.
>>>
>>> I know it's a little off topic for this list but I imagine you have
>>> seen something similar before.
>>>
>>> Tim
>>>
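The behaviour recommended in the reply above (a Reference whose URI cannot be resolved makes the signature invalid rather than being skipped), as an added example that is not code from this thread, XML::Sig or xmlsec. The sample document, the function names and the list of ID attribute names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Assumption: IDs live in attributes with these names. Production code should
# honour only attributes the schema declares as type ID.
ID_ATTRS = ("ID", "Id", "id")

class UnresolvedReference(Exception):
    pass

def resolve_reference(root, uri):
    """Return the element a same-document Reference URI points at, or raise."""
    if uri is None:
        raise UnresolvedReference("Reference has no URI attribute")
    if uri == "":
        return root  # empty URI refers to the whole document
    if not uri.startswith("#"):
        raise UnresolvedReference(f"external URI not dereferenced: {uri!r}")
    wanted = uri[1:]
    hits = [el for el in root.iter() if any(el.get(a) == wanted for a in ID_ATTRS)]
    if len(hits) != 1:  # zero = dangling reference, more than one = ambiguous target
        raise UnresolvedReference(f"{uri!r} matched {len(hits)} elements")
    return hits[0]

def check_signatures(xml_text):
    """One status per ds:Signature in document order. 'references resolve' only
    means digest checking can proceed; it does not mean the signature is valid."""
    root = ET.fromstring(xml_text)
    results = []
    for sig in root.iter(DS + "Signature"):
        status = "references resolve"
        for ref in sig.findall(f"{DS}SignedInfo/{DS}Reference"):
            try:
                resolve_reference(root, ref.get("URI"))
            except UnresolvedReference as exc:
                status = f"invalid: {exc}"  # fail closed, never skip
                break
        results.append(status)
    return results

# Constructed sample: three signatures, the second points at an ID that is absent.
SAMPLE = """<doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <part ID="a1">payload</part>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#gone"/></ds:SignedInfo></ds:Signature>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#o1"/></ds:SignedInfo>
    <ds:Object Id="o1">data</ds:Object></ds:Signature>
</doc>"""

if __name__ == "__main__":
    for i, status in enumerate(check_signatures(SAMPLE), 1):
        print(f"Signature {i}: {status}")
```

Reporting the dangling reference as a failure keeps a caller from treating a document as fully verified when one of its signatures covers nothing.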