[xmlsec] Signature that does not sign a node

Timothy Legge timlegge at gmail.com
Mon Nov 30 11:40:03 PST 2020


Thanks, I'll check it out.

On Mon, Nov 30, 2020 at 1:17 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> For cases like this, XML Dsig spec has Object elements:
>
> https://www.w3.org/TR/xmldsig-core1/#sec-Object
>
> That can be used to validate the digest w/o invalidating
> the signature itself if something goes wrong.
>
> Aleksey
>
> On 11/30/20 8:46 AM, Timothy Legge wrote:
> > Hi Aleksey
> >
> > That does make sense to me.  I don't have full information about the
> > original XML file so I can't say if it was a problem with what was
> > provided to me.  I am working on Perl's XML::Sig and this case caught
> > me by surprise.  I will need to get some more information on where and
> > how the file was generated.
> >
> > Tim
> >
> > On Mon, Nov 30, 2020 at 12:41 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
> >>
> >> Hi Tim,
> >>
> >> I believe that technically inability to resolve a URI for a Reference
> >> (e.g. ID in your case) should result in a failure for calculating digest
> >> thus making the signature invalid.
> >>
> >> Best,
> >>
> >> Aleksey
> >>
> >> On 11/25/20 7:31 PM, Timothy Legge wrote:
> >>> Hi
> >>>
> >>> I recently had a file that had three signatures but one of the
> >>> References in the file did not point to anything in the XML file.
> >>>
> >>> https://pastebin.com/raw/8TWV0AZW
> >>>
> >>> What does one do with that?  In my case I used the reference to look
> >>> for a matching node with the ID set to the value of the reference.
> >>> Since it was not in the file, I skipped processing that signature.
> >>>
> >>> I know it's a little off topic for this list but I imagine you have
> >>> seen something similar before.
> >>>
> >>> Tim
> >>>
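
The point made in the thread (a Reference whose URI resolves to no node should fail the signature rather than let it be skipped), as an added example that is not part of the thread and is not XML::Sig or xmlsec code. It covers only the resolution step, with no digest or signature-value check, and it assumes that attributes named ID, Id or id act as IDs; the sample document is constructed.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ID_ATTRS = ("ID", "Id", "id")  # assumption: these attribute names act as IDs

# Constructed sample: the second signature's Reference points at no node.
SAMPLE = f"""<Doc>
  <Part ID="part-1">payload</Part>
  <Signature xmlns="{DSIG}"><SignedInfo>
    <Reference URI="#part-1"/></SignedInfo></Signature>
  <Signature xmlns="{DSIG}"><SignedInfo>
    <Reference URI="#part-2"/></SignedInfo></Signature>
</Doc>"""


def resolve_references(xml_text):
    """Map each ds:Signature (by document order) to [(uri, status), ...]."""
    root = ET.fromstring(xml_text)
    id_count = {}  # ID value -> number of elements carrying it
    for el in root.iter():
        for value in {el.attrib[a] for a in ID_ATTRS if a in el.attrib}:
            id_count[value] = id_count.get(value, 0) + 1
    report = {}
    for index, sig in enumerate(root.iter(f"{{{DSIG}}}Signature")):
        # Only SignedInfo references are core validation; a Manifest inside
        # ds:Object is left to the application.
        refs = sig.findall(f"{{{DSIG}}}SignedInfo/{{{DSIG}}}Reference")
        report[index] = []
        for ref in refs:
            uri = ref.get("URI")
            if uri == "":
                status = "resolved"      # empty URI: the whole document
            elif uri is None or not uri.startswith("#"):
                status = "unsupported"   # omitted or external URI: not handled here
            else:
                hits = id_count.get(uri[1:], 0)
                status = {0: "unresolved", 1: "resolved"}.get(hits, "ambiguous")
            report[index].append((uri, status))
    return report


def reference_verdicts(xml_text):
    """Fail closed: True only if every Reference resolves to exactly one node.
    True means resolution passed, not that the signature verified."""
    return {index: bool(refs) and all(s == "resolved" for _, s in refs)
            for index, refs in resolve_references(xml_text).items()}
```

A caller would treat any `False` verdict as an invalid signature and report it, instead of dropping that signature from the results.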

