Re: [xmlsec] Signature that does not sign a node
Thanks, I'll check it out.

On Mon, Nov 30, 2020 at 1:17 PM Aleksey Sanin wrote:
>
> For cases like this, XML Dsig spec has Object elements:
>
> https://www.w3.org/TR/xmldsig-core1/#sec-Object
>
> That can be used to validate the digest w/o invalidating
> the signature itself if something goes wrong.
>
> Aleksey
>
> On 11/30/20 8:46 AM, Timothy Legge wrote:
> > Hi Aleksey
> >
> > That does make sense to me. I don't have full information about the
> > original XML file so I can't say if it was a problem with what was
> > provided to me. I am working on perl's XML::Sig and this case caught
> > me by surprise. I will need to get some more information on where and
> > how the file was generated.
> >
> > Tim
> >
> > On Mon, Nov 30, 2020 at 12:41 PM Aleksey Sanin wrote:
> >>
> >> Hi Tim,
> >>
> >> I believe that technically inability to resolve a URI for a Reference
> >> (e.g. ID in your case) should result in a failure for calculating digest
> >> thus making the signature invalid.
> >>
> >> Best,
> >>
> >> Aleksey
> >>
> >> On 11/25/20 7:31 PM, Timothy Legge wrote:
> >>> Hi
> >>>
> >>> I recently had a file that had three signatures but one of the
> >>> References in the file did not point to anything in the XML file.
> >>>
> >>> https://pastebin.com/raw/8TWV0AZW
> >>>
> >>> What does one do with that? In my case I used the reference to look
> >>> for a matching node with the ID set to the value of the reference.
> >>> Since it was not in the file, I skipped processing that signature.
> >>>
> >>> I know it's a little off topic for this list but I imagine you have
> >>> seen something similar before.
> >>>
> >>> Tim

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
Re: [xmlsec] Signature that does not sign a node
For cases like this, XML Dsig spec has Object elements:

https://www.w3.org/TR/xmldsig-core1/#sec-Object

That can be used to validate the digest w/o invalidating
the signature itself if something goes wrong.

Aleksey

On 11/30/20 8:46 AM, Timothy Legge wrote:
> Hi Aleksey
>
> That does make sense to me. I don't have full information about the
> original XML file so I can't say if it was a problem with what was
> provided to me. I am working on perl's XML::Sig and this case caught
> me by surprise. I will need to get some more information on where and
> how the file was generated.
>
> Tim
>
> On Mon, Nov 30, 2020 at 12:41 PM Aleksey Sanin wrote:
>>
>> Hi Tim,
>>
>> I believe that technically inability to resolve a URI for a Reference
>> (e.g. ID in your case) should result in a failure for calculating digest
>> thus making the signature invalid.
>>
>> Best,
>>
>> Aleksey
>>
>> On 11/25/20 7:31 PM, Timothy Legge wrote:
>>> Hi
>>>
>>> I recently had a file that had three signatures but one of the
>>> References in the file did not point to anything in the XML file.
>>>
>>> https://pastebin.com/raw/8TWV0AZW
>>>
>>> What does one do with that? In my case I used the reference to look
>>> for a matching node with the ID set to the value of the reference.
>>> Since it was not in the file, I skipped processing that signature.
>>>
>>> I know it's a little off topic for this list but I imagine you have
>>> seen something similar before.
>>>
>>> Tim
Re: [xmlsec] Signature that does not sign a node
Hi Aleksey

That does make sense to me. I don't have full information about the
original XML file so I can't say if it was a problem with what was
provided to me. I am working on perl's XML::Sig and this case caught
me by surprise. I will need to get some more information on where and
how the file was generated.

Tim

On Mon, Nov 30, 2020 at 12:41 PM Aleksey Sanin wrote:
>
> Hi Tim,
>
> I believe that technically inability to resolve a URI for a Reference
> (e.g. ID in your case) should result in a failure for calculating digest
> thus making the signature invalid.
>
> Best,
>
> Aleksey
>
> On 11/25/20 7:31 PM, Timothy Legge wrote:
> > Hi
> >
> > I recently had a file that had three signatures but one of the
> > References in the file did not point to anything in the XML file.
> >
> > https://pastebin.com/raw/8TWV0AZW
> >
> > What does one do with that? In my case I used the reference to look
> > for a matching node with the ID set to the value of the reference.
> > Since it was not in the file, I skipped processing that signature.
> >
> > I know it's a little off topic for this list but I imagine you have
> > seen something similar before.
> >
> > Tim
Re: [xmlsec] Signature that does not sign a node
Hi Tim,

I believe that technically inability to resolve a URI for a Reference
(e.g. ID in your case) should result in a failure for calculating digest
thus making the signature invalid.

Best,

Aleksey

On 11/25/20 7:31 PM, Timothy Legge wrote:
> Hi
>
> I recently had a file that had three signatures but one of the
> References in the file did not point to anything in the XML file.
>
> https://pastebin.com/raw/8TWV0AZW
>
> What does one do with that? In my case I used the reference to look
> for a matching node with the ID set to the value of the reference.
> Since it was not in the file, I skipped processing that signature.
>
> I know it's a little off topic for this list but I imagine you have
> seen something similar before.
>
> Tim
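
Added example (not part of the original thread, and not code from xmlsec or XML::Sig): a Python check for the rule stated in the reply above, where a same-document Reference URI that does not resolve to exactly one node marks that signature invalid instead of letting it be skipped. The sample XML, the ID attribute names and the function names are constructed assumptions; only reference resolution is checked here, not digest or signature values.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ID_ATTRS = ("ID", "Id", "id")  # assumption: attribute names treated as IDs

# Constructed sample: two signatures; the second references an absent ID.
SAMPLE = """<root xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <doc ID="part1">signed content</doc>
  <ds:Signature Id="sig1"><ds:SignedInfo>
    <ds:Reference URI="#part1"/></ds:SignedInfo></ds:Signature>
  <ds:Signature Id="sig2"><ds:SignedInfo>
    <ds:Reference URI="#missing"/></ds:SignedInfo></ds:Signature>
</root>"""

def index_ids(root):
    """Map each ID value to the elements carrying it (duplicates kept)."""
    ids = {}
    for el in root.iter():
        for name in ID_ATTRS:
            if name in el.attrib:
                ids.setdefault(el.attrib[name], []).append(el)
    return ids

def check_references(xml_text):
    """Return {signature label: (ok, reason)}; unresolved references fail closed.
    ok=True only means every Reference resolves, not that the signature verifies."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    results = {}
    for n, sig in enumerate(root.iter(DS + "Signature")):
        label = sig.get("Id", f"signature[{n}]")
        refs = sig.findall(f"{DS}SignedInfo/{DS}Reference")
        verdict = (True, "all references resolve") if refs else (False, "no Reference")
        for ref in refs:
            uri = ref.get("URI")
            if uri == "":
                continue  # empty URI means the whole document, always resolvable
            if uri is None or not uri.startswith("#"):
                verdict = (False, f"unsupported URI {uri!r}")  # not dereferenced here
                break
            matches = ids.get(uri[1:], [])
            if len(matches) != 1:  # zero = dangling, more than one = ambiguous
                verdict = (False, f"{uri} matches {len(matches)} nodes")
                break
        results[label] = verdict
    return results

if __name__ == "__main__":
    for sig_id, (ok, reason) in check_references(SAMPLE).items():
        print(sig_id, "resolvable" if ok else "INVALID", "-", reason)
```

A signature reported as resolvable still has to pass digest and SignatureValue verification before it is trusted.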