Andrew,

Could you provide a full XML file together with the piece of code you are
using to produce the signature?  There could be something in the
transforms within the references.  There might also be something being
added during the signature build that is not getting properly reflected in
the actual DOM document.  (Which seems likely given your Type comments
below.)
Cheers,
     Berin

> Good day once again,
>
> The problem did NOT have to do with the fact that I have multiple
> signatures in a single file. The problem is that a Signature had
> multiple DSIGReferences to Objects outside the signature, leading to
> a failed verify after the XML file is reloaded from disk.
>
> Here is an example of what I found would NOT work:
>
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?><Blah>
> <Object Id="ObjectA"/>
> <Object Id="ObjectB"/>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
> <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>       <Reference URI="#ObjectA">
> ...
>       </Reference>
>       <Reference URI="#ObjectB">
> ...
>       </Reference>
> </SignedInfo>
> <SignatureValue>BntNqBw59jQHGi9YObpFsw1W0y8=
> </SignatureValue>
> </Signature>
> </Blah>
>
> By removing ObjectB from the picture everything worked fine:
>
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?><Blah>
> <Object Id="ObjectA"/>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
> <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>       <Reference URI="#ObjectA">
> ...
>       </Reference>
> </SignedInfo>
> <SignatureValue>BntNqBw59jQHGi9YObpFsw1W0y8=
> </SignatureValue>
> </Signature>
> </Blah>
>
>
> Even when a signature was referencing only a single Object outside the
> Signature, I was left with:
>
> ->createReference(MAKE_UNICODE_STRING("#Tools"),
> HASH_SHA1, "http://www.w3.org/2000/09/xmldsig#Object"); //Doesn't work
>
> Once I removed the 3rd "type" parameter, everything worked fine:
>
> ->createReference(MAKE_UNICODE_STRING("#Tools")); //Works
>
> I then confirmed that the Object was being included in the Signature by
> modifying the contents of the file, and observing a failed verify
> call.
>
> I feel that these are 2 separate issues, but I could be wrong.
> Perhaps I'm misinterpreting the W3C description of DSigs and what
> they're capable of doing.
>
> My work around is to include the multiple referenced objects under a
> single parent object. So in essence I'm going to use a single
> object/reference, rather than multiple ones (see below):
>
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?><Blah>
> <Object Id="ParentObj">
>   <Object Id="ObjectA"/>
>   <Object Id="ObjectB"/>
> </Object>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
> <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>       <Reference URI="#ParentObj">
> ...
>       </Reference>
> </SignedInfo>
> <SignatureValue>BntNqBw59jQHGi9YObpFsw1W0y8=
> </SignatureValue>
> </Signature>
> </Blah>
>
>
> Sorry for the verbose explanation, but I'm hoping it will help someone
> to tell me what I've done wrong if anything, or it helps them to fix
> whatever bug this may prove to be.
>
> Thanks in advance
>
> Andrew
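Added example (not code from this thread or from the XML Security library it discusses): a small Python signer/verifier for a document with the same Object/Reference shape as the ones quoted above, so that each same-document Reference can be checked on its own after the file is re-parsed, instead of seeing only a single failed verify call. It assumes HMAC-SHA1 with a constructed key, constructed Object content, resolution of `URI="#id"` by scanning for the matching `Id` attribute rather than relying on the DOM knowing which attributes are ID-typed, and the standard library's C14N 2.0 canonicalizer as a stand-in for the inclusive C14N 1.0 named in CanonicalizationMethod (a real verifier must implement the algorithm the document states). The names `sign`, `verify`, `find_by_id`, `c14n`, `SAMPLE_DOC` and `KEY` are this example's own.

```python
# Added example: per-Reference checking of a multi-Object XML-DSig-style document.
# Not the XML Security library's code. See the assumptions above and in comments.
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET  # ET.canonicalize() needs Python 3.8+

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DSIG_NS)  # stable prefix across serialize / re-parse

KEY = b"constructed-demo-hmac-key"  # constructed key, not taken from the thread


def q(local):
    return "{%s}%s" % (DSIG_NS, local)


def c14n(element):
    # Stand-in canonicalizer: stdlib C14N 2.0, not the inclusive C14N 1.0 that the
    # document's CanonicalizationMethod names. Tail whitespace is dropped so the
    # digest covers only the referenced element itself.
    el = copy.copy(element)
    el.tail = None
    return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode("utf-8")


def find_by_id(root, id_value):
    """Resolve '#id' by scanning for the one element whose Id attribute matches.
    (A DOM only resolves IDs it knows are ID-typed; this scan sidesteps that.)"""
    hits = [el for el in root.iter() if el.get("Id") == id_value]
    return hits[0] if len(hits) == 1 else None  # None: missing or ambiguous Id


def sign(xml_text, key):
    """Fill every Reference's DigestValue, then SignatureValue; return signed XML."""
    root = ET.fromstring(xml_text)
    sig = root.find(q("Signature"))
    signed_info = sig.find(q("SignedInfo"))
    for ref in signed_info.findall(q("Reference")):
        target = find_by_id(root, ref.get("URI")[1:])
        if target is None:
            raise ValueError("unresolvable reference %s" % ref.get("URI"))
        digest = hashlib.sha1(c14n(target)).digest()
        ref.find(q("DigestValue")).text = base64.b64encode(digest).decode("ascii")
    # The HMAC covers canonical SignedInfo, which carries all the digests.
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    sig.find(q("SignatureValue")).text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def verify(xml_text, key):
    """Re-parse the text (as after reloading from disk) and check each Reference
    separately. Returns (overall_ok, {uri: reference_ok})."""
    root = ET.fromstring(xml_text)
    sig = root.find(q("Signature"))
    signed_info = sig.find(q("SignedInfo"))
    per_ref = {}
    for ref in signed_info.findall(q("Reference")):
        uri = ref.get("URI")
        target = find_by_id(root, uri[1:])
        if target is None:
            per_ref[uri] = False  # Id not resolvable in the reloaded document
            continue
        expected = base64.b64decode(ref.find(q("DigestValue")).text)
        actual = hashlib.sha1(c14n(target)).digest()
        per_ref[uri] = hmac.compare_digest(expected, actual)
    expected_mac = base64.b64decode(sig.find(q("SignatureValue")).text)
    actual_mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(expected_mac, actual_mac)
    return mac_ok and all(per_ref.values()), per_ref


# Constructed document: same layout as the thread's, with placeholder content.
SAMPLE_DOC = """<Blah>
  <Object Id="ObjectA"><Data>alpha payload</Data></Object>
  <Object Id="ObjectB"><Data>beta payload</Data></Object>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
      <Reference URI="#ObjectA">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue/>
      </Reference>
      <Reference URI="#ObjectB">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue/>
      </Reference>
    </SignedInfo>
    <SignatureValue/>
  </Signature>
</Blah>
"""

if __name__ == "__main__":
    signed = sign(SAMPLE_DOC, KEY)
    print(verify(signed, KEY))
    print(verify(signed.replace("beta payload", "BETA payload"), KEY))
```

Running `verify` on the re-serialized text reports each Reference's outcome separately from the HMAC result, which is exactly what a bare failed verify call hides: a Reference whose `Id` cannot be resolved in the reloaded document, or whose canonical form no longer matches, shows up as `False` for that URI while the other Reference and the HMAC over SignedInfo still pass.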


