Good day once again,

The problem did NOT have to do with the fact that I have multiple signatures in 
a single file. The problem is that a Signature had multiple DSIGReferences to 
Objects outside the signature, leading to a failed verify after the XML file is 
reloaded from disk.

Here is an example of what I found would NOT work:

<?xml version="1.0" encoding="UTF-8" standalone="no" ?><Blah>
<Object Id="ObjectA"/>
<Object Id="ObjectB"/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
<SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
        <Reference URI="#ObjectA">
...
        </Reference>
        <Reference URI="#ObjectB">
...
        </Reference>
</SignedInfo>
<SignatureValue>BntNqBw59jQHGi9YObpFsw1W0y8=
</SignatureValue>
</Signature>
</Blah>

By removing ObjectB from the picture everything worked fine:

<?xml version="1.0" encoding="UTF-8" standalone="no" ?><Blah>
<Object Id="ObjectA"/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
<SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
        <Reference URI="#ObjectA">
...
        </Reference>
</SignedInfo>
<SignatureValue>BntNqBw59jQHGi9YObpFsw1W0y8=
</SignatureValue>
</Signature>
</Blah>


Even when a signature was referencing only a single Object outside the Signature
I was left with:

->createReference(MAKE_UNICODE_STRING("#Tools"), HASH_SHA1, "http://www.w3.org/2000/09/xmldsig#Object"); //Doesn't work

once I removed the 3rd "type" parameter then everything worked fine:

->createReference(MAKE_UNICODE_STRING("#Tools")); //Works

I then confirmed that the Object was being included in the Signature by 
modifying the contents of the file, and observing a failed verify call.

I feel that these are 2 separate issues, but I could be wrong.
Perhaps I'm misinterpreting the W3C description of DSig and what it's 
capable of doing.

My workaround is to include the multiple referenced objects under a single 
parent object. So in essence I'm going to use a single object/reference, rather 
than multiple ones (see below):

<?xml version="1.0" encoding="UTF-8" standalone="no" ?><Blah>
<Object Id="ParentObj">
   <Object Id="ObjectA"/>
   <Object Id="ObjectB"/>
</Object>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
<SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
        <Reference URI="#ParentObj">
...
        </Reference>
</SignedInfo>
<SignatureValue>BntNqBw59jQHGi9YObpFsw1W0y8=
</SignatureValue>
</Signature>
</Blah>


Sorry for the verbose explanation, but I'm hoping it will help someone to tell 
me what I've done wrong if anything, or it helps them to fix whatever bug this 
may prove to be.

Thanks in advance

Andrew
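Added here as a diagnostic for the multi-Reference situation described in the mail above; it is not code from the mail or from the xml-security-c library. It parses a constructed copy of the first document, dereferences each Reference by its Id on its own and digests the target, so an unresolved or duplicated Id shows up per Reference instead of as one failed verify call; the stdlib C14N 2.0 and a plain ElementTree serialize/reparse stand in for the library's C14N 1.0 and the reload from disk.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample after the mail's first document: two Objects, a Reference each, plus one that cannot resolve.
SAMPLE_XML = """<Blah>
<Object Id="ObjectA"/>
<Object Id="ObjectB"/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
  <Reference URI="#ObjectA"/>
  <Reference URI="#ObjectB"/>
  <Reference URI="#Missing"/>
</SignedInfo>
</Signature>
</Blah>"""

def reload_from_disk(xml_text):
    """Serialize and reparse: the round trip the mail describes, in ElementTree terms."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")

def find_by_id(root, fragment_id):
    """Dereference a same-document URI: every element whose Id attribute matches."""
    return [e for e in root.iter() if e.get("Id") == fragment_id]

def element_digest(elem):
    """Base64 SHA-1 of the canonicalized subtree, as a DigestValue would carry it."""
    tail, elem.tail = elem.tail, None  # sibling whitespace is not part of the subtree
    serialized = ET.tostring(elem, encoding="unicode")
    elem.tail = tail
    # Stand-in: stdlib C14N 2.0 rather than the C14N 1.0 algorithm named in the mail.
    c14n = ET.canonicalize(serialized).encode("utf-8")
    return base64.b64encode(hashlib.sha1(c14n).digest()).decode("ascii")

def check_references(xml_text):
    """Resolve every ds:Reference on its own; return {URI: (status, digest_or_None)}."""
    root = ET.fromstring(xml_text)
    report = {}
    for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        targets = find_by_id(root, uri[1:]) if uri.startswith("#") else []
        if len(targets) == 1:
            report[uri] = ("ok", element_digest(targets[0]))
        else:  # one missing or duplicated Id fails the whole signature, not just this Reference
            report[uri] = ("ambiguous" if targets else "unresolved", None)
    return report
```

A signature verifies only when every entry in the report is "ok"; comparing the report before and after reload_from_disk shows whether the round trip itself changed what each Reference resolves to.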
