Hi Andrew,

I had only a quick glance at this, but I think it may have something to do
with the fact that your "Object" is outside the signature, and you specify
the type of the reference to be a reference to a ds:Object element which
should be at the right place in the ds:Signature.

just my 2c,

Karel.


On Thu, 26 Feb 2004, Andrew wrote:

> Good day once again,
>
> The problem did NOT have to do with the fact that I have multiple signatures in
> a single file. The problem is that a Signature had multiple DSIGReferences to
> Objects outside the signature. Leading to failing to verify after the XML file
> is reloaded from disk.
>
> Here is an example of what I found would NOT work:
>
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?><Blah>
> <Object Id="ObjectA"/>
> <Object Id="ObjectB"/>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
> <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>       <Reference URI="#ObjectA">
> ...
>       </Reference>
>       <Reference URI="#ObjectB">
> ...
>       </Reference>
> </SignedInfo>
> <SignatureValue>BntNqBw59jQHGi9YObpFsw1W0y8=
> </SignatureValue>
> </Signature>
> </Blah>
>
> By removing ObjectB from the picture everything worked fine:
>
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?><Blah>
> <Object Id="ObjectA"/>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
> <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>       <Reference URI="#ObjectA">
> ...
>       </Reference>
> </SignedInfo>
> <SignatureValue>BntNqBw59jQHGi9YObpFsw1W0y8=
> </SignatureValue>
> </Signature>
> </Blah>
>
>
> Even when a signature was referencing only a single Object outside the Signature
> I was left with:
>
> ->createReference(MAKE_UNICODE_STRING("#Tools"),
> HASH_SHA1, "http://www.w3.org/2000/09/xmldsig#Object"); //Doesn't work
>
> once I removed the 3rd "type" parameter then everything worked fine:
>
> ->createReference(MAKE_UNICODE_STRING("#Tools")); //Works
>
> I then confirmed that the Object was being included in the Signature by
> modifying the contents of the file, and observing a failed verify call.
>
> I feel that these are 2 separate issues, but I could be wrong.
> Perhaps I'm misinterpreting the W3C description of DSig's and what it's
> capable of doing.
>
> My work around is to include the multiple referenced objects under a single
> parent object. So in essence I'm going to use a single object/reference, rather
> than multiple ones (see below):
>
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?><Blah>
> <Object Id="ParentObj">
>    <Object Id="ObjectA"/>
>    <Object Id="ObjectB"/>
> </Object>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
> <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>       <Reference URI="#ParentObj">
> ...
>       </Reference>
> </SignedInfo>
> <SignatureValue>BntNqBw59jQHGi9YObpFsw1W0y8=
> </SignatureValue>
> </Signature>
> </Blah>
>
>
> Sorry for the verbose explanation, but I'm hoping it will help someone to tell
> me what I've done wrong if anything, or it helps them to fix whatever bug this
> may prove to be.
>
> Thanks in advance
>
> Andrew
>
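As an added example (not code from this thread, and not from the C++ signature library Andrew is calling), the script below shows the two mechanics the exchange turns on. First, a Reference with URI="#id" is a same-document reference resolved through the Id attribute wherever the element lives, so Objects outside the Signature are still covered by their digests and an edit to one of them is caught when the file is reloaded. Second, a Reference whose Type is http://www.w3.org/2000/09/xmldsig#Object claims that its target is a ds:Object; an un-namespaced <Object> outside the Signature, as in Andrew's layout, is not one, and the script reports that mismatch, whereas the same Object placed inside ds:Signature (Karel's suggestion) passes the check. Assumptions: the two documents are constructed and trimmed to the elements the script reads; Python's xml.etree.ElementTree.canonicalize (C14N 2.0, Python 3.8+) stands in for the REC-xml-c14n-20010315 algorithm named in the thread; only the per-Reference digests are handled, not the HMAC SignatureValue.

```python
"""Added example (not code from this thread or from the XML signature library):
same-document "#Id" dereferencing, per-Reference digest checks after a reload,
and a check for the Type="...#Object" vs. non-ds:Object mismatch Karel raises.
Assumption: xml.etree.ElementTree.canonicalize() (Python 3.8+, C14N 2.0) stands
in for REC-xml-c14n-20010315; signing and verifying share it, so digests agree.
"""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed input modelled on Andrew's failing layout (trimmed to the
# elements this example reads): two Objects outside the Signature, both
# referenced from SignedInfo. sign_digests() replaces the "TBD" digests.
DOC_OUTSIDE = f"""<Blah>
<Object Id="ObjectA"><Tool name="hammer"/></Object>
<Object Id="ObjectB"><Tool name="saw"/></Object>
<Signature xmlns="{DS}" Id="Sig">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="{DS}hmac-sha1"/>
<Reference URI="#ObjectA" Type="{DS}Object"><DigestValue>TBD</DigestValue></Reference>
<Reference URI="#ObjectB" Type="{DS}Object"><DigestValue>TBD</DigestValue></Reference>
</SignedInfo>
<SignatureValue>TBD</SignatureValue>
</Signature>
</Blah>"""

# Constructed counterpart following Karel's advice: the Object sits inside
# ds:Signature, inherits the dsig namespace and therefore is a ds:Object.
DOC_INSIDE = f"""<Blah>
<Signature xmlns="{DS}" Id="Sig2">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="{DS}hmac-sha1"/>
<Reference URI="#Inner" Type="{DS}Object"><DigestValue>TBD</DigestValue></Reference>
</SignedInfo>
<SignatureValue>TBD</SignatureValue>
<Object Id="Inner"><Tool name="hammer"/></Object>
</Signature>
</Blah>"""


def find_by_id(root, uri):
    """Same-document dereference: '#x' selects the one element whose Id is 'x'."""
    if not uri.startswith("#"):
        raise ValueError(f"only same-document references handled here: {uri!r}")
    matches = [e for e in root.iter() if e.get("Id") == uri[1:]]
    if len(matches) != 1:
        raise ValueError(f"{uri!r} matched {len(matches)} elements, expected 1")
    return matches[0]


def digest_element(elem):
    """Canonicalize one subtree (tail text excluded); return base64 SHA-1."""
    clone = copy.deepcopy(elem)
    clone.tail = None
    c14n = ET.canonicalize(ET.tostring(clone, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode()


def sign_digests(xml_text):
    """Fill each Reference's DigestValue from its target; return the on-disk form."""
    root = ET.fromstring(xml_text)
    for ref in root.iter(f"{{{DS}}}Reference"):
        target = find_by_id(root, ref.get("URI"))
        ref.find(f"{{{DS}}}DigestValue").text = digest_element(target)
    return ET.tostring(root, encoding="unicode")


def verify_references(xml_text):
    """Reload and recompute every Reference digest; returns {URI: bool}."""
    root = ET.fromstring(xml_text)
    result = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        expected = ref.find(f"{{{DS}}}DigestValue").text.strip()
        result[uri] = digest_element(find_by_id(root, uri)) == expected
    return result


def check_object_types(xml_text):
    """Karel's point as a check: References typed ...#Object whose target is
    not a ds:Object element, returned as [(URI, actual tag), ...]."""
    root = ET.fromstring(xml_text)
    mismatches = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        if ref.get("Type") != DS + "Object":
            continue
        target = find_by_id(root, ref.get("URI"))
        if target.tag != f"{{{DS}}}Object":
            mismatches.append((ref.get("URI"), target.tag))
    return mismatches


if __name__ == "__main__":
    signed = sign_digests(DOC_OUTSIDE)
    print(verify_references(signed), check_object_types(signed))
    print(verify_references(signed.replace('name="saw"', 'name="axe"')))
    inside = sign_digests(DOC_INSIDE)
    print(verify_references(inside), check_object_types(inside))
```

Run as a script it prints, for the outside layout, both references verifying, the edited ObjectB failing, and both references flagged by the Type check; for the inside layout the single reference verifies and nothing is flagged. Whether a given library refuses an Object-typed reference to a non-ds:Object element is that library's decision; the thread's observation is that the one Andrew used did, and the check here surfaces exactly that condition before the document leaves the signing side.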
