What an enveloped signature signs has to do with what its reference(s) point to rather than where it is located. The enveloped part simply indicates it is "somewhere" within the signed content and will need to be removed prior to processing.
And yes - same document references are usually represented with an empty URI which means the entire content is signed or an X-Pointer reference to an ID (like Uri="#_someID") which means the element with the ID value AND ALL of its descendants will be signed. Again, this has nothing to do with WHERE in the document the signature element is.

Cheers,
mal

On Sat, Mar 12, 2011 at 2:37 PM, Michael Bishop <[email protected]> wrote:

>> An enveloped signature is over the data that contains the Signature
>> element.
>
> Can you elaborate on this? Here's an example.
>
> <root>
>   <content/>
>   <ds:Signature/>
> </root>
>
> What is signed here? <root>? Or both <root> and <content>?
>
> <root>
>   <content>
>     <ds:Signature/>
>   </content>
> </root>
>
> I would assume that in this case, only <content> is signed.
>
> I understand that typically, an enveloped signature signs the content
> represented by its parent. But does it sign the parent AND all the parent's
> children?
>
> <root>
>   <content>
>     <subContent/>
>   </content>
>   <moreContent>
>     <subContent/>
>   </moreContent>
>   <ds:Signature/>
> </root>
>
> I would assume this signature signs the entire document. If not, how would
> I do that?
>
> Thanks,
>
> Michael
>
> On Wed, Mar 9, 2011 at 10:00 AM, Michael Bishop <[email protected]> wrote:
>
>> OK, this is now issue 265 in the Santuario project. I attached a test
>> case and the certificate I'm using for the test. Thanks for checking into
>> it.
>>
>> Michael
>>
>> On Wed, Mar 9, 2011 at 4:47 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>
>>> Can you create a test-case and attach it to JIRA and I'll take a look?
>>>
>>> Thanks,
>>>
>>> Colm.
>>>
>>> On Tue, Mar 8, 2011 at 8:57 PM, Michael Bishop <[email protected]> wrote:
>>> > Hello,
>>> >
>>> > I'm having a problem with creating an enveloped signature. I was able to
>>> > create an enveloping signature just fine, but the enveloped signature hangs
>>> > on the XMLSignature.sign(privateKey) method for a long time, before throwing
>>> > an error.
>>> >
>>> > I was able to figure out what the error was; by default, the
>>> > XMLSignature.sign(privateKey) method was trying to access
>>> > http://www.w3.org/2000/09/xmldsig#rsa-sha1 and failing. I can pull that up
>>> > in my browser, so I don't know why it's hanging there. I didn't have this
>>> > issue with an enveloping signature.
>>> >
>>> > I wrote an extension of ResourceResolverSpi and mapped
>>> > http://www.w3.org/2000/09/xmldsig#rsa-sha1 to point to the schema included
>>> > in the XML Security JAR file. That works fine, but I'm wondering what the
>>> > best solution is, and why enveloped signatures need to access this URL at
>>> > all?
>>> >
>>> > I can provide code as needed if it's necessary.
>>> >
>>> > Thanks,
>>> >
>>> > Michael Bishop
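The scoping described in the reply at the top of this thread can be checked by signing, editing the document afterwards, and validating; the following is an added example, not code from any message in the thread. It assumes JDK 11 or later and uses the JDK's javax.xml.crypto.dsig API with RSA-SHA256 instead of the Santuario XMLSignature class and rsa-sha1 mentioned above; the class name EnvelopedScope, the helper validAfterEdit, the Id value "c1" and the throwaway key pair are all made up for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class EnvelopedScope {
    // Constructed sample document; the Id value "c1" is made up for this example.
    static final String XML =
        "<root><content Id=\"c1\"><subContent/></content><moreContent/></root>";
    static final XMLSignatureFactory F = XMLSignatureFactory.getInstance("DOM");

    // Signs one Reference to `uri` (the Signature is always placed inside <content>),
    // edits the element named `edited` afterwards, and returns the validation result.
    static boolean validAfterEdit(String uri, String edited, KeyPair kp) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document d = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(XML.getBytes("UTF-8")));
        Element content = (Element) d.getElementsByTagName("content").item(0);
        content.setIdAttribute("Id", true); // register Id so "#c1" can be dereferenced
        Reference ref = F.newReference(uri, F.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(F.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = F.newSignedInfo(
            F.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            F.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        F.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), content));
        d.getElementsByTagName(edited).item(0).setTextContent("edited"); // change made after signing
        Node sig = d.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(kp.getPublic(), sig);
        return F.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        System.out.println("URI=\"\",    edit <moreContent>: " + validAfterEdit("", "moreContent", kp));
        System.out.println("URI=\"#c1\", edit <subContent>:  " + validAfterEdit("#c1", "subContent", kp));
        System.out.println("URI=\"#c1\", edit <moreContent>: " + validAfterEdit("#c1", "moreContent", kp));
    }
}
```

Only the third case is expected to validate: with the empty URI an edit outside the Signature's parent still breaks the signature, while with "#c1" only changes to that element or its descendants do. For a verifier this means checking which Reference URIs a signature actually carries before trusting any part of the document.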
