>
> What an enveloped signature signs has to do with what its reference(s)
> point to rather than where it is located.
>
OK, I think I'm getting the idea here. So, if we take the example of a
"guest book", where each person who signs the guest book only signs his/her
entry, we must use references.
<guestbook>
<!-- Chuck's entry in the guest book. -->
<entry id="chuck"/>
<!-- Jane's entry in the guest book. -->
<entry id="jane"/>
<!-- Giles' entry in the guest book. -->
<entry id="giles"/>
<!-- Chuck's signature that signs his entry. -->
<ds:Signature>
<ds:Reference URI="#chuck"/>
</ds:Signature>
<!-- Jane's signature that signs her entry. -->
<ds:Signature>
<ds:Reference URI="#jane"/>
</ds:Signature>
<!-- Giles' signature that signs his entry. -->
<ds:Signature>
<ds:Reference URI="#giles"/>
</ds:Signature>
</guestbook>
In the above example, those signatures could live anywhere (I guess in a true
"enveloped" environment, they would live inside the <entry> elements), as
long as they point to the proper URIs. Are those the proper URIs? How do
you tag content with reference points? Do I have to use a <ds:Object>
element to do that as in enveloping signatures?
Basically, how do I properly sign multiple pieces of content with multiple
signatures in the same document? Are there any good references I can read through?
Thanks,
Michael
On Sat, Mar 12, 2011 at 1:21 AM, Malcolm Young <[email protected]> wrote:
> What an enveloped signature signs has to do with what its reference(s)
> point to rather than where it is located. The enveloped part simply
> indicates it is "somewhere" within the signed content and will need to be
> removed prior to processing.
>
> And yes - same document references are usually represented with an empty
> uri which means the entire content is signed or an X-Pointer reference to an
> ID (like Uri="#_someID") which means the element with the ID value AND ALL
> of its descendants will be signed. Again, this has nothing to do with WHERE
> in the document the signature element is.
>
> Cheers,
>
> mal
>
> On Sat, Mar 12, 2011 at 2:37 PM, Michael Bishop <[email protected]> wrote:
>
>> An enveloped signature is over the data that contains the Signature
>>> element.
>>>
>>
>> Can you elaborate on this? Here's an example.
>>
>> <root>
>> <content/>
>> <ds:Signature/>
>> </root>
>>
>> What is signed here? <root>? Or both <root> and <content>?
>>
>> <root>
>> <content>
>> <ds:Signature/>
>> </content>
>> </root>
>>
>> I would assume that in this case, only <content> is signed.
>>
>> I understand that typically, an enveloped signature signs the content
>> represented by its parent. But does it sign the parent AND all the parent's
>> children?
>>
>> <root>
>> <content>
>> <subContent/>
>> </content>
>> <moreContent>
>> <subContent/>
>> </moreContent>
>> <ds:Signature/>
>> </root>
>>
>> I would assume this signature signs the entire document. If not, how
>> would I do that?
>>
>> Thanks,
>>
>> Michael
>>
>> On Wed, Mar 9, 2011 at 10:00 AM, Michael Bishop <[email protected]> wrote:
>>
>>> OK, this is now issue 265 in the Santuario project. I attached a test
>>> case and the certificate I'm using for the test. Thanks for checking into
>>> it.
>>>
>>> Michael
>>>
>>>
>>> On Wed, Mar 9, 2011 at 4:47 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>>
>>>> Can you create a test-case and attach it to JIRA and I'll take a look?
>>>>
>>>> Thanks,
>>>>
>>>> Colm.
>>>>
>>>> On Tue, Mar 8, 2011 at 8:57 PM, Michael Bishop <[email protected]> wrote:
>>>> > Hello,
>>>> >
>>>> > I'm having a problem with creating an enveloped signature. I was able
>>>> > to create an enveloping signature just fine, but the enveloped signature
>>>> > hangs on the XMLSignature.sign(privateKey) method for a long time, before
>>>> > throwing an error.
>>>> >
>>>> > I was able to figure out what the error was; by default, the
>>>> > XMLSignature.sign(privateKey) method was trying to access
>>>> > http://www.w3.org/2000/09/xmldsig#rsa-sha1 and failing. I can pull that up
>>>> > in my browser, so I don't know why it's hanging there. I didn't have this
>>>> > issue with an enveloping signature.
>>>> >
>>>> > I wrote an extension of ResourceResolverSpi and mapped
>>>> > http://www.w3.org/2000/09/xmldsig#rsa-sha1 to point to the schema included
>>>> > in the XML Security JAR file. That works fine, but I'm wondering what the
>>>> > best solution is, and why enveloped signatures need to access this URL at
>>>> > all?
>>>> >
>>>> > I can provide code as needed if it's necessary.
>>>> >
>>>> > Thanks,
>>>> >
>>>> > Michael Bishop
>>>> >
>>>>
>>>
>>>
>>
>
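To make mal's point and the guest-book sketch at the top of this thread concrete, here is an added Python example (written for this page, not code from any poster or from Santuario; it assumes Python 3.8+ for ET.canonicalize and, as a shortcut, treats any attribute named id as the reference target): for every ds:Reference it digests the element the URI points to together with all its descendants, after the enveloped-signature transform has removed the owning ds:Signature, and shows that moving each signature from a detached sibling into its own entry leaves the digests unchanged, while editing Jane's entry changes only the #jane digest.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG, REF_TAG = f"{{{DS}}}Signature", f"{{{DS}}}Reference"
# Constructed sample documents: the same two guest-book entries, first with both
# signatures as detached siblings, then with each signature enveloped in its own entry.
SIG = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo></ds:Signature>'
DETACHED = f"""<guestbook xmlns:ds="{DS}">
<entry id="chuck"><name>Chuck</name></entry>
<entry id="jane"><name>Jane</name><msg>hello</msg></entry>
{SIG % 'chuck'}{SIG % 'jane'}
</guestbook>"""
ENVELOPED = f"""<guestbook xmlns:ds="{DS}">
<entry id="chuck"><name>Chuck</name>{SIG % 'chuck'}</entry>
<entry id="jane"><name>Jane</name><msg>hello</msg>{SIG % 'jane'}</entry>
</guestbook>"""

def find_by_id(root, elem_id):
    """'#id' selects the element carrying that id, and with it all of its descendants."""
    return next(el for el in root.iter() if el.get("id") == elem_id)

def remove_keeping_tail(parent, child):
    """Drop child the way an XPath node-set exclusion does: the text after it stays."""
    idx = list(parent).index(child)
    parent.remove(child)
    if child.tail and idx == 0:
        parent.text = (parent.text or "") + child.tail
    elif child.tail:
        parent[idx - 1].tail = (parent[idx - 1].tail or "") + child.tail

def reference_digest(root, sig_index, uri):
    """SHA-256 of the canonicalised content a Reference points to, after the enveloped
    transform has removed the Signature (sig_index-th in document order) owning it."""
    root = copy.deepcopy(root)  # work on a copy so the caller's tree stays intact
    sig = list(root.iter(SIG_TAG))[sig_index]
    parents = {c: p for p in root.iter() for c in p}
    remove_keeping_tail(parents[sig], sig)  # changes the digest only if sig is inside the target
    target = root if uri == "" else find_by_id(root, uri[1:])
    target.tail = None  # tostring() would otherwise append the text that follows the element
    c14n = ET.canonicalize(ET.tostring(target, encoding="unicode"))
    return hashlib.sha256(c14n.encode()).hexdigest()

def all_digests(xml_text):
    """Map every Reference URI in the document to its digest, Signature by Signature."""
    root = ET.fromstring(xml_text)
    return {ref.get("URI", ""): reference_digest(root, i, ref.get("URI", ""))
            for i, sig in enumerate(root.iter(SIG_TAG)) for ref in sig.iter(REF_TAG)}
```

A real XMLDSIG library resolves `#chuck` only through attributes of XML type ID, so the `id` attribute must be declared as one (via DTD/schema or the DOM `setIdAttribute` call) before signing or verifying; matching any attribute named id, as above, is the example's shortcut.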