Re: Resolver Issues with Enveloped Signature?

[Eric Johnson]

If I understand your question correctly, just look at some of the test 
cases in the code itself, and I suspect you'll find examples of what you 
want to do pretty quickly - as well as the code to work with the items 
in question. Look in the "data" folder for a document that closely 
matches what you want.

-Eric.
On 3/14/11 5:45 PM, Michael Bishop wrote:

    What an enveloped signature signs has to do with what it's
    reference(s) point to rather than where it is located.


OK, I think I'm getting the idea here.  So, if we take the example of 
a "guest book", where each person who signs the guest book only signs 
his/her entry, we must use references.

<guestbook>
<!-- Chuck's entry in the guest book. -->
<entry id="chuck"/>

<!-- Jane's entry in the guest book. -->
<entry id="jane"/>

<!-- Giles' entry in the guest book. -->
<entry id="giles"/>

<!-- Chuck's signature that signs his entry. -->
<ds:Signature>
<ds:Reference URI="#chuck"/>
</ds:Signature>

<!-- Jane's signature that signs her entry. -->
<ds:Signature>
<ds:Reference URI="#jane"/>
</ds:Signature>

<!-- Giles' signature that signs his entry. -->
<ds:Signature>
<ds:Reference URI="#giles"/>
</ds:Signature>
</guestbook>

In the above example, those signature could live anywhere (I guess in 
a true "enveloped" environment, they would live inside the <entry> 
elements), as long as they point to the proper URIs.  Are those the 
proper URIs?  How do you tag content with reference points?  Do I have 
to use a <ds:Object> element to do that as in enveloping signatures?

Basically, how do I properly sign multiple content with multiple 
signatures in the same document?  Are there any good references I can 
read through?

Thanks,

Michael
On Sat, Mar 12, 2011 at 1:21 AM, Malcolm Young 
<malcolm.yo...@gmail.com <mailto:malcolm.yo...@gmail.com>> wrote:

    What an enveloped signature signs has to do with what it's
    reference(s) point to rather than where it is located. The
    enveloped part simply indicates it is "somewhere" within the
    signed content and will need to be removed prior to processing.
    And yes -  same document references are usually represented with
    an empty uri which means the entire content is signed or an
    X-Pointer reference to an ID (like Uri="#_someID") which means the
    element with the ID value AND ALL of it's descendants will be
    signed. Again, this has nothing to do with WHERE in the document
    the signautre element is.
    Cheers,
    mal
    On Sat, Mar 12, 2011 at 2:37 PM, Michael Bishop
    <bisho...@gmail.com <mailto:bisho...@gmail.com>> wrote:

            An enveloped signature is over the data that contains the
            Signature element.


        Can you elaborate on this?  Here's an example.

        <root>
        <content/>
        <ds:Signature/>
        </root>

        What is signed here? <root>?  Or both <root> and <content>?

        <root>
        <content>
        <ds:Signature/>
        </content>
        </root>

        I would assume that in this case, only <content> is signed.

        I understand that typically, an enveloped signature signs the
        content represented by its parent.  But does it sign the
        parent AND all the parent's children?

        <root>
        <content/>
        <subContent/>
        </content>
        <moreContent>
        <subContent/>
        </moreContent>
        <ds:Signature/>
        </root>

        I would assume this signature signs the entire document.  If
        not, how would I do that?

        Thanks,

        Michael

        On Wed, Mar 9, 2011 at 10:00 AM, Michael Bishop
        <bisho...@gmail.com <mailto:bisho...@gmail.com>> wrote:

            OK, this is now issue 265 in the Santuario project.  I
            attached a test case and the certificate I'm using for the
            test.  Thanks for checking into it.

            Michael


            On Wed, Mar 9, 2011 at 4:47 AM, Colm O hEigeartaigh
            <cohei...@apache.org <mailto:cohei...@apache.org>> wrote:

                Can you create a test-case and attach it to JIRA and
                I'll take a look?

                Thanks,

                Colm.

                On Tue, Mar 8, 2011 at 8:57 PM, Michael Bishop
                <bisho...@gmail.com <mailto:bisho...@gmail.com>> wrote:
                > Hello,
                >
                > I'm having a problem with created an enveloped
                signature.  I was able to
                > create an enveloping signature just fine, but the
                enveloped signature hangs
                > on the XMLSignature.sign(privateKey) method for a
                long time, before throwing
                > an error.
                >
                > I was able to figure out what the error was; by
                default, the
                > XMLSignature.sign(privateKey) method was trying to
                access
                > http://www.w3.org/2000/09/xmldsig#rsa-sha1 and
                failing.  I can pull that up
                > in my browser, so I don't know why it's hanging
                there.  I didn't have this
                > issue with an enveloping signature.
                >
                > I wrote an extension of ResourceResolverSpi and mapped
                > http://www.w3.org/2000/09/xmldsig#rsa-sha1 to point
                to the schema included
                > in the XML Security JAR file.  That works fine, but
                I'm wondering what the
                > best solution is, and why enveloped signatures need
                to access this URL at
                > all?
                >
                > I can provide code as needed if it's necessary.
                >
                > Thanks,
                >
                > Michael Bishop
                >