I've gotten most of my guidance thus far from the samples in the Santuario source. Is there a specific one that I've missed that exemplifies multiple signatures for multiple content using "enveloped" signatures?
On Tue, Mar 15, 2011 at 1:37 AM, Eric Johnson <[email protected]> wrote:

> If I understand your question correctly, just look at some of the test
> cases in the code itself, and I suspect you'll find examples of what you
> want to do pretty quickly - as well as the code to work with the items in
> question. Look in the "data" folder for a document that closely matches what
> you want.
>
> -Eric.
>
> On 3/14/11 5:45 PM, Michael Bishop wrote:
>
>>> What an enveloped signature signs has to do with what its reference(s)
>>> point to rather than where it is located.
>>
>> OK, I think I'm getting the idea here. So, if we take the example of a
>> "guest book", where each person who signs the guest book only signs his/her
>> entry, we must use references.
>>
>> <guestbook>
>>   <!-- Chuck's entry in the guest book. -->
>>   <entry id="chuck"/>
>>
>>   <!-- Jane's entry in the guest book. -->
>>   <entry id="jane"/>
>>
>>   <!-- Giles' entry in the guest book. -->
>>   <entry id="giles"/>
>>
>>   <!-- Chuck's signature that signs his entry. -->
>>   <ds:Signature>
>>     <ds:Reference URI="#chuck"/>
>>   </ds:Signature>
>>
>>   <!-- Jane's signature that signs her entry. -->
>>   <ds:Signature>
>>     <ds:Reference URI="#jane"/>
>>   </ds:Signature>
>>
>>   <!-- Giles' signature that signs his entry. -->
>>   <ds:Signature>
>>     <ds:Reference URI="#giles"/>
>>   </ds:Signature>
>> </guestbook>
>>
>> In the above example, those signatures could live anywhere (I guess in a
>> true "enveloped" environment, they would live inside the <entry> elements),
>> as long as they point to the proper URIs. Are those the proper URIs? How
>> do you tag content with reference points? Do I have to use a <ds:Object>
>> element to do that as in enveloping signatures?
>>
>> Basically, how do I properly sign multiple content with multiple signatures
>> in the same document? Are there any good references I can read through?
>>
>> Thanks,
>>
>> Michael
>>
>> On Sat, Mar 12, 2011 at 1:21 AM, Malcolm Young <[email protected]> wrote:
>>
>>> What an enveloped signature signs has to do with what its reference(s)
>>> point to rather than where it is located. The enveloped part simply
>>> indicates it is "somewhere" within the signed content and will need to be
>>> removed prior to processing.
>>>
>>> And yes - same document references are usually represented with an empty
>>> uri which means the entire content is signed or an X-Pointer reference to an
>>> ID (like Uri="#_someID") which means the element with the ID value AND ALL
>>> of its descendants will be signed. Again, this has nothing to do with WHERE
>>> in the document the signature element is.
>>>
>>> Cheers,
>>>
>>> mal
>>>
>>> On Sat, Mar 12, 2011 at 2:37 PM, Michael Bishop <[email protected]> wrote:
>>>
>>>>> An enveloped signature is over the data that contains the Signature
>>>>> element.
>>>>
>>>> Can you elaborate on this? Here's an example.
>>>>
>>>> <root>
>>>>   <content/>
>>>>   <ds:Signature/>
>>>> </root>
>>>>
>>>> What is signed here? <root>? Or both <root> and <content>?
>>>>
>>>> <root>
>>>>   <content>
>>>>     <ds:Signature/>
>>>>   </content>
>>>> </root>
>>>>
>>>> I would assume that in this case, only <content> is signed.
>>>>
>>>> I understand that typically, an enveloped signature signs the content
>>>> represented by its parent. But does it sign the parent AND all the parent's
>>>> children?
>>>>
>>>> <root>
>>>>   <content>
>>>>     <subContent/>
>>>>   </content>
>>>>   <moreContent>
>>>>     <subContent/>
>>>>   </moreContent>
>>>>   <ds:Signature/>
>>>> </root>
>>>>
>>>> I would assume this signature signs the entire document. If not, how
>>>> would I do that?
>>>>
>>>> Thanks,
>>>>
>>>> Michael
>>>>
>>>> On Wed, Mar 9, 2011 at 10:00 AM, Michael Bishop <[email protected]> wrote:
>>>>
>>>>> OK, this is now issue 265 in the Santuario project. I attached a test
>>>>> case and the certificate I'm using for the test. Thanks for checking into
>>>>> it.
>>>>>
>>>>> Michael
>>>>>
>>>>> On Wed, Mar 9, 2011 at 4:47 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>>>>
>>>>>> Can you create a test-case and attach it to JIRA and I'll take a look?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Tue, Mar 8, 2011 at 8:57 PM, Michael Bishop <[email protected]> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm having a problem with creating an enveloped signature. I was able to
>>>>>>> create an enveloping signature just fine, but the enveloped signature hangs
>>>>>>> on the XMLSignature.sign(privateKey) method for a long time, before throwing
>>>>>>> an error.
>>>>>>>
>>>>>>> I was able to figure out what the error was; by default, the
>>>>>>> XMLSignature.sign(privateKey) method was trying to access
>>>>>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1 and failing. I can pull that up
>>>>>>> in my browser, so I don't know why it's hanging there. I didn't have this
>>>>>>> issue with an enveloping signature.
>>>>>>>
>>>>>>> I wrote an extension of ResourceResolverSpi and mapped
>>>>>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1 to point to the schema included
>>>>>>> in the XML Security JAR file. That works fine, but I'm wondering what the
>>>>>>> best solution is, and why enveloped signatures need to access this URL at
>>>>>>> all?
>>>>>>>
>>>>>>> I can provide code as needed if it's necessary.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Michael Bishop
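One way to give each guest-book entry its own enveloped signature and then check them, as an added example that is not code from the thread or from the Santuario project. It assumes Apache Santuario's Java API (org.apache.xml.security) is on the classpath, builds the guestbook document inline, and uses one generated RSA key for all three signers; verify() also checks that each Signature's Reference points at the entry that contains it, since an ID reference alone says nothing about where the Signature sits.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.w3c.dom.*;

public class GuestbookSigner {
    // Sign one <entry> with its own enveloped Signature, placed inside that entry.
    static void signEntry(Document doc, Element entry, KeyPair kp) throws Exception {
        entry.setIdAttribute("id", true);  // make "#chuck" etc. resolvable as a DOM ID
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        entry.appendChild(sig.getElement());
        Transforms t = new Transforms(doc);
        t.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);  // strip this Signature before digesting
        t.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        // The Reference covers only this entry's subtree; other entries and their signatures are outside it.
        sig.addDocument("#" + entry.getAttribute("id"), t, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(kp.getPublic());
        sig.sign(kp.getPrivate());
    }

    static List<String> verify(Document doc, PublicKey trusted) throws Exception {
        List<String> ok = new ArrayList<String>();
        NodeList sigs = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            XMLSignature sig = new XMLSignature((Element) sigs.item(i), "");
            String parentId = ((Element) sig.getElement().getParentNode()).getAttribute("id");
            boolean refersToParent = sig.getSignedInfo().getLength() == 1  // accept only a Reference to the entry this Signature sits in
                && ("#" + parentId).equals(sig.getSignedInfo().item(0).getURI());
            if (refersToParent && sig.checkSignatureValue(trusted)) ok.add(parentId);
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        String xml = "<guestbook><entry id=\"chuck\"/><entry id=\"jane\"/><entry id=\"giles\"/></guestbook>"; // constructed sample
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA"); gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();  // one key stands in for all three signers (assumption)
        NodeList entries = doc.getElementsByTagName("entry");
        for (int i = 0; i < entries.getLength(); i++) signEntry(doc, (Element) entries.item(i), kp);
        System.out.println("verified entries: " + verify(doc, kp.getPublic()));
    }
}
```

Because each Signature sits inside the entry it references, the enveloped transform is needed; if the signatures were instead placed as siblings under <guestbook> as in the sketch above, the transform would be harmless but unnecessary, since the Signature is then outside the referenced subtree.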
