Hi Michael,

Sorry, my off-the-cuff knowledge of the test cases doesn't extend that far. I'd have to go hunting just like you.

-Eric.

On 3/15/11 5:57 PM, Michael Bishop wrote:
I've gotten most of my guidance thus far from the samples in the Santuario source. Is there a specific one that I've missed that exemplifies multiple signatures for multiple content using "enveloped" signatures?

On Tue, Mar 15, 2011 at 1:37 AM, Eric Johnson <[email protected]> wrote:

    If I understand your question correctly, just look at some of the
    test cases in the code itself, and I suspect you'll find examples
    of what you want to do pretty quickly - as well as the code to
    work with the items in question. Look in the "data" folder for a
    document that closely matches what you want.

    -Eric.


    On 3/14/11 5:45 PM, Michael Bishop wrote:

        What an enveloped signature signs has to do with what its
        reference(s) point to rather than where it is located.


    OK, I think I'm getting the idea here.  So, if we take the
    example of a "guest book", where each person who signs the guest
    book only signs his/her entry, we must use references.

    <guestbook>
    <!-- Chuck's entry in the guest book. -->
    <entry id="chuck"/>

    <!-- Jane's entry in the guest book. -->
    <entry id="jane"/>

    <!-- Giles' entry in the guest book. -->
    <entry id="giles"/>

    <!-- Chuck's signature that signs his entry. -->
    <ds:Signature>
    <ds:Reference URI="#chuck"/>
    </ds:Signature>

    <!-- Jane's signature that signs her entry. -->
    <ds:Signature>
    <ds:Reference URI="#jane"/>
    </ds:Signature>

    <!-- Giles' signature that signs his entry. -->
    <ds:Signature>
    <ds:Reference URI="#giles"/>
    </ds:Signature>
    </guestbook>

    In the above example, those signatures could live anywhere (I
    guess in a true "enveloped" environment, they would live inside
    the <entry> elements), as long as they point to the proper URIs.
    Are those the proper URIs?  How do you tag content with reference
    points?  Do I have to use a <ds:Object> element to do that as in
    enveloping signatures?

    Basically, how do I properly sign multiple content with multiple
    signatures in the same document?  Are there any good references I
    can read through?

    Thanks,

    Michael

    On Sat, Mar 12, 2011 at 1:21 AM, Malcolm Young
    <[email protected]> wrote:

        What an enveloped signature signs has to do with what its
        reference(s) point to rather than where it is located. The
        enveloped part simply indicates it is "somewhere" within the
        signed content and will need to be removed prior to processing.
        And yes -  same document references are usually represented
        with an empty uri which means the entire content is signed or
        an X-Pointer reference to an ID (like Uri="#_someID") which
        means the element with the ID value AND ALL of its
        descendants will be signed. Again, this has nothing to do
        with WHERE in the document the signature element is.

        Cheers,
        mal

        On Sat, Mar 12, 2011 at 2:37 PM, Michael Bishop
        <[email protected]> wrote:

                An enveloped signature is over the data that contains
                the Signature element.


            Can you elaborate on this?  Here's an example.

            <root>
            <content/>
            <ds:Signature/>
            </root>

            What is signed here? <root>?  Or both <root> and <content>?

            <root>
            <content>
            <ds:Signature/>
            </content>
            </root>

            I would assume that in this case, only <content> is signed.

            I understand that typically, an enveloped signature signs
            the content represented by its parent.  But does it sign
            the parent AND all the parent's children?

            <root>
            <content>
            <subContent/>
            </content>
            <moreContent>
            <subContent/>
            </moreContent>
            <ds:Signature/>
            </root>

            I would assume this signature signs the entire document.
            If not, how would I do that?

            Thanks,

            Michael

            On Wed, Mar 9, 2011 at 10:00 AM, Michael Bishop
            <[email protected]> wrote:

                OK, this is now issue 265 in the Santuario project.  I
                attached a test case and the certificate I'm using
                for the test.  Thanks for checking into it.

                Michael


                On Wed, Mar 9, 2011 at 4:47 AM, Colm O hEigeartaigh
                <[email protected]> wrote:

                    Can you create a test-case and attach it to JIRA
                    and I'll take a look?

                    Thanks,

                    Colm.

                    On Tue, Mar 8, 2011 at 8:57 PM, Michael Bishop
                    <[email protected]>
                    wrote:
                    > Hello,
                    >
                    > I'm having a problem with creating an enveloped signature.  I was able to
                    > create an enveloping signature just fine, but the enveloped signature hangs
                    > on the XMLSignature.sign(privateKey) method for a long time, before throwing
                    > an error.
                    >
                    > I was able to figure out what the error was; by default, the
                    > XMLSignature.sign(privateKey) method was trying to access
                    > http://www.w3.org/2000/09/xmldsig#rsa-sha1 and failing.  I can pull that up
                    > in my browser, so I don't know why it's hanging there.  I didn't have this
                    > issue with an enveloping signature.
                    >
                    > I wrote an extension of ResourceResolverSpi and mapped
                    > http://www.w3.org/2000/09/xmldsig#rsa-sha1 to point to the schema included
                    > in the XML Security JAR file.  That works fine, but I'm wondering what the
                    > best solution is, and why enveloped signatures need to access this URL at
                    > all?
                    >
                    > I can provide code as needed if it's necessary.
                    >
                    > Thanks,
                    >
                    > Michael Bishop
                    >





