OK, I've dug through each and every bit of sample code and unit tests
supplied with Santuario.  I'm still not finding what I need.  The samples
sign an entire document as enveloped, not a subsection of a document.

In a nutshell, I want an enveloped signature with a reference URI pointing
to a section of a document, not the entire thing.  I've gone through the
Digital Signature spec and can't find an example there.  I find either
references to entirely different URIs (when your signature doesn't live in
the same document) or the entire local document ("").

Does it work the same as an enveloping signature, only that the <Object>
element lives outside the signature, or can a reference URI be used to point
to a specific area of the document without the <Object> element?

On Wed, Mar 16, 2011 at 12:05 AM, Eric Johnson <[email protected]> wrote:

> Hi Michael,
>
> Sorry, my off-the-cuff knowledge of the test cases doesn't extend that far.
> I'd have to go hunting just like you.
>
> -Eric.
>
>
> On 3/15/11 5:57 PM, Michael Bishop wrote:
>
> I've gotten most of my guidance thus far from the samples in the Santuario
> source.  Is there a specific one that I've missed that exemplifies multiple
> signatures for multiple content using "enveloped" signatures?
>
> On Tue, Mar 15, 2011 at 1:37 AM, Eric Johnson <[email protected]> wrote:
>
>> If I understand your question correctly, just look at some of the test
>> cases in the code itself, and I suspect you'll find examples of what you
>> want to do pretty quickly - as well as the code to work with the items in
>> question. Look in the "data" folder for a document that closely matches what
>> you want.
>>
>> -Eric.
>>
>>
>> On 3/14/11 5:45 PM, Michael Bishop wrote:
>>
>>> What an enveloped signature signs has to do with what its reference(s)
>>> point to rather than where it is located.
>>>
>>
>> OK, I think I'm getting the idea here.  So, if we take the example of a
>> "guest book", where each person who signs the guest book only signs his/her
>> entry, we must use references.
>>
>> <guestbook>
>>     <!-- Chuck's entry in the guest book. -->
>>     <entry id="chuck"/>
>>
>>     <!-- Jane's entry in the guest book. -->
>>     <entry id="jane"/>
>>
>>     <!-- Giles' entry in the guest book. -->
>>     <entry id="giles"/>
>>
>>     <!-- Chuck's signature that signs his entry. -->
>>     <ds:Signature>
>>         <ds:Reference URI="#chuck"/>
>>     </ds:Signature>
>>
>>     <!-- Jane's signature that signs her entry. -->
>>     <ds:Signature>
>>         <ds:Reference URI="#jane"/>
>>     </ds:Signature>
>>
>>     <!-- Giles' signature that signs his entry. -->
>>     <ds:Signature>
>>         <ds:Reference URI="#giles"/>
>>     </ds:Signature>
>> </guestbook>
>>
>> In the above example, those signatures could live anywhere (I guess in a
>> true "enveloped" environment, they would live inside the <entry> elements),
>> as long as they point to the proper URIs.  Are those the proper URIs?  How
>> do you tag content with reference points?  Do I have to use a <ds:Object>
>> element to do that as in enveloping signatures?
>>
>> Basically, how do I properly sign multiple content with multiple
>> signatures in the same document?  Are there any good references I can read
>> through?
>>
>> Thanks,
>>
>> Michael
>> On Sat, Mar 12, 2011 at 1:21 AM, Malcolm Young <[email protected]> wrote:
>>
>>> What an enveloped signature signs has to do with what its reference(s)
>>> point to rather than where it is located. The enveloped part simply
>>> indicates it is "somewhere" within the signed content and will need to be
>>> removed prior to processing.
>>>
>>> And yes - same document references are usually represented with an empty
>>> uri which means the entire content is signed or an X-Pointer reference to an
>>> ID (like Uri="#_someID") which means the element with the ID value AND ALL
>>> of its descendants will be signed. Again, this has nothing to do with WHERE
>>> in the document the signature element is.
>>>
>>> Cheers,
>>>
>>> mal
>>>
>>> On Sat, Mar 12, 2011 at 2:37 PM, Michael Bishop <[email protected]> wrote:
>>>
>>>>> An enveloped signature is over the data that contains the Signature
>>>>> element.
>>>>>
>>>>
>>>> Can you elaborate on this?  Here's an example.
>>>>
>>>> <root>
>>>>     <content/>
>>>>     <ds:Signature/>
>>>> </root>
>>>>
>>>> What is signed here?  <root>?  Or both <root> and <content>?
>>>>
>>>> <root>
>>>>     <content>
>>>>         <ds:Signature/>
>>>>     </content>
>>>> </root>
>>>>
>>>> I would assume that in this case, only <content> is signed.
>>>>
>>>> I understand that typically, an enveloped signature signs the content
>>>> represented by its parent.  But does it sign the parent AND all the
>>>> parent's children?
>>>>
>>>> <root>
>>>>     <content>
>>>>         <subContent/>
>>>>     </content>
>>>>     <moreContent>
>>>>         <subContent/>
>>>>     </moreContent>
>>>>     <ds:Signature/>
>>>> </root>
>>>>
>>>> I would assume this signature signs the entire document.  If not, how
>>>> would I do that?
>>>>
>>>> Thanks,
>>>>
>>>> Michael
>>>>
>>>> On Wed, Mar 9, 2011 at 10:00 AM, Michael Bishop <[email protected]> wrote:
>>>>
>>>>> OK, this is now issue 265 in the Santuario project.  I attached a test
>>>>> case and the certificate I'm using for the test.  Thanks for checking into
>>>>> it.
>>>>>
>>>>> Michael
>>>>>
>>>>>
>>>>> On Wed, Mar 9, 2011 at 4:47 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>>>>
>>>>>> Can you create a test-case and attach it to JIRA and I'll take a look?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Tue, Mar 8, 2011 at 8:57 PM, Michael Bishop <[email protected]> wrote:
>>>>>> > Hello,
>>>>>> >
>>>>>> > I'm having a problem with creating an enveloped signature.  I was able to
>>>>>> > create an enveloping signature just fine, but the enveloped signature hangs
>>>>>> > on the XMLSignature.sign(privateKey) method for a long time, before throwing
>>>>>> > an error.
>>>>>> >
>>>>>> > I was able to figure out what the error was; by default, the
>>>>>> > XMLSignature.sign(privateKey) method was trying to access
>>>>>> > http://www.w3.org/2000/09/xmldsig#rsa-sha1 and failing.  I can pull that up
>>>>>> > in my browser, so I don't know why it's hanging there.  I didn't have this
>>>>>> > issue with an enveloping signature.
>>>>>> >
>>>>>> > I wrote an extension of ResourceResolverSpi and mapped
>>>>>> > http://www.w3.org/2000/09/xmldsig#rsa-sha1 to point to the schema included
>>>>>> > in the XML Security JAR file.  That works fine, but I'm wondering what the
>>>>>> > best solution is, and why enveloped signatures need to access this URL at
>>>>>> > all?
>>>>>> >
>>>>>> > I can provide code as needed if it's necessary.
>>>>>> >
>>>>>> > Thanks,
>>>>>> >
>>>>>> > Michael Bishop
>>>>>> >
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

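The "guest book" case discussed in this thread (each entry carries its own enveloped signature whose Reference URI is "#id", no <ds:Object> involved), worked through as an added example that is not code from the thread or from the Santuario project. It uses the JSR 105 API (javax.xml.crypto.dsig), which the JDK ships and which Santuario also implements; the guest names, the <message> child, the per-guest RSA keys and the trustedKeys map are constructed for the demo. The two points a practitioner usually trips over are both in the code: the "id" attribute has to be declared ID-typed (Element.setIdAttribute when building, DOMValidateContext.setIdAttributeNS after re-parsing) or "#chuck" cannot be resolved, and the verifier should confirm that the Reference it just validated actually points at the element it is about to trust.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Example for this thread (not Santuario sample code): one enveloped signature per guest-book entry. */
public class GuestbookSigner {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    // Algorithm URI spelled out so the example does not depend on constants added in later JDKs.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static DocumentBuilder builder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);            // required: ds:Signature is a namespaced element
        return dbf.newDocumentBuilder();
    }

    /** Appends a ds:Signature inside 'entry' that covers the entry element and all of its descendants. */
    static void signEntry(XMLSignatureFactory fac, Element entry, KeyPair kp) throws Exception {
        String id = entry.getAttribute("id");
        entry.setIdAttribute("id", true);       // without this, the URI "#id" cannot be resolved
        Reference ref = fac.newReference("#" + id,
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                // Enveloped transform: drop this Signature element from the signed node-set.
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        // The parent node passed here is where the Signature is inserted: the entry itself.
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), entry);
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, ki).sign(ctx);
    }

    /** Validates the signature inside 'entry' against a key the verifier already trusts for that guest. */
    static boolean verifyEntry(XMLSignatureFactory fac, Element entry, PublicKey trusted) throws Exception {
        Element sigEl = (Element) entry.getElementsByTagNameNS(DSIG_NS, "Signature").item(0);
        if (sigEl == null) return false;
        DOMValidateContext ctx = new DOMValidateContext(trusted, sigEl);
        ctx.setIdAttributeNS(entry, null, "id");    // a re-parsed DOM has forgotten that "id" is an ID
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;
        // A valid signature is only useful if its Reference covers the element we are about to trust.
        List<?> refs = sig.getSignedInfo().getReferences();
        return refs.size() == 1
            && ("#" + entry.getAttribute("id")).equals(((Reference) refs.get(0)).getURI());
    }

    public static void main(String[] args) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);

        Document doc = builder().newDocument();
        Element guestbook = doc.createElement("guestbook");
        doc.appendChild(guestbook);
        Map<String, PublicKey> trustedKeys = new LinkedHashMap<>();  // constructed: the verifier's key store
        for (String guest : new String[] {"chuck", "jane", "giles"}) {
            Element entry = doc.createElement("entry");
            entry.setAttribute("id", guest);
            entry.appendChild(doc.createElement("message")).setTextContent("Hello from " + guest);
            guestbook.appendChild(entry);
            KeyPair kp = kpg.generateKeyPair();      // constructed per-guest key pair for the demo
            trustedKeys.put(guest, kp.getPublic());
            signEntry(fac, entry, kp);
        }

        // Serialize without re-indenting (added whitespace inside an entry would break its digest).
        StringWriter out = new StringWriter();
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.transform(new DOMSource(doc), new StreamResult(out));
        String xml = out.toString();
        System.out.println(xml);

        // Re-parse as a receiving party would, then verify each entry on its own.
        Document received = builder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        NodeList entries = received.getElementsByTagName("entry");
        for (int i = 0; i < entries.getLength(); i++) {
            Element entry = (Element) entries.item(i);
            String guest = entry.getAttribute("id");
            System.out.println(guest + " -> " + verifyEntry(fac, entry, trustedKeys.get(guest)));
        }
    }
}
```

Each guest's signature covers exactly the <entry> it lives in, including the <message> child, because the Reference URI selects the element with that ID and all of its descendants; the enveloped-signature transform is what removes the ds:Signature element itself from the digest input, and it works whether the signature sits inside the entry or elsewhere in the document, as long as the URI is right. On the verifying side, the key comes from what the verifier already trusts rather than from the embedded KeyValue, and the final URI check in verifyEntry is the step that ties a "signature validates" result back to the specific element the application is going to act on.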