I've been working on some signature validation code, and one approach I took led me to look at Reference.getReferenceData(). This is with 1.5.3 of the Java library.
In my case, the reference URI is always a document-local reference, i.e.,
either "" or "#foo", and I look at getReferenceData() after calling
Signature.checkSignatureValue. The result of this is both a
ReferenceNodeSetData and a ReferenceSubTreeData.
My current approach involves looking at the ReferenceSubTreeData, but I also
looked at the node set returned from ReferenceNodeSetData.iterator() in this
case. In the Javadoc, it specifies that the nodes are returned in document
order, which I understand to mean that Element nodes appear before the
Attribute nodes associated with them.
What I actually found was that the Attribute nodes for an element appeared in
the iterator() sequence *before* the Element node itself.
So my question is: have I misunderstood something either in DSIG in general or
the ReferenceNodeSetData API in particular, or does this sound like a bug?
-- Ian
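
One way to test the ordering described in the message above, as an added example that is not part of the original post and not code from the library. The class name, the `findOrderViolations` helper and the sample document are hypothetical; against a real signature, the iterator passed in would be the one returned by `ReferenceNodeSetData.iterator()`.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class NodeOrderCheck {
    // Hypothetical helper: lists each point where the sequence departs from
    // document order (an element first, then its attributes, then its children).
    static List<String> findOrderViolations(Iterator<Node> it) {
        List<String> problems = new ArrayList<>();
        Set<Node> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        Node prev = null;
        while (it.hasNext()) {
            Node n = it.next();
            Node anchor = n; // attributes are positioned by their owner element
            if (n.getNodeType() == Node.ATTRIBUTE_NODE) {
                anchor = ((Attr) n).getOwnerElement();
                if (anchor == null) continue; // detached attribute, nothing to compare
                if (!seen.contains(anchor))
                    problems.add("@" + n.getNodeName() + " before <" + anchor.getNodeName() + ">");
            } else if (n.getNodeType() == Node.ELEMENT_NODE) {
                seen.add(n);
            }
            // PRECEDING is set when 'anchor' comes earlier in the document than 'prev'
            if (prev != null && anchor != prev
                    && (prev.compareDocumentPosition(anchor) & Node.DOCUMENT_POSITION_PRECEDING) != 0)
                problems.add(anchor.getNodeName() + " after " + prev.getNodeName());
            prev = anchor;
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Constructed sample document, not taken from the post
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(
                new StringReader("<root Id='foo'><child a='1'/></root>")));
        Element root = doc.getDocumentElement();
        Element child = (Element) root.getFirstChild();
        List<Node> elementFirst = Arrays.asList(
                root, root.getAttributeNode("Id"), child, child.getAttributeNode("a"));
        List<Node> attrFirst = Arrays.asList(
                root.getAttributeNode("Id"), root, child.getAttributeNode("a"), child);
        System.out.println(findOrderViolations(elementFirst.iterator()));
        System.out.println(findOrderViolations(attrFirst.iterator()));
    }
}
```

Namespace declarations are also `Attr` nodes in the DOM, so the helper checks them against their owner element in the same way.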
