Yup. At the moment the C++ library only checks for "Id", so it won't find your reference (attribute "id"). The plan is to allow more control with the user in this space, so that you can turn off the ability to search for "Id" named attributes, or search for others. But I don't know if that will make it into the version 1.10.
Cheers,
Berin

Matej Kafadar wrote:
Hi,
If you have a signed XML file (below) WITHOUT SCHEMA, is the signature (focus on id) valid or invalid?
<root xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <signedNode id="data">
    ... some nodes (doesn't matter)...
  </signedNode>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#data">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>nlywR123biGN45lEBdhNrTvzGX4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>9MM7YZQTR ... </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>RhbG5vIHBv ... </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</root>
Java libraries can sign and verify that kind of signature. C++ libraries throw an exception, and work well with "Id", not "id".
So is this signature valid or invalid?
matej
Scott/Sean/Milan,
What I'm going to do in the C++ library is put in a call that allows you to disable the search for non-registered Ids. That allows for backwards compatibility, but ensures that the settings can be more secure.
I might also mark it in the docs with a warning that at version 2, this will become the default.
Cheers, Berin
Scott Cantor wrote:
My advice would be to remove the code that searches for attributes named id, or Id and force the application to manually register those ids.
+1.
But I'd add that Sun's inclusion of an XML parser in the JRE really complicates this because it forces us to endorse a parser that does support the DOM3 calls needed to manually register IDs. I'm not aware of any non-DOM3 method in, say, Xerces, that even supports registration of IDs, whether standard or otherwise. Happy to learn of one, though.
-- Scott
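
The ID registration discussed in this thread, as an added example (not code from the Apache XML Security libraries or from any poster): with no schema or DTD the JRE parser treats `id` as an ordinary attribute, so `#data` resolves only after the application registers it through the DOM3 `setIdAttribute` call. The class `RegisterIdDemo`, the helper `registerUniqueId` and the sample document are hypothetical names and data constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added illustration; class, helper and sample XML are hypothetical.
public class RegisterIdDemo {

    // Constructed sample shaped like the document in the thread (signature omitted).
    static final String XML =
        "<root><signedNode id=\"data\"><v>1</v></signedNode></root>";

    // Register attribute `attr` as an ID on the single element whose value
    // equals `value`. Refuse if zero or several elements carry it, since an
    // ambiguous ID makes the target of the Reference ambiguous.
    static Element registerUniqueId(Document doc, String attr, String value) {
        NodeList all = doc.getElementsByTagName("*");
        Element found = null;
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttribute(attr) && value.equals(e.getAttribute(attr))) {
                if (found != null) {
                    throw new IllegalStateException("duplicate " + attr + "=" + value);
                }
                found = e;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no element with " + attr + "=" + value);
        }
        found.setIdAttribute(attr, true); // DOM Level 3 call
        return found;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));

        // No schema/DTD: "id" is not of type ID, so the lookup finds nothing.
        System.out.println("before: " + doc.getElementById("data"));
        registerUniqueId(doc, "id", "data");
        System.out.println("after:  " + doc.getElementById("data").getTagName());
    }
}
```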
