You need to include the enveloped signature transformation specifically.  This 
serves to remove the signature element from the document before signing and 
verification.  This is required because the signature element changes during 
signing; if the original signature element were part of the signed content, the 
final signature would be invalid, because part of the signed content (the 
signature) would be different.  See 
http://www.w3.org/TR/xmldsig-core/#sec-EnvelopedSignature and 
http://www.w3.org/TR/xmldsig-core/#sec-Transforms.

> -----Original Message-----
> From: def abc [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, February 02, 2005 8:45 AM
> To: security-dev@xml.apache.org
> Subject: Re: Verify signature: bad for enveloped, ok for 
> enveloping and detached.
> 
>  --- Raul Benito <[EMAIL PROTECTED]> wrote:
> > Did you add the enveloped-signature transformation?
> > It is needed for enveloped signatures. If not, it will
> > fail.
> 
> Not sure I understand...
> My signed XML does have a transformation (c14n) -- see
> below.
> Do you mean I should apply a transformation to the
> signed document for verification?
> 
> Regards,
> -- Axelle.
> 
> <policy xmlns="http://xxx"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://xxx/DSP ./DSP.xsd">
>  <dsi_policy>
>  [...]
>  </dsi_policy>
> <ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
> <ds:Reference
> URI="file:/G:/prog/xml-security-1_2_0/misc.xml">
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>HbVbteOlAwHiVZYotc1E7wWswyo=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> CRCr/II7oFTYANIz3NMqpUgnMLMvyU9rwpZNOBk5+Sp9k+kXyMJNU/7WehvTmh
> tu6mTTXplUpmyw
> [...]
> </ds:SignatureValue>
> </ds:Signature></policy>
> 
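
Why the enveloped-signature transform is needed, as an added example (not code from this thread or from Apache XML Security). It models only the reference digest of a whole-document reference, uses the standard library's C14N 2.0 and SHA-256 in place of the thread's C14N 1.0 and SHA-1, and the `policy` document, its namespace and the placeholder SignatureValue are constructed.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
# Constructed sample document; the namespace is a placeholder.
SAMPLE = '<policy xmlns="http://example.invalid/dsp"><dsi_policy>rule</dsi_policy></policy>'

def reference_digest(root, enveloped):
    """Digest the whole document, optionally applying the enveloped transform."""
    work = copy.deepcopy(root)
    if enveloped:
        # Enveloped-signature transform: drop ds:Signature before canonicalizing.
        for parent in list(work.iter()):
            for child in list(parent):
                if child.tag == f"{{{DS}}}Signature":
                    parent.remove(child)
    # Assumption: C14N 2.0 stands in for the C14N 1.0 named in the thread.
    c14n = ET.canonicalize(ET.tostring(work, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def sign(root, enveloped):
    """Attach a ds:Signature skeleton, then fill in its values as a signer does."""
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    digest_value = ET.SubElement(sig, f"{{{DS}}}DigestValue")
    sig_value = ET.SubElement(sig, f"{{{DS}}}SignatureValue")
    digest_value.text = reference_digest(root, enveloped)
    # Placeholder: no real RSA signing here, only the element changing.
    sig_value.text = "CONSTRUCTED-PLACEHOLDER"
    return root

def reference_verifies(root, enveloped):
    """Recompute the digest the way a verifier would and compare."""
    stored = root.find(f".//{{{DS}}}DigestValue").text
    return stored == reference_digest(root, enveloped)

def demo():
    results = {}
    for enveloped in (False, True):
        doc = sign(ET.fromstring(SAMPLE), enveloped)
        results[enveloped] = reference_verifies(doc, enveloped)
    return results

if __name__ == "__main__":
    print(demo())
```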
