santuario-dev mailing list archives

From "Scott Cantor" <>
Subject RE: Removing references in xml-security-c
Date Sat, 20 Jun 2009 02:48:46 GMT
John Keeping wrote on 2009-06-19:
> I'm working on a product which needs to resign documents after modifying
> them and in some cases this involves removing references from the
> signature (for example if the referenced element has been deleted).
> It seems that just removing a reference from a DSIGSignature object is
> not sufficient to do this, as the XML Reference element is still in the
> document (although it is not updated).

That seems like a fundamental problem that has to be fixed systemically. I'm
not sure if the library in general supports resigning at all, so that may be
the problem. Is there reason to think that resigning would work if the DOM
manipulation was being done? Did you try that by hand and get it to work?

> Am I correct in thinking that there is no way to extract information
> from a DSIGReference to match it back to the document other than walking
> the tree from the signature node looking for it? If so, do you think it
> would be possible to add an accessor to DSIGReference for the
> mp_referenceNode field?

I don't think that's elegant unless all the DOMs are exposed (which is an
option), but more importantly my question would be what you would do with
it. I don't know that it would be safe to only remove that specific node and
then re-sign. Might be, I guess.

Anyway, I guess my point here is that the fix should be universal across the
APIs, and if mutation is both broken and feasible, that should probably be

I know in my case, I use an abstraction layer that's responsible for
creating the Reference List, and if I make changes, I drop the signature
object entirely and recreate it via that abstraction. That's probably why I
never noticed it.

-- Scott
