santuario-dev mailing list archives

From "Scott Cantor" <canto...@osu.edu>
Subject RE: SignedInfo's verify method
Date Mon, 14 Dec 2009 19:35:19 GMT
> 1. Does it make a difference to SignedInfo's verify API
> (http://santuario.apache.org/Java/api/org/apache/xml/security/signature/SignedInfo.html#verify())
> that the XML contains soapenv or SOAP-ENV? I think that this method figures
> out the namespace and uncanonicalizes the stuff by appending the actual URL
> of the namespace rather than the short form (SOAP-ENV or soapenv; it can be
> anything, I presume).

That's not how all the standard c14n algorithms work; prefixes are part of
the signed material and you can't change them in between. Any tool that
rewrites them while purporting to support signing is essentially broken.

> 2. If the namespace value (like soapenv or SOAP-ENV) does play a role in the
> verify API, can I make Axis2 use SOAP-ENV rather than SOAPENV?

That's an Axis question.

-- Scott
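
The point made in the reply above, shown as an added example that is not part of the original message or of Santuario's code: canonicalization erases serialization differences but keeps prefixes, so a renamed prefix changes the digest. It assumes Python's `xml.etree.ElementTree.canonicalize` (C14N 2.0 with default options) as a stand-in for the c14n algorithm a signer would use, hashes the whole document rather than a real SignedInfo, and uses a constructed SOAP message.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample message (not taken from the thread).
SIGNED = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><m:Pay xmlns:m="urn:example:pay" currency="USD" amount="10"/>'
    '</soapenv:Body></soapenv:Envelope>'
)

# Same content, different serialization: quote style, attribute order,
# extra whitespace inside the start tag, expanded empty element.
REFORMATTED = (
    "<soapenv:Envelope   xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/'>"
    "<soapenv:Body><m:Pay amount='10' currency='USD' xmlns:m='urn:example:pay'></m:Pay>"
    "</soapenv:Body></soapenv:Envelope>"
)

# Same namespace URI, but an intermediary renamed the prefix.
REPREFIXED = SIGNED.replace("soapenv", "SOAP-ENV")


def c14n_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form, as a signer or verifier would compute it."""
    canonical = canonicalize(xml_text)  # default options keep prefixes as written
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def digest_survives(signed_xml: str, received_xml: str) -> bool:
    """True if the received document still hashes to the signed digest."""
    return c14n_digest(signed_xml) == c14n_digest(received_xml)


if __name__ == "__main__":
    print("canonical form:", canonicalize(REPREFIXED)[:60], "...")
    print("reformatted survives:", digest_survives(SIGNED, REFORMATTED))
    print("re-prefixed survives:", digest_survives(SIGNED, REPREFIXED))
```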


