santuario-dev mailing list archives

From Eric Johnson <e...@tibco.com>
Subject Re: Resolver Issues with Enveloped Signature?
Date Tue, 15 Mar 2011 05:37:06 GMT
If I understand your question correctly, just look at some of the test 
cases in the code itself, and I suspect you'll find examples of what you 
want to do pretty quickly - as well as the code to work with the items 
in question. Look in the "data" folder for a document that closely 
matches what you want.

-Eric.

On 3/14/11 5:45 PM, Michael Bishop wrote:
>
>     What an enveloped signature signs has to do with what its
>     reference(s) point to rather than where it is located.
>
>
> OK, I think I'm getting the idea here.  So, if we take the example of 
> a "guest book", where each person who signs the guest book only signs 
> his/her entry, we must use references.
>
> <guestbook>
> <!-- Chuck's entry in the guest book. -->
> <entry id="chuck"/>
>
> <!-- Jane's entry in the guest book. -->
> <entry id="jane"/>
>
> <!-- Giles' entry in the guest book. -->
> <entry id="giles"/>
>
> <!-- Chuck's signature that signs his entry. -->
> <ds:Signature>
> <ds:Reference URI="#chuck"/>
> </ds:Signature>
>
> <!-- Jane's signature that signs her entry. -->
> <ds:Signature>
> <ds:Reference URI="#jane"/>
> </ds:Signature>
>
> <!-- Giles' signature that signs his entry. -->
> <ds:Signature>
> <ds:Reference URI="#giles"/>
> </ds:Signature>
> </guestbook>
>
> In the above example, those signature could live anywhere (I guess in 
> a true "enveloped" environment, they would live inside the <entry> 
> elements), as long as they point to the proper URIs.  Are those the 
> proper URIs?  How do you tag content with reference points?  Do I have 
> to use a <ds:Object> element to do that as in enveloping signatures?
>
> Basically, how do I properly sign multiple content with multiple 
> signatures in the same document?  Are there any good references I can 
> read through?
>
> Thanks,
>
> Michael
> On Sat, Mar 12, 2011 at 1:21 AM, Malcolm Young 
> <malcolm.young@gmail.com> wrote:
>
>     What an enveloped signature signs has to do with what its
>     reference(s) point to rather than where it is located. The
>     enveloped part simply indicates it is "somewhere" within the
>     signed content and will need to be removed prior to processing.
>     And yes -  same document references are usually represented with
>     an empty uri which means the entire content is signed or an
>     X-Pointer reference to an ID (like Uri="#_someID") which means the
>     element with the ID value AND ALL of its descendants will be
>     signed. Again, this has nothing to do with WHERE in the document
>     the signature element is.
>     Cheers,
>     mal
>     On Sat, Mar 12, 2011 at 2:37 PM, Michael Bishop
>     <bishopmw@gmail.com> wrote:
>
>             An enveloped signature is over the data that contains the
>             Signature element.
>
>
>         Can you elaborate on this?  Here's an example.
>
>         <root>
>         <content/>
>         <ds:Signature/>
>         </root>
>
>         What is signed here? <root>?  Or both <root> and <content>?
>
>         <root>
>         <content>
>         <ds:Signature/>
>         </content>
>         </root>
>
>         I would assume that in this case, only <content> is signed.
>
>         I understand that typically, an enveloped signature signs the
>         content represented by its parent.  But does it sign the
>         parent AND all the parent's children?
>
>         <root>
>         <content>
>         <subContent/>
>         </content>
>         <moreContent>
>         <subContent/>
>         </moreContent>
>         <ds:Signature/>
>         </root>
>
>         I would assume this signature signs the entire document.  If
>         not, how would I do that?
>
>         Thanks,
>
>         Michael
>
>         On Wed, Mar 9, 2011 at 10:00 AM, Michael Bishop
>         <bishopmw@gmail.com> wrote:
>
>             OK, this is now issue 265 in the Santuario project.  I
>             attached a test case and the certificate I'm using for the
>             test.  Thanks for checking into it.
>
>             Michael
>
>
>             On Wed, Mar 9, 2011 at 4:47 AM, Colm O hEigeartaigh
>             <coheigea@apache.org> wrote:
>
>                 Can you create a test-case and attach it to JIRA and
>                 I'll take a look?
>
>                 Thanks,
>
>                 Colm.
>
>                 On Tue, Mar 8, 2011 at 8:57 PM, Michael Bishop
>                 <bishopmw@gmail.com> wrote:
>                 > Hello,
>                 >
>                 > I'm having a problem with creating an enveloped
>                 signature.  I was able to
>                 > create an enveloping signature just fine, but the
>                 enveloped signature hangs
>                 > on the XMLSignature.sign(privateKey) method for a
>                 long time, before throwing
>                 > an error.
>                 >
>                 > I was able to figure out what the error was; by
>                 default, the
>                 > XMLSignature.sign(privateKey) method was trying to
>                 access
>                 > http://www.w3.org/2000/09/xmldsig#rsa-sha1 and
>                 failing.  I can pull that up
>                 > in my browser, so I don't know why it's hanging
>                 there.  I didn't have this
>                 > issue with an enveloping signature.
>                 >
>                 > I wrote an extension of ResourceResolverSpi and mapped
>                 > http://www.w3.org/2000/09/xmldsig#rsa-sha1 to point
>                 to the schema included
>                 > in the XML Security JAR file.  That works fine, but
>                 I'm wondering what the
>                 > best solution is, and why enveloped signatures need
>                 to access this URL at
>                 > all?
>                 >
>                 > I can provide code as needed if it's necessary.
>                 >
>                 > Thanks,
>                 >
>                 > Michael Bishop
>                 >
>

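The guest-book scenario discussed in this thread (several entries, each carrying its own enveloped signature whose Reference points at the entry's ID), as an added worked example. This is not code from the thread or from the Santuario project; it uses Santuario's native org.apache.xml.security API as called in the messages above. The class name GuestbookSignatures, the signEntry/verifyEntry helpers, the sample document text and the per-guest key pairs are all constructed for the example. Two points from the discussion are made concrete: what gets signed is fixed by the Reference URI (the element with that ID and all its descendants), so the ds:Signature can be placed inside each entry as long as the enveloped-signature transform strips it from the digest input; and, because the document has no DTD or schema, the DOM must be told that "id" is an ID attribute or "#chuck" cannot be dereferenced. Note also that the algorithm URI goes to the XMLSignature constructor and only the Reference URI goes to addDocument(); nothing in sign() or verification here touches the network. The verifier deliberately binds its result to the DOM node the Reference actually dereferenced, not to the ID string, because in a document with many IDs and many signatures a valid signature over some element is not a valid signature over the element you are reading (the root of XML signature wrapping attacks).

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example: one enveloped signature per guest-book entry, signed and verified with Santuario. */
public class GuestbookSignatures {

    // Constructed sample document: the guest book from the thread, with some text in each entry.
    static final String GUESTBOOK =
          "<guestbook>"
        + "<entry id=\"chuck\">Chuck was here</entry>"
        + "<entry id=\"jane\">Jane was here</entry>"
        + "<entry id=\"giles\">Giles was here</entry>"
        + "</guestbook>";

    public static void main(String[] args) throws Exception {
        Init.init();  // registers algorithms, transforms and resolvers; required before any XMLSignature use
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // xmldsig processing needs a namespace-aware DOM
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(GUESTBOOK)));

        // Each guest signs with their own key pair (generated here for the demo; assumption).
        Map<Element, PublicKey> guestKeys = new LinkedHashMap<>();
        NodeList entries = doc.getElementsByTagName("entry");
        for (int i = 0; i < entries.getLength(); i++) {
            Element entry = (Element) entries.item(i);
            // No DTD/schema, so the parser does not know "id" is of type ID. Declare it (DOM Level 3),
            // otherwise URI="#chuck" cannot be dereferenced when signing or verifying.
            entry.setIdAttribute("id", true);
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            KeyPair kp = kpg.generateKeyPair();
            signEntry(doc, entry, kp);
            guestKeys.put(entry, kp.getPublic());
        }

        for (Map.Entry<Element, PublicKey> e : guestKeys.entrySet()) {
            System.out.println(e.getKey().getAttribute("id") + " verifies: " + verifyEntry(e.getKey(), e.getValue()));
        }

        // Tamper with Jane's text after signing: her signature must fail while the others stay valid.
        Element jane = doc.getElementById("jane");
        jane.getFirstChild().setNodeValue("Jane was NOT here");
        System.out.println("jane after tampering: " + verifyEntry(jane, guestKeys.get(jane)));
    }

    /** Enveloped signature: ds:Signature is placed inside the entry and its Reference points at the entry's ID. */
    static void signEntry(Document doc, Element entry, KeyPair kp) throws Exception {
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        Transforms transforms = new Transforms(doc);
        // The signature will live inside the element it signs, so it must be removed from the digest input.
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        // What is signed is decided here: the element carrying this ID and all of its descendants.
        sig.addDocument("#" + entry.getAttribute("id"), transforms, Constants.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(kp.getPublic());
        entry.appendChild(sig.getElement());  // "enveloped": the signature sits inside the signed content
        sig.sign(kp.getPrivate());
    }

    /** Verify the one signature inside an entry under the expected key and confirm it covers this entry. */
    static boolean verifyEntry(Element entry, PublicKey expectedKey) throws Exception {
        NodeList sigs = entry.getElementsByTagNameNS(Constants.SignatureSpecNS, Constants._TAG_SIGNATURE);
        if (sigs.getLength() != 1) return false;            // exactly one signature per entry in this scheme
        Element sigEl = (Element) sigs.item(0);
        if (sigEl.getParentNode() != entry) return false;   // it is this entry's signature, not a nested one
        XMLSignature sig = new XMLSignature(sigEl, "");
        if (!sig.checkSignatureValue(expectedKey)) return false;  // reference digests and SignatureValue
        if (sig.getSignedInfo().getLength() != 1) return false;   // a single Reference only
        Reference ref = sig.getSignedInfo().item(0);
        // Bind the result to the DOM node the Reference actually dereferenced, not to the ID string:
        // a duplicate id elsewhere, or a signed entry moved out from under the reader, mismatches here.
        Node signedNode = ref.getContentsBeforeTransformation().getSubNode();
        return signedNode == entry;
    }
}
```

Running it prints three "verifies: true" lines followed by "jane after tampering: false". If the signatures are instead kept as siblings of the entries (as in the guest-book sketch above), drop the enveloped-signature transform, since the ds:Signature is then not inside the subtree that its Reference selects; the ID-based Reference and the node-binding check stay exactly the same.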