santuario-dev mailing list archives

From Eric Johnson <e...@tibco.com>
Subject Re: Resolver Issues with Enveloped Signature?
Date Wed, 16 Mar 2011 04:05:12 GMT
Hi Michael,

Sorry, my off-the-cuff knowledge of the test cases doesn't extend that 
far. I'd have to go hunting just like you.

-Eric.

On 3/15/11 5:57 PM, Michael Bishop wrote:
> I've gotten most of my guidance thus far from the samples in the 
> Santuario source.  Is there a specific one that I've missed that 
> exemplifies multiple signatures for multiple content using "enveloped" 
> signatures?
>
> On Tue, Mar 15, 2011 at 1:37 AM, Eric Johnson <eric@tibco.com> wrote:
>
>     If I understand your question correctly, just look at some of the
>     test cases in the code itself, and I suspect you'll find examples
>     of what you want to do pretty quickly - as well as the code to
>     work with the items in question. Look in the "data" folder for a
>     document that closely matches what you want.
>
>     -Eric.
>
>
>     On 3/14/11 5:45 PM, Michael Bishop wrote:
>>
>>         What an enveloped signature signs has to do with what its
>>         reference(s) point to rather than where it is located.
>>
>>
>>     OK, I think I'm getting the idea here.  So, if we take the
>>     example of a "guest book", where each person who signs the guest
>>     book only signs his/her entry, we must use references.
>>
>>     <guestbook>
>>     <!-- Chuck's entry in the guest book. -->
>>     <entry id="chuck"/>
>>
>>     <!-- Jane's entry in the guest book. -->
>>     <entry id="jane"/>
>>
>>     <!-- Giles' entry in the guest book. -->
>>     <entry id="giles"/>
>>
>>     <!-- Chuck's signature that signs his entry. -->
>>     <ds:Signature>
>>     <ds:Reference URI="#chuck"/>
>>     </ds:Signature>
>>
>>     <!-- Jane's signature that signs her entry. -->
>>     <ds:Signature>
>>     <ds:Reference URI="#jane"/>
>>     </ds:Signature>
>>
>>     <!-- Giles' signature that signs his entry. -->
>>     <ds:Signature>
>>     <ds:Reference URI="#giles"/>
>>     </ds:Signature>
>>     </guestbook>
>>
>>     In the above example, those signatures could live anywhere (I
>>     guess in a true "enveloped" environment, they would live inside
>>     the <entry> elements), as long as they point to the proper URIs. 
>>     Are those the proper URIs?  How do you tag content with reference
>>     points?  Do I have to use a <ds:Object> element to do that as in
>>     enveloping signatures?
>>
>>     Basically, how do I properly sign multiple content with multiple
>>     signatures in the same document?  Are there any good references I
>>     can read through?
>>
>>     Thanks,
>>
>>     Michael
>>     On Sat, Mar 12, 2011 at 1:21 AM, Malcolm Young
>>     <malcolm.young@gmail.com> wrote:
>>
>>         What an enveloped signature signs has to do with what its
>>         reference(s) point to rather than where it is located. The
>>         enveloped part simply indicates it is "somewhere" within the
>>         signed content and will need to be removed prior to processing.
>>         And yes -  same document references are usually represented
>>         with an empty uri which means the entire content is signed or
>>         an X-Pointer reference to an ID (like Uri="#_someID") which
>>         means the element with the ID value AND ALL of its
>>         descendants will be signed. Again, this has nothing to do
>>         with WHERE in the document the signature element is.
>>         Cheers,
>>         mal
>>         On Sat, Mar 12, 2011 at 2:37 PM, Michael Bishop
>>         <bishopmw@gmail.com> wrote:
>>
>>                 An enveloped signature is over the data that contains
>>                 the Signature element.
>>
>>
>>             Can you elaborate on this?  Here's an example.
>>
>>             <root>
>>             <content/>
>>             <ds:Signature/>
>>             </root>
>>
>>             What is signed here? <root>?  Or both <root> and <content>?
>>
>>             <root>
>>             <content>
>>             <ds:Signature/>
>>             </content>
>>             </root>
>>
>>             I would assume that in this case, only <content> is signed.
>>
>>             I understand that typically, an enveloped signature signs
>>             the content represented by its parent.  But does it sign
>>             the parent AND all the parent's children?
>>
>>             <root>
>>             <content>
>>             <subContent/>
>>             </content>
>>             <moreContent>
>>             <subContent/>
>>             </moreContent>
>>             <ds:Signature/>
>>             </root>
>>
>>             I would assume this signature signs the entire document. 
>>             If not, how would I do that?
>>
>>             Thanks,
>>
>>             Michael
>>
>>             On Wed, Mar 9, 2011 at 10:00 AM, Michael Bishop
>>             <bishopmw@gmail.com> wrote:
>>
>>                 OK, this is now issue 265 in the Santuario project. 
>>                 I attached a test case and the certificate I'm using
>>                 for the test.  Thanks for checking into it.
>>
>>                 Michael
>>
>>
>>                 On Wed, Mar 9, 2011 at 4:47 AM, Colm O hEigeartaigh
>>                 <coheigea@apache.org> wrote:
>>
>>                     Can you create a test-case and attach it to JIRA
>>                     and I'll take a look?
>>
>>                     Thanks,
>>
>>                     Colm.
>>
>>                     On Tue, Mar 8, 2011 at 8:57 PM, Michael Bishop
>>                     <bishopmw@gmail.com> wrote:
>>                     > Hello,
>>                     >
>>                     > I'm having a problem with creating an enveloped signature.  I was able to
>>                     > create an enveloping signature just fine, but the enveloped signature hangs
>>                     > on the XMLSignature.sign(privateKey) method for a long time, before throwing
>>                     > an error.
>>                     >
>>                     > I was able to figure out what the error was; by default, the
>>                     > XMLSignature.sign(privateKey) method was trying to access
>>                     > http://www.w3.org/2000/09/xmldsig#rsa-sha1 and failing.  I can pull that up
>>                     > in my browser, so I don't know why it's hanging there.  I didn't have this
>>                     > issue with an enveloping signature.
>>                     >
>>                     > I wrote an extension of ResourceResolverSpi and mapped
>>                     > http://www.w3.org/2000/09/xmldsig#rsa-sha1 to point to the schema included
>>                     > in the XML Security JAR file.  That works fine, but I'm wondering what the
>>                     > best solution is, and why enveloped signatures need to access this URL at
>>                     > all?
>>                     >
>>                     > I can provide code as needed if it's necessary.
>>                     >
>>                     > Thanks,
>>                     >
>>                     > Michael Bishop
>>                     >
>>
>>
>>
>>
>>
>
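
The guest-book case discussed in this thread, as an added example that is not part of the original messages or of the Santuario samples: each entry carries its own enveloped signature whose Reference URI points at that entry's ID, so editing one entry breaks only that entry's signature. It assumes the JDK's built-in `javax.xml.crypto.dsig` API (Java 11 or later) instead of Santuario's own classes; the class name, the sample document and the throwaway RSA keys are constructed for illustration.

```java
import java.io.StringReader;
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class GuestBookSigning {   // hypothetical class name
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    // Sign one <entry>. The Reference URI alone decides what is covered; the enveloped
    // transform is needed only because the Signature is placed inside the entry it signs.
    static void signEntry(Element entry, PrivateKey key) throws Exception {
        Reference ref = FAC.newReference("#" + entry.getAttribute("id"),
            FAC.newDigestMethod(DigestMethod.SHA256, null),
            List.of(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            List.of(ref));
        DOMSignContext ctx = new DOMSignContext(key, entry);  // Signature is appended to entry
        ctx.setIdAttributeNS(entry, null, "id");  // a plain "id" is not an XML ID until registered
        FAC.newXMLSignature(si, null).sign(ctx);
    }

    // Validate the signature found inside one <entry> against the given public key.
    static boolean verifyEntry(Element entry, PublicKey key) throws Exception {
        Node sig = entry.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        ctx.setIdAttributeNS(entry, null, "id");
        return FAC.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document, modelled on the guest book in the thread.
        String xml = "<guestbook><entry id='chuck'>Hi</entry><entry id='jane'>Hello</entry></guestbook>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair chuckKey = kpg.generateKeyPair(), janeKey = kpg.generateKeyPair();  // throwaway keys
        Element chuck = (Element) doc.getElementsByTagName("entry").item(0);
        Element jane = (Element) doc.getElementsByTagName("entry").item(1);
        signEntry(chuck, chuckKey.getPrivate());
        signEntry(jane, janeKey.getPrivate());
        jane.getFirstChild().setTextContent("edited after signing");  // tamper with Jane's entry only
        System.out.println("chuck: " + verifyEntry(chuck, chuckKey.getPublic()));
        System.out.println("jane:  " + verifyEntry(jane, janeKey.getPublic()));
    }
}
```

On the verifying side, the element registered with `setIdAttributeNS` is the one the URI resolves to, so the application should read its data from that same element and not look the entry up again by another route.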
