santuario-dev mailing list archives

From "Renato Tegon Forti" <re...@acm.org>
Subject RES: Trying understanding (Xml NS question)
Date Tue, 02 Oct 2012 11:27:40 GMT
The way is I remove NS before check! Do you think that this will always
work?

tks

 

From: Cantor, Scott [mailto:cantor.2@osu.edu]
Sent: Tuesday, October 2, 2012 00:28
To: <dev@santuario.apache.org>
Cc: dev@santuario.apache.org
Subject: Re: Trying understanding (Xml NS question)

 

On Oct 1, 2012, at 10:58 AM, "Renato Tegon Forti" <re.tf@acm.org> wrote:

 

In this case the signature checks fail!

 

If I remove the NS:

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"

 

Like this:

 

The signature is validated OK!

 

Why? 

 

Probably because you signed the reference and left it with the inclusive
c14n algorithm, in which namespaces are certainly going to affect the
signature. The signer did not include them, and now they're present so the
digest changes.

 

I'm trying to understand! What must I do to work with NS
(xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#")?

 

You can't, not unless the signer changes the signed document and/or uses
exclusive c14n as a transform. 

 

-- Scott
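
The effect Scott describes, as an added example that is not part of the thread and is not Santuario code: a simplified stand-in for how inclusive and exclusive c14n treat namespace declarations, run over a constructed document. The element names, the `Id` value and all helper functions are assumptions; comments, processing instructions and inherited `xml:` attributes are not handled.

```python
import hashlib
from xml.dom import minidom

# Constructed sample: one document before and after the two declarations were added.
SIGNED = '<doc><item Id="a1"><v>1</v></item></doc>'
RECEIVED = ('<doc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<item Id="a1"><v>1</v></item></doc>')

def esc(s, attr=False):  # C14N escaping for text nodes and attribute values
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if attr:
        return s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return s.replace(">", "&gt;")

def is_nsdecl(name):
    return name == "xmlns" or name.startswith("xmlns:")

def in_scope(el):
    """Namespace declarations visible at el, including those inherited from ancestors."""
    parent = el.parentNode
    inherit = parent is not None and parent.nodeType == parent.ELEMENT_NODE
    scope = in_scope(parent) if inherit else {}
    scope.update({n[6:]: v for n, v in el.attributes.items() if is_nsdecl(n)})
    return scope

def c14n(el, exclusive, rendered=None):
    """Simplified canonical subtree (elements, attributes, text; attributes sorted by qname)."""
    rendered, scope = dict(rendered or {}), in_scope(el)
    attrs = sorted((n, v) for n, v in el.attributes.items() if not is_nsdecl(n))
    if exclusive:  # keep only prefixes visibly used by this element or its attributes
        names = [el.tagName] + [n for n, _ in attrs if ":" in n]
        scope = {p: u for p, u in scope.items() if p in {n.rpartition(":")[0] for n in names}}
    out = "<" + el.tagName
    for p, u in sorted(scope.items()):
        if rendered.get(p, "") != u:  # not already declared by an output ancestor
            out += ' xmlns%s="%s"' % (":" + p if p else "", esc(u, True))
            rendered[p] = u
    out += "".join(' %s="%s"' % (n, esc(v, True)) for n, v in attrs) + ">"
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += c14n(child, exclusive, rendered)
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out += esc(child.data)
    return out + "</" + el.tagName + ">"

def digest(xml, tag, exclusive):
    el = minidom.parseString(xml).getElementsByTagName(tag)[0]
    return hashlib.sha256(c14n(el, exclusive).encode("utf-8")).hexdigest()
```

`digest(SIGNED, "item", False)` and `digest(RECEIVED, "item", False)` differ because the inclusive form of `item` inherits both declarations from `doc`; with `exclusive=True` the two digests match.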

