> Having these external documents available during verification is not a requirement - this
> is an enveloped signature, so the surrounding document is available, of course.


Unfortunately this is not possible. XMLDSig processing clearly states that the verifier MUST check
the digests in all <dsig:Reference/> elements and verify the signature over the <dsig:SignedInfo/> element.
Thus I am not sure that I understand how it is possible to verify an XML signature if an external
document referenced from a <dsig:Reference/> URI attribute is not available.


But you might want to use <dsig:Manifest/> elements instead of <dsig:Reference/>. It seems that
this works better in your case, because an invalid digest in a <dsig:Manifest/> element does not affect
the validity of the signature. The general scheme is:


0) Digests in the <dsig:Manifest/> elements are calculated over something (your external documents,
for example).
1) A special <dsig:Reference/> points to all the <dsig:Manifest/> elements, thus its digest
is calculated over the digests in the <dsig:Manifest/> elements.
2) The signature is calculated for <dsig:SignedInfo/> over the <dsig:Reference/> digests.

In this scheme, the signature verifies the digests in the <dsig:Manifest/> elements (compare this with
the <dsig:Reference/> case, where the signature verifies the data pointed to by the URIs and transforms).
You can have an invalid digest in one of the <dsig:Manifest/> elements (or you would not be able to verify it)
but you can still verify the other <dsig:Manifest/> elements.


Needless to say, xmlsec does support <dsig:Manifest/>. There is a parameter "processManifests"
in xmlSecDSigCtx (0.0.X branch) that controls whether xmlsec will try to calculate or verify
the digests in <dsig:Manifest/> elements automatically. However, in your case you probably don't
want this behaviour, thus you just need to create the signature template for steps 1) and 2) above
and make sure that the digests in the <dsig:Manifest/> elements are calculated and stored in the XML tree
*before* calculating the signature. Everything else would be the same as processing any other
signature.


The downside of this approach is that support for <dsig:Manifest/> elements is not a MUST in the XMLDSig
specification. Thus not everyone has implemented it. I doubt that you'll have any problem with that,
because you would not actually use <dsig:Manifest/> elements in any "special" way. But if you use
anything besides xmlsec I would strongly recommend checking the interoperability of this solution.


If you cannot use <dsig:Manifest/> elements then you are on your own. Nothing is impossible,
but you would have to hack the xmlsec code by yourself. Check the src/xmldsig.c file, which does the digest
and signature calculations. Probably you want to add something like this:
- signatures:
  Calculate digests if and only if the current <dsig:DigestValue/> is an empty string
  (this would allow you to set it by yourself).
- verification:
  Do not fail if you cannot load the document pointed to by the URI attribute of the <dsig:Reference/>
  element.
Please note that this solution does not follow the actual XMLDSig spec. You are on your own here and
probably you should think about security issues. Also the chances that you'll have interop problems
with this approach are much bigger.



Aleksey




_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
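The Manifest scheme in steps 0) to 2) above, together with the note that the Manifest digests must be in the tree before the signature is computed, as an added example that is not part of the original post or of xmlsec. It is a Python 3.8+ model using only the standard library: HMAC-SHA256 stands in for the SignatureMethod (an RSA key pair would be used in practice), `ET.canonicalize` (C14N 2.0) stands in for the C14N algorithm a real signature would name, and the URIs, the `Id`, the key and the "external documents" are all constructed so the script runs offline.

```python
"""Model of the dsig:Manifest scheme in steps 0)-2) above (added example, not xmlsec code).
Assumptions: Python 3.8+ stdlib only; HMAC-SHA256 stands in for the SignatureMethod and
ET.canonicalize (C14N 2.0) for the C14N algorithm a real signature would name; the URIs,
Id, key and "external documents" below are constructed so the script runs offline."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
EXTERNAL_DOCS = {  # constructed stand-ins for documents a real verifier would fetch
    "http://example.invalid/a.xml": b"<a>alpha</a>",
    "http://example.invalid/b.xml": b"<b>beta</b>",
}
KEY = b"demo-shared-key"  # assumed HMAC key in place of an RSA key pair


def b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def c14n(elem: ET.Element) -> bytes:
    """Canonical octets of a subtree; signer and verifier must use the same algorithm."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def _add_reference(parent, uri, digest_value, **attrs):
    ref = ET.SubElement(parent, f"{{{DS}}}Reference", URI=uri, **attrs)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256_URI)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_value


def build_signature(docs, key):
    """Step 0: Manifest digests over the external docs, stored in the tree *before* signing.
    Step 1: one SignedInfo Reference whose digest covers the Manifest element.
    Step 2: signature over SignedInfo. SignedInfo never covers the external content itself."""
    manifest = ET.Element(f"{{{DS}}}Manifest", Id="external-docs")
    for uri, content in docs.items():
        _add_reference(manifest, uri, b64_sha256(content))
    sig = ET.Element(f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256_URI)
    _add_reference(si, "#external-docs", b64_sha256(c14n(manifest)), Type=f"{DS}Manifest")
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    ET.SubElement(sig, f"{{{DS}}}Object").append(manifest)
    return sig


def verify_core(sig, key) -> bool:
    """XMLDSig core validation: every SignedInfo Reference digest MUST match and the
    SignatureValue MUST verify; a missing or altered Reference target fails the signature.
    Only same-document '#Id' URIs are resolved here, so nothing external is needed."""
    si = sig.find(f"{{{DS}}}SignedInfo")
    for ref in si.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = next((e for e in sig.iter() if uri.startswith("#") and e.get("Id") == uri[1:]), None)
        if target is None:
            return False
        if not hmac.compare_digest(ref.findtext(f"{{{DS}}}DigestValue") or "", b64_sha256(c14n(target))):
            return False
    expected = base64.b64encode(hmac.new(key, c14n(si), hashlib.sha256).digest()).decode()
    return hmac.compare_digest(sig.findtext(f"{{{DS}}}SignatureValue") or "", expected)


def check_manifest(sig, available_docs) -> dict:
    """Separate per-entry Manifest check (what xmlsec's processManifests would automate):
    True = matches, False = content changed, None = document unavailable. No result here
    changes what verify_core() returns."""
    results = {}
    for manifest in sig.iter(f"{{{DS}}}Manifest"):
        for ref in manifest.findall(f"{{{DS}}}Reference"):
            uri, stored = ref.get("URI"), ref.findtext(f"{{{DS}}}DigestValue") or ""
            content = available_docs.get(uri)
            results[uri] = None if content is None else hmac.compare_digest(stored, b64_sha256(content))
    return results


def forge_manifest_entry(sig, uri, new_content):
    """Rewrite one stored Manifest digest, as someone editing the signed document would;
    this is exactly what the SignedInfo Reference over the Manifest catches."""
    for ref in sig.iter(f"{{{DS}}}Reference"):
        if ref.get("URI") == uri:
            ref.find(f"{{{DS}}}DigestValue").text = b64_sha256(new_content)


if __name__ == "__main__":
    sig = build_signature(EXTERNAL_DOCS, KEY)
    only_a = {"http://example.invalid/a.xml": EXTERNAL_DOCS["http://example.invalid/a.xml"]}
    print(verify_core(sig, KEY), check_manifest(sig, only_a))   # True {a: True, b: None}
    forge_manifest_entry(sig, "http://example.invalid/a.xml", b"<a>forged</a>")
    print(verify_core(sig, KEY))                                # False
```

Running it shows the two properties the reply relies on: `verify_core` succeeds even when an external document is missing or has changed, because SignedInfo only covers the Manifest element, while editing a single DigestValue inside the Manifest makes `verify_core` fail. The Manifest entries are checked in a separate pass so the verifier can report which documents matched, which changed and which were simply unavailable.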