Thanks for your answer, it's exactly what I was trying to do, but I got
a problem because when the system computes the signature where I added
my own URI scheme, the URI is computed in the signature (as expected).
But when I save it to the disk, I don't want the URI to be there because
the detached signature could be used by another security system that
didn't know my "specific" scheme.
Then, when I load the detached signature without my "specific" URI, the
validation fails due to the signature value that is not the same (of
course once it was computed with the URI, and once without it).
Therefore, I've had to change the security library a little bit to tell
the difference between an empty URI and a URI that is not present. And
in that last case, I use the IO callback functions to parse my "in
memory" document.
If you could add a way to perform such operation in a future release, it
would be great.
Regards,
Frank
P.S.: I've added a patch with the modifications if you are interested.
Aleksey Sanin wrote:
You probably want to overwrite the IO callbacks
http://www.aleksey.com/xmlsec/api/xmlsec-io.html
However, I don't know if this would work for
a document *without* URI. You probably want to
identify it somehow and assign *some* uri
(e.g. foo://<document id> or something like this).
Then IO callbacks could catch scheme "foo" and
load the document you need.
Aleksey
Frank Gross wrote:
Hi,
I have a problem when I try to validate a detached signature
against my document. The 'xmlSecDSigCtxVerify' function takes two
parameters, the DSig context, and the node pointing to the signature
<dsig:Signature/> <http://www.w3.org/TR/xmldsig-core/#sec-Signature>
node. But as my detached signature has no URI, how can I specify to
the context the document that it has to validate? (The XML-Signature
specification says that in such a case, the application is supposed to
know what was signed.) Indeed, I am trying to build an API that signs any
document built in memory and then saves it with the detached signature
to the disk (as a separate XML document of course), and another one to
load both XML documents to validate the signature.
I was able to sign and verify an enveloped signature, because in
that case the signature is inside the document itself, but with
detached signatures, what is the procedure?
Can someone help, or point me to the documentation explaining how to do it.
Thanks a lot,
Frank
_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
diff --exclude-from=./exclude -rc xmlsec1-1.2.11/src/io.c 1.2.11/src/src/io.c
*** xmlsec1-1.2.11/src/io.c Thu Mar 6 18:55:37 2008
--- 1.2.11/src/src/io.c Thu Mar 6 19:14:35 2008
***************
*** 123,129 ****
xmlSecSize i, size;
xmlSecAssert2(xmlSecPtrListCheckId(list, xmlSecIOCallbackPtrListId), NULL);
! xmlSecAssert2(uri != NULL, NULL);
size = xmlSecPtrListGetSize(list);
for(i = 0; i < size; ++i) {
--- 123,129 ----
xmlSecSize i, size;
xmlSecAssert2(xmlSecPtrListCheckId(list, xmlSecIOCallbackPtrListId), NULL);
! /* xmlSecAssert2(uri != NULL, NULL); */
size = xmlSecPtrListGetSize(list);
for(i = 0; i < size; ++i) {
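Review bot: Commenting out `xmlSecAssert2(uri != NULL, NULL);` removes the only NULL guard before the `for(i = 0; i < size; ++i)` loop that consults the registered callbacks with `uri`, and nothing in the hunk handles the NULL case in its place, so every match function reachable from that loop must now tolerate a NULL pointer. If a missing URI is meant to be a legitimate input here, return NULL explicitly (`if(uri == NULL) { return(NULL); }`) with a comment saying why, and delete the assertion instead of leaving it as commented-out code.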
***************
*** 383,389 ****
xmlSecInputURICtxPtr ctx;
xmlSecAssert2(xmlSecTransformCheckId(transform, xmlSecTransformInputURIId), -1);
! xmlSecAssert2(uri != NULL, -1);
ctx = xmlSecTransformInputUriGetCtx(transform);
xmlSecAssert2(ctx != NULL, -1);
--- 383,389 ----
xmlSecInputURICtxPtr ctx;
xmlSecAssert2(xmlSecTransformCheckId(transform, xmlSecTransformInputURIId), -1);
! /* xmlSecAssert2(uri != NULL, -1); */
ctx = xmlSecTransformInputUriGetCtx(transform);
xmlSecAssert2(ctx != NULL, -1);
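Review bot: Same pattern as in the first hunk: `xmlSecAssert2(uri != NULL, -1);` is commented out, but no NULL branch replaces it before `ctx` is fetched and the open proceeds with `uri`. If the transform is expected to accept a NULL URI, add an explicit `if(uri == NULL)` path that states what it does in that case, and remove the dead commented line.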
diff --exclude-from=./exclude -rc xmlsec1-1.2.11/src/transforms.c 1.2.11/src/src/transforms.c
*** xmlsec1-1.2.11/src/transforms.c Thu Mar 6 18:55:37 2008
--- 1.2.11/src/src/transforms.c Thu Mar 6 19:15:05 2008
***************
*** 287,293 ****
xmlSecTransformUriTypeCheck(xmlSecTransformUriType type, const xmlChar* uri) {
xmlSecTransformUriType uriType = 0;
! if((uri == NULL) || (xmlStrlen(uri) == 0)) {
uriType = xmlSecTransformUriTypeEmpty;
} else if(uri[0] == '#') {
uriType = xmlSecTransformUriTypeSameDocument;
--- 287,295 ----
xmlSecTransformUriTypeCheck(xmlSecTransformUriType type, const xmlChar* uri) {
xmlSecTransformUriType uriType = 0;
! if (uri == NULL) {
! uriType = xmlSecTransformUriTypeNone;
! } else if (xmlStrlen(uri) == 0) {
uriType = xmlSecTransformUriTypeEmpty;
} else if(uri[0] == '#') {
uriType = xmlSecTransformUriTypeSameDocument;
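Review bot: `xmlSecTransformUriTypeNone` is a new enumerator, but the patch carries no change to the header where `xmlSecTransformUriType` and the existing `xmlSecTransformUriType*` values are declared, so as posted it will not compile; the header change belongs in the diff, including the bit value chosen, since this function combines the value with `type` using `&`. Also, `if (uri == NULL)` and `} else if (xmlStrlen(uri) == 0)` use a different spacing style from the surrounding `if((uri == NULL) ...` and `} else if(uri[0] == '#')`.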
***************
*** 296,302 ****
} else {
uriType = xmlSecTransformUriTypeRemote;
}
! return(((uriType & type) != 0) ? 1 : 0);
}
/**************************************************************************
--- 298,305 ----
} else {
uriType = xmlSecTransformUriTypeRemote;
}
! /* return(((uriType & type) != 0) ? 1 : 0); */
! return 1;
}
/**************************************************************************
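Review bot: `return 1;` makes `xmlSecTransformUriTypeCheck` succeed for every URI regardless of `type`, which disables the check this function exists for: `return(((uriType & type) != 0) ? 1 : 0);` is what lets a caller restrict which of the URI classes computed above (empty, same-document, remote) a reference may use. With this change a signature whose Reference points at a remote URI passes a check that was configured to reject remote references, so this is a security regression, not a fix for the NULL case. Keep the original return and instead give `xmlSecTransformUriTypeNone` its own bit, so that callers who want to accept a missing URI include it in `type` and everyone else keeps rejecting it.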
***************
*** 653,659 ****
*/
xmlSecTransformPtr
xmlSecTransformCtxNodeRead(xmlSecTransformCtxPtr ctx, xmlNodePtr node,
! xmlSecTransformUsage usage) {
xmlSecTransformPtr transform;
int ret;
--- 656,662 ----
*/
xmlSecTransformPtr
xmlSecTransformCtxNodeRead(xmlSecTransformCtxPtr ctx, xmlNodePtr node,
! xmlSecTransformUsage usage) {
xmlSecTransformPtr transform;
int ret;
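Review bot: Whitespace-only change: the old and new `xmlSecTransformUsage usage) {` lines differ only in indentation, so this hunk should be dropped from the patch to keep the review focused on the functional changes.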
***************
*** 811,817 ****
/* is it an empty uri? */
if((uri == NULL) || (xmlStrlen(uri) == 0)) {
! return(0);
}
/* do we have barename or full xpointer? */
--- 814,821 ----
/* is it an empty uri? */
if((uri == NULL) || (xmlStrlen(uri) == 0)) {
! ctx->uri = xmlStrdup(uri); /* to distinguish between no URI or empty URI */
! return(0);
}
/* do we have barename or full xpointer? */
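Review bot: `ctx->uri = xmlStrdup(uri);` assigns without checking whether `ctx->uri` already holds a string, so any existing value leaks; and whoever frees `ctx->uri` later must cope with the two results this can produce, since `xmlStrdup(NULL)` returns NULL while `xmlStrdup("")` returns a freshly allocated empty string. Encoding "no URI" as a NULL pointer only works if every other place that sets `ctx->uri` follows the same convention; an explicit flag on the context would make the intent clearer than overloading the pointer. The comment also reads better as "to distinguish between no URI and an empty URI".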
***************
*** 1114,1120 ****
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->status == xmlSecTransformStatusNone, -1);
! xmlSecAssert2(uri != NULL, -1);
/* we should not execute transform for a different uri */
xmlSecAssert2((ctx->uri == NULL) || (uri == ctx->uri) || xmlStrEqual(uri, ctx->uri), -1);
--- 1118,1124 ----
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->status == xmlSecTransformStatusNone, -1);
! /* xmlSecAssert2(uri != NULL, -1); */
/* we should not execute transform for a different uri */
xmlSecAssert2((ctx->uri == NULL) || (uri == ctx->uri) || xmlStrEqual(uri, ctx->uri), -1);
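Review bot: With `xmlSecAssert2(uri != NULL, -1);` commented out, a NULL `uri` now reaches `xmlSecAssert2((ctx->uri == NULL) || (uri == ctx->uri) || xmlStrEqual(uri, ctx->uri), -1);`. That happens to behave sensibly (a NULL `uri` is accepted only when `ctx->uri` is also NULL, because `xmlStrEqual` returns 0 when exactly one argument is NULL), but it is accidental rather than designed; state the intended rule in a comment or an explicit `if(uri == NULL)` branch and remove the commented-out line.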
***************
*** 1235,1241 ****
xmlSecAssert2(ctx->status == xmlSecTransformStatusNone, -1);
xmlSecAssert2(doc != NULL, -1);
! if((ctx->uri == NULL) || (xmlStrlen(ctx->uri) == 0)) {
xmlSecNodeSetPtr nodes;
if((ctx->xptrExpr != NULL) && (xmlStrlen(ctx->xptrExpr) > 0)){
--- 1239,1245 ----
xmlSecAssert2(ctx->status == xmlSecTransformStatusNone, -1);
xmlSecAssert2(doc != NULL, -1);
! if((ctx->uri != NULL) && (xmlStrlen(ctx->uri) == 0)) {
xmlSecNodeSetPtr nodes;
if((ctx->xptrExpr != NULL) && (xmlStrlen(ctx->xptrExpr) > 0)){
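Review bot: Inverting the condition from `(ctx->uri == NULL) || (xmlStrlen(ctx->uri) == 0)` to `(ctx->uri != NULL) && (xmlStrlen(ctx->uri) == 0)` moves every Reference without a URI attribute out of the same-document branch, so existing signatures that omitted `URI` and previously verified against `doc` will now take the other path and only succeed if the application supplies the data through callbacks. That is a behaviour change for all callers, not just those using a custom scheme; gate it behind an explicit context option that defaults to the old behaviour, and add a test that verifies a URI-less detached Reference both with and without the option.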
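The scheme-based lookup Aleksey describes, combined with the "no URI" versus "empty URI" distinction Frank's patch aims at, as an added example that is not code from this thread or from xmlsec. It keeps match/open/read/close callbacks in the same shape that `xmlSecIORegisterCallbacks` accepts, but every name here (`mem_match`, `mem_open`, `resolve_reference`, the `g_docs` store, the `foo://` document ids) and both sample documents are constructed for illustration. The resolver deliberately rejects anything outside the private in-memory scheme rather than falling back to file or network loaders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory document store (hypothetical): the application keeps
 * the documents it built in memory and names each one by an id. */
typedef struct { const char *id; const char *xml; } mem_doc_t;

static const mem_doc_t g_docs[] = {
    { "invoice-1", "<invoice><total>42</total></invoice>" },
    { "order-7",   "<order><item>widget</item></order>" },
};

/* The private scheme Aleksey suggests: "foo://<document id>". */
static const char SCHEME[] = "foo://";

/* Read position handed back by the open callback. */
typedef struct { const char *data; size_t len, pos; } mem_reader_t;

/* match: claim only URIs that start with "foo://"; a NULL URI never matches */
static int mem_match(const char *uri) {
    return uri != NULL && strncmp(uri, SCHEME, sizeof(SCHEME) - 1) == 0;
}

/* open: map the id after "foo://" to an in-memory document, or refuse */
static void *mem_open(const char *uri) {
    const char *id = uri + sizeof(SCHEME) - 1;
    for (size_t i = 0; i < sizeof(g_docs) / sizeof(g_docs[0]); i++) {
        if (strcmp(g_docs[i].id, id) == 0) {
            mem_reader_t *r = calloc(1, sizeof(*r));
            if (r == NULL) return NULL;
            r->data = g_docs[i].xml;
            r->len  = strlen(r->data);
            return r;
        }
    }
    return NULL; /* unknown id: no fallback to file:// or http:// loaders */
}

/* read: copy up to len bytes into buf, return bytes copied (0 at end) */
static int mem_read(void *ctx, char *buf, int len) {
    mem_reader_t *r = ctx;
    if (r == NULL || buf == NULL || len <= 0) return -1;
    size_t avail = r->len - r->pos;
    size_t n = avail < (size_t)len ? avail : (size_t)len;
    memcpy(buf, r->data + r->pos, n);
    r->pos += n;
    return (int)n;
}

/* close: release the reader */
static int mem_close(void *ctx) {
    free(ctx);
    return 0;
}

/* The distinction Frank's patch introduces: a Reference with no URI attribute
 * (NULL) is not the same thing as URI="" (the whole enclosing document). */
typedef enum {
    REF_NONE,          /* no URI: the application must know what was signed */
    REF_SAME_DOCUMENT, /* URI="": the enclosing document itself */
    REF_IN_MEMORY,     /* foo://<id> served through the callbacks */
    REF_REJECTED       /* unknown id or any scheme we do not allow */
} ref_kind_t;

/* Classify a Reference URI and, for foo://, copy the document into out. */
static ref_kind_t resolve_reference(const char *uri, char *out, size_t outlen) {
    if (outlen == 0) return REF_REJECTED;
    out[0] = '\0';
    if (uri == NULL) return REF_NONE;
    if (uri[0] == '\0') return REF_SAME_DOCUMENT;
    if (!mem_match(uri)) return REF_REJECTED;
    void *h = mem_open(uri);
    if (h == NULL) return REF_REJECTED;
    size_t total = 0;
    int n;
    while (outlen - total > 1 &&
           (n = mem_read(h, out + total, (int)(outlen - total - 1))) > 0) {
        total += (size_t)n;
    }
    out[total] = '\0';
    mem_close(h);
    return REF_IN_MEMORY;
}

/* Helpers so a caller can check a URI without managing a buffer. */
static ref_kind_t reference_kind(const char *uri) {
    char buf[256];
    return resolve_reference(uri, buf, sizeof buf);
}

static int resolved_equals(const char *uri, const char *expected) {
    char buf[256];
    if (resolve_reference(uri, buf, sizeof buf) != REF_IN_MEMORY) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void) {
    const char *uris[] = { NULL, "", "foo://invoice-1", "foo://missing", "http://example.invalid/x" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("uri=%-24s kind=%d\n", uris[i] ? uris[i] : "(none)", reference_kind(uris[i]));
    printf("invoice-1 bytes match: %d\n", resolved_equals("foo://invoice-1", g_docs[0].xml));
    return 0;
}
```

The point of the `REF_NONE` case is that the verifier must not guess: when the Reference has no URI attribute, the application hands in the document it knows was signed, and the loader never opens anything on its own. Rejecting `file://` and `http://` in `resolve_reference` is what keeps a detached signature from being used to make the verifier fetch arbitrary local or remote content.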