Section 4.3 "The structure of SignedInfo includes the canonicalization algorithm, a signature algorithm, and one or more references."

And the schema:

Schema Definition:

   <element name="SignedInfo" type="ds:SignedInfoType"/>
   <complexType name="SignedInfoType">
     <sequence>
       <element ref="ds:CanonicalizationMethod"/>
       <element ref="ds:SignatureMethod"/>
       <element ref="ds:Reference" maxOccurs="unbounded"/>
     </sequence>
     <attribute name="Id" type="ID" use="optional"/>
   </complexType>

make me think that the Reference element is required. As a side note, I don't understand what signature we are talking about if there are no Reference elements.

Aleksey

On 9/16/13 11:59 AM, Tom Wood wrote:
> Aleksey,
> I last wrote to you in 2012 about XML Signature failure due to
> incompatibility between Windows .NET c14n code and libxml2 c14n.
> You were very helpful.
>
> I am hoping you can clear up another technical issue with XML signatures.
>
> The system I am working on is encountering an XML message that has a
> signature but does not include a <SignedInfo><Reference> block (and by
> extension, no <DigestValue>). It does have a <SignedInfo> block.
>
> The xmlsec application fails verification without a Reference element:
>
> func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=830:obj=unknown:subj=unknown:error=81:Reference nodes are not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=551:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 0/0
> Manifests References (ok/all): 0/0
> Error: failed to verify file "weird_sig.xml"
>
> I have been reading the w3c.org spec for XML Signature
> (http://www.w3.org/TR/xmldsig-core/) and it does not explicitly state
> that <Reference> is a required element:
>     Reference is an element that *may* occur one or more times.
>
> Other element references in the doc specifically state if the element is
> required (eg
>     SignatureMethod is a required element that..
>     CanonicalizationMethod is a required element that.. )
>
> But the same document also states in section 3.1 and 3.2
>     3.1 Core generation
>     The REQUIRED steps include the generation of Reference elements and
>     the SignatureValue over SignedInfo.
> and 3.2:
>     The REQUIRED steps of core validation
>     <http://www.w3.org/TR/xmldsig-core/#def-ValidationCore> include (1)
>     reference validation
>     <http://www.w3.org/TR/xmldsig-core/#def-ValidationReference>, the
>     verification of the digest contained in each Reference in SignedInfo,
>     and (2) the cryptographic signature validation
>     <http://www.w3.org/TR/xmldsig-core/#def-ValidationSignature> of the
>     signature calculated over SignedInfo.
> This appears contradictory to the notion that <Reference> is optional in
> a signature.
>
> Now why anyone would want to sign a document without including a
> Reference and DigestValue is certainly curious, but I am not yet in a
> position to criticize this choice if it is technically allowed.
>
> So is <Reference> optional or not?
> I am hoping the answer is simply that XML signatures MUST include a
> <reference> block.
>
> The main thing for me is that if it is optional but xmlsec refuses
> to process the signature without <Reference>, is there some parameter
> I must use to skip reference validation?
>
> Thanks,
> Tom Wood
> w...@xmission.com

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
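A structural check that applies the schema rule discussed in the thread (SignedInfo must carry a CanonicalizationMethod, a SignatureMethod and at least one Reference with DigestMethod and DigestValue), as an added example that is not code from the thread or from xmlsec. It uses only the Python standard library; the two sample documents are constructed here, with placeholder digest and signature values, and the check deliberately stops at structure and does not verify any digest or signature.

```python
# Added example (not from the xmlsec thread): a structural check that mirrors
# the schema rule quoted above -- SignedInfo needs CanonicalizationMethod,
# SignatureMethod and one or more Reference elements with DigestMethod/DigestValue.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # ds: namespace, in ElementTree form

def check_signed_info(xml_text):
    """Return a list of findings; empty means SignedInfo is structurally
    complete (this says nothing about whether the digests are correct)."""
    root = ET.fromstring(xml_text)
    signed_info = root.find(f".//{DS}SignedInfo")
    if signed_info is None:
        return ["SignedInfo not found"]
    findings = []
    for required in ("CanonicalizationMethod", "SignatureMethod"):
        if signed_info.find(DS + required) is None:
            findings.append(f"{required} not found")
    refs = signed_info.findall(DS + "Reference")
    if not refs:
        # The condition xmlsec reports as "Reference nodes are not found":
        # without a Reference, SignatureValue binds no document content at all.
        findings.append("Reference nodes are not found")
    for i, ref in enumerate(refs):
        if ref.find(DS + "DigestMethod") is None:
            findings.append(f"Reference[{i}]: DigestMethod not found")
        digest = ref.find(DS + "DigestValue")
        if digest is None or not (digest.text or "").strip():
            findings.append(f"Reference[{i}]: DigestValue missing or empty")
    return findings

# Constructed sample with one Reference (digest/signature values are placeholders).
GOOD = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
 <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
 <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
 <Reference URI=""><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  <DigestValue>PLACEHOLDER=</DigestValue></Reference>
</SignedInfo><SignatureValue>PLACEHOLDER=</SignatureValue></Signature>"""

# Constructed sample shaped like the "weird_sig.xml" case: SignedInfo, no Reference.
WEIRD = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
 <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
 <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
</SignedInfo><SignatureValue>PLACEHOLDER=</SignatureValue></Signature>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("weird", WEIRD)):
        print(label, check_signed_info(doc) or "OK")
```

Run before handing a document to a verifier and the second sample is rejected for the same reason xmlsec gives, which makes the "0/0" reference count in the quoted error output easy to interpret.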