
Re: Verification Response Proposal: Toolkits ought to return bytes of verified data to the application

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Wed, 09 Jan 2002 09:33:31 +0100
To: edsimon@xmlsec.com, w3c-ietf-xmldsig@w3.org
Cc: manoj@infomosaic.com
Message-ID: <1251496562.1010568811@pinkpanther>

Hi Ed,

--On Tuesday, 8 January 2002 20:59 -0500 edsimon@xmlsec.com wrote:

> I've been reviewing a number of XML Signature Toolkits and it seems to me
> that most do not implement a means, upon verification, of providing the
> signed bytes back to the application.  To me, such functionality is often
> critical particularly for detached data (e.g. data external to the document
> containing the XML Signature).

Apache does ;-))

// sig is the signature object; print the signed bytes of each Reference
for (int i = 0;
     i < sig.getSignedInfo().getSignedContentLength();
     i++) {
   System.out.println("--- Signed Content number " + i + " follows ---");
   System.out.println(
      new String(
         sig.getSignedInfo().getSignedContentItem(i)));
}

One (in my opinion big) problem is the following: If I signed some Nodes 
inside a document, the result from de-referencing this is (due to the 
nature of a Reference) a canonicalized NodeSet which means that I only have 
a byte[] array and no longer a NodeSet. So if an application developer 
wants to know whether a particular Node from a given NodeSet was signed, 
this gets tricky because the software must keep track of all References and 
their NodeSets prior to the last c14n...

Regards,
Christian
Received on Wednesday, 9 January 2002 03:30:15 GMT
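
An added example, not part of the original message and not the Apache toolkit's API: a simplified Python model of reference validation that returns the exact bytes each Reference digested and also keeps the node-set captured before canonicalization, so an application can ask whether a given node was signed. The sample document, the function names, the use of SHA-256 and the stdlib C14N 2.0 routine are assumptions, and the SignatureValue check over SignedInfo is left out.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample document; element names and Id values are illustrative.
DOC = ('<order><item Id="signed-part"><sku>A-100</sku><qty>2</qty></item>'
       '<note Id="unsigned-part">deliver after 5pm</note></order>')

def find_by_id(root, ref_id):
    """Dereference '#id' to exactly one element; an ambiguous Id is an error."""
    hits = [e for e in root.iter() if e.get("Id") == ref_id]
    if len(hits) != 1:
        raise ValueError("expected one element with Id=%r, found %d" % (ref_id, len(hits)))
    return hits[0]

def c14n(elem):
    """Canonical bytes of one subtree (stdlib C14N 2.0, an assumed stand-in)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")

def make_reference(root, ref_id):
    """Signer side of the model: digest the canonical form of the target."""
    digest = hashlib.sha256(c14n(find_by_id(root, ref_id))).hexdigest()
    return {"uri": "#" + ref_id, "digest": digest}

def verify_references(root, references):
    """Check every digest and return, per reference, the exact bytes that were
    digested plus the node-set captured before canonicalization."""
    results = []
    for ref in references:
        target = find_by_id(root, ref["uri"][1:])
        nodes = list(target.iter())      # node-set, kept before it is flattened
        data = c14n(target)              # the bytes the digest is computed over
        if hashlib.sha256(data).hexdigest() != ref["digest"]:
            raise ValueError("digest mismatch for " + ref["uri"])
        results.append({"uri": ref["uri"], "bytes": data, "nodes": nodes})
    return results

def was_signed(results, node):
    """True if this exact node object is in a verified reference's node-set."""
    return any(node is n for r in results for n in r["nodes"])

if __name__ == "__main__":
    root = ET.fromstring(DOC)
    verified = verify_references(root, [make_reference(root, "signed-part")])
    print(verified[0]["bytes"].decode())
    print(was_signed(verified, root.find("note")))
```

The application should process `bytes` (or the recorded nodes) from the result rather than dereferencing the URI a second time.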
