- From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
- Date: Wed, 09 Jan 2002 09:33:31 +0100
- To: edsimon@xmlsec.com, w3c-ietf-xmldsig@w3.org
- Cc: manoj@infomosaic.com
Hi Ed,
--On Dienstag, 8. Januar 2002 20:59 -0500 edsimon@xmlsec.com wrote:
> I've been reviewing a number of XML Signature Toolkits and it seems to me
> that most do not implement a means, upon verification, of providing the
> signed bytes back to the application. To me, such functionality is often
> critical particularly for detached data (eg. data external to the document
> containing the XML Signature).
Apache does ;-))
for (int i = 0;
i < sig.getSignedInfo().getSignedContentLength();
i++) {
System.out.println("--- Signed Content number "+i+"follows ---");
System.out.println(
new String(
sig.getSignedInfo().getSignedContentItem(i)));
}
One (in my opinion big) problem is the following: If I signed some Nodes
inside a document, the result from de-referencing this is (due to the
nature of a Reference) a canonicalized NodeSet which means that I only have
a byte[] array and no longer a NodeSet. So if an application developer
wants to know whether a particular Node from a given NodeSet was signed,
this get's tricky cause the software must keep track of all References and
their NodeSets prior to the last c14n...
Regards,
Christian
Received on Wednesday, 9 January 2002 03:30:15 UTC