Re: Verification Response Proposal: Toolkits ought to return bytes of verified data to the application

Hi Ed,

--On Tuesday, 8 January 2002 20:59 -0500 edsimon@xmlsec.com wrote:

> I've been reviewing a number of XML Signature Toolkits and it seems to me
> that most do not implement a means, upon verification, of providing the
> signed bytes back to the application.  To me, such functionality is often
> critical particularly for detached data (eg. data external to the document
> containing the XML Signature).

Apache does ;-))

for (int i = 0;
     i < sig.getSignedInfo().getSignedContentLength();
     i++) {
   System.out.println("--- Signed Content number " + i + " follows ---");
   // getSignedContentItem(i) returns the signed bytes of Reference i
   System.out.println(
      new String(
         sig.getSignedInfo().getSignedContentItem(i)));
}

One (in my opinion big) problem is the following: If I signed some Nodes 
inside a document, the result from de-referencing this is (due to the 
nature of a Reference) a canonicalized NodeSet which means that I only have 
a byte[] array and no longer a NodeSet. So if an application developer 
wants to know whether a particular Node from a given NodeSet was signed, 
this gets tricky because the software must keep track of all References and 
their NodeSets prior to the last c14n...

Regards,
Christian

Received on Wednesday, 9 January 2002 03:30:15 UTC
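
An added example, not part of the original message and not Apache toolkit code: the JDK's later javax.xml.crypto.dsig API (JSR 105) can hand back both the digested bytes and the pre-c14n node-set when reference caching is enabled, which covers the "was this Node signed?" check discussed above. It assumes Java 11 or newer; the sample document, the Id values and the throwaway RSA key are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SignedContentCheck {
    public static void main(String[] args) throws Exception {
        // Constructed sample: only <item Id="a"> gets signed.
        String xml = "<order><item Id=\"a\">signed</item><item Id=\"b\">unsigned</item></order>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        Element a = (Element) doc.getElementsByTagName("item").item(0);
        Element b = (Element) doc.getElementsByTagName("item").item(1);
        a.setIdAttribute("Id", true); // lets "#a" resolve without a DTD

        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway key
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#a", f.newDigestMethod(DigestMethod.SHA256, null));
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        f.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));

        // Verify with reference caching on, so the toolkit keeps what it digested.
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigNode);
        vc.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        XMLSignature sig = f.unmarshalXMLSignature(vc);
        if (!sig.validate(vc)) throw new SecurityException("signature invalid");
        for (Reference r : sig.getSignedInfo().getReferences()) {
            // The canonicalized bytes that went into the digest.
            System.out.println(new String(r.getDigestInputStream().readAllBytes(), "UTF-8"));
            // The dereferenced node-set before c14n: lets us test node membership.
            Set<Node> signed = new HashSet<>();
            Data d = r.getDereferencedData();
            if (d instanceof NodeSetData)
                for (Object n : (NodeSetData<?>) d) signed.add((Node) n);
            System.out.println("item a signed: " + signed.contains(a));
            System.out.println("item b signed: " + signed.contains(b));
        }
    }
}
```

An application that acts only on nodes found in the cached node-set, rather than re-selecting them from the document by name or position, consumes exactly what the signature covered.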