- From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
- Date: Wed, 09 Jan 2002 09:33:31 +0100
- To: edsimon@xmlsec.com, w3c-ietf-xmldsig@w3.org
- Cc: manoj@infomosaic.com
Hi Ed, --On Dienstag, 8. Januar 2002 20:59 -0500 edsimon@xmlsec.com wrote: > I've been reviewing a number of XML Signature Toolkits and it seems to me > that most do not implement a means, upon verification, of providing the > signed bytes back to the application. To me, such functionality is often > critical particularly for detached data (eg. data external to the document > containing the XML Signature). Apache does ;-)) for (int i = 0; i < sig.getSignedInfo().getSignedContentLength(); i++) { System.out.println("--- Signed Content number "+i+"follows ---"); System.out.println( new String( sig.getSignedInfo().getSignedContentItem(i))); } One (in my opinion big) problem is the following: If I signed some Nodes inside a document, the result from de-referencing this is (due to the nature of a Reference) a canonicalized NodeSet which means that I only have a byte[] array and no longer a NodeSet. So if an application developer wants to know whether a particular Node from a given NodeSet was signed, this get's tricky cause the software must keep track of all References and their NodeSets prior to the last c14n... Regards, Christian
Received on Wednesday, 9 January 2002 03:30:15 UTC