Re: Verification Response Proposal: Toolkits ought to return bytes of verified data to the application

Hi Christian,

Correct me if I'm misunderstanding, but I think Ed was interested in the 
dereferenced data obtained specifically *during* the reference validation 
process. If the call to getSignedContentItem(i) is made either before or 
after the call to verifyReferences(), then there's no guarantee (from the 
calling code's perspective) that the external data object was not retrieved 
twice and possibly modified in between. It may be that the Apache 
implementation actually caches the content retrieved during reference 
validation, but that would be an implementation detail that calling code 
can't really rely on.

::Ari

>Hi Ed,
>
>--On Dienstag, 8. Januar 2002 20:59 -0500 edsimon@xmlsec.com wrote:
>
>>I've been reviewing a number of XML Signature Toolkits and it seems to me
>>that most do not implement a means, upon verification, of providing the
>>signed bytes back to the application.  To me, such functionality is often
>>critical particularly for detached data (eg. data external to the document
>>containing the XML Signature).
>
>Apache does ;-))
>
>for (int i = 0;
>     i < sig.getSignedInfo().getSignedContentLength();
>     i++) {
>   System.out.println("--- Signed Content number "+i+"follows ---");
>   System.out.println(
>      new String(
>         sig.getSignedInfo().getSignedContentItem(i)));
>}
>
>One (in my opinion big) problem is the following: If I signed some Nodes 
>inside a document, the result from de-referencing this is (due to the 
>nature of a Reference) a canonicalized NodeSet which means that I only 
>have a byte[] array and no longer a NodeSet. So if an application 
>developer wants to know whether a particular Node from a given NodeSet was 
>signed, this get's tricky cause the software must keep track of all 
>References and their NodeSets prior to the last c14n...
>
>Regards,
>Christian

Received on Wednesday, 9 January 2002 14:00:31 UTC