- From: Ari Kermaier <arik@phaos.com>
- Date: Wed, 09 Jan 2002 14:12:09 -0500
- To: w3c-ietf-xmldsig@w3.org
- Cc: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Hi Christian,
Correct me if I'm misunderstanding, but I think Ed was interested in the
dereferenced data obtained specifically *during* the reference validation
process. If the call to getSignedContentItem(i) is made either before or
after the call to verifyReferences(), then there's no guarantee (from the
calling code's perspective) that the external data object was not retrieved
twice and possibly modified in between. It may be that the Apache
implementation actually caches the content retrieved during reference
validation, but that would be an implementation detail that calling code
can't really rely on.
::Ari
>Hi Ed,
>
>--On Dienstag, 8. Januar 2002 20:59 -0500 edsimon@xmlsec.com wrote:
>
>>I've been reviewing a number of XML Signature Toolkits and it seems to me
>>that most do not implement a means, upon verification, of providing the
>>signed bytes back to the application. To me, such functionality is often
>>critical particularly for detached data (eg. data external to the document
>>containing the XML Signature).
>
>Apache does ;-))
>
>for (int i = 0;
> i < sig.getSignedInfo().getSignedContentLength();
> i++) {
> System.out.println("--- Signed Content number "+i+"follows ---");
> System.out.println(
> new String(
> sig.getSignedInfo().getSignedContentItem(i)));
>}
>
>One (in my opinion big) problem is the following: If I signed some Nodes
>inside a document, the result from de-referencing this is (due to the
>nature of a Reference) a canonicalized NodeSet which means that I only
>have a byte[] array and no longer a NodeSet. So if an application
>developer wants to know whether a particular Node from a given NodeSet was
>signed, this get's tricky cause the software must keep track of all
>References and their NodeSets prior to the last c14n...
>
>Regards,
>Christian
Received on Wednesday, 9 January 2002 14:00:31 UTC