- From: Christian Geuer-Pollmann <Christian.Geuer-Pollmann@microsoft.com>
- Date: Thu, 15 Jun 2006 11:00:13 +0100
- To: <Hothi_Amrit@emc.com>, <aleksey@aleksey.com>
- Cc: <larry.bugbee@boeing.com>, <tgindin@us.ibm.com>, <w3c-ietf-xmldsig@w3.org>
Folks, two short comments:

<Reference> and <Reference URI=""> are DIFFERENT. The latter one is a same-document URI (whole document excluding comment nodes), while <Reference> is a fragile one where the implementation must know what actually is signed. I highly recommend not to do these things, because it's really messy. This <Reference> thing is why I wrote the NullURIReferenceResolver. In addition, you can only use one Reference per SignedInfo or Manifest that uses this crude feature. So it is NOT a bug in the Apache XML Security implementation.

The second comment is regarding "why are the SignatureValues different when I use the same RSA key?": The point is that signing <ds:SignedInfo xmlns:ds="...">...</ds:SignedInfo> yields a different SignatureValue than signing <SignedInfo xmlns="...">...</SignedInfo>. If you want to generate the non-prefixed stuff with Apache XML Security, there is a switch where you can specify the preferred prefix for the signature namespace:

    org.apache.xml.security.utils.Constants.setSignatureSpecNSprefix("");

After that, recreate the signature...

Greets,
C.

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Hothi_Amrit@emc.com
Sent: Wednesday, 14 June 2006 20:40
To: aleksey@aleksey.com
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: RE: <ds:Signature/> and <Signature/>

I'm not sure it's a bug. If the URI is missing, there has to be some way to know the identity of the signed object and that's where the NullURIReferenceResolver comes in.

Amrit.

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey@aleksey.com]
Sent: Wednesday, June 14, 2006 11:13 AM
To: Hothi, Amrit
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: Re: <ds:Signature/> and <Signature/>

>
> When Java tries to process the C signature it expects the URI to be there.
> If not it will throw an exception.

You might want to file a bug report against apache. The URI attribute is optional according to the spec: http://www.w3.org/TR/xmldsig-core/#sec-Reference

Best,
Aleksey Sanin
Received on Thursday, 15 June 2006 10:00:21 UTC
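The two points raised in the thread above (a missing URI attribute versus URI="", and why the same RSA key produces a different SignatureValue for a ds:-prefixed SignedInfo than for a default-namespace one) can be seen concretely with the short added example below. It is not code from the thread, from Apache XML Security or from xmlsec; the SignedInfo fragments and the placeholder DigestValue are constructed for illustration, and it assumes Python 3.8+ for the stdlib `xml.etree.ElementTree.canonicalize`. That function implements Canonical XML 2.0 rather than the inclusive C14N 1.0 that XMLDSIG uses, but both preserve namespace prefixes, which is the property that matters here: the signature is computed over the canonical octets, so two fragments that are the same infoset but differ in prefix give different signing input and therefore different signatures under the same key.

```python
"""Prefix choice changes the signed octets; URI absent differs from URI=""."""
import hashlib
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import canonicalize

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N_10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"


def _signed_info(prefix: str) -> str:
    """Constructed SignedInfo; prefix '' yields the default-namespace form."""
    p = f"{prefix}:" if prefix else ""
    decl = f'xmlns:{prefix}="{DSIG_NS}"' if prefix else f'xmlns="{DSIG_NS}"'
    return (
        f'<{p}SignedInfo {decl}>'
        f'<{p}CanonicalizationMethod Algorithm="{C14N_10}"/>'
        f'<{p}SignatureMethod Algorithm="{DSIG_NS}rsa-sha1"/>'
        f'<{p}Reference URI="">'
        f'<{p}DigestMethod Algorithm="{DSIG_NS}sha1"/>'
        # constructed placeholder digest, not a real hash of anything
        f'<{p}DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</{p}DigestValue>'
        f'</{p}Reference>'
        f'</{p}SignedInfo>'
    )


PREFIXED = _signed_info("ds")   # <ds:SignedInfo xmlns:ds="...">
DEFAULT_NS = _signed_info("")   # <SignedInfo xmlns="...">


def c14n(xml_text: str) -> bytes:
    """Canonical octets of the fragment (C14N 2.0 via stdlib; prefixes preserved)."""
    return canonicalize(xml_text).encode("utf-8")


def signing_input_digest(xml_text: str) -> str:
    """Digest of the canonical SignedInfo. RSA PKCS#1 v1.5 signs this digest
    deterministically, so a different digest means a different SignatureValue
    even under the same key."""
    return hashlib.sha256(c14n(xml_text)).hexdigest()


def same_infoset(a: str, b: str) -> bool:
    """True when two fragments have the same expanded names, attributes and text."""
    def eq(x: ET.Element, y: ET.Element) -> bool:
        return (x.tag == y.tag and x.attrib == y.attrib
                and (x.text or "").strip() == (y.text or "").strip()
                and len(x) == len(y)
                and all(eq(cx, cy) for cx, cy in zip(x, y)))
    return eq(ET.fromstring(a), ET.fromstring(b))


def classify_reference(ref: ET.Element) -> str:
    """Distinguish the Reference forms discussed in the thread."""
    uri = ref.get("URI")
    if uri is None:
        # No URI at all: the application must already know what was signed
        # (what the NullURIReferenceResolver exists for).
        return "application-defined"
    if uri == "":
        # Same-document reference: the whole document, comment nodes excluded.
        return "same-document"
    if uri.startswith("#"):
        return "same-document-fragment"
    return "external"


def classify_references(xml_text: str) -> list:
    root = ET.fromstring(xml_text)
    return [classify_reference(r) for r in root.iter(f"{{{DSIG_NS}}}Reference")]


if __name__ == "__main__":
    print("same infoset:", same_infoset(PREFIXED, DEFAULT_NS))
    print("prefixed   :", c14n(PREFIXED)[:60], signing_input_digest(PREFIXED)[:16])
    print("default ns :", c14n(DEFAULT_NS)[:60], signing_input_digest(DEFAULT_NS)[:16])
    print("references :", classify_references(PREFIXED))
```

Running it shows `same infoset: True` while the canonical byte strings and their digests differ, which is exactly why recreating the signature after `setSignatureSpecNSprefix("")` produces a SignatureValue a default-namespace verifier will accept: the key did not change, the signed octets did.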