- From: Christian Geuer-Pollmann <Christian.Geuer-Pollmann@microsoft.com>
- Date: Thu, 15 Jun 2006 19:56:10 +0100
- To: <Hothi_Amrit@emc.com>, <aleksey@aleksey.com>
- Cc: <larry.bugbee@boeing.com>, <tgindin@us.ibm.com>, <w3c-ietf-xmldsig@w3.org>
As said below: You should not use it in the first place! I just wrote it to show that my implementation supports everything mentioned in the XML Signature spec. This resolver can be filled by the application before signature validation, so that when the Manifest/SignedInfo asks "who can resolve References without URI?", this thing steps up and says "I have the contents to be signed/validated".

Christian

-----Original Message-----
From: Hothi_Amrit@emc.com [mailto:Hothi_Amrit@emc.com]
Sent: Thursday, 15 June 2006 19:18
To: Christian Geuer-Pollmann; Hothi_Amrit@emc.com; aleksey@aleksey.com
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: RE: <ds:Signature/> and <Signature/>

Christian,

One thing I found is that there is very little documentation on NullURIReferenceResolver. Although there is some sample code around, there is not much documentation as to when and how you should use this resolver.

Cheers,
Amrit.

-----Original Message-----
From: Christian Geuer-Pollmann [mailto:Christian.Geuer-Pollmann@microsoft.com]
Sent: Thursday, June 15, 2006 3:00 AM
To: Hothi_Amrit@emc.com; aleksey@aleksey.com
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: RE: <ds:Signature/> and <Signature/>

Folks, two short comments:

<Reference> and <Reference URI=""> are DIFFERENT. The latter one is a same-document URI (whole document excluding comment nodes), while <Reference> is a fragile one where the implementation must know what actually is signed. I highly recommend not to do these things, because it's really messy. This <Reference> thing is why I wrote the NullURIReferenceResolver. In addition, you can only use one Reference per SignedInfo or Manifest that uses this crude feature. So it is NOT a bug in the Apache XML Security implementation.

The second comment is regarding "why are the SignatureValues different when I use the same RSA key?": The point is that signing <ds:SignedInfo xmlns:ds="...">...</ds:SignedInfo> yields a different SignatureValue than signing <SignedInfo xmlns="...">...</SignedInfo>. If you want to generate the non-prefixed stuff with Apache XML Security, there is a switch where you can specify the preferred prefix for the signature namespace:

org.apache.xml.security.utils.Constants.setSignatureSpecNSprefix("");

After that, recreate the signature...

Greets,
C.

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Hothi_Amrit@emc.com
Sent: Wednesday, 14 June 2006 20:40
To: aleksey@aleksey.com
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: RE: <ds:Signature/> and <Signature/>

I'm not sure it's a bug. If the URI is missing, there has to be some way to know the identity of the signed object and that's where the NullURIReferenceResolver comes in.

Amrit.

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey@aleksey.com]
Sent: Wednesday, June 14, 2006 11:13 AM
To: Hothi, Amrit
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: Re: <ds:Signature/> and <Signature/>

> When Java tries to process the C signature it expects the URI to be there.
> If not it will throw an exception.

You might want to file a bug report against apache. The URI attribute is optional according to the spec:

http://www.w3.org/TR/xmldsig-core/#sec-Reference

Best,
Aleksey Sanin
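The SignatureValue difference Christian describes, shown as an added example that is not from the thread or from Apache XML Security: the two spellings of SignedInfo are canonicalized with Python's standard-library C14N, and the signed octets (hence the digests) come out different. The SignedInfo content and the algorithm identifiers are constructed sample values, and the rewrite_prefixes option is a C14N 2.0 feature used only to show that the difference is purely lexical.

```python
# Added example, not from the thread or from Apache XML Security: why one RSA key
# yields different SignatureValues for <ds:SignedInfo xmlns:ds="..."> and
# <SignedInfo xmlns="...">. Standard library only; canonicalize() needs Python 3.8+.
import hashlib
from xml.etree.ElementTree import canonicalize

DSIG = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed sample: one SignedInfo written with the "ds" prefix and once more
# in the default namespace. Same infoset, different serialization.
PREFIXED = (
    f'<ds:SignedInfo xmlns:ds="{DSIG}">'
    f'<ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
    f'<ds:SignatureMethod Algorithm="{DSIG}rsa-sha1"/>'
    f'<ds:Reference URI=""><ds:DigestMethod Algorithm="{DSIG}sha1"/>'
    '<ds:DigestValue>constructed</ds:DigestValue></ds:Reference></ds:SignedInfo>'
)
UNPREFIXED = (
    f'<SignedInfo xmlns="{DSIG}">'
    f'<CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
    f'<SignatureMethod Algorithm="{DSIG}rsa-sha1"/>'
    f'<Reference URI=""><DigestMethod Algorithm="{DSIG}sha1"/>'
    '<DigestValue>constructed</DigestValue></Reference></SignedInfo>'
)

def signed_info_octets(xml_text: str, rewrite_prefixes: bool = False) -> bytes:
    """Octets the signer hands to the signature operation.

    XMLDSIG signs the canonical form of SignedInfo, not its infoset. C14N 1.0
    and exclusive C14N keep namespace prefixes verbatim, so "ds:" versus the
    default namespace survives into the signed bytes. Python's canonicalize()
    implements C14N 2.0 and behaves the same unless rewrite_prefixes=True,
    which is exposed here only to show that the difference is purely lexical.
    """
    return canonicalize(xml_text, strip_text=True,
                        rewrite_prefixes=rewrite_prefixes).encode("utf-8")

def signed_info_digest(xml_text: str) -> str:
    """Hash of the canonical octets (SHA-256 here for illustration). The RSA
    operation signs this value, so different digests mean different SignatureValues."""
    return hashlib.sha256(signed_info_octets(xml_text)).hexdigest()

if __name__ == "__main__":
    print("prefixed   :", signed_info_digest(PREFIXED))
    print("unprefixed :", signed_info_digest(UNPREFIXED))
    print("identical after C14N 2.0 prefix rewriting:",
          signed_info_octets(PREFIXED, True) == signed_info_octets(UNPREFIXED, True))
```

The same effect is what Constants.setSignatureSpecNSprefix("") addresses on the Apache side: it changes which serialization gets canonicalized and signed, not the key or the algorithm.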
Received on Thursday, 15 June 2006 18:56:20 UTC