XMLDSig: Do I have to specify Reference URI in an enveloped signature


Solution 1

I think I got it.

According to the specification the URI=""

Identifies the node-set (minus any comment nodes) of the XML resource containing the signature

which I understand as "Identifies all nodes (the node-set) of the XML document that contains the <ds:Signature> element." That would mean that URI="" <=> what is signed is the whole document.

This statement is backed up by another resource - the Apache Santuario FAQ:

3.1. What is the enveloped transform? The enveloped transform is a special transform that enables the use of so-called enveloped signatures.

Enveloped signatures are signatures over an entire XML document, for which the element is included in the document itself. An example could be:

    <?xml version="1.0" encoding="UTF-8"?>
    <Root>
      <SomeContent>
        ... 
      </SomeContent>
        <ds:Signature>
          <ds:SignedInfo>
            <ds:Reference URI="">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              </ds:Transforms>
            </ds:Reference>
          </ds:SignedInfo>
          ....
        </ds:Signature>
    </Root>

The Reference indicates that Root and its descendants (except for comments) are signed, but the Transform element says to throw out the Signature element (that is the parent of this Reference) from the stream that is to be signed. Note that if there are other Signature elements in Root, they will remain untouched.

... which translates to "With URI="", what is signed is the whole document that contains the <ds:Signature>, and we have one <ds:Transform> which says that this signature is enveloped and therefore should be removed before verification".

Therefore, the conclusion is: the URI="" and the signature type (detached, enveloped, enveloping) are two completely different things. URIs are pointers to parts of the XML document that say what is signed and what isn't. URI="" means that the whole current document (the one that contains <ds:Signature>) is being signed. The signature type (detached, enveloped, enveloping), on the other hand, affects what transformations should be applied before verification. In the case of enveloped, the whole <ds:Signature> must be removed before verification.
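To make the conclusion of Solution 1 (and the Santuario FAQ's note about other Signature elements) concrete, here is an added example that is not part of the original answer or question. It builds the digest input for a `<ds:Reference URI="">` with the enveloped-signature transform: parse the whole document, remove only the Signature that contains the Reference, canonicalize, hash. The document is a constructed CATALOG with two enveloped signatures and placeholder digest/signature values; the standard-library C14N 2.0 (`xml.etree.ElementTree.canonicalize`) stands in for the C14N 1.0 used in the question, and SHA-256 stands in for its MD5. Those substitutions are assumptions for the sake of a dependency-free script, not a claim about what the question's signing tool did.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS_NS)

# Constructed sample (not the question's real document): a CATALOG with two
# enveloped signatures, one inside the first CD and one inside the third.
# Digest and signature values are placeholders; only the digest input matters here.
SIGNED_DOC = """<CATALOG>
  <CD>
    <TITLE>Empire Burlesque</TITLE>
    <ARTIST>Bob Dylan</ARTIST>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </ds:Transforms>
          <ds:DigestValue>DIGEST-1-PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIGVALUE-1-PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </CD>
  <CD>
    <TITLE>Hide your heart</TITLE>
    <ARTIST>Bonnie Tyler</ARTIST>
  </CD>
  <CD>
    <TITLE>Greatest Hits</TITLE>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </ds:Transforms>
          <ds:DigestValue>DIGEST-2-PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIGVALUE-2-PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </CD>
</CATALOG>
"""


def signature_elements(root):
    """All ds:Signature elements in document order."""
    return list(root.iter("{%s}Signature" % DS_NS))


def apply_enveloped_transform(root, signature_el):
    """The enveloped-signature transform removes exactly one Signature element:
    the one containing the Reference being processed. Any other Signature
    elements stay in the node-set and are therefore covered by the digest.
    (ElementTree drops the whitespace tail of the removed element; harmless here.)"""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    parent_of[signature_el].remove(signature_el)


def reference_digest(xml_text, signature_index=0):
    """Digest input for <ds:Reference URI=""> inside the chosen Signature:
    the whole document, minus that Signature, canonicalized, then hashed.
    Assumption: stdlib C14N 2.0 and SHA-256 stand in for the C14N 1.0 and
    MD5 of the question; the principle is identical."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    apply_enveloped_transform(root, signature_elements(root)[signature_index])
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def modify(xml_text, old, new):
    """Tamper helper: replace a substring that occurs exactly once."""
    assert xml_text.count(old) == 1, "substring must occur exactly once: %r" % old
    return xml_text.replace(old, new)


def demo():
    """Which edits alter the digest input of the first CD's URI="" Reference?"""
    original = reference_digest(SIGNED_DOC, 0)
    return {
        # Editing a different CD changes the digest: URI="" covers the whole document.
        "other_cd_covered": reference_digest(
            modify(SIGNED_DOC, "Hide your heart", "Hide Your Heart"), 0) != original,
        # Editing the enclosing Signature's own value leaves the digest unchanged:
        # the enveloped transform strips that Signature before hashing.
        "own_signature_excluded": reference_digest(
            modify(SIGNED_DOC, "SIGVALUE-1-PLACEHOLDER", "tampered"), 0) == original,
        # Editing the other Signature changes the digest: only the enclosing one is removed.
        "other_signature_covered": reference_digest(
            modify(SIGNED_DOC, "SIGVALUE-2-PLACEHOLDER", "tampered"), 0) != original,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print("%-25s %s" % (check, ok))
```

Run it and all three checks print `True`: the first CD's Reference with URI="" is invalidated by a change anywhere in the CATALOG, including inside the other CD's Signature, and is unaffected only by its own Signature element, which is exactly what the enveloped transform exists to exclude.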

Solution 2

If the Reference URI is empty, it means that the element will be signed and the signature will be enveloped as a child of that element. An enveloped signature may have Reference URI(s) if it signs one part of the document but the signature is enveloped by another element in the document, for example signing one or all of the <CD> elements while the ds:Signature itself is enveloped by the <CATALOG> element. In your document only the first CD element is used to calculate the digest and signature value, but the other CDs can be changed without invalidating the signature.

Author: mdzh (a Java developer)

Updated on June 11, 2022

Comments

  • mdzh
    mdzh almost 2 years

    Suppose I have such xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <CATALOG>
        <CD>
            <TITLE>Empire Burlesque</TITLE>                    
            <ARTIST>Bob Dylan</ARTIST>
            <COUNTRY id="123">USA</COUNTRY>
            <COMPANY>Columbia</COMPANY>
            <PRICE>10.90</PRICE>
            <YEAR>1985</YEAR>
        </CD>    
        <CD>
            <TITLE>Hide your heart</TITLE>
            <ARTIST>Bonnie Tyler</ARTIST>
            <COUNTRY>UK</COUNTRY>
            <COMPANY>CBS Records</COMPANY>
            <PRICE>9.90</PRICE>
            <YEAR>1988</YEAR>
        </CD>
        <CD>
            <TITLE>Greatest Hits</TITLE>
            <ARTIST>Dolly Parton</ARTIST>
            <COUNTRY>USA</COUNTRY>
            <COMPANY>RCA</COMPANY>
            <PRICE>9.90</PRICE>
            <YEAR>1982</YEAR>
        </CD>   
    </CATALOG>
    

    After signing I get:

    <?xml version="1.0" encoding="UTF-8"?>
    <CATALOG>
        <CD>
            <TITLE>Empire Burlesque</TITLE>                    
            <ARTIST>Bob Dylan</ARTIST>
            <COUNTRY id="123">USA</COUNTRY>
            <COMPANY>Columbia</COMPANY>
            <PRICE>10.90</PRICE>
            <YEAR>1985</YEAR>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
                    <ds:Reference URI="">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                            <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
                        <ds:DigestValue>C6i9GSNZ8seoXxfuFc482Q==</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
    d/ufAnYK35PKUdi+O6DUytV+36OGAr5meHXq2qoOUp+zO1Q5HbJvIs01qlPT9oKiBEi2QiAF3Sya
    ZVwi4hEI9xHkLiewmOxPo1KgVfJ1Ir2RPpkdegFYFx9QCMR4Z1M7zTkijCKv9ncWR4MYjOAfDrKf
    fbvUX3AbRHlUYJj6M4QcrQUuBPhSqo4TcxtfblNqmKUT+141+sLSsuM2xy24YeyF7NUff9tirCiP
    KgBHpFGtiJAdxugAlzqHaR9CP2kRA2Sg046NBo2yO/nTDfUKqquZm4aaZsLWbvKJYvrgqD4YgH4M
    FFpK5ChgYa4oi7f9BAYxOFcY9f1OCHsvpdCbpw==
                </ds:SignatureValue>
                <ds:KeyInfo>
                    <ds:KeyValue>
                        <ds:RSAKeyValue>
                            <ds:Modulus>
    1Bphf/ypmjIyIbWKBS39IaBpUn/e7oylpexMhTtsKYnbKuufzDhReR15oJ9cavVa9BkSSmLjaLxt
    jIzIswaoW0SnTR4VySpbkujoeCSzoIGTlQ2ae96vT4sZURferQ8GpS/iExpblSX5knD8TBDCt+MK
    UNTpJzPy6HdYGBtKfcc5C0STt07WGnhnOYYrIht1y/blne2Ec90dCt3hQmInqbBUbp1Ngl4V7xXH
    rSifvQ6X+Dzg10l/vx92vFwBM3we+7p8jbDey9KLWS44W/AXmcxmuBo4kTN4fS9Ld/ctMR7ATbP2
    frjcHJoecsQs3tnK1VZjrnnQUsZxDqjWhYDx2w==
                            </ds:Modulus>
                            <ds:Exponent>AQAB</ds:Exponent>
                        </ds:RSAKeyValue>
                    </ds:KeyValue>
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIICwTCCAamgAwIBAgIITKhEP4iHnaQwDQYJKoZIhvcNAQENBQAwDjEMMAoGA1UEAwwDa2V5MB4X
    DTE1MDQwMjIxMDAxN1oXDTI1MDQwMjIxMDAxN1owDjEMMAoGA1UEAwwDa2V5MIIBIjANBgkqhkiG
    9w0BAQEFAAOCAQ8AMIIBCfKCAQEA1Bphf/ypmjIyIbWKBS39IaBpUn/e7oylpexMhTtsKYnbKuuf
    zDhReR15oJ9cavVa9BkSSmLjaLxtjIzIswaoW0SnTR4VySpbkujoeCSzoIGTlQ2ae96vT4sZURfe
    rQ8GpS/iExpblSX5knD8TBDCt+MKUNTpJzPy6HdYGBtKfcc5C0STt07WGnhnOYYrIht1y/blne2E
    c90dCt3hQmInqbBUbp1Ngl4V7xXHrSifvQ6X+Azg10l/vx92vFwBM3we+7p8jbDey9KLWS44W/AX
    mcxmuBo4kTN4fS9Ld/ctMR7ATbP2frjcHJoecsQs3tnK1VZjrnnQUsZxDqjWhYDx2wIDAQABoyMw
    ITAOBgNVHQ8BAf8EBAMCBLAwDwYDVR0TAQH/BAUwAwEBADANBgkqhkiG9w0BAQ0FAAOCAQEAa3VI
    zBGyt7mfHh9g9hAKYxUHkrPjiOQDoE3QP/2aZQlGMeD8OwgjZHA4d2iXLLOJt56lgQenEO2nFLxE
    /SSEc4eOFHYR170W7eRuEqIByZhtu1DDMzCVzxTF/Gu/WtTeQzhu4q1Pl9zUyYeHhLIO+HzLJCn0
    O2y6tD/E6zqqzPFSW1oXuISM4ZvFR+0wQgdgYMJa5JU6XwPvS2+7y2B28JFBUq90S4a4FVj65UT5
    qrcgzi4Z2YF2phAD7Jkq3Oqdedmh9q1mg2VFg7v2/Kn+McTLSb0uX7svXMOr2IhZ1FppziQYx3UN
    XPrBbbomwNITW6R56wCmB2nAcp93f9xrKw==
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </ds:Signature>
        </CD>    
        <CD>
            <TITLE>Hide your heart</TITLE>
            <ARTIST>Bonnie Tyler</ARTIST>
            <COUNTRY>UK</COUNTRY>
            <COMPANY>CBS Records</COMPANY>
            <PRICE>9.90</PRICE>
            <YEAR>1988</YEAR>
        </CD>
        <CD>
            <TITLE>Greatest Hits</TITLE>
            <ARTIST>Dolly Parton</ARTIST>
            <COUNTRY>USA</COUNTRY>
            <COMPANY>RCA</COMPANY>
            <PRICE>9.90</PRICE>
            <YEAR>1982</YEAR>
        </CD>   
    </CATALOG>
    

    Does the fact that the <Signature> is enveloped under <CD> mean that it signs exactly that element, or, because of the <ds:Reference URI="">, does it mean that the whole XML is signed? From reading the specification http://www.w3.org/TR/xmldsig-core/ I'm left with the impression that enveloped signatures don't need Reference URIs. Is this correct?