
We are validating a message which has several XAdES (BES) messages embedded in it, which have previously been validated as valid. (The signature is also embedded.)

<Messsage1>
    <OtherTags>
    ...Change location A...
    </OtherTags>
    <PreDocument>
        <Messsage2>
        <OtherTags>
        ...Change location B...
        </OtherTags>
        <PreDocument>
            <Messsage3>
            <OtherTags>
            ...Change location C...
            </OtherTags>
            <Signature>
            ...
            </Signature>
            </Messsage3>
        </PreDocument>
        <Signature>
        ...
        </Signature>
        </Messsage2>
    </PreDocument>
    <Signature>
    ...
    </Signature>
</Messsage1>

At the moment only changes made at "Change location C" will invalidate the message. Changes at "Change location A" and "Change location B" won't affect the validity of the message, and even entire structures can be removed.

Is that the expected behaviour? Is it possible to change the behaviour? (So that every change will invalidate the message)

lgoncalves
  • This is not specific to xades4j. It depends on how the references on each signature are defined and maybe on the order of signature generation. Can you detail? Also, what do you mean by "invalidate the message"? Invalidating all the signatures or each "change location" invalidating the corresponding signature? – lgoncalves Mar 25 '13 at 20:57

1 Answer


The impact of changing the XML on the validity of the signatures depends on two facts:

  • The URIs in the References: if you change something in the XML blob protected by a Reference this would (and MUST) invalidate your signature.

  • The transforms you are using in the References and the canonicalization algorithm you are using for them and for the ds:SignedInfo. For example, if you are using an Exclusive canonicalization algorithm, adding a namespace somewhere in the enveloping XML blob would not invalidate your signatures. Hope this helps.

Moez
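The first point of the answer can be checked structurally before any cryptographic validation: list what each signature's References actually select and see which parts of the message fall outside all of them. The following is an added example, not code from the posts above or from xades4j; the `Id` values, the `loc` markers and every Reference URI in the sample are constructed assumptions that reproduce the behaviour described in the question, and same-document URIs are resolved by an attribute named `Id`.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample in the question's layout. The Id values, the loc markers
# and every Reference URI are assumptions picked to reproduce its symptom.
SAMPLE = """\
<Messsage1 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <OtherTags loc="A"/>
  <PreDocument>
    <Messsage2>
      <OtherTags loc="B"/>
      <PreDocument>
        <Messsage3 Id="m3">
          <OtherTags Id="c" loc="C"/>
          <ds:Signature Id="sig3"><ds:SignedInfo><ds:Reference URI="#c"/></ds:SignedInfo></ds:Signature>
        </Messsage3>
      </PreDocument>
      <ds:Signature Id="sig2"><ds:SignedInfo><ds:Reference URI="#m3"/></ds:SignedInfo></ds:Signature>
    </Messsage2>
  </PreDocument>
  <ds:Signature Id="sig1"><ds:SignedInfo><ds:Reference URI="#m3"/></ds:SignedInfo></ds:Signature>
</Messsage1>
"""

def reference_coverage(xml_text):
    """Map each ds:Signature Id to the loc markers inside the subtrees its References select."""
    root = ET.fromstring(xml_text)
    by_id = {e.get("Id"): e for e in root.iter() if e.get("Id")}
    coverage = {}
    for sig in root.iter(DS + "Signature"):
        covered = set()
        for ref in sig.iterfind(f"{DS}SignedInfo/{DS}Reference"):
            uri = ref.get("URI")
            target = None  # external or missing URI: not resolved by this audit
            if uri == "":
                target = root  # whole document, normally with the enveloped-signature transform
            elif uri.startswith("#") if uri else False:
                target = by_id.get(uri[1:])
            if target is not None:
                covered |= {e.get("loc") for e in target.iter() if e.get("loc")}
        coverage[sig.get("Id")] = covered
    return coverage

def unprotected_locations(xml_text):
    """Return the loc markers that no signature's References cover."""
    root = ET.fromstring(xml_text)
    all_locs = {e.get("loc") for e in root.iter() if e.get("loc")}
    return sorted(all_locs - set().union(*reference_coverage(xml_text).values()))
```

On this sample every signature only covers location C, so A and B are reported as unprotected; pointing the outermost Reference at the whole document (`URI=""` with the enveloped-signature transform) or at the enclosing message element brings them under that signature.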