(Tcl) Verify XML Signature with External URL References

Demonstrates how to verify an XML digital signature that includes references to URLs where the data to be digested is on a web server.

Chilkat Tcl Extension Downloads Chilkat Tcl Extension Downloads

load ./chilkat.dll

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# The signed XML we wish to verify contains external references such as this:

#     <ds:Reference Id="xmldsig-e7ae7ce2-9133-4d56-bd97-0a6aef738cc2-ref0" URI="https://www.chilkatsoft.com/images/starfish.jpg">
#       <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
#       <ds:DigestValue>AOU810yJV5Np/DnO29qpObqiTSTTCDvxGsX5ayiTYXI=</ds:DigestValue>
#     </ds:Reference>
#     <ds:Reference Id="xmldsig-e7ae7ce2-9133-4d56-bd97-0a6aef738cc2-ref1" URI="https://www.chilkatsoft.com/hamlet.xml">
#       <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
#       <ds:DigestValue>4sRRyWOzC7EOic4fQ9+Op1pa10DbgoBGjBvkq09LZmE=</ds:DigestValue>
#     </ds:Reference>

set verifier [new_CkXmlDSig]

set http [new_CkHttp]

# First load the signed XML
set sbSignedXml [new_CkStringBuilder]

set success [CkStringBuilder_LoadFile $sbSignedXml "qa_data/xml_dsig_verify/signedWithExternalUrlRefs.xml" "utf-8"]
if {$success == 0} then {
    puts "Failed to load signed XML."
    delete_CkXmlDSig $verifier
    delete_CkHttp $http
    delete_CkStringBuilder $sbSignedXml
    exit
}

set success [CkXmlDSig_LoadSignatureSb $verifier $sbSignedXml]
if {$success == 0} then {
    puts [CkXmlDSig_lastErrorText $verifier]
    delete_CkXmlDSig $verifier
    delete_CkHttp $http
    delete_CkStringBuilder $sbSignedXml
    exit
}

# Iterate over each reference.  If it is an external URL reference, download the data and provide it to the verifier.
set sbRefUri [new_CkStringBuilder]

set bd [new_CkBinData]

set numRefs [CkXmlDSig_get_NumReferences $verifier]
set i 0
while {$i < $numRefs} {
    if {[CkXmlDSig_IsReferenceExternal $verifier $i] == 1} then {
        CkStringBuilder_Clear $sbRefUri
        CkStringBuilder_Append $sbRefUri [CkXmlDSig_referenceUri $verifier $i]
        if {[CkStringBuilder_StartsWith $sbRefUri "https://" 0] == 1} then {
            puts "External URL Reference: [CkStringBuilder_getAsString $sbRefUri]"

            # Download the data at the URL and provide to the verifier.
            set success [CkHttp_DownloadBd $http [CkStringBuilder_getAsString $sbRefUri] $bd]
            if {$success == 0} then {
                puts [CkHttp_lastErrorText $http]
                delete_CkXmlDSig $verifier
                delete_CkHttp $http
                delete_CkStringBuilder $sbSignedXml
                delete_CkStringBuilder $sbRefUri
                delete_CkBinData $bd
                exit
            }

            set success [CkXmlDSig_SetRefDataBd $verifier $i $bd]
            if {$success == 0} then {
                puts [CkXmlDSig_lastErrorText $verifier]
                delete_CkXmlDSig $verifier
                delete_CkHttp $http
                delete_CkStringBuilder $sbSignedXml
                delete_CkStringBuilder $sbRefUri
                delete_CkBinData $bd
                exit
            }

        }

    }

    set i [expr $i + 1]
}

# Now that we have the external data, verify the signature..
set bVerified [CkXmlDSig_VerifySignature $verifier 1]
if {$bVerified == 0} then {
    puts [CkXmlDSig_lastErrorText $verifier]
}

puts "Signature verified = $bVerified"

delete_CkXmlDSig $verifier
delete_CkHttp $http
delete_CkStringBuilder $sbSignedXml
delete_CkStringBuilder $sbRefUri
delete_CkBinData $bd