Tcl
Tcl
Verify an XML Signature with Multiple References
See more XML Digital Signatures Examples
Demonstrates how to verify an XML digital signature that contains multiple references.Chilkat Tcl Downloads
load ./chilkat.dll
set success 0
# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.
# An example of an enveloping XML signature with mulitple references is available at
# https://www.chilkatsoft.com/exampleData/envelopedMultipleRefs.xml
# This example will show how to verify the signature and all references, and also how
# to verify each reference individually. This is useful to distinguish which part
# of the XML signature validation failed. It could be that one or more of the references
# failed because of a hash computation mismatch. Or it could be that the signature over
# the SignedInfo failed.
# First, let's grab the sample XML signature.
set http [new_CkHttp]
set sbXml [new_CkStringBuilder]
set success [CkHttp_QuickGetSb $http "https://www.chilkatsoft.com/exampleData/envelopedMultipleRefs.xml" $sbXml]
if {$success != 1} then {
puts [CkHttp_lastErrorText $http]
delete_CkHttp $http
delete_CkStringBuilder $sbXml
exit
}
# Load the XML containing the signature to be verified.
set verifier [new_CkXmlDSig]
set success [CkXmlDSig_LoadSignatureSb $verifier $sbXml]
if {$success != 1} then {
puts [CkXmlDSig_lastErrorText $verifier]
delete_CkHttp $http
delete_CkStringBuilder $sbXml
delete_CkXmlDSig $verifier
exit
}
set verifyReferenceDigests 1
# The quick way to validate all references and the signature over the SignedInfo
# is to call VerifySignature with verifyReferenceDigests equal to 1.
set verified [CkXmlDSig_VerifySignature $verifier $verifyReferenceDigests]
puts "Signature and all reference digests verified = $verified"
# Let's pretend the call to VerifySignature returned 0. Something did not validate.
# Was it one or more of the References that did not hash to the correct value?
# Or was it the signature over the SignedInfo that failed?
# We can check just the signature over the SignedInfo by passing 0 to VerifySignature.
# This allows us to skip the hashing and checking each Reference.
set verifyReferenceDigests 0
set signedInfoVerified [CkXmlDSig_VerifySignature $verifier $verifyReferenceDigests]
puts "Neglecting the reference hashes, the SignedInfo validation result = $signedInfoVerified"
# We can also verify each reference digest separately
set numRefs [CkXmlDSig_get_NumReferences $verifier]
set i 0
while {$i < $numRefs} {
set refDigestVerified [CkXmlDSig_VerifyReferenceDigest $verifier $i]
puts "Reference $i digest verified = $refDigestVerified"
set i [expr $i + 1]
}
# For this sample XML signature with 3 References, we get the following output:
# Signature and all reference digests verified = True
# Neglecting the reference hashes, the SignedInfo validation result = True
# Reference 0 digest verified = True
# Reference 1 digest verified = True
# Reference 2 digest verified = Tru
delete_CkHttp $http
delete_CkStringBuilder $sbXml
delete_CkXmlDSig $verifier