
List:       xml-security-dev
Subject:    Re: XML Signature transform question
From:       Sean Mullan <Sean.Mullan () Sun ! COM>
Date:       2005-08-01 14:08:21
Message-ID: 42EE2CD5.1040801 () Sun ! COM

Paul Buhler wrote:
> I have what I hope is a simple question. I am trying to sign the
> EncryptedData element in an XML document. This element has an id attribute
> of "ed1".
> 
> If I use a same-document reference URI of "#ed1" I get the desired result;
> i.e., the digest is only calculated for the EncryptedData fragment of the
> XML file.
> 
> The question I have is as follows: shouldn't specifying a reference URI of
> "" along with an XPath filtering transform of "//*[@id='ed1']" accomplish the
> same thing?

No. This is a common misunderstanding. Section 6.6.3 (XPath Filtering) 
of the W3C XML Signature Rec states:

    The transform output is also an XPath node-set. The XPath expression
    appearing in the XPath parameter is evaluated once for each node in
    the input node-set. The result is converted to a boolean. If the
    boolean is true, then the node is included in the output node-set. If
    the boolean is false, then the node is omitted from the output
    node-set.

You have specified an expression that evaluates from the root of the 
document (//*[@id='ed1']) and will be true for every single node in the 
document (which is what a Reference URI of "" dereferences to). So every 
node will be included in the digest.

You need to use an XPath expression which operates on the current node's 
context and determines if it should be included or not. Try something 
like this:

"ancestor-or-self::EncryptedData[@id='ed1']"

--Sean

> When I try this, the digest is computed for the entire document.
> Any thoughts?
> 
> Incidentally, I am using the JSR-105 implementation distributed with JWSDP
> 1.6.
> 
> Regards,
> 
> Paul Buhler
> Computer Science Dept.
> College of Charleston
> 
> 
> 
> 
