> >We'd like to be able to add signatures to a document and allow the
> >document to get added to some other DOM tree and keep the signature
> >valid. I've been able to do this using an xmldsig-filter2 intersect
> >filter and the xpath expression "here():/ancestor::RootNode". A sample
> >document seems to work with the txfmout test program.
>
> An alternative to XPath, provided you have ID attributes and some
> application protection against wrapping attacks, is ID-based
> referencing of the object.

I had thought about ID attributes, but IDs could cause other problems. Basically, we want to be able to take a number of documents all conforming to the schema and add them into one master document. The smaller, signed, documents may be generated by different machines or processes at different times, so there is a possibility that 2 separate documents assign the same ID to a node. Unless I'm mistaken, this would cause errors later when attempting to validate the signatures.

> >My understanding is that Santuario uses xalan-c to perform the
> >xmldsig-filter2 filtering and I was wondering if anyone knows of
> >problems with this. Is there an alternative?
>
> Not without finding an alternative and porting to it. I am aware of no
> XPath implementations via Xerces at this point.

Me neither. There's XQilla, but AFAIK, it's XPath 2.0 only and there seem to be enough differences between XPath 1.0 and 2.0 that XQilla wouldn't work.

Thanks for the reply

Phil
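
The ID collision described in the message above, as an added example that is not part of the original thread: a pre-merge audit that flags every same-document `ds:Reference` whose `URI="#..."` does not resolve to exactly one element in the combined tree. The `<Master>`, `<Doc>` and `<Payload>` names, the sample fragments, and treating attributes named `Id`/`ID`/`id` as ID-typed (no schema is loaded) are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

DS = "http://www.w3.org/2000/09/xmldsig#"

def fragment(id_value, text):
    """Constructed sample: a small signed document whose Reference targets its own payload."""
    return (f'<Doc><Payload Id="{id_value}">{text}</Payload>'
            f'<Signature xmlns="{DS}"><SignedInfo>'
            f'<Reference URI="#{id_value}"/></SignedInfo></Signature></Doc>')

def build_master(fragments):
    """Append each parsed fragment under one hypothetical <Master> root."""
    master = ET.Element("Master")
    for xml_text in fragments:
        master.append(ET.fromstring(xml_text))
    return master

def index_ids(root, id_attrs=("Id", "ID", "id")):
    """Map each ID value to every element carrying it (assumed ID attribute names)."""
    index = defaultdict(list)
    for element in root.iter():
        for name in id_attrs:
            if name in element.attrib:
                index[element.attrib[name]].append(element)
    return index

def audit_references(root):
    """Return {uri: target_count} for same-document References that are not unique."""
    index = index_ids(root)
    problems = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            count = len(index.get(uri[1:], []))
            if count != 1:  # 0 = dangling reference, >1 = ambiguous target
                problems[uri] = count
    return problems

if __name__ == "__main__":
    # Two producers independently chose Id="obj1"; the third did not collide.
    merged = build_master([fragment("obj1", "A"), fragment("obj1", "B"),
                           fragment("obj7", "C")])
    for uri, count in audit_references(merged).items():
        print(f"{uri}: {count} candidate targets")
```

Running the audit before the fragments are combined lets the merging application reject or quarantine a colliding document instead of discovering the ambiguity at signature validation time.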
