Paul Buhler wrote:
> I have what I hope is a simple question. I am trying to sign the
> EncryptedData element in an XML document. This element has an id attribute
> of "ed1".
>
> If I use a same-document reference URI of "#ed1" I get the desired result;
> i.e., the digest is only calculated for the EncryptedData fragment of the
> XML file.
>
> The question I have is as follows: shouldn't specifying a reference URI of
> "" along with an XPath filtering transform of "//[EMAIL PROTECTED]'ed1']"
> accomplish the same thing?
No. This is a common misunderstanding. Section 6.6.3 (XPath Filtering)
of the W3C XML Signature Rec states:
The transform output is also an XPath node-set. The XPath expression
appearing in the XPath parameter is evaluated once for each node in
the input node-set. The result is converted to a boolean. If the
boolean is true, then the node is included in the output node-set. If
the boolean is false, then the node is omitted from the output
node-set.
You have specified an expression that evaluates from the root of the
document (//[EMAIL PROTECTED]'ed1']) and will be true for every single node in the
document (which is what a Reference URI of "" dereferences to). So every
node will be included in the digest.
You need to use an XPath expression which operates on the current node's
context and determines if it should be included or not. Try something
like this:
"ancestor-or-self::[EMAIL PROTECTED]'ed1']"
--Sean
> When I try this, the digest is computed for the entire document.
> Any thoughts?
>
> Incidentally, I am using the JSR-105 implementation distributed with JWSDP
> 1.6.
>
> Regards,
> Paul Buhler
> Computer Science Dept.
> College of Charleston
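The difference Sean describes, shown end to end with the JSR-105 API (javax.xml.crypto.dsig, here the copy bundled with a current JDK rather than JWSDP 1.6). This is an added example, not code from the thread: the Envelope/Header/EncryptedData document is constructed for the demonstration, the signature is placed as a sibling of EncryptedData so the enveloped transform can remove it, and the whole-document expression is assumed to have read `//*[@id='ed1']`, since the archive has mangled it. Both expressions are set up identically; only the XPath filter text changes, and the three validation checks show which part of the document each one actually covers.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;

import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.crypto.dsig.spec.XPathFilterParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class XPathFilterReferenceDemo {

    // Constructed sample document; only the element with id="ed1" should be covered.
    private static final String SAMPLE_XML =
        "<Envelope>"
      + "<Header>routing info</Header>"
      + "<EncryptedData id=\"ed1\"><CipherData>Q0lQSEVS</CipherData></EncryptedData>"
      + "</Envelope>";

    // Sean's expression: evaluated per node, true only at or below the ed1 element.
    static final String CONTEXT_FILTER = "ancestor-or-self::*[@id='ed1']";
    // Assumed reading of the thread's expression: starts at the root, so it is
    // a non-empty node-set (true) for every node in the document.
    static final String ROOT_FILTER = "//*[@id='ed1']";

    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Signs SAMPLE_XML with Reference URI "" and [enveloped, XPath(filter)] transforms. */
    static Document sign(String xpathFilter, KeyPair kp) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE_XML.getBytes(StandardCharsets.UTF_8)));

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI "" dereferences to the whole document; the enveloped transform drops the
        // Signature element itself, then the XPath filter is evaluated once per node.
        Transform enveloped = fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
        Transform xpath = fac.newTransform(Transform.XPATH, new XPathFilterParameterSpec(xpathFilter));
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                                         Arrays.asList(enveloped, xpath), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        XMLSignature sig = fac.newXMLSignature(si,
            kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic()))));
        // The Signature is appended to <Envelope>, i.e. outside <EncryptedData>.
        sig.sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        return doc;
    }

    /** Re-runs the transforms and digest and checks the signature value. */
    static boolean validate(Document doc, PublicKey key) throws Exception {
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sigNode);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }

    static void setText(Document doc, String tag, String text) {
        doc.getElementsByTagName(tag).item(0).setTextContent(text);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        for (String filter : new String[] { CONTEXT_FILTER, ROOT_FILTER }) {
            Document doc = sign(filter, kp);
            System.out.println("filter: " + filter);
            System.out.println("  untouched document valid: " + validate(doc, kp.getPublic()));
            setText(doc, "Header", "changed");     // element outside ed1
            System.out.println("  after editing <Header>:   " + validate(doc, kp.getPublic()));
            setText(doc, "CipherData", "changed"); // element inside ed1
            System.out.println("  after editing ed1 too:    " + validate(doc, kp.getPublic()));
        }
    }
}
```

The two runs differ on the middle check: with the context-relative expression the signature survives an edit to `<Header>` because only the ed1 subtree (its descendants, attributes and namespace nodes, whose ancestor-or-self axis reaches the ed1 element) went into the digest, while with the root-anchored expression every node of the document passed the filter, so the same edit breaks validation. Note that the filter compares the attribute name literally, so `@id` only matches an attribute spelled `id`, as in the thread.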