https://issues.apache.org/bugzilla/show_bug.cgi?id=42599
--- Comment #9 from Christian Kleinewaechter <dru...@gmx.de> 2009-03-10 00:38:28 PST ---
(In reply to comment #8)
> (In reply to comment #7)
> > I've tried the xpointer resolver for generating signatures for the german
> > banking interface EBICS which uses #xpointer(//*...@authenticate='true'])
> > to sign
> [...]
>
> After rechecking the EBICS spec I think there is a difference in what their
> reference declaration says what is to sign and what they actually want to sign
> based on their informal description. They say that they want to sign everything
> contained in elements with attribute authenticate set to true including the
> elements itself, so I think they actually want to sign
> "//*...@authenticate='true']/descendant-or-self::*". So probably
> CanonicalizerBase.canonicalizeXPathNodeSet is right thing to not include child
> nodes of selected nodes.

I have to correct my previous statement. The EBICS spec is correct:

http://www.w3.org/TR/xmldsig-core/ says

4.3.3.3 Same-Document URI-References
[...]
The application MUST behave as if the result of XPointer processing
[XPointer-Framework] were a node-set derived from the resultant subresource as
follows:

1. include XPath nodes having full or partial content within the subresource
2. replace the root node with its children (if it is in the node-set)
3. replace any element node E with E plus all descendants of E (text, comment,
   PI, element) and all namespace and attribute nodes of E and its descendant
   elements.
4. if the URI has no fragment identifier or the fragment identifier is a
   shortname XPointer, then delete all comment nodes

IMHO from 3. it is clear that we do not just have to include the nodes but also
their descendants.
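The difference between the bare selection and the node-set after step 3 of the quoted section, as an added example that is not part of the comment or of the library's code. It assumes the obfuscated expression selects elements whose `authenticate` attribute is `true`; the sample document and function names are constructed, the selection is a tree walk because `xml.dom.minidom` has no XPath engine, and namespace nodes are left out because minidom does not model them.

```python
from xml.dom import minidom, Node

# Constructed sample document (not taken from the EBICS schema).
SAMPLE = (
    '<req xmlns="urn:example:demo">'
    '<header authenticate="true"><nonce>AB12</nonce><!-- note --></header>'
    '<body><data authenticate="true">payload</data><sig>unsigned</sig></body>'
    '</req>'
)
DOC = minidom.parseString(SAMPLE)

def select_authenticated(doc):
    """Element nodes with authenticate='true': the selection alone, no content."""
    hits = []
    def walk(node):
        if (node.nodeType == Node.ELEMENT_NODE
                and node.getAttribute("authenticate") == "true"):
            hits.append(node)
        for child in node.childNodes:
            walk(child)
    walk(doc)
    return hits

def expand_step3(selected):
    """Step 3: replace each element E with E, all descendants of E (text,
    comment, PI, element) and the attribute nodes of E and its descendants."""
    seen, out = set(), []
    def add(node):
        if id(node) in seen:          # nested selected elements are added once
            return
        seen.add(id(node))
        out.append(node)
        if node.nodeType == Node.ELEMENT_NODE:
            out.extend(node.attributes.values())
            for child in node.childNodes:
                add(child)
    for element in selected:
        add(element)
    return out

def describe(nodes):
    """Readable labels such as 'element:header' or 'text:AB12'."""
    kinds = {Node.ELEMENT_NODE: "element", Node.ATTRIBUTE_NODE: "attr",
             Node.TEXT_NODE: "text", Node.COMMENT_NODE: "comment",
             Node.PROCESSING_INSTRUCTION_NODE: "pi"}
    named = (Node.ELEMENT_NODE, Node.ATTRIBUTE_NODE, Node.PROCESSING_INSTRUCTION_NODE)
    return [f"{kinds[n.nodeType]}:{n.nodeName if n.nodeType in named else n.data.strip()}"
            for n in nodes]

if __name__ == "__main__":
    chosen = select_authenticated(DOC)
    print("selected:", describe(chosen))
    print("expanded:", describe(expand_step3(chosen)))
```

The comment node stays in the expanded set because step 4 removes comments only when the URI has no fragment identifier or a shortname XPointer, and `#xpointer(...)` is neither.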