And I am not sure that XInclude will help you here because if you have a standalone
document
��� <Section>
��� ��� ...
��� ��� <dsig: Signature>
��� ��� ��� ...
��� ��� ��� <dsig:Reference URI=".....">
��� ��� ��� ��� ....
��� ��� ��� </dsig:Reference>
��� ��� </dsig:Signature>
��� </Section>
and after this it is embeded into another larger document then the path to <Section> changes
(and reference URI is signed with the message itself!). I really don't think that full xpointer
support can help you here.
However, I got another idea. There is a nice XPath extension in XML DSig: function "here()".
It is used to create enveloping signatures and I think it can help you. Please check the XMLDSig
spec for details on how it works and the enveloping transform description.
Aleksey
Moultrie, Ferrell (ISSAtlanta) wrote:
Aleksey: Thanks for the background. My biggest problem is that my document is a collection of logically unrelated documents (think of a file folder full of signed letters). They were all created/signed independently of each other at different times/places. Because of this, the "section#" attribute is a problem since I have no globally unique ID to reference when creating/validating the signature. Since I presume that the Id="tag" is itself actually computed into the signature hash, I can't assign the tag when building the compound document. If I'm wrong on that and only the children of Section# would be signed/verified then I could work around this by assigning section numbers on a document-by-document basis when assembling the master document. The only other solution I've thought of would be to clone the subdocuments into a new/empty document and sign/verify them there. That seems like a lot of extra work but then an empty URI would work. Does the above description make sense? Any other ideas on how to solve this problem without having to implement full URI/xpointer support? Thanks! Ferrell-----Original Message----- From: Aleksey Sanin [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 23, 2002 6:48 PM To: Moultrie, Ferrell (ISSAtlanta) Cc: '[EMAIL PROTECTED]'; Dodd, Tim (ISS Atlanta) Subject: Re: [xmlsec] XMLSEC Reference URI question Hi, Ferrell! The current XMLDSig does not require full XInclude support and limits the possible reference URIs to the URIs you've listed plus full qualified URLs. The xmlsec does not support full XIncude simply because there were no demand for this yet :) The problem with "id" is that the according to the XML specs attribute with *any* name could have ID flag in the DTD/schema and by this used as "id". For example, you can have something like this in your DTD: <!ATTLIST Section ThisIsAnID ID #IMPLIED> and attribute "ThisIsAnID" MUST be treated as an "id" (for example, when you are using "#xpointer(id('tag'))" to reference the element). As you can see, the "id" attribute means nothing w/o DTD or shema :) I decided that it's a bad idea to require application to provide DTD/schema in order to validate document. So I've implemented a "hack" when application can tell xmlsec library which attributes are "ids" in the particular document. Regarding your question, I think that can do something like this: <Document> <Section1 id="section1"> ... content ... <dsig:Signature> <dsig:SignedInfo> ... <dsig:Reference URI="#xpointer(id('section1'))"> <dsig:Transforms> <!-- exclude dsig:Siganture element from digest! --> <dsig:Transform /> </dsig:Transforms> ... </dsig:Reference> </dsig:SignedInfo> ... </dsig:Signature> </Section1> <Section2 id="section2"> ... content ... <dsig:Signature> <dsig:SignedInfo> ... <dsig:Reference URI="#xpointer(id('section2'))"> <dsig:Transforms> <!-- exclude dsig:Siganture element from digest! --> <dsig:Transform /> </dsig:Transforms> ... </dsig:Reference> </dsig:SignedInfo> ... </dsig:Signature> </Section2> ... </Document> Please note, that you need to put additional XPath transform to exclude <dsig:Signature> element itself from digesting (XPath transofrm is supported by xmlsec)! With best regards, Aleksey Moultrie, Ferrell (ISSAtlanta) wrote:Aleksey: Looking in xmlSecTransformStateParseUri() [transforms.c:1069] it appears that your support of current-document URI references is limited to: o URI="" (empty URI, whole document signed/verified) o URI="#xpointer(/)" o URI="#xpointer(id('tag'))" Further, it looks like the id('tag') actually resolves to looking for the first element in the document with the attribute Id="tag". This iscommentedas a hack for documents w/o schemas or DTDs. Can you explain what's behind this "hack" and where you are headed with regard to the complete URI specification? Also, since the URI processing appears to be limited, I'm wondering if you support the use of an <XPath> element child of the <Transform> element fully, partially, or not at all. The problem I'm trying to solve is that I have documents which consist of multiple sections that each have an individual signature on that section only. In other words, <Document> <Section1> ... content ... <Signature ... /> </Section1> <Section2> ... content ... <Signature ... /> </Section2> ... </Document> I need to have some way (presumably the Reference URI or the Transform) to limit the signature (and verification) to just the content of <Section1> when computing <Section1>'s signature block, etc. What is the best way to support this case with the current XMLSEC library? Thanks! Ferrell ===================================== Ferrell Moultrie ([EMAIL PROTECTED]) Software Engineer Internet Security Systems, Inc. 6303 Barfield Road Atlanta, Georgia 30328 Phone: 404-236-2600 Direct: 404-236-2849 Fax: 404-236-2632 http://www.iss.net Internet Security Systems -- The Power to Protect ===================================== _______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec_______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
