Aleksey:

Ok, I've tried to use an XPath Transform to limit the data being verified. Unfortunately, it doesn't appear to work. Here's what I see happening in the code:

xmlSecTransformXPathReadNode() [xpath.c:203] takes the input xmlSecTransformPtr and upcasts it to a xmlSecXmlTransformPtr. It then stores the parsed XPath string and the "here" node reference in the xmlSecXmlTransform object it points to (at least there's checking of the pointer assignment sanity here). The caller, xmlSecTransformRead, returns to its caller xmlSecTransformNodeRead with the pointer to the object containing the XPath transform information. The transform is further passed back to xmlSecTransformsNodeRead, which calls xmlSecTransformStateUpdate, which discovers that the transform type is xmlSecTransformTypeXml and calls xmlSecTransformCreateXml. This routine, because the file is already parsed and both curFirstBinTransform and curC14NTransform in the state object are NULL, does nothing and returns! This results in the XPath Transform information being parsed and saved but otherwise ignored.

The <Signature> block contains the following transform, which is parsed and ignored in the above case:

    <sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
      <sig:XPath>/ISSKeys/Contacts/Contact</sig:XPath>
    </sig:Transform>

The result is that adding an XPath transform like the above is ignored. This works properly with the Apache Java tools, so I believe that it's a legal way to construct a reference. Eventually, I'd intended to change the XPath reference to a here()-relative reference to solve my compound document problem, but this seemed like a quick/easy test -- unfortunately it's not working.

Is this a bug, or have I missed something else? Since Apache properly verifies this signature and the code in xmlSecTransformCreateXml seems to be missing any knowledge of this transform, I'm guessing that it's a bug -- but I'll appreciate your advice on how to proceed!

Thanks!
Ferrell

=====================================
Ferrell Moultrie ([EMAIL PROTECTED])
Software Engineer
Internet Security Systems, Inc.
6303 Barfield Road, Atlanta, Georgia 30328
Phone: 404-236-2600  Direct: 404-236-2849  Fax: 404-236-2632
http://www.iss.net
Internet Security Systems -- The Power to Protect
=====================================
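The question above turns on what an XMLDSig XPath transform actually selects. Per the XML Signature specification (section 6.6.3), the transform is a filter, not a selection: every node of the input node-set is taken in turn as the XPath context node, the expression is evaluated and converted to a boolean, and the node is kept only if the result is true. The following Python script, added here as an illustration and not code from the thread, from xmlsec or from Apache XML Security, pulls the expression out of a `<Transforms>` element shaped like the one quoted in the message (the `sig` prefix is assumed to map to the XMLDSig namespace) and applies those filter semantics to a constructed sample document. It implements only a tiny XPath subset (absolute location paths and `ancestor-or-self::Name`) so that it runs on the standard library alone; a real verifier uses a full XPath engine. Running it shows which element nodes end up covered by the reference digest for a given expression, which is the check a reviewer wants before trusting that a signature over a compound document protects the part they care about.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XPATH_TRANSFORM = "http://www.w3.org/TR/1999/REC-xpath-19991116"

# Constructed sample compound document (not from the thread): the signer
# intends only the <Contact> subtree to be covered by the signature.
DOC = """<ISSKeys>
  <Contacts>
    <Contact name="alice"><Email>alice@example.invalid</Email></Contact>
  </Contacts>
  <Notes><Note>not meant to be covered</Note></Notes>
</ISSKeys>"""

# Constructed <Transforms> fragment in the shape quoted in the message.
# Assumption: the "sig" prefix is bound to the XMLDSig namespace.
TRANSFORMS = f"""<sig:Transforms xmlns:sig="{DSIG_NS}">
  <sig:Transform Algorithm="{XPATH_TRANSFORM}">
    <sig:XPath>/ISSKeys/Contacts/Contact</sig:XPath>
  </sig:Transform>
</sig:Transforms>"""


def xpath_expressions(transforms_xml):
    """Return the expression of every XPath transform inside <Transforms>."""
    root = ET.fromstring(transforms_xml)
    exprs = []
    for transform in root.iter(f"{{{DSIG_NS}}}Transform"):
        if transform.get("Algorithm") == XPATH_TRANSFORM:
            xp = transform.find(f"{{{DSIG_NS}}}XPath")
            if xp is not None and xp.text:
                exprs.append(xp.text.strip())
    return exprs


def walk(elem, ancestors=()):
    """Yield (element, ancestors) for every element in document order."""
    yield elem, ancestors
    for child in elem:
        yield from walk(child, ancestors + (elem,))


def evaluate_boolean(root, node, ancestors, expr):
    """Evaluate a small XPath subset with `node` as context node, as boolean.

    - "/A/B/C": an absolute path; its node-set does not depend on the context
      node, and the boolean value is simply "is that node-set non-empty".
    - "ancestor-or-self::Name": true iff the context node or one of its
      ancestors is a <Name> element.
    """
    expr = expr.strip()
    if expr.startswith("/"):
        steps = [s for s in expr.split("/") if s]
        if not steps or root.tag != steps[0]:
            return False
        if len(steps) == 1:
            return True
        # Remaining steps form a path relative to the document element.
        return root.find("/".join(steps[1:])) is not None
    if expr.startswith("ancestor-or-self::"):
        name = expr[len("ancestor-or-self::"):]
        return any(e.tag == name for e in (node,) + ancestors)
    raise ValueError("unsupported XPath subset: " + expr)


def xpath_filter(doc_xml, expr):
    """Apply XMLDSig XPath-transform semantics: keep each node whose
    per-node boolean evaluation of `expr` is true. Returns kept tag names."""
    root = ET.fromstring(doc_xml)
    return [node.tag for node, anc in walk(root)
            if evaluate_boolean(root, node, anc, expr)]


if __name__ == "__main__":
    for expr in xpath_expressions(TRANSFORMS):
        print(expr, "->", xpath_filter(DOC, expr))
    print("ancestor-or-self::Contact ->",
          xpath_filter(DOC, "ancestor-or-self::Contact"))
```

With the absolute path from the message, every node evaluates to true (the path is non-empty regardless of the context node), so the whole document, including `<Notes>`, stays in the signed node-set; with `ancestor-or-self::Contact` only the `<Contact>` subtree survives. That difference is invisible in a successful verification, so it is worth printing the covered node-set when auditing what a signature over a compound document actually binds.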
