Aleksey,

     Thanks for your hints. The following works fine. 2 points of notice.

1) In the Pre-Digest buffer (see below) I will get extra white space and/or
CRLFs for every "subtract" I add in the transform chain. Do I need to do
another Canonicalization after the set of filters? Can this be expressed as
a transform?

2) Is there any way to do a "wildcard" type thing with the "subtract" so I
might use only a single filter instead of one for every //SignatureN? Like
a sort of //Signature(*) or something?

Thanks,
Ed  


<?xml version="1.0"?>
<Document>
        <ToBeSigned>
                <Data>We must sign this.</Data>
                <Signature1>1st exclude</Signature1>
                <Signature2>2nd exclude</Signature2>
        </ToBeSigned>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
                <SignedInfo>
                        <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                        <SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <Reference URI="">
                                <Transforms>
                                        <Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                        <Transform
Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
                                                <dsig-xpath:XPath
Filter="intersect"> //Document </dsig-xpath:XPath>
                                                <dsig-xpath:XPath
Filter="subtract"> //Signature1 </dsig-xpath:XPath>
                                                <dsig-xpath:XPath
Filter="subtract"> //Signature2 </dsig-xpath:XPath>
                                        </Transform>
                                </Transforms>
                                <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                <DigestValue></DigestValue>
                        </Reference>
                </SignedInfo>
                <SignatureValue>
                </SignatureValue>
                <KeyInfo>
                        <X509Data>
                                <X509SubjectName></X509SubjectName>
                                <X509IssuerSerial></X509IssuerSerial>
                                <X509Certificate></X509Certificate>
                        </X509Data>
                </KeyInfo>
        </Signature>
</Document>



== PreDigest data - start buffer:
<Document>
        <ToBeSigned>
                <Data>We must sign this.</Data>


        </ToBeSigned>

</Document>
== PreDigest data - end buffer
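The filter chain and the blank lines it leaves behind can be reproduced outside xmlsec. The following is an added illustration, not code from the post or from xmlsec: it models the XPath Filter 2 set operations (each XPath result is expanded to the matched nodes plus all their descendants, then intersected with, subtracted from or unioned with the running node set) on the document above, using only the Python standard library. The `select` function is a tiny matcher that understands just the `//Name` form and one `starts-with(local-name(), ...)` wildcard predicate, not a real XPath engine. The `DOC` string is a constructed copy of the post's document with the `Signature` element already removed, standing in for the output of the enveloped-signature transform that runs first in the chain.

```python
"""Model of the XPath Filter 2 node-set algebra applied to the posted template.

Added illustration, not xmlsec code. Standard library only; `select` is a
minimal stand-in for XPath that supports only the two expression shapes used.
"""
import re
from xml.dom import minidom

# Constructed input: the post's document with the dsig Signature element
# already removed, as the enveloped-signature transform would leave it.
DOC = """<Document>
        <ToBeSigned>
                <Data>We must sign this.</Data>
                <Signature1>1st exclude</Signature1>
                <Signature2>2nd exclude</Signature2>
        </ToBeSigned>
</Document>"""


def all_nodes(node):
    """Document-order list of `node` and every descendant (elements and text)."""
    out = [node]
    for child in node.childNodes:
        out.extend(all_nodes(child))
    return out


def select(doc, xpath):
    """Minimal XPath stand-in (hypothetical helper, not an XPath engine).

    Supported shapes:
      //Name                              -> elements named Name
      //*[starts-with(local-name(),'P')]  -> elements whose local name starts with P
    Anything else raises rather than silently mis-evaluating.
    """
    xpath = xpath.strip()
    m = re.fullmatch(r"//\*\[starts-with\(local-name\(\),'([^']*)'\)\]", xpath)
    if m:
        prefix = m.group(1)
        return [e for e in doc.getElementsByTagName("*")
                if e.tagName.split(":")[-1].startswith(prefix)]
    m = re.fullmatch(r"//([A-Za-z_][\w.-]*)", xpath)
    if m:
        return list(doc.getElementsByTagName(m.group(1)))
    raise ValueError("unsupported XPath in this model: %r" % xpath)


def apply_filter2(doc, filters):
    """Combine (filter_type, xpath) pairs the way XPath Filter 2 does.

    Each XPath result is expanded to the matched nodes plus their descendants,
    then applied to the running node set with intersect / subtract / union.
    Whitespace text nodes that are *siblings* of a subtracted element are not
    descendants of it, so they survive a subtract; that is the residue seen
    in the PreDigest buffer.
    """
    result = set(all_nodes(doc))
    for ftype, xpath in filters:
        matched = set()
        for node in select(doc, xpath):
            matched.update(all_nodes(node))
        if ftype == "intersect":
            result &= matched
        elif ftype == "subtract":
            result -= matched
        elif ftype == "union":
            result |= matched
        else:
            raise ValueError("unknown filter type: %r" % ftype)
    return result


def serialize(node, nodeset, out):
    """Emit the selected nodes in document order, as node-set canonicalization
    does: an omitted element loses its tags but its selected descendants stay;
    selected text nodes are emitted verbatim."""
    if node.nodeType == node.TEXT_NODE:
        if node in nodeset:
            out.append(node.data)
        return
    is_selected_elem = node.nodeType == node.ELEMENT_NODE and node in nodeset
    if is_selected_elem:
        out.append("<%s>" % node.tagName)
    for child in node.childNodes:
        serialize(child, nodeset, out)
    if is_selected_elem:
        out.append("</%s>" % node.tagName)


def predigest(filters, xml=DOC):
    """Return the pre-digest text produced by running `filters` over `xml`."""
    doc = minidom.parseString(xml)
    out = []
    serialize(doc, apply_filter2(doc, filters), out)
    return "".join(out)


def leftover_blank_lines(text):
    """Count whitespace-only lines: the extra CRLFs the post reports."""
    return sum(1 for line in text.splitlines() if line.strip() == "")


# The post's chain: one subtract per element.
ONE_PER_ELEMENT = [("intersect", "//Document"),
                   ("subtract", "//Signature1"),
                   ("subtract", "//Signature2")]

# A single wildcard subtract covering every element named Signature*.
WILDCARD = [("intersect", "//Document"),
            ("subtract", "//*[starts-with(local-name(),'Signature')]")]

if __name__ == "__main__":
    print(predigest(ONE_PER_ELEMENT))
```

Running it shows two things the post asks about. The whitespace text nodes that surrounded `<Signature1>` and `<Signature2>` are siblings, not descendants, of the subtracted elements, so a subtract leaves them in the node set and they come out as blank lines. And a single predicate such as `//*[starts-with(local-name(),'Signature')]` selects both elements and yields the same buffer as two separate subtract filters. In the full template that predicate also matches the signature's own `Signature` element; since the enveloped-signature transform has already excluded that element, the overlap is harmless there, but it is worth checking whenever a wildcard is used on a document that carries several signatures.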

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Aleksey Sanin
Sent: September 23, 2003 11:55 PM
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Emailing: EdTestFormNoMSO.zip


>Secondly but related, how would one create parallel signatures over the 
>same data using XMLSec ?  Using 2 successive sign operations ?
>
Yes.

>Assuming one is using a template, what would it look like for the 2nd sign
>operation ?
>
A template is just an XML file, remember :)

>For this 2nd pass, does the enveloped-signature transform only exclude 
>the signature being applied (i.e. the 2nd) ?
>  
>
The enveloped transform by definition excludes only the current signature (see
the XMLDSig spec for details).
It does not matter whether it is the first or second signature.

>If so, what is the best way to exclude the 1st ? 
>
XInclude, XPath, XPath2 or XSLT transforms are probably the simplest ways
(you might have interop problems with XPath2). But probably I wouldn't use
XSLT just for that task.

Aleksey


_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
