Very good question :) Unfortunately, the only way to do it
reliably is to limit the allowed transforms (e.g. allow only
enveloped signature transforms). However, xmlsec provides 2 ways
to do this semi-reliably:
1) In xmlSecDSigCtx struct you can get access to the post-C14N
pre-digest buffer with the stuff that was signed. You'll have to
parse it back and map nodes from these buffers to nodes from
the document somehow.
2) In xmlSecDSigCtx struct you can get access to list of
xmlSecDSigReferenceCtx structs. Then from xmlSecDSigReferenceCtx
struct you can get access to list of xmlSecTransformCtx structs.
Then you can get the *last* *XML* transform in the list and
look into "xmlSecNodeSetPtr outNodes".
ATTENTION:
if you have OTHER transforms after the last XML transform, then
you can drop some nodes from signature. E.g. in the following
transforms chain
XPath transform -> XSLT -> XPath transform
the second XPath transform can remove nodes selected by the first
XPath transform.
Aleksey
Barry Ferg wrote:
Is there some way of figuring out if a given node is referenced by a
signature? Ideally I'd like to be able to run through the reference
processing, including XPath filter transforms, and get an
xmlSecNodeSetPtr to test against an xmlNodePtr.
Thanks!
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec