[xmlsec] XMLSEC Reference URI question

Aleksey Sanin aleksey at aleksey.com
Tue Jul 23 15:48:20 PDT 2002


Hi, Ferrell!

The current XMLDSig does not require full XInclude support and limits
the possible reference URIs to the URIs you've listed plus fully
qualified URLs.
xmlsec does not support full XInclude simply because there was no demand
for this yet :)
The problem with "id" is that, according to the XML specs, an attribute with
*any* name could have the ID flag in the DTD/schema and thereby be used as an "id".
For example, you can have something like this in your DTD:
   <!ATTLIST Section ThisIsAnID ID #IMPLIED>
and the attribute "ThisIsAnID" MUST be treated as an "id" (for example, when you
are using "#xpointer(id('tag'))" to reference the element).
As you can see, the "id" attribute means nothing w/o a DTD or schema :) I
decided that it's a bad idea to require the application to provide a DTD/schema
in order to validate a document.
So I've implemented a "hack" whereby the application can tell the xmlsec library
which attributes are "ids" in the particular document.
Regarding your question, I think that you can do something like this:

<Document>
  <Section1 id="section1">
    ... content ...
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:SignedInfo>
        ...
        <dsig:Reference URI="#xpointer(id('section1'))">
          <dsig:Transforms>
            <!-- exclude the dsig:Signature element from the digest! -->
            <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
              <dsig:XPath>not(ancestor-or-self::dsig:Signature)</dsig:XPath>
            </dsig:Transform>
          </dsig:Transforms>
          ...
        </dsig:Reference>
      </dsig:SignedInfo>
      ...
    </dsig:Signature>
  </Section1>
  <Section2 id="section2">
    ... content ...
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:SignedInfo>
        ...
        <dsig:Reference URI="#xpointer(id('section2'))">
          <dsig:Transforms>
            <!-- exclude the dsig:Signature element from the digest! -->
            <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
              <dsig:XPath>not(ancestor-or-self::dsig:Signature)</dsig:XPath>
            </dsig:Transform>
          </dsig:Transforms>
          ...
        </dsig:Reference>
      </dsig:SignedInfo>
      ...
    </dsig:Signature>
  </Section2>
  ...
</Document>

Please note that you need to put an additional XPath transform to exclude
the <dsig:Signature> element itself from digesting (the XPath transform is
supported by xmlsec)!


With best regards,

Aleksey





Moultrie, Ferrell (ISSAtlanta) wrote:

>Aleksey:
>  Looking in xmlSecTransformStateParseUri() [transforms.c:1069] it appears
>that your support of current-document URI references is limited to:
> o URI="" (empty URI, whole document signed/verified)
> o URI="#xpointer(/)"
> o URI="#xpointer(id('tag'))"
>  Further, it looks like the id('tag') actually resolves to looking for the
>first element in the document with the attribute Id="tag". This is commented
>as a hack for documents w/o schemas or DTDs. Can you explain what's behind
>this "hack" and where you are headed with regard to the complete URI
>specification?
>
>  Also, since the URI processing appears to be limited, I'm wondering if you
>support the use of an <XPath> element child of the <Transform> element
>fully, partially, or not at all. 
>
>  The problem I'm trying to solve is that I have documents which consist of
>multiple sections that each have an individual signature on that section
>only. In other words,
>
><Document>
>  <Section1>
>    ... content ...
>    <Signature ... />
>  </Section1>
>  <Section2>
>    ... content ...
>    <Signature ... />
>  </Section2>
>  ...
></Document>
>
>  I need to have some way (presumably the Reference URI or the Transform) to
>limit the signature (and verification) to just the content of <Section1>
>when computing <Section1>'s signature block, etc. What is the best way to
>support this case with the current XMLSEC library?
>
>Thanks!
>  Ferrell
>
>=====================================
>Ferrell Moultrie (ferrell at iss.net)
>Software Engineer
>
>Internet Security Systems, Inc.
>6303 Barfield Road
>Atlanta, Georgia 30328
>Phone:  404-236-2600
>Direct: 404-236-2849
>Fax:    404-236-2632
>http://www.iss.net
>
>Internet Security Systems -- The Power to Protect
>=====================================
>_______________________________________________
>xmlsec mailing list
>xmlsec at aleksey.com
>http://www.aleksey.com/mailman/listinfo/xmlsec
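The reference resolution and Signature-exclusion step Aleksey describes above, as an added Python example that is not part of this thread or of xmlsec itself. It uses only the standard library (Python 3.8+ for `ET.canonicalize`), a constructed two-section document, SHA-256 as the digest algorithm, and a hypothetical `id_attrs` parameter that plays the role of xmlsec's application-declared ID attributes:

```python
import copy
import hashlib
import re
import xml.etree.ElementTree as ET  # canonicalize() needs Python 3.8+

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample document: two sections, each carrying its own signature.
DOC = """<Document>
  <Section1 id="section1"><p>first</p>
    <dsig:Signature xmlns:dsig="{ns}"><dsig:SignatureValue>AAA=</dsig:SignatureValue></dsig:Signature>
  </Section1>
  <Section2 id="section2"><p>second</p>
    <dsig:Signature xmlns:dsig="{ns}"><dsig:SignatureValue>BBB=</dsig:SignatureValue></dsig:Signature>
  </Section2>
</Document>""".format(ns=DSIG_NS)

_ID_REF = re.compile(r"^#xpointer\(id\('([^']*)'\)\)$")

def resolve_reference(root, uri, id_attrs=("id",)):
    """Resolve the three same-document URI forms discussed in the thread.
    id_attrs (hypothetical) stands in for xmlsec's "hack": the application
    declares which attribute names are IDs, since a DTD/schema is absent."""
    if uri in ("", "#xpointer(/)"):
        return root
    m = _ID_REF.match(uri)
    if not m:
        raise ValueError("unsupported reference URI: %r" % uri)
    wanted = m.group(1)
    for el in root.iter():  # first matching element in document order wins
        if any(el.get(a) == wanted for a in id_attrs):
            return el
    raise ValueError("no element with a declared ID attribute equal to %r" % wanted)

def exclude_signatures(node):
    """Apply what the XPath transform not(ancestor-or-self::dsig:Signature)
    expresses: drop every dsig:Signature subtree so a signature never covers itself."""
    node = copy.deepcopy(node)
    sig_tag = "{%s}Signature" % DSIG_NS
    for parent in list(node.iter()):  # materialize first, then mutate safely
        for child in [c for c in parent if c.tag == sig_tag]:
            parent.remove(child)
    return node

def reference_digest(doc_xml, uri, id_attrs=("id",)):
    """Canonicalize the filtered subtree and hash it: the DigestValue input."""
    root = ET.fromstring(doc_xml)
    subtree = exclude_signatures(resolve_reference(root, uri, id_attrs))
    c14n = ET.canonicalize(ET.tostring(subtree, encoding="unicode"))
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()
```

Changing Section2, or the SignatureValue inside Section1's own Signature, leaves Section1's digest unchanged, while editing Section1's content changes it; an ID attribute name the application did not declare (e.g. `Id` instead of `id`) is simply not resolved.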