[xmlsec] Emailing: EdTestFormNoMSO.zip
Edward Shallow
ed.shallow@rogers.com
Wed, 24 Sep 2003 10:21:31 -0400
Aleksey,
Thanks for your hints. The following works fine. 2 points of notice.
1) In the Pre-Digest buffer (see below) I will get extra white space and/or
CRLFs for every "subtract" I add in the transform chain. Do I need to do
another Canonicalization after the set of filters? Can this be expressed as
a transform?
2) Is there any way to do a "wildcard" type thing with the "subtract" so I
might use only a single filter instead of one for every //SignatureN? Like
a sort of //Signature(*) or something?
Thanks,
Ed
<?xml version="1.0"?>
<Document>
  <ToBeSigned>
    <Data>We must sign this.</Data>
    <Signature1>1st exclude</Signature1>
    <Signature2>2nd exclude</Signature2>
  </ToBeSigned>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
             xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
    <SignedInfo>
      <CanonicalizationMethod
          Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform
              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform
              Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
            <dsig-xpath:XPath
                Filter="intersect"> //Document </dsig-xpath:XPath>
            <dsig-xpath:XPath
                Filter="subtract"> //Signature1 </dsig-xpath:XPath>
            <dsig-xpath:XPath
                Filter="subtract"> //Signature2 </dsig-xpath:XPath>
          </Transform>
        </Transforms>
        <DigestMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>
    </SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509SubjectName></X509SubjectName>
        <X509IssuerSerial></X509IssuerSerial>
        <X509Certificate></X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</Document>
== PreDigest data - start buffer:
<Document>
<ToBeSigned>
<Data>We must sign this.</Data>
</ToBeSigned>
</Document>
== PreDigest data - end buffer
-----Original Message-----
From: xmlsec-admin@aleksey.com [mailto:xmlsec-admin@aleksey.com] On Behalf
Of Aleksey Sanin
Sent: September 23, 2003 11:55 PM
To: Edward Shallow
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] Emailing: EdTestFormNoMSO.zip
>Secondly but related, how would one create parallel signatures over the
>same data using XMLSec ? Using 2 successive sign operations ?
>
Yes.
>Assuming one is using a template, what would it look like for the 2nd sign
>operation ?
>
Template is just an XML file, remember :)
>For this 2nd pass, does the enveloped-signature transform only exclude
>the signature being applied (i.e. the 2nd) ?
>
>
Enveloped transform by definition excludes only the current signature (see
XMLDSig spec for details).
It does not matter whether it is the first or the second signature.
>If so, what is the best way to exclude the 1st ?
>
XInclude, XPath, XPath2 or XSLT transforms are probably the simplest ways
(you might have interop problems with XPath2). But probably I wouldn't use
XSLT just for that task.
Aleksey
_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
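The two questions in the thread come down to how XPath Filter 2 builds its node set. Each filter's matches are expanded to whole subtrees (the matched node, its attributes and all its descendants) before being intersected with or subtracted from the node set flowing through the chain. A subtract therefore removes Signature1 and everything inside it, but the whitespace text nodes that sit between elements are siblings of Signature1, not descendants, so they stay in the set, and Canonical XML writes every text node in the set verbatim, whitespace included. Since a Filter 2 element takes any XPath 1.0 expression, one subtract such as //*[starts-with(local-name(), 'Signature')] can replace a list of per-element subtracts; the price is that a loose pattern can silently drop data that was meant to be covered by the signature, so a precise expression is the safer choice. The following Python script is an added example, not code from the thread or from xmlsec. It models the Filter 2 node-set arithmetic on a constructed copy of the thread's document (with indentation made explicit so the whitespace text nodes are visible), uses Python predicates in place of the XPath expressions, and uses a simplified node-set serializer in place of real C14N; all function names are the example's own.

```python
from xml.dom import Node, minidom
from xml.sax.saxutils import escape

# Constructed sample: the thread's document without its Signature element, with
# deliberate indentation so the whitespace text nodes between elements are visible.
SAMPLE = """<?xml version="1.0"?>
<Document>
  <ToBeSigned>
    <Data>We must sign this.</Data>
    <Signature1>1st exclude</Signature1>
    <Signature2>2nd exclude</Signature2>
  </ToBeSigned>
</Document>"""


def subtree(node):
    """Yield node, its attributes and every descendant (Filter 2's subtree expansion)."""
    yield node
    if node.nodeType == Node.ELEMENT_NODE:
        yield from node.attributes.values()
    for child in node.childNodes:
        yield from subtree(child)


def elem_named(name):
    """Predicate standing in for the XPath  //name  (hypothetical helper)."""
    return lambda n: n.nodeType == Node.ELEMENT_NODE and n.tagName == name


def elem_prefixed(prefix):
    """Predicate standing in for  //*[starts-with(local-name(), 'prefix')] ."""
    return lambda n: n.nodeType == Node.ELEMENT_NODE and n.tagName.startswith(prefix)


def apply_filter2(doc, filters):
    """Evaluate (operation, predicate) pairs the way XPath Filter 2 does: each
    filter's matches are expanded to whole subtrees, then intersected with,
    subtracted from or unioned into the node set flowing through the chain."""
    universe = list(subtree(doc.documentElement))
    current = set(universe)
    for op, pred in filters:
        selected = set()
        for n in universe:
            if pred(n):
                selected.update(subtree(n))
        if op == "intersect":
            current &= selected
        elif op == "subtract":
            current -= selected
        elif op == "union":
            current |= selected
        else:
            raise ValueError(f"unknown filter operation {op!r}")
    return current


def serialize(node, keep):
    """Simplified node-set serialization in the spirit of C14N: an element outside
    the set loses its tags but its kept descendants are still written, and kept
    text nodes (whitespace included) are written verbatim."""
    out = []
    if node.nodeType == Node.ELEMENT_NODE:
        if node in keep:
            attrs = "".join(
                f' {a.name}="{escape(a.value)}"'
                for a in sorted(node.attributes.values(), key=lambda a: a.name)
                if a in keep
            )
            out.append(f"<{node.tagName}{attrs}>")
        for child in node.childNodes:
            out.append(serialize(child, keep))
        if node in keep:
            out.append(f"</{node.tagName}>")
    elif node.nodeType == Node.TEXT_NODE and node in keep:
        out.append(escape(node.data))
    return "".join(out)


def predigest(filters, xml=SAMPLE):
    """Pre-digest text for the sample after the given filter chain."""
    doc = minidom.parseString(xml)
    return serialize(doc.documentElement, apply_filter2(doc, filters))


def predigest_per_element():
    # The thread's chain: one subtract per excluded element.
    return predigest([
        ("intersect", elem_named("Document")),
        ("subtract", elem_named("Signature1")),
        ("subtract", elem_named("Signature2")),
    ])


def predigest_wildcard():
    # A single subtract covering every element whose name starts with "Signature".
    return predigest([
        ("intersect", elem_named("Document")),
        ("subtract", elem_prefixed("Signature")),
    ])


def leftover_whitespace_lines(text):
    """Count whitespace-only lines in the pre-digest text: the 'extra CRLFs'."""
    return sum(1 for line in text.splitlines() if line.strip() == "")


if __name__ == "__main__":
    out = predigest_per_element()
    print(out)
    print("whitespace-only lines:", leftover_whitespace_lines(out))
    print("wildcard chain gives identical bytes:", out == predigest_wildcard())
```

Running it prints the surviving whitespace-only lines where Signature1 and Signature2 used to be, and shows that the single prefix-based subtract yields byte-identical pre-digest text to the two explicit subtracts. Because both sides of a signature run the same transform chain, that leftover whitespace is harmless to verification as long as signer and verifier see the same bytes; it only matters if the digested text is inspected by hand.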