[xmlsec] inconsistent XPath: xmlsec vs apache.org's xml-security

Aleksey Sanin aleksey at aleksey.com
Tue Jan 4 09:35:50 PST 2005



Mikolaj Habryn wrote:
> Attached as compliance.xml is a signed document which contains two other
> signed documents nested within it, all with encapsulated signatures. The
> structure is thus:
> 
> <compliance>
>   <proposition>
>     <solicitation>
>       <Signature/>
>     </solicitation>
>     <Signature/>
>   </proposition>
>   <Signature/>
> </compliance>

OK, I think I see your problem with the third Signature element:

- First Signature element has Reference with the following XPath2
transform:
   intersect: here()/ancestor::frog:solicitation[1]
   subtract: here()/ancestor::frog:solicitation[1]/child::ds:Signature

This selects the <solicitation> element from the document and
then removes the Signature element from it. This is exactly what
xmlsec digests (see attached first.xml file, formatting is added to make
it readable).

- Second Signature element has Reference with the "enveloped signature"
transform followed by an exc-c14n transform. This selects everything but
the second Signature element itself. Again, xmlsec does exactly this
(see attached second.xml file, formatting is added to make it readable).

- Third Signature element has Reference with the following XPath2
transform:
   intersect: here()/ancestor::frog:compliance[1]
   subtract: here()/ancestor::frog:compliance[1]/child::ds:Signature

This selects the <compliance> element from the document and
then removes the *third Signature* element only (see attached third.xml
file, formatting is added to make it readable) and I think you expect
it to remove *all Signature* elements from the document.

I believe that this behaviour is related to the "here()" function, and we
need Daniel to say if this is correct or not. Daniel, what should the
following XPath query return:
    here()/ancestor::frog:compliance[1]/child::ds:Signature

1) Only the current (from here() context) Signature element
2) All the Signature elements under <frog:compliance> element

In the meantime, you can get what you want if you change the XPath2 transform
in the third Signature element to this one:
   intersect: here()/ancestor::frog:compliance[1]
   subtract: //ds:Signature

Aleksey

-------------- next part --------------
A non-text attachment was scrubbed...
Name: third.xml
Type: text/xml
Size: 3994 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20050104/92ab1b92/third-0002.xml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: first.xml
Type: text/xml
Size: 249 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20050104/92ab1b92/first-0002.xml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: second.xml
Type: text/xml
Size: 4768 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20050104/92ab1b92/second-0002.xml
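Added example, not part of the thread or of xmlsec: a standard-library model of the XPath Filter 2 intersect/subtract steps discussed above, run against the nested structure from the original message (element nodes only; real Filter 2 evaluation also covers attribute and text nodes, and the namespace URI for the frog prefix is assumed). It makes the difference between the two subtract expressions visible: child::ds:Signature from the compliance element reaches only its direct-child Signature, while //ds:Signature reaches all three.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
FROG = "urn:example:frog"  # assumed URI; the thread only shows the prefix
SIG = f"{{{DS}}}Signature"

# Constructed sample mirroring the thread's structure: one enveloped
# Signature at each of the three nesting levels.
DOC = f"""<f:compliance xmlns:f="{FROG}" xmlns:ds="{DS}">
  <f:proposition>
    <f:solicitation>
      <ds:Signature><ds:SignedInfo/></ds:Signature>
    </f:solicitation>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
  </f:proposition>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
</f:compliance>"""

def nearest_ancestor(node, parents, tag):
    """ancestor::tag[1] -- the closest ancestor with the given tag."""
    while node in parents:
        node = parents[node]
        if node.tag == tag:
            return node
    raise LookupError(tag)

def apply_filter2(root, here, scope_tag, axis):
    """Filter 2 on element nodes: intersect with the subtree of
    here()/ancestor::scope_tag[1], then subtract the subtree of every
    ds:Signature reached from that element via 'child' or 'descendant'.
    The Signature element stands in for here() (the XPath element inside it)."""
    parents = {c: p for p in root.iter() for c in p}
    scope = nearest_ancestor(here, parents, f"{{{FROG}}}{scope_tag}")
    selected = set(scope.iter())                   # intersect
    if axis == "child":                            # child::ds:Signature
        targets = [c for c in scope if c.tag == SIG]
    elif axis == "descendant":                     # what //ds:Signature reaches here
        targets = list(scope.iter(SIG))
    else:
        raise ValueError(axis)
    for t in targets:                              # subtract
        selected -= set(t.iter())
    return selected

def surviving_signatures(scope_tag, axis, which):
    """Count Signature elements left in the digested subset when the
    Signature at index `which` (document order, 0 = innermost, -1 = outermost)
    carries the given transform."""
    root = ET.fromstring(DOC)
    here = list(root.iter(SIG))[which]
    return sum(1 for n in apply_filter2(root, here, scope_tag, axis) if n.tag == SIG)
```

Running `surviving_signatures("compliance", "child", -1)` reproduces the third.xml case (two inner Signatures remain), `("compliance", "descendant", -1)` the suggested `//ds:Signature` fix (none remain), and `("solicitation", "child", 0)` the first.xml case.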