W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2000

XPath transformation sample

From: Petteri Stenius <Petteri.Stenius@remtec.fi>
Date: Thu, 6 Apr 2000 18:55:25 +0300
Message-ID: <CD0FF8F92CA8D311B9AB00105A14D5570B1009@server.remtec.fi>
To: "'IETF/W3C XML-DSig WG (E-mail)'" <w3c-ietf-xmldsig@w3.org>

Hello,

If I understand the XPath transformation spec correctly then the sample
XPath expression for SignatureValue and DigestValue exclusion are wrong.

The sample expression returns a node-set that does not contain the
*elements* SignatureValue and DigestValue but does actually contain their
*text* child nodes!


I've attached sample output from our current preliminary XPath
transformation implementation:

- out.xml is a signed XML document I use as input for the XPath
transformation (the SignatureValue is not correct, it's not a signed value
but the plain digest)

- xpath.txt is the output from a separate XPath transformation, with each
node from the node-set serialized on a separate row

The XPath expression is as follows:

/descendant-or-self::node()[
not(self::dsig:SignatureValue and parent::dsig:Signature[@dsig:Id='S1'])
and not(self::dsig:DigestValue and ancestor::*[3 and @dsig:Id='S1'])
]

A simple working XPath expression would be:

/descendant-or-self::node()[
not(ancestor-or-self::dsig:Signature[@dsig:Id='S1'])
]

This expression would exclude the entire Signature element.

Petteri

--
Petteri Stenius                            Petteri.Stenius@remtec.fi
Remtec Systems, Ltd.                           Office +358-9-5259240
                                                 Fax +358-9-52592411
http://www.remtec.fi/                         Mobile +358-50-5506161



Received on Thursday, 6 April 2000 11:55:33 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:09 GMT