- From: Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at>
- Date: Thu, 19 Apr 2001 12:57:45 +0200
- To: "XMLSigWG" <w3c-ietf-xmldsig@w3.org>
Hi,

I use XPath in a reference to select an element of the same document and all
its descendants, attributes,... - simply the subtree with the specific
element as its root.

I already have an XPath that works. However, it's awfully slow, because it's
quite long for this simple task it performs.

Here is a short example:

<?xml version="1.0" encoding="UTF-8"?>
<aida:eDocument xmlns:aida="http://www.iaik.at/aida"
    xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
    xsi:schemaLocation="http://www.iaik.at/aida eDocument.xsd">
  <aida:signedContent>
    <personnel xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="personal.xsd">
      <person contr="false" id="Big.Boss">
        <name>
          <family>Boss</family>
          <given>Big</given>
        </name>
        <email>chief@foo.com</email>
        <link subordinates="one.worker two.worker three.worker four.worker five.worker"/>
      </person>
      ... (omitted some data)
    </personnel>
  </aida:signedContent>
  <dsig:Signature Id="eDocumentSignature-1"
      xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod
          Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000907"/>
      <dsig:SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="">
        <dsig:Transforms>
          <dsig:Transform
              Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
            <dsig:XPath xmlns:aida="http://www.iaik.at/aida"
                xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">count((here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//. |
here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//@* |
here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//namespace::*) | self::node()) =
count((here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//. |
here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//@* |
here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//namespace::*))</dsig:XPath>
          </dsig:Transform>
        </dsig:Transforms>
        <dsig:DigestMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>ssbkbDM6VCUTYyzXMK06RKcbFHQ=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>PFkUqjNCq9Ujyl/K/5c62vyEeExIVNFwrrH2ZuxLbmXjH9dQOFrVwPodMb1xUY1Y
8iHpAcl8Z6xP3mMCK60ROtVCcDRS2v0ydULhJ+IZFjotIgwtGECy9lxZy4LDkeUJ
RIvtzlDHBnp5jMb1+iLO1aTvkBzNLWbrAGo+rbqely4=</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:X509Data>
        <dsig:X509Certificate>MIIC .... (omitted some data)
        </dsig:X509Certificate>
      </dsig:X509Data>
    </dsig:KeyInfo>
  </dsig:Signature>
</aida:eDocument>

I need the here() functionality to ensure that the signature even verifies
if I embed the whole document into another XML document.
The long XPath that you see in the example just selects the
<aida:signedContent> element with everything contained within this element.

Does anyone know a simpler XPath that does the same job? The performance of
this is unacceptable: up to some minutes if I have a medium XML document in
the signed content running without JIT. (I use Xerces 1.3.0 [with some
patches])

I did not want to use IDs, to be able to arbitrarily include signed documents
into other documents.

Regards,
Karl Scheibelhofer
--
Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at>
Institute for Applied Information Processing and Communications (IAIK)
at Technical University of Graz, Austria, http://www.iaik.at
Phone: (+43) (316) 873-5540
Received on Thursday, 19 April 2001 06:55:18 UTC
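
Why the posted expression scales badly, as an added example that is not part of the original message: an XPath filter transform evaluates the expression once per node, and each evaluation rebuilds the whole signedContent node-set. The Python model below compares that with an ancestor-or-self walk that selects the same nodes. Assumptions: the sample document is constructed, only element and attribute nodes are modelled (namespace and text nodes are left out), and `filter_by_ancestor` is a hypothetical alternative, not something proposed in the message.

```python
import xml.etree.ElementTree as ET
AIDA = "{http://www.iaik.at/aida}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed sample: the message's layout embedded in an outer <envelope>.
SAMPLE = """<envelope xmlns:aida="http://www.iaik.at/aida"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><aida:eDocument>
  <aida:signedContent><personnel><person id="Big.Boss">
    <name><family>Boss</family></name></person></personnel></aida:signedContent>
  <dsig:Signature><dsig:XPath/></dsig:Signature>
 </aida:eDocument>
 <aida:signedContent><unsigned/></aida:signedContent>
</envelope>"""

def nodes_of(elem):
    """Element and attribute nodes of elem's subtree, in document order."""
    return [n for e in elem.iter() for n in [e, *((e, a) for a in e.attrib)]]

def signed_root(root, parent):
    """Models here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]."""
    n = root.find(f".//{DSIG}XPath")  # the element here() would return
    while n.tag != AIDA + "eDocument":
        n = parent[n]
    return n.find(AIDA + "signedContent")

def filter_as_posted(root, parent):
    """Per context node: rebuild the subtree node-set, compare the two counts."""
    kept, visits = [], 0
    for node in nodes_of(root):
        subtree = nodes_of(signed_root(root, parent))
        visits += len(subtree)
        if len(set(subtree) | {node}) == len(subtree):
            kept.append(node)
    return kept, visits

def filter_by_ancestor(root, parent):
    """Hypothetical alternative: keep a node if signed_root is its ancestor-or-self."""
    target, kept, visits = signed_root(root, parent), [], 0
    for node in nodes_of(root):
        e = node[0] if isinstance(node, tuple) else node
        while e is not None and e is not target:
            e, visits = parent.get(e), visits + 1
        if e is target:
            kept.append(node)
    return kept, visits

def run():
    root = ET.fromstring(SAMPLE)
    parent = {c: p for p in root.iter() for c in p}
    return filter_as_posted(root, parent), filter_by_ancestor(root, parent)
```

The first filter's work grows with (document nodes) x (signed subtree nodes), the second with (document nodes) x (tree depth); the second signedContent outside the eDocument is excluded by both because the target is resolved relative to the signature.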