RE: XPath transformation sample from John Boyer on 2000-04-06 (w3c-ietf-xmldsig@w3.org from April to June 2000)

From: John Boyer <jboyer@PureEdge.com>
Date: Thu, 6 Apr 2000 09:29:16 -0700
To: "Petteri Stenius" <Petteri.Stenius@remtec.fi>, "'IETF/W3C XML-DSig WG \(E-mail\)'" <w3c-ietf-xmldsig@w3.org>
Message-ID: <BFEDKCINEPLBDLODCODKEEEGCCAA.jboyer@PureEdge.com>

Hi Petteri,

Yes, my mistake.  I've done that right in the past, but I missed the
ancestor-or-self problem in that particular example.

I will change the example to the much more simple act of omitting the whole
signature element from the DigestValue calculation since it is A) easier,
and B) not harmful.

This will be done in the upcoming version that changes from having a
serialize function to simply describing how to serialize.

John Boyer
Software Development Manager
PureEdge Solutions, Inc. (formerly UWI.Com)
Creating Binding E-Commerce
jboyer@PureEdge.com


-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of Petteri Stenius
Sent: Thursday, April 06, 2000 8:55 AM
To: 'IETF/W3C XML-DSig WG (E-mail)'
Subject: XPath transformation sample



Hello,

If I understand the XPath transformation spec correctly then the sample
XPath expression for SignatureValue and DigestValue exclusion are wrong.

The sample expression returns a node-set that does not contain the
*elements* SignatureValue and DigestValue but does actually contain their
*text* child nodes!


I've attached sample output from our current preliminary XPath
transformation implementation:

- out.xml is a signed XML document I use as input for the XPath
transformation (the SignatureValue is not correct, it's not a signed value
but the plain digest)

- xpath.txt is the output from a separate XPath transformation, with each
node from the node-set serialized on a separate row

The XPath expression is as follows:

/descendant-or-self::node()[
not(self::dsig:SignatureValue and parent::dsig:Signature[@dsig:Id='S1'])
and not(self::dsig:DigestValue and ancestor::*[3 and @dsig:Id='S1'])
]

A simple working XPath expression would be:

/descendant-or-self::node()[
not(ancestor-or-self::dsig:Signature[@dsig:Id='S1'])
]

This expression would exclude the entire Signature element.

Petteri

--
Petteri Stenius                            Petteri.Stenius@remtec.fi
Remtec Systems, Ltd.                           Office +358-9-5259240
                                                 Fax +358-9-52592411
http://www.remtec.fi/                         Mobile +358-50-5506161

Received on Thursday, 6 April 2000 12:20:19 UTC