- From: Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at>
- Date: Thu, 19 Apr 2001 12:57:45 +0200
- To: "XMLSigWG" <w3c-ietf-xmldsig@w3.org>
Hi, i use XPath in a reference to select a element of the same document and all its descendants, attributes,... - simply the subtree with the specific element as its root. i already have a XPath that works. however, its awfully slow, because its quite long for this simple task it perfoms. here a short example <?xml version="1.0" encoding="UTF-8"?> <aida:eDocument xmlns:aida="http://www.iaik.at/aida" xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:schemaLocation="http://www.iaik.at/aida eDocument.xsd"> <aida:signedContent> <personnel xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:noNamespaceSchemaLocation="personal.xsd"> <person contr="false" id="Big.Boss"> <name> <family>Boss</family> <given>Big</given> </name> <email>chief@foo.com</email> <link subordinates="one.worker two.worker three.worker four.worker five.worker"/> </person> ... (omitted some data) </personnel> </aida:signedContent> <dsig:Signature Id="eDocumentSignature-1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:SignedInfo> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000907"/> <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <dsig:Reference URI=""> <dsig:Transforms> <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"> <dsig:XPath xmlns:aida="http://www.iaik.at/aida" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">count((here()/ancestor::aida :eDocument[1]/child::aida:signedContent[1]//. | here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//@* | here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//namespace:: *) | self::node()) = count((here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//. | here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//@* | here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//namespace:: *))</dsig:XPath> </dsig:Transform> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <dsig:DigestValue>ssbkbDM6VCUTYyzXMK06RKcbFHQ=</dsig:DigestValue> </dsig:Reference> </dsig:SignedInfo> <dsig:SignatureValue>PFkUqjNCq9Ujyl/K/5c62vyEeExIVNFwrrH2ZuxLbmXjH9dQOFrVwPo dMb1xUY1Y 8iHpAcl8Z6xP3mMCK60ROtVCcDRS2v0ydULhJ+IZFjotIgwtGECy9lxZy4LDkeUJ RIvtzlDHBnp5jMb1+iLO1aTvkBzNLWbrAGo+rbqely4=</dsig:SignatureValue> <dsig:KeyInfo> <dsig:X509Data> <dsig:X509Certificate>MIIC .... (omitted some data) </dsig:X509Certificate> </dsig:X509Data> </dsig:KeyInfo> </dsig:Signature> </aida:eDocument> i need the here() functionality to ensure that the signature even verifies, if i embed the whole document into another xml document. the long XPath the you see in the example just selects the <aida:signedContent> element with everything contained within this element. does anyone know a simpler XPath that does the same job? the performance of this is unacceptable: up to some minutes if i have a medium XML document in the signed content running without JIT. (i use Xerces 1.3.0 [with some patches]) i did not want to use IDs, to be able to arbitrary include signed documents into other documents. regards, Karl Scheibelhofer -- Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at> Institute for Applied Information Processing and Communications (IAIK) at Technical University of Graz, Austria, http://www.iaik.at Phone: (+43) (316) 873-5540
Received on Thursday, 19 April 2001 06:55:18 UTC