Problem: referring to a complete sub-tree using XPath

Hi,

i use XPath in a reference to select a element of the same document and all
its descendants, attributes,... - simply the subtree with the specific
element as its root.
i already have a XPath that works. however, its awfully slow, because its
quite long for this simple task it perfoms.

here a short example

<?xml version="1.0" encoding="UTF-8"?>
<aida:eDocument xmlns:aida="http://www.iaik.at/aida"
xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
xsi:schemaLocation="http://www.iaik.at/aida eDocument.xsd">
  <aida:signedContent>
    <personnel xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="personal.xsd">
      <person contr="false" id="Big.Boss">
        <name>
          <family>Boss</family>
          <given>Big</given>
        </name>
        <email>chief@foo.com</email>
        <link subordinates="one.worker two.worker three.worker four.worker
five.worker"/>
      </person>
	... (omitted some data)
    </personnel>
  </aida:signedContent>
  <dsig:Signature Id="eDocumentSignature-1"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000907"/>
      <dsig:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="">
        <dsig:Transforms>
          <dsig:Transform
Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
            <dsig:XPath xmlns:aida="http://www.iaik.at/aida"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">count((here()/ancestor::aida
:eDocument[1]/child::aida:signedContent[1]//. |
here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//@* |
here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//namespace::
*) | self::node()) =
count((here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//. |
here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//@* |
here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//namespace::
*))</dsig:XPath>
          </dsig:Transform>
        </dsig:Transforms>
        <dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>ssbkbDM6VCUTYyzXMK06RKcbFHQ=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>

<dsig:SignatureValue>PFkUqjNCq9Ujyl/K/5c62vyEeExIVNFwrrH2ZuxLbmXjH9dQOFrVwPo
dMb1xUY1Y  8iHpAcl8Z6xP3mMCK60ROtVCcDRS2v0ydULhJ+IZFjotIgwtGECy9lxZy4LDkeUJ
RIvtzlDHBnp5jMb1+iLO1aTvkBzNLWbrAGo+rbqely4=</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:X509Data>
        <dsig:X509Certificate>MIIC .... (omitted some data)
</dsig:X509Certificate>
      </dsig:X509Data>
    </dsig:KeyInfo>
  </dsig:Signature>
</aida:eDocument>

i need the here() functionality to ensure that the signature even verifies,
if i embed the whole document into another xml document.
the long XPath the you see in the example just selects the
<aida:signedContent> element with everything contained within this element.
does anyone know a simpler XPath that does the same job? the performance of
this is unacceptable: up to some minutes if i have a medium XML document in
the signed content running without JIT. (i use Xerces 1.3.0 [with some
patches])
i did not want to use IDs, to be able to arbitrary include signed documents
into other documents.

regards,

  Karl Scheibelhofer

--

Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at>
Institute for Applied Information Processing and Communications (IAIK)
at Technical University of Graz, Austria, http://www.iaik.at
Phone: (+43) (316) 873-5540

Received on Thursday, 19 April 2001 06:55:18 UTC