Re: Problem: referring to a complete sub-tree using XPath from merlin on 2001-04-25 (w3c-ietf-xmldsig@w3.org from April to June 2001)

From: merlin <merlin@baltimore.ie>
Date: Wed, 25 Apr 2001 09:48:53 +0100
To: "Karl Scheibelhofer" <Karl.Scheibelhofer@iaik.at>
Cc: "XMLSigWG" <w3c-ietf-xmldsig@w3.org>
Message-Id: <20010425084853.92A3843DFB@yog-sothoth.ie.baltimore.com>
Hi Karl,

XPointer is the tool for this job, not XPath. It can do this
reference in a single path evaluation. The xmldsig standard
supports full same-document XPointer references; it is simply
an issue of implementing it ;}

Merlin

r/Karl.Scheibelhofer@iaik.at/2001.04.19/12:57:45
>Hi,
>
>i use XPath in a reference to select a element of the same document and all
>its descendants, attributes,... - simply the subtree with the specific
>element as its root.
>i already have a XPath that works. however, its awfully slow, because its
>quite long for this simple task it perfoms.
>
>here a short example
>
><?xml version="1.0" encoding="UTF-8"?>
><aida:eDocument xmlns:aida="http://www.iaik.at/aida"
>xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
>xsi:schemaLocation="http://www.iaik.at/aida eDocument.xsd">
>  <aida:signedContent>
>    <personnel xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
>xsi:noNamespaceSchemaLocation="personal.xsd">
>      <person contr="false" id="Big.Boss">
>        <name>
>          <family>Boss</family>
>          <given>Big</given>
>        </name>
>        <email>chief@foo.com</email>
>        <link subordinates="one.worker two.worker three.worker four.worker
>five.worker"/>
>      </person>
>	... (omitted some data)
>    </personnel>
>  </aida:signedContent>
>  <dsig:Signature Id="eDocumentSignature-1"
>xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>    <dsig:SignedInfo>
>      <dsig:CanonicalizationMethod
>Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000907"/>
>      <dsig:SignatureMethod
>Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>      <dsig:Reference URI="">
>        <dsig:Transforms>
>          <dsig:Transform
>Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
>            <dsig:XPath xmlns:aida="http://www.iaik.at/aida"
>xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">count((here()/ancestor::aida
>:eDocument[1]/child::aida:signedContent[1]//. |
>here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//@* |
>here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//namespace::
>*) | self::node()) =
>count((here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//. |
>here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//@* |
>here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//namespace::
>*))</dsig:XPath>
>          </dsig:Transform>
>        </dsig:Transforms>
>        <dsig:DigestMethod
>Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>        <dsig:DigestValue>ssbkbDM6VCUTYyzXMK06RKcbFHQ=</dsig:DigestValue>
>      </dsig:Reference>
>    </dsig:SignedInfo>
>
><dsig:SignatureValue>PFkUqjNCq9Ujyl/K/5c62vyEeExIVNFwrrH2ZuxLbmXjH9dQOFrVwPo
>dMb1xUY1Y  8iHpAcl8Z6xP3mMCK60ROtVCcDRS2v0ydULhJ+IZFjotIgwtGECy9lxZy4LDkeUJ
>RIvtzlDHBnp5jMb1+iLO1aTvkBzNLWbrAGo+rbqely4=</dsig:SignatureValue>
>    <dsig:KeyInfo>
>      <dsig:X509Data>
>        <dsig:X509Certificate>MIIC .... (omitted some data)
></dsig:X509Certificate>
>      </dsig:X509Data>
>    </dsig:KeyInfo>
>  </dsig:Signature>
></aida:eDocument>
>
>i need the here() functionality to ensure that the signature even verifies,
>if i embed the whole document into another xml document.
>the long XPath the you see in the example just selects the
><aida:signedContent> element with everything contained within this element.
>does anyone know a simpler XPath that does the same job? the performance of
>this is unacceptable: up to some minutes if i have a medium XML document in
>the signed content running without JIT. (i use Xerces 1.3.0 [with some
>patches])
>i did not want to use IDs, to be able to arbitrary include signed documents
>into other documents.
>
>regards,
>
>  Karl Scheibelhofer
>
>--
>
>Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at>
>Institute for Applied Information Processing and Communications (IAIK)
>at Technical University of Graz, Austria, http://www.iaik.at
>Phone: (+43) (316) 873-5540
>


-----------------------------------------------------------------------------
Baltimore Technologies plc will not be liable for direct,  special,  indirect 
or consequential  damages  arising  from  alteration of  the contents of this
message by a third party or as a result of any virus being passed on.

In addition, certain Marketing collateral may be added from time to time to
promote Baltimore Technologies products, services, Global e-Security or
appearance at trade shows and conferences.

This footnote confirms that this email message has been swept by
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.
   http://www.baltimore.com
Received on Wednesday, 25 April 2001 04:49:38 UTC