W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2001

Re: Problem: referring to a complete sub-tree using XPath

From: merlin <merlin@baltimore.ie>
Date: Wed, 25 Apr 2001 09:48:53 +0100
To: "Karl Scheibelhofer" <Karl.Scheibelhofer@iaik.at>
Cc: "XMLSigWG" <w3c-ietf-xmldsig@w3.org>
Message-Id: <20010425084853.92A3843DFB@yog-sothoth.ie.baltimore.com>

Hi Karl,

XPointer is the tool for this job, not XPath. It can do this
reference in a single path evaluation. The xmldsig standard
supports full same-document XPointer references; it is simply
an issue of implementing it ;}


>i use XPath in a reference to select a element of the same document and all
>its descendants, attributes,... - simply the subtree with the specific
>element as its root.
>i already have a XPath that works. however, its awfully slow, because its
>quite long for this simple task it perfoms.
>here a short example
><?xml version="1.0" encoding="UTF-8"?>
><aida:eDocument xmlns:aida="http://www.iaik.at/aida"
>xsi:schemaLocation="http://www.iaik.at/aida eDocument.xsd">
>  <aida:signedContent>
>    <personnel xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
>      <person contr="false" id="Big.Boss">
>        <name>
>          <family>Boss</family>
>          <given>Big</given>
>        </name>
>        <email>chief@foo.com</email>
>        <link subordinates="one.worker two.worker three.worker four.worker
>      </person>
>	... (omitted some data)
>    </personnel>
>  </aida:signedContent>
>  <dsig:Signature Id="eDocumentSignature-1"
>    <dsig:SignedInfo>
>      <dsig:CanonicalizationMethod
>      <dsig:SignatureMethod
>      <dsig:Reference URI="">
>        <dsig:Transforms>
>          <dsig:Transform
>            <dsig:XPath xmlns:aida="http://www.iaik.at/aida"
>:eDocument[1]/child::aida:signedContent[1]//. |
>here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//@* |
>*) | self::node()) =
>count((here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//. |
>here()/ancestor::aida:eDocument[1]/child::aida:signedContent[1]//@* |
>          </dsig:Transform>
>        </dsig:Transforms>
>        <dsig:DigestMethod
>        <dsig:DigestValue>ssbkbDM6VCUTYyzXMK06RKcbFHQ=</dsig:DigestValue>
>      </dsig:Reference>
>    </dsig:SignedInfo>
>dMb1xUY1Y  8iHpAcl8Z6xP3mMCK60ROtVCcDRS2v0ydULhJ+IZFjotIgwtGECy9lxZy4LDkeUJ
>    <dsig:KeyInfo>
>      <dsig:X509Data>
>        <dsig:X509Certificate>MIIC .... (omitted some data)
>      </dsig:X509Data>
>    </dsig:KeyInfo>
>  </dsig:Signature>
>i need the here() functionality to ensure that the signature even verifies,
>if i embed the whole document into another xml document.
>the long XPath the you see in the example just selects the
><aida:signedContent> element with everything contained within this element.
>does anyone know a simpler XPath that does the same job? the performance of
>this is unacceptable: up to some minutes if i have a medium XML document in
>the signed content running without JIT. (i use Xerces 1.3.0 [with some
>i did not want to use IDs, to be able to arbitrary include signed documents
>into other documents.
>  Karl Scheibelhofer
>Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at>
>Institute for Applied Information Processing and Communications (IAIK)
>at Technical University of Graz, Austria, http://www.iaik.at
>Phone: (+43) (316) 873-5540

Baltimore Technologies plc will not be liable for direct,  special,  indirect 
or consequential  damages  arising  from  alteration of  the contents of this
message by a third party or as a result of any virus being passed on.

In addition, certain Marketing collateral may be added from time to time to
promote Baltimore Technologies products, services, Global e-Security or
appearance at trade shows and conferences.

This footnote confirms that this email message has been swept by
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.
Received on Wednesday, 25 April 2001 04:49:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:10:04 UTC