- From: Blake Dournaee <blake@sarvega.com>
- Date: Mon, 30 Aug 2004 14:31:15 -0700
- To: "'Srinivas'" <tarapur_01@yahoo.com>
- Cc: <w3c-ietf-xmldsig@w3.org>
Hi Srinivas -

If you want to sign the header of a SOAP document that doesn't contain an Id attribute, you need to use an XPath transform filter. Unfortunately, it is a bit screwy in my opinion. I say that because the XPath filter syntax used in XML Signature is not the same as standard XPath filter syntax. Example:

```xml
<Envelope>
  <Header>
    Sign me and all of my children!
    <c1>foo</c1>
    <c2>bar</c2>
  </Header>
  <Body>
    <ds:Signature>
      <Reference URI="">
        <Transforms>
          <Transform>
            <XPath>
              ancestor-or-self::Header
            </XPath>
          </Transform>
        </Transforms>
      </Reference>
    </ds:Signature>
  </Body>
</Envelope>
```

Here is what is happening:

1. The URI that has "" as an attribute value means that the ENTIRE node set is included in the digest. Obviously, you don't want this, but a filter over this node set. This is the job of the XPath transform.

** The naïve way of forming the XPath transform is Envelope/Header. This is dead wrong and will not work. It will include everything **

Instead, the authors of the XML Signature specification decided to make the XPath transform Boolean based. This means that you have to perform a Boolean test for each node and explicitly include it or exclude it. This means that signing is slow when you're not using Id attributes.

So, the transform asks the question: "Am I myself a Header type of element or, alternatively, do I have Header as an ancestor?" This logic is hard to follow in my opinion, but this is the way it works. Consequently, the only elements included in the digest are the Header element and its children.

To see this work for yourself, start at the top of the document and apply the node test:

<Envelope>: Am I a Header element or do I have Header as an ancestor? No, exclude.
<Header>: Am I a Header element or do I have Header as an ancestor? Yes, include.
"Sign": Am I a Header element or do I have Header as an ancestor? Yes, <Header> is my ancestor, include.
"Me": Am I a Header element or do I have Header as an ancestor? Yes, <Header> is my ancestor, include.
Etc.

Let me know if you have more questions,

Blake Dournaee
Senior Security Architect
Sarvega, Inc.

-----Original Message-----
From: Srinivas [mailto:tarapur_01@yahoo.com]
Sent: Monday, August 30, 2004 2:16 PM
To: Blake Dournaee
Subject: RE: Question about signing document header with XML Signature

Blake,

I am a little unclear as to the meaning of "denoting the entire node-set with a filter over it for the header." Can you describe the usage of <Reference URI=""> to sign the header of a message (in XML say)?

Thanks,
-Ravi

--- Blake Dournaee <blake@sarvega.com> wrote:
> For the case of a SOAP message header, the header may not have an Id attribute, so you must use an XPath expression in that case. Either way, you still use a <Reference> element, but simply change the URI based on the target to digest if needed. For the case of the XPath transform it would be the empty quotes "" denoting the entire node-set with a filter over it for the header.
>
> Blake Dournaee
> Senior Security Architect
> Sarvega, Inc.
Received on Monday, 30 August 2004 21:31:18 UTC
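The per-node Boolean evaluation Blake walks through, as an added example (not code from the thread or from any XMLDSIG library): a stdlib Python model of the XPath transform over the node-set that Reference URI="" selects. Because xml.etree cannot evaluate XPath 1.0 axes, the filter `ancestor-or-self::Header` and the naive absolute path `/Envelope/Header` are modelled as Python predicates, and the SOAP-style document is constructed for the demo.

```python
"""Added example, not the thread's own code: models the XMLDSIG XPath transform.
Reference URI="" yields the whole node-set; the transform keeps each node for
which boolean(expr), evaluated with that node as context, is true. xml.etree
cannot evaluate XPath axes, so the two expressions are Python predicates."""
import xml.etree.ElementTree as ET

# Constructed SOAP-style document; Header carries no Id attribute.
DOC = ('<Envelope><Header>Sign me<c1>foo</c1><c2 lang="en">bar</c2></Header>\n'
       '<Body><Other>x</Other></Body></Envelope>')

def node_set(root):
    """Flatten the tree into (kind, name, chain) nodes; chain is the list of
    element names from the root to the node's own (or parent) element.
    Whitespace-only text nodes are dropped for readability."""
    nodes = []
    def walk(el, path):
        chain = path + [el.tag]
        nodes.append(("element", el.tag, chain))
        for attr in el.attrib:                    # attribute nodes
            nodes.append(("attribute", attr, chain))
        if el.text and el.text.strip():           # leading text node
            nodes.append(("text", el.text.strip(), chain))
        for child in el:
            walk(child, chain)
            if child.tail and child.tail.strip(): # text after the child
                nodes.append(("text", child.tail.strip(), chain))
    walk(root, [])
    return nodes

def xpath_transform(nodes, predicate):
    """XMLDSIG semantics: evaluate boolean(expr) per context node, keep iff true."""
    return [n for n in nodes if predicate(n)]

def ancestor_or_self_header(node):
    """ancestor-or-self::Header: true iff Header is the node itself or one of
    its ancestors (for text and attribute nodes, their parent chain)."""
    return "Header" in node[2]

def absolute_envelope_header(root):
    """/Envelope/Header is absolute: the same node-set from every context, so
    the boolean is identical for all nodes and everything gets signed."""
    exists = root.tag == "Envelope" and root.find("Header") is not None
    return lambda node: exists

def signed_names(doc_xml, naive=False):
    root = ET.fromstring(doc_xml)
    nodes = node_set(root)
    pred = absolute_envelope_header(root) if naive else ancestor_or_self_header
    return [n[1] for n in xpath_transform(nodes, pred)]
```

`signed_names(DOC)` returns only Header and the nodes beneath it, while `signed_names(DOC, naive=True)` returns every node in the document, which is the "it will include everything" outcome the mail warns about.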