- From: Christian Geuer-Pollmann <Christian.Geuer-Pollmann@microsoft.com>
- Date: Fri, 27 Jul 2007 17:47:06 +0100
- To: Anders Rundgren <anders.rundgren@telia.com>, "w3c-ietf-xmldsig@w3.org" <w3c-ietf-xmldsig@w3.org>
- Message-ID: <6CF75D3DC659834C980077A2E31582BE09B99EA8DE@EA-EXMSG-C310.europe.corp.microsoft.>
This is a quick shot from the hip without running it in an implementation, but I would try this:

    <RootToBeSigned_ByAll ID="O.54434343">
      <StuffToBeSigned_ByAll/>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something">
        <ds:Signature>
          <ds:SignedInfo>
            <dsig:Reference URI="">
              <dsig:Transforms>
                <dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
                  <dsig-xpath:XPath Filter="subtract">
                    /RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly
                  </dsig-xpath:XPath>
                  <dsig-xpath:XPath Filter="union">
                    /RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly[@Attrib="something"]
                  </dsig-xpath:XPath>
                </dsig:Transform>
              </dsig:Transforms>
              <dsig:Transforms Algorithm="...#enveloped-signature">
              ...
            </dsig:Reference>
            ...
          </ds:SignedInfo>
          ...
        </ds:Signature>
      </RepeatedElemToBeSigned>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something_else">
        <dsSignature 2...
      </RepeatedElemToBeSigned>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="...">
        <dsSignature n...
      </RepeatedElemToBeSigned>
    </RootToBeSigned_ByAll>

1: You select all nodes in the document URI="" (well, except the comments :))
2: You subtract all the //RepeatedElemToBeSigned_ByChildSignatureOnly ones
3: You re-include the one you care about.

And if you don't make it an arbitrary Attrib but type ID, then you simply

    <union>#foo</union>

And if you want, you may move the #enveloped-signature also into the XPath2.

    <dsig-xpath:XPath Filter="subtract">
      RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly[@Attrib="something"]/ds:Signature
    </dsig-xpath:XPath>

Best regards,
Christian

---
Dr.-Ing. Christian Geuer-Pollmann
Lead Software Design Engineer
Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 23, D-52072 Aachen, Germany
Managing Directors: Keith Dolliver, Benjamin O. Orndorff; Amtsgericht Aachen, HRB 12066
http://www.microsoft.com/emic/

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Anders Rundgren
Sent: Monday, 23 July 2007 11:03
To: w3c-ietf-xmldsig@w3.org
Subject: Xpath filter2 newbe question

Hi,

Here is an example of a document that is signed by a number of peers (that should not sign over the others). I wonder if anybody has an idea of how an XPath filter2 could be designed in order to support this? It is probably trivial but not for me :-(

I would like to avoid multiple References in each Signature as well as adding IDs to RepeatedElemToBeSigned_ByChildSignatureOnly. If possible that is...

    <RootToBeSigned_ByAll ID="O.54434343">
      <StuffToBeSigned_ByAll/>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something">
        <ds:Signature 1...
      </RepeatedElemToBeSigned>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something_else">
        <dsSignature 2...
      </RepeatedElemToBeSigned>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="...">
        <dsSignature n...
      </RepeatedElemToBeSigned>
    </RootToBeSigned_ByAll>

Regards
Anders Rundgren

Received on Friday, 27 July 2007 16:47:26 UTC
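
The subtract/union steps from the reply, modelled at element granularity, so that the set of elements each peer's Reference would digest can be checked before a real signing library is involved. This is an added example, not code from either message. It assumes a constructed sample document with empty placeholder signatures and uses paths relative to the root element in place of the absolute XPath expressions; the function names are hypothetical, and text, attribute and namespace nodes are ignored.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
REP = "RepeatedElemToBeSigned_ByChildSignatureOnly"
# Constructed sample modelled on the document in the thread; the signature
# bodies are empty placeholders, not real ds:Signature content.
DOC = f"""<RootToBeSigned_ByAll ID="O.54434343" xmlns:ds="{DS}">
  <StuffToBeSigned_ByAll/>
  <{REP} Attrib="something"><ds:Signature/></{REP}>
  <{REP} Attrib="something_else"><ds:Signature/></{REP}>
</RootToBeSigned_ByAll>"""


def subtree(elem):
    """Filter 2.0 expands every selected node to its whole subtree."""
    return set(elem.iter())


def apply_filters(root, filters):
    """Apply (operation, path) pairs in order, starting from URI="" (all nodes)."""
    selected = subtree(root)
    for op, path in filters:
        expanded = set()
        # ElementTree only has a limited XPath subset, so paths are relative to the root element.
        for node in root.findall(path, {"ds": DS}):
            expanded |= subtree(node)
        if op == "subtract":
            selected -= expanded
        elif op == "union":
            selected |= expanded
        elif op == "intersect":
            selected &= expanded
        else:
            raise ValueError(f"unknown filter operation: {op}")
    return selected


def covered(attrib, drop_signature=True):
    """Element labels the peer identified by Attrib=attrib would digest."""
    root = ET.fromstring(DOC)
    own = f"{REP}[@Attrib='{attrib}']"
    filters = [("subtract", REP), ("union", own)]
    if drop_signature:
        # The extra subtract filter from the message, replacing #enveloped-signature.
        filters.append(("subtract", f"{own}/ds:Signature"))
    nodes = apply_filters(root, filters)
    return sorted(e.tag.split("}")[-1] + (":" + e.get("Attrib") if e.get("Attrib") else "")
                  for e in nodes)
```

Calling `covered("something", drop_signature=False)` shows that the union step pulls the peer's own ds:Signature back into the node set, which is why the enveloped-signature transform or the third subtract filter is needed.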