RE: Xpath filter2 newbe question

This is a quick shot from the hip without running it in an implementation, but I would try this:



<RootToBeSigned_ByAll ID="O.54434343">
  <StuffToBeSigned_ByAll/>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
              <dsig-xpath:XPath Filter="subtract">
                /RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly
              </dsig-xpath:XPath>
              <dsig-xpath:XPath Filter="union">
                /RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly[@Attrib="something"]
              </dsig-xpath:XPath>
            </ds:Transform>
            <ds:Transform Algorithm="...#enveloped-signature"/>
          </ds:Transforms>
          ...
        </ds:Reference>
        ...
      </ds:SignedInfo>
      ...
    </ds:Signature>
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something_else">
    <ds:Signature 2...
  </RepeatedElemToBeSigned_ByChildSignatureOnly>

  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="...">
    <ds:Signature n...
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
</RootToBeSigned_ByAll>



1: You select all nodes in the document URI="" (well, except the comments :))

2: You subtract all the //RepeatedElemToBeSigned_ByChildSignatureOnly ones

3: You re-include the one you care about. And if you don't make it an arbitrary Attrib but type ID, then you simply <union>#foo</union>



And if you want, you may move the #enveloped-signature also into the XPath2.


<dsig-xpath:XPath Filter="subtract">
  RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly[@Attrib="something"]/ds:Signature
</dsig-xpath:XPath>

Best regards,
Christian

---

Dr.-Ing. Christian Geuer-Pollmann
Lead Software Design Engineer

Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 23, D-52072 Aachen, Germany
Geschäftsführer: Keith Dolliver, Benjamin O. Orndorff; Amtsgericht Aachen, HRB 12066
http://www.microsoft.com/emic/




-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Anders Rundgren
Sent: Monday, 23 July 2007 11:03
To: w3c-ietf-xmldsig@w3.org
Subject: Xpath filter2 newbe question





Hi,

Here is an example of a document that is signed by a number of peers (that should not sign over the others).

I wonder if anybody has an idea of how an XPath filter2 could be designed in order to support this?

It is probably trivial but not for me :-(



I would like to avoid multiple References in each Signature as well as adding IDs to RepeatedElemToBeSigned_ByChildSignatureOnly. If possible that is...



<RootToBeSigned_ByAll ID="O.54434343">
  <StuffToBeSigned_ByAll/>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something">
    <ds:Signature 1...
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something_else">
    <ds:Signature 2...
  </RepeatedElemToBeSigned_ByChildSignatureOnly>

  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="...">
    <ds:Signature n...
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
</RootToBeSigned_ByAll>



Regards

Anders Rundgren

Received on Friday, 27 July 2007 16:47:26 UTC