- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Sun, 29 Jul 2007 17:36:51 +0200
- To: "Christian Geuer-Pollmann" <Christian.Geuer-Pollmann@microsoft.com>, <w3c-ietf-xmldsig@w3.org>
Hi Christian,
Thank you very much!
I have dug a bit into this during the vacation [:-(] and I think this is perfect.
br
ar
----- Original Message -----
From: Christian Geuer-Pollmann
To: Anders Rundgren ; w3c-ietf-xmldsig@w3.org
Sent: Friday, July 27, 2007 18:47
Subject: RE: Xpath filter2 newbe question
This is a quick shot from the hip without running it in an implementation, but I would try this:
<RootToBeSigned_ByAll ID="O.54434343">
  <StuffToBeSigned_ByAll/>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something">
    <ds:Signature>
      <ds:SignedInfo>
        <dsig:Reference URI="">
          <dsig:Transforms>
            <dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
              <dsig-xpath:XPath Filter="subtract">
                /RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly
              </dsig-xpath:XPath>
              <dsig-xpath:XPath Filter="union">
                /RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly[@Attrib="something"]
              </dsig-xpath:XPath>
            </dsig:Transform>
            <dsig:Transform Algorithm=".#enveloped-signature"/>
          </dsig:Transforms>
          ...
        </dsig:Reference>
        ...
      </ds:SignedInfo>
      ...
    </ds:Signature>
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something_else">
    <ds:Signature 2...
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="...">
    <ds:Signature n...
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
</RootToBeSigned_ByAll>
1: You select all nodes in the document URI="" (well, except the comments :-)
2: You subtract all the //RepeatedElemToBeSigned_ByChildSignatureOnly ones
3: You re-include the one you care about. And if you don't make it an arbitrary Attrib but type ID, then you simply
<union>#foo</union>
And if you want, you may move the #enveloped-signature also into the XPath2.
<dsig-xpath:XPath Filter="subtract">
RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly[@Attrib="something"]/ds:Signature
</dsig-xpath:XPath>
Best regards,
Christian
---
Dr.-Ing. Christian Geuer-Pollmann
Lead Software Design Engineer
Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 23, D-52072 Aachen, Germany
Managing Directors: Keith Dolliver, Benjamin O. Orndorff; Aachen Local Court, HRB 12066
http://www.microsoft.com/emic/
-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Anders Rundgren
Sent: Monday, 23 July 2007 11:03
To: w3c-ietf-xmldsig@w3.org
Subject: Xpath filter2 newbe question
Hi,
Here is an example of a document that is signed by a number of peers (that should not sign over the others).
I wonder if anybody has an idea of how an XPath filter2 could be designed in order to support this?
It is probably trivial but not for me :-(
I would like to avoid multiple References in each Signature as well as adding IDs to
RepeatedElemToBeSigned_ByChildSignatureOnly. If possible that is...
<RootToBeSigned_ByAll ID="O.54434343">
  <StuffToBeSigned_ByAll/>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something">
    <ds:Signature 1...
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something_else">
    <ds:Signature 2...
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="...">
    <ds:Signature n...
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
</RootToBeSigned_ByAll>
Regards
Anders Rundgren
Received on Sunday, 29 July 2007 15:37:10 UTC
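
The filter sequence from Christian's reply (subtract every RepeatedElemToBeSigned_ByChildSignatureOnly, union the signer's own, then subtract its ds:Signature), worked through as an added example that is not part of the original thread. It tracks the XPath Filter 2.0 node set at element granularity with Python's ElementTree; the Data children, the stand-in document node and the function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
REPEATED = "/RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly"
OPS = {"intersect": set.intersection, "subtract": set.difference, "union": set.union}

# Constructed sample: the thread's element names, with Data children invented
# here so that each peer has some content of its own.
DOC = """<RootToBeSigned_ByAll xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="O.54434343">
  <StuffToBeSigned_ByAll/>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something">
    <Data Of="something"/><ds:Signature/>
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
  <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something_else">
    <Data Of="something_else"/><ds:Signature/>
  </RepeatedElemToBeSigned_ByChildSignatureOnly>
</RootToBeSigned_ByAll>"""


def apply_filter2(root, filters):
    """Apply (Filter, XPath) pairs in order and return the selected elements."""
    # ElementTree has no document node: evaluate absolute paths from a stand-in.
    docnode = ET.Element("document-node")
    docnode.append(root)
    selected = set(root.iter())  # URI="": start from the whole document
    for op, xpath in filters:
        hits = set()
        for match in docnode.findall("." + xpath, NS):
            hits |= set(match.iter())  # a match always brings its whole subtree
        selected = OPS[op](selected, hits)  # KeyError on an unknown Filter value
    return selected


def signed_view(attrib):
    """Elements covered by the peer whose Attrib is `attrib`, in document order."""
    root = ET.fromstring(DOC)
    mine = f'{REPEATED}[@Attrib="{attrib}"]'
    selected = apply_filter2(root, [
        ("subtract", REPEATED),                # drop every peer's element
        ("union", mine),                       # re-include this peer's own
        ("subtract", mine + "/ds:Signature"),  # enveloped signature, as XPath
    ])
    return [e.tag.split("}")[-1] + "".join(f"[{v}]" for v in e.attrib.values())
            for e in root.iter() if e in selected]


if __name__ == "__main__":
    for peer in ("something", "something_else"):
        print(peer, "->", signed_view(peer))
```

Each peer's view contains the root, StuffToBeSigned_ByAll and that peer's own element, and nothing belonging to the other peer.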