santuario-dev mailing list archives

From ralph-xmlsecur...@ralphholz.de
Subject Re: How to sign a sub-tree
Date Tue, 07 Aug 2007 14:00:30 GMT
Scott,

thanks, that was exactly the pointer I needed! If you have a minute, could you have a 
look at this? My doc looks like this:

<Envelope>
<Header>...</Header>
<Body><pdpa:message>...</pdpa:message></Body>
</Envelope>

I would like to sign the "message" payload in the Body. So I did

// enveloped-signature transform first, so the ds:Signature element itself is excluded
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
// XPath Filter 2 "intersect": keep only the nodes matched by the expression
String filter[][] = {{XPath2FilterContainer.INTERSECT, "//Body/message"}};
transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER,
        XPath2FilterContainer.newInstances(document, filter));

and the usual Signature transforms (canonise it, sign it) and got:

<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
<ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" 
Filter="intersect">//Body/message</dsig-xpath:XPath>
</ds:Transform>...
</ds:Reference>
</ds:SignedInfo>

where I *hope* the XPath expression returns exactly the element I wanted, i.e. 
the intersection of the whole document (BaseURI, nothing else specified) with 
the Body/message portion.

I think I could also have an identifying attribute in the <pdpa:message>, and 
replace the expression with id("nameOfIDAttr"). Which is, I think, the 
recommended way as it is faster and less error-prone (I can assume 
Schema-aware entities).

Would this be the correct way? I am asking because it is kind of difficult to 
find out what's happening inside the black box, i.e. there is no output as to 
which elements are actually being signed.

Ralph

-- 
For contact details, please see www.ralphholz.de.
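The "black box" point above can be checked directly: Santuario can hand back the exact octets a Reference digests after dereferencing and all transforms. The program below is an added example, not code from the post or from the Santuario project. It rebuilds the same enveloped + XPath Filter 2 intersect Reference over a constructed copy of the Envelope and prints what the digest covered; it goes one step beyond the post by binding the pdpa prefix on the dsig-xpath:XPath element (the namespace URI urn:example:pdpa, the class name and the throwaway RSA key are assumptions, and the Santuario method names used are those of the 1.4/2.x API).

```java
// Added example, not from the post or the Santuario project: reproduces the
// enveloped + XPath Filter 2 "intersect" Reference on a constructed copy of
// the Envelope, then dumps the octets the digest actually covers.
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.transforms.params.XPath2FilterContainer;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
public class SubtreeSignatureCheck {
    public static void main(String[] args) throws Exception {
        Init.init();
        // Constructed sample with the post's layout; urn:example:pdpa is a placeholder.
        String xml = "<Envelope><Header>h</Header><Body>"
            + "<pdpa:message xmlns:pdpa=\"urn:example:pdpa\">payload</pdpa:message>"
            + "</Body></Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        doc.getDocumentElement().appendChild(sig.getElement());
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        // The XPath is evaluated with the namespace bindings in scope on the
        // dsig-xpath:XPath element, so the pdpa prefix must be declared there.
        String[][] filter = {{XPath2FilterContainer.INTERSECT, "//Body/pdpa:message"}};
        NodeList xpathNodes = XPath2FilterContainer.newInstances(doc, filter);
        ((Element) xpathNodes.item(0)).setAttributeNS(Constants.NamespaceSpecNS, "xmlns:pdpa", "urn:example:pdpa");
        transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER, xpathNodes);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA256);
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway test key
        sig.sign(kp.getPrivate());
        // Re-run dereference + transforms on the first Reference and print the
        // canonical octets that were digested: the only content the signature protects.
        Reference ref = sig.getSignedInfo().item(0);
        byte[] signed = ref.getContentsAfterTransformation().getBytes();
        System.out.println(new String(signed, "UTF-8"));
    }
}
```

If the printed output is empty, the XPath matched nothing and the Reference protects nothing; if Header or Body text appears, the filter is wider than intended.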
