santuario-dev mailing list archives

From ralph-xmlsecur...@ralphholz.de
Subject Re: How to sign a sub-tree
Date Wed, 08 Aug 2007 10:12:26 GMT
Hi,

> > I think I could also have an identifying attribute in the <pdpa:message>,
> > and replace the expression with id("nameOfIDAttr"). Which is, I think,
> > the recommended way as it is faster and less error-prone (I can assume
> > Schema-aware entities).
>
> Then by all means do not use XPath. But if you use an ID, you don't need to
> use an xpointer, just set the Reference URI to "#foo" where foo is the ID.
> No extra transform needed, apart from c14n or something else like that.

I know the XPath, but I'm not sure how this works, so... The # is a URI 
fragment operator (URI-RFC), so this would make the XML something like this 
(<pdpa:message> contains the subtree to be signed):

<pdpa:message xmlns:pdpa="http://ralphholz.de/PDP-A_1"
    pdpaId="pdpaId">
...
</pdpa:message>

And I reference it by:

sig.addDocument(BaseURI+"#pdpaId", transforms, Constants.ALGO_ID_DIGEST_SHA1);

Do you mean that - would that select the subtree if both the attribute name 
and attribute value "pdpaId" occur only once in the document?

I said "Schema-aware" above but actually I meant my parsers know the XML they 
work on, not that I have an XSD defined - would the XSD be needed or is it 
enough that the attribute is unique?

Thanks,
Ralph

-- 
For contact details, please see www.ralphholz.de.
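
Added example, not part of the original message and not Apache XML Security's own API: it uses the JDK's javax.xml.crypto.dsig (Java 11+) with SHA-256 instead of the sig.addDocument call and SHA-1 quoted above, on a constructed document with a throwaway key. It shows that a "#pdpaId" reference resolves only once the attribute has ID type (here via setIdAttribute, in place of a DTD or schema); a unique value alone is not enough.

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class SignById {
    static final String NS = "http://ralphholz.de/PDP-A_1";
    // Tries to sign the subtree referenced by "#pdpaId"; true if the reference resolved.
    static boolean sign(boolean registerId) throws Exception {
        // Constructed sample document; no DTD or schema, so pdpaId is a plain CDATA attribute.
        String xml = "<envelope><pdpa:message xmlns:pdpa=\"" + NS + "\" pdpaId=\"pdpaId\">"
                   + "<pdpa:body>constructed payload</pdpa:body></pdpa:message></envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Element msg = (Element) doc.getElementsByTagNameNS(NS, "message").item(0);
        // Uniqueness of the value is not enough: the attribute must have ID type.
        if (registerId) msg.setIdAttribute("pdpaId", true);

        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#pdpaId", f.newDigestMethod(DigestMethod.SHA256, null),
            List.of(f.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key for the demo
        try {
            f.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
            return true;
        } catch (XMLSignatureException e) {
            return false; // "#pdpaId" could not be dereferenced
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("without ID registration: " + sign(false));
        System.out.println("with setIdAttribute:     " + sign(true));
    }
}
```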
