santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Franco Catrin L." <fcat...@tuxpan.com>
Subject Re: Problem verifying an XML enveloped signature
Date Mon, 01 Dec 2008 17:01:03 GMT
El lun, 01-12-2008 a las 17:06 +0100, Inma Marín escribió:
> Hello,

> I have a problem when validating an XML enveloped signature. The point
> is that I want to verify an XML document which includes 3 enveloped
> signatures. These enveloped signatures are independent, in such a way
> that each of them are generated only over the XML document (removing
> the already existing signatures). To that extent, an xpath expression
> (not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#'
and local-name()='Signature'])) is used instead of an enveloped transform (as an enveloped
transform only removes the actual signature element, and I need all existing signatures elements
be removed). However, when verifying this document, the verification last a lot of time!

I'm using this expression with success :
not(ancestor-or-self::ds:Signature)


> Particularly, if I try to verify an XML document with only one
> signature, if it has been generated using the XPath expression , the
> verification lasts 15 minutes more than if the signature has been
> generated using the enveloped transform!!

It sounds to me like it is trying to resolve the URI, but I can't
confirm it, I'm saying this like a simple user and not a developer.

> I am using xmlsec v1.2.1.
> 
>  
> 
> Could you be so kind as to tell me why it happens, please? Does any
> later version make this kind of verification quicker? If no, any idea
> of making this verification more rapid?


I'm using 1.4.2 with the expression written above and it's as fast as I
can expect

-- 
Franco Catrin L.  TUXPAN Software S.A.
http://www.tuxpan.com/fcatrin


Mime
View raw message