santuario-dev mailing list archives

From "Philip Black-Knight" <pbl...@tresys.com>
Subject RE: questions on xml-security-c and xalan-c
Date Wed, 30 Mar 2011 18:13:30 GMT
> >We'd like to be able to add signatures to a document and allow the
> >document to get added to some other DOM tree and keep the signature
> >valid.  I've been able to do this using an xmldsig-filter2 intersect
> >filter and the xpath expression "here():/ancestor::RootNode". A sample
> >document seems to work with the txfmout test program.
> 
> An alternative to XPath, provided you have ID attributes and some
> application protection against wrapping attacks, is ID-based
> referencing
> of the object.

I had thought about ID attributes, but IDs could cause other problems. Basically, we want
to be able to take a number of documents all conforming to the schema and add them into one
master document. The smaller, signed, documents may be generated by different machines or
processes at different times, so there is a possibility that 2 separate documents assign the
same ID to a node. Unless I'm mistaken, this would cause errors later when attempting to
validate the signatures.

> >My understanding is that santuario uses xalan-c to perform the
> >xmldsig-filter2 filtering and I was wondering if anyone knows of
> problems
> >with this. Is there an alternative?
> 
> Not without finding an alternative and porting to it. I am aware of no
> XPath implementations via Xerces at this point.

Me neither.  There's XQilla, but AFAIK, it's XPath 2.0 only and there seem to be enough differences
between XPath 1.0 and 2.0 that XQilla wouldn't work.

Thanks for the reply
Phil
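
The ID collision discussed in the message above, as an added example that is not part of the original post or of xml-security-c: a pre-validation check that merges signed fragments into one master tree and reports every same-document ds:Reference whose target ID does not resolve to exactly one element. The attribute name "Id", the element names, and the sample fragments are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

DS = "http://www.w3.org/2000/09/xmldsig#"


def make_fragment(obj_id, text):
    """Build a constructed sample fragment whose signature references #obj_id."""
    return (
        f'<RootNode><Data Id="{obj_id}">{text}</Data>'
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        f'<ds:Reference URI="#{obj_id}"/>'
        f'</ds:SignedInfo></ds:Signature></RootNode>'
    )


# Constructed samples: A and B were "signed" independently and both chose obj1.
FRAGMENT_A = make_fragment("obj1", "alpha")
FRAGMENT_B = make_fragment("obj1", "beta")
FRAGMENT_C = make_fragment("obj2", "gamma")


def merge(fragments):
    """Append each fragment's root under a single master element."""
    master = ET.Element("Master")
    for xml_text in fragments:
        master.append(ET.fromstring(xml_text))
    return master


def ambiguous_references(master, id_attr="Id"):
    """Return {uri: match_count} for ID references that do not resolve uniquely.

    A count of 0 means a dangling reference; a count above 1 means the
    verifier cannot tell which element was signed, which is also the shape
    a wrapping attack produces. Only bare-name fragments are checked;
    URI="" and #xpointer(...) forms are skipped.
    """
    counts = defaultdict(int)
    for element in master.iter():
        if id_attr in element.attrib:
            counts[element.attrib[id_attr]] += 1
    problems = {}
    for ref in master.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#") and not uri.startswith("#xpointer("):
            if counts[uri[1:]] != 1:
                problems[uri] = counts[uri[1:]]
    return problems
```
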
