[xmlsec] XMLSEC Reference URI question

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Tue Jul 23 15:17:50 PDT 2002

  Looking in xmlSecTransformStateParseUri() [transforms.c:1069] it appears
that your support of current-document URI references is limited to:
 o URI="" (empty URI, whole document signed/verified)
 o URI="#xpointer(/)"
 o URI="#xpointer(id('tag'))"
  Further, it looks like the id('tag') actually resolves to looking for the
first element in the document with the attribute Id="tag". This is commented
as a hack for documents w/o schemas or DTDs. Can you explain what's behind
this "hack" and where you are headed with regard to the complete URI

  Also, since the URI processing appears to be limited, I'm wondering if you
support the use of an <XPath> element child of the <Transform> element
fully, partially, or not at all. 

  The problem I'm trying to solve is that I have documents which consist of
multiple sections that each have an individual signature on that section
only. In other words,

    ... content ...
    <Signature ... />
    ... content ...
    <Signature ... />

  I need to have some way (presumably the Reference URI or the Transform) to
limit the signature (and verification) to just the content of <Section1>
when computing <Section1>'s signature block, etc. What is the best way to
support this case with the current XMLSEC library?


Ferrell Moultrie (ferrell at iss.net)
Software Engineer

Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328
Phone:  404-236-2600
Direct: 404-236-2849
Fax:    404-236-2632

Internet Security Systems -- The Power to Protect
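
Added example, not part of the original message and not xmlsec code: a Python sketch of the same-document reference resolution the message describes (the three URI forms, with id('tag') taken as the first element carrying Id="tag"), followed by a digest computed over only the referenced section. The function names, the strict flag, the uniqueness check and the sample document (apart from the name Section1) are assumptions made for illustration, and plain serialization stands in for XML canonicalization.

```python
import copy
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: two sections that would each carry their own signature.
SAMPLE = (
    '<Document>'
    '<Section1 Id="sec1"><Data>alpha</Data></Section1>'
    '<Section2 Id="sec2"><Data>beta</Data></Section2>'
    '</Document>'
)

ID_FORM = re.compile(r"#xpointer\(id\('([^']+)'\)\)")


def resolve_reference(root, uri, strict=True):
    """Return the element selected by one of the three URI forms in the post."""
    if uri in ("", "#xpointer(/)"):
        return root  # whole document
    m = ID_FORM.fullmatch(uri)
    if m is None:
        raise ValueError("unsupported same-document URI: %r" % uri)
    # No DTD or schema is consulted: any attribute named Id counts as the ID.
    hits = [el for el in root.iter() if el.get("Id") == m.group(1)]
    if not hits:
        raise ValueError("no element with Id=%r" % m.group(1))
    if strict and len(hits) > 1:
        # Added check (assumption, not described in the post): with first-match
        # lookup a duplicate Id makes the signed element ambiguous, so reject it.
        raise ValueError("Id=%r is not unique" % m.group(1))
    return hits[0]  # first match in document order, as the post describes


def reference_digest(root, uri):
    """SHA-256 over the referenced element only."""
    el = copy.copy(resolve_reference(root, uri))
    el.tail = None  # text after the end tag is not part of the element
    # Plain serialization stands in for XML canonicalization here.
    return hashlib.sha256(ET.tostring(el)).hexdigest()


if __name__ == "__main__":
    doc = ET.fromstring(SAMPLE)
    before = reference_digest(doc, "#xpointer(id('sec1'))")
    doc.find("Section2/Data").text = "changed"
    print(before == reference_digest(doc, "#xpointer(id('sec1'))"))
```

With strict=False the lookup returns the first match even when the Id value is duplicated, which is the behaviour the message attributes to the library.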