[xmlsec] XMLSEC Reference URI question

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Wed Jul 24 14:39:13 PDT 2002

  Ok, I've tried to use an XPath Transform to limit the data being verified.
Unfortunately, it doesn't appear to work. Here's what I see happening in the

xmlSecTransformXPathReadNode( ) [xpath.c:203] takes the input
xmlSecTransformPtr and upcasts it to a xmlSecXmlTransformPtr. It then stores
the parsed XPath string and the "here" node reference in the
xmlSecXmlTransform object it points to (at least there's checking of the
pointer assignment sanity here). 

The caller, xmlSecTransformRead, returns to its caller
xmlSecTransformNodeRead with the pointer to the object containing the XPath
transform information. The transform is further passed back to
xmlSecTransformsNodeRead which calls xmlSecTransformStateUpdate which
discovers that the transform type is xmlSecTransformTypeXml and call
xmlSecTransformCreateXml. This routine, because the file is already parsed
and both curFirstBinTransform and curC14NTransform in the state object are
NULL, does nothing and returns!

This results in the XPath Transform information being parsed and saved but
otherwise ignored. The <Signature> block contains the following transform
which is parsed and ignored in the above case:

  <sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">

The result is that adding an XPath transform like above, is ignored. This
works properly with the Apache Java tools so I believe that it's a legal way
to construct a reference. Eventually, I'd intended to change the XPath
reference to a here()-relative reference to solve my compound document
problem but this seemed like a quick/easy test -- unfortunately it's not

Is this a bug, or, have I missed something else? Since Apache properly
verifies this signature and the code in xmlSecTransformCreateXml seems to be
missing any knowledge of this transform, I'm guessing that it's a bug -- but
I'll appreciate your advice on how to proceed!


Ferrell Moultrie (ferrell at iss.net)
Software Engineer

Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328
Phone:  404-236-2600
Direct: 404-236-2849
Fax:    404-236-2632

Internet Security Systems -- The Power to Protect

More information about the xmlsec mailing list