[xmlsec] XMLSEC Reference URI question

Aleksey Sanin aleksey at aleksey.com
Wed Jul 24 14:48:22 PDT 2002

I am not sure I clear understand what kind of problem do you have.
Will you mind to send me the file you have problems with?



Moultrie, Ferrell (ISSAtlanta) wrote:

>  Ok, I've tried to use an XPath Transform to limit the data being verified.
>Unfortunately, it doesn't appear to work. Here's what I see happening in the
>xmlSecTransformXPathReadNode( ) [xpath.c:203] takes the input
>xmlSecTransformPtr and upcasts it to a xmlSecXmlTransformPtr. It then stores
>the parsed XPath string and the "here" node reference in the
>xmlSecXmlTransform object it points to (at least there's checking of the
>pointer assignment sanity here). 
>The caller, xmlSecTransformRead, returns to its caller
>xmlSecTransformNodeRead with the pointer to the object containing the XPath
>transform information. The transform is further passed back to
>xmlSecTransformsNodeRead which calls xmlSecTransformStateUpdate which
>discovers that the transform type is xmlSecTransformTypeXml and call
>xmlSecTransformCreateXml. This routine, because the file is already parsed
>and both curFirstBinTransform and curC14NTransform in the state object are
>NULL, does nothing and returns!
>This results in the XPath Transform information being parsed and saved but
>otherwise ignored. The <Signature> block contains the following transform
>which is parsed and ignored in the above case:
>  <sig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
>  <sig:XPath>/ISSKeys/Contacts/Contact</sig:XPath> 
>  </sig:Transform>
>The result is that adding an XPath transform like above, is ignored. This
>works properly with the Apache Java tools so I believe that it's a legal way
>to construct a reference. Eventually, I'd intended to change the XPath
>reference to a here()-relative reference to solve my compound document
>problem but this seemed like a quick/easy test -- unfortunately it's not
>Is this a bug, or, have I missed something else? Since Apache properly
>verifies this signature and the code in xmlSecTransformCreateXml seems to be
>missing any knowledge of this transform, I'm guessing that it's a bug -- but
>I'll appreciate your advice on how to proceed!
>  Ferrell
>Ferrell Moultrie (ferrell at iss.net)
>Software Engineer
>Internet Security Systems, Inc.
>6303 Barfield Road
>Atlanta, Georgia 30328
>Phone:  404-236-2600
>Direct: 404-236-2849
>Fax:    404-236-2632
>Internet Security Systems -- The Power to Protect
>xmlsec mailing list
>xmlsec at aleksey.com

More information about the xmlsec mailing list