[xmlsec] signing failure with 0.0.13 that work with 0.0.10

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Wed Mar 19 11:19:12 PST 2003


Aleksey:
  The principal problem I have with this change is that it is very
difficult (at least for me to figure out) to specify the sig:Signature
node as part of the xpath specification since it contains a namespace
reference. In other words, you proposed using something like,
   --node-xpath '//Contact/*[6]' 
Unfortunately, the [6] reference is problematic since the number of
elements changes in all my documents. I'd prefer something like,
   --node-xpath '//Contact/Signature'  -or-
   --node-xpath '//Contact/sig:Signature' 
but neither of them is legal/understood by XPath. The first one doesn't
find Signature and for the second one the NS prefix sig is undefined. If
there's a reasonably simple XPath expression that I can append to my
XPath to point to the embedded Signature node, then I could live with
that. Failing that, it's pretty unusable for dsig as it is in 0.0.13.
Additionally, I didn't really think that the previous implementation was
badly inconsistent -- for encryption/decryption you pointed to the node
to be encrypted/decrypted, for signature you pointed to the node
containing the Signature element which *usually* (or at least could be)
the node being signed/verified. 
  I can live with it either way that will work. If there's a way to
specify the Signature NS as part of the xpath specification then while
it's more work I can still use it. If the appl looks for Signature as a
member element of the specified node, then I don't have to change what
I'm already doing. Give me a clue as to how it can/should be
fixed/changed and I'll go take a shot at fixing it and sending you the
diff's. 
Thanks!
  Ferrell

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Sent: Wednesday, March 19, 2003 2:01 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: xmlsec at aleksey.com
Subject: Re: [xmlsec] signing failure with 0.0.13 that work with 0.0.10


Oh, now I remember! Well, the main reason for this is that I would 
prefer to have
the same semantics for the Encryption and Signature. In encryption case,

you can use
"--node-xpath" to specify the "start" node you want to encrypt. It seems

logical to me,
that you can use the same option to specify the "start" node you want to

sign, verify or
decrypt. However, I don't have any strong feeling about that so I can 
make it work
the way you need.

Aleksey






More information about the xmlsec mailing list