[xmlsec] Encryption and namespace

Aleksey Sanin aleksey at aleksey.com
Mon Mar 22 09:06:00 PST 2004


Let me explain the situation in more detail. There is an XML
file

	<aaa:Root xmlns:aaa="http://www.example.org/">
		<aaa:Data>Something</aaa:Data>
	</aaa:Root>

The user wants to encrypt the <aaa:Data/> node and the result
document looks like this:

	<aaa:Root xmlns:aaa="http://www.example.org/">
		<enc:EncryptedData/>
	</aaa:Root>

The actual encrypted data is "<aaa:Data>Something</aaa:Data>".
When one wants to decrypt the document and restore the original
file, s/he needs to be able to parse the part of XML document
	
	"<aaa:Data>Something</aaa:Data>"

and re-insert it back in the source document.

I am not sure I understand how it worked before: I don't see how
the code before managed to find out what "aaa" means.

I don't have a solution right now but there are two trivial options:

   1) Find a way to parse a partial XML document in the context of
   a given node in another XML document.
   2) Put all the namespace declarations into the node before
   encrypting (not very good because the encrypted content is changed).


I'll think about this.

Aleksey


Daniel Veillard wrote:

> On Mon, Mar 22, 2004 at 08:47:16AM -0800, Aleksey Sanin wrote:
> 
>>It seems to me that this is only a warning. The code in
>>gnome-xml/parser.c file prints out the error message
>>	"Namespace prefix %s for %s on %s is not defined\n"
>>and continues. It should still create the XML tree.
> 
> 
>   yes but it can't create a decent XML tree. The document
> is not conformant to Namespace in XML Rec. I don't know who or
> why people thought that it's an acceptable situation, but it's
> not. To be able to run XPath on a document it MUST be compliant
> to Namespace in XML, as a result I think that XML Sec and DSig
> should fail on such document.
> 
> Daniel
> 
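
Added example, not part of the original message and not xmlsec or libxml2 code: a sketch of option 1 from the message above, parsing the decrypted fragment in the namespace context of the node it replaces. Python's standard-library ElementTree stands in for libxml2; the function names, the throwaway `ctx` wrapper element and the `xmlns:enc` declaration on the sample document are assumptions.

```python
import io
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr
ENC_TAG = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"
# Constructed sample: the thread's encrypted document and its decrypted plaintext.
ENCRYPTED_DOC = ('<aaa:Root xmlns:aaa="http://www.example.org/">'
                 '<enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#"/>'
                 '</aaa:Root>')
PLAINTEXT = "<aaa:Data>Something</aaa:Data>"

def parses_standalone(fragment):
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:  # expat reports "unbound prefix" for aaa
        return False

def in_scope_namespaces(doc, target_tag):
    """Return {prefix: uri} bound by the ancestors of the first target_tag element."""
    stack, own = [], 0  # own = declarations made on the element about to start
    events = ET.iterparse(io.BytesIO(doc.encode()), events=("start-ns", "end-ns", "start"))
    for event, item in events:
        if event == "start-ns":
            stack.append(item)
            own += 1
        elif event == "end-ns":
            stack.pop()
        elif item.tag == target_tag:
            return dict(stack[:len(stack) - own])  # inner declarations shadow outer
        else:
            own = 0
    raise ValueError("no element %s in document" % target_tag)

def parse_in_context(fragment, namespaces):
    """Option 1: parse the fragment under a throwaway wrapper carrying the bindings."""
    decls = "".join(" xmlns%s=%s" % (":" + p if p else "", quoteattr(u))
                    for p, u in namespaces.items())
    return list(ET.fromstring("<ctx%s>%s</ctx>" % (decls, fragment)))

def decrypt_and_restore(doc, plaintext):
    """Replace EncryptedData with the plaintext parsed in its parent's context."""
    bindings = in_scope_namespaces(doc, ENC_TAG)
    root = ET.fromstring(doc)
    for parent in root.iter():
        for i, child in enumerate(list(parent)):
            if child.tag == ENC_TAG:
                parent[i:i + 1] = parse_in_context(plaintext, bindings)
                return root
    raise ValueError("EncryptedData is the document element; nothing to re-insert into")
```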


