[xmlsec] inconsistent XPath: xmlsec vs apache.org's xml-security

Mikolaj Habryn dichro at rcpt.to
Tue Jan 4 01:06:02 PST 2005

Attached as compliance.xml is a signed document which contains two other
signed documents nested within it, all with encapsulated signatures. The
structure is thus:


The solicitation and compliance signatures have an XPath expression
intended to select the entirety of the respective document with the
exception of the signatures covering it (effectively encapsulated
signature with nested documents).

The curious bit is that xmlsec (or rather, I suppose, libxml), when
evaluating the compliance's transforms, removes the signature from the
proposition as well as the compliance (signed content attached as
output-c-failed.xml) which obviously then fails to verify.

The transform behaves as expected with apache.org's xml-security Java
classes, which do the actual generation of solicitation and compliance
(attached as compliance-signed-java.xml).

The XPath expression I'm using is basically (substituting
frog:compliance or frog:solicitation for root as appropriate):

intersect: here()/ancestor::root[1]
subtract: here()/ancestor::root[1]/child::ds:Signature

Is there anything clearly wrong with that? Am I overlooking something
blindingly obvious? Is it in fact a libxml problem and is there another
way of expressing it if so?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: compliance.xml
Type: text/xml
Size: 15871 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20050104/8736068e/compliance-0002.xml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: output-c-failed.xml
Type: text/xml
Size: 3325 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20050104/8736068e/output-c-failed-0002.xml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compliance-signed-java.xml
Type: text/xml
Size: 4583 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20050104/8736068e/compliance-signed-java-0002.xml

More information about the xmlsec mailing list