[xmlsec] More help on Stylesheets and XML DSIG - The good ones
aleksey at aleksey.com
Tue Nov 8 18:35:43 PST 2005
Pere,
Thanks for the files! I looked at them one more time and I found
that xmlsec is doing the right thing! You are using the "enveloped"
transform, which is defined in section '6.6.4' of the XMLDSig spec as
follows:

    An enveloped signature transform T removes the whole Signature
    element containing T from the digest calculation of the Reference
    element containing T. The entire string of characters used by an XML
    processor to match the Signature with the XML production element is
    removed. The output of the transform is equivalent to the output
    that would result from replacing T with an XPath transform containing
    the following XPath parameter element:

        <XPath xmlns:dsig="&dsig;">
        count(ancestor-or-self::dsig:Signature |
        here()/ancestor::dsig:Signature[1]) >
        count(ancestor-or-self::dsig:Signature)</XPath>

If you apply this to the enveloped transform in the hula2.xml file then it is
clear that the stylesheet PI node should be included in the digest output,
and this is *exactly* what xmlsec is doing. BTW, I also tested the
XPath transform from above and it also keeps the PI node :)
Best,
Aleksey Sanin
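
Added example (not part of the original message and not xmlsec code): a Python standard-library sketch of the behaviour described above, showing that the enveloped transform drops only the Signature subtree, so an xml-stylesheet PI stays in the digest input and changing it changes the digest. The sample document, the helper names, the stdlib C14N 2.0 canonicalizer and SHA-256 are assumptions made for illustration.

```python
import hashlib
from xml.dom import minidom
from xml.etree.ElementTree import canonicalize

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DSIG + "enveloped-signature"

# Constructed sample document; it is not the hula2.xml file from the thread.
SAMPLE = f"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="view.xsl"?>
<doc>
  <item>payload</item>
  <ds:Signature xmlns:ds="{DSIG}">
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</doc>
"""

def is_signature(node):
    return (node.nodeType == node.ELEMENT_NODE
            and node.namespaceURI == DSIG and node.localName == "Signature")

def digest_input(xml_text):
    """Apply the enveloped transform, then canonicalize what is left."""
    doc = minidom.parseString(xml_text)
    for transform in doc.getElementsByTagNameNS(DSIG, "Transform"):
        if transform.getAttribute("Algorithm") != ENVELOPED:
            continue
        # here()/ancestor::dsig:Signature[1]: nearest Signature above T.
        node = transform.parentNode
        while node is not None and not is_signature(node):
            node = node.parentNode
        if node is not None:
            node.parentNode.removeChild(node)  # only this subtree is dropped
        break
    # Stand-in canonicalization: stdlib C14N 2.0, comments omitted.
    return canonicalize(xml_data=doc.toxml())

def reference_digest(xml_text):
    # SHA-256 is an assumption; the Reference's DigestMethod decides this.
    return hashlib.sha256(digest_input(xml_text).encode("utf-8")).hexdigest()
```

A verifier that strips or rewrites the PI before digesting would compute a different value than the signer did, which is why the PI has to be preserved byte for byte between signing and verification.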