[xmlsec] More help on Stylesheets and XML DSIG - The good ones

aleksey at aleksey.com
Tue Nov 8 18:35:43 PST 2005


Pere,

Thanks for the files! I looked at them one more time and I found
that xmlsec is doing the right thing! You are using the "enveloped"
transform, which is defined in section '6.6.4' of the XMLDSig spec as
follows:

   An enveloped signature transform T removes the whole Signature
   element containing T from the digest calculation of the Reference
   element containing T.  The entire string of characters used by an XML
   processor to match the Signature with the XML production element is
   removed.  The output of the transform is equivalent to the output
   that would result from replacing T with an XPath transform containing
   the following XPath parameter element:

      <XPath xmlns:dsig="&dsig;">
      count(ancestor-or-self::dsig:Signature |
      here()/ancestor::dsig:Signature[1]) >
      count(ancestor-or-self::dsig:Signature)</XPath>

If you apply this to the enveloped transform in the hula2.xml file then it is
clear that the stylesheet PI node should be included in the digest output
and this is *exactly* what xmlsec is doing. BTW, I also tested the
XPath transform from above and it also keeps the PI node :)

Best,
Aleksey Sanin
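
The behaviour described in the message above, as an added example that is not part of the original post and is not xmlsec code: it approximates the digest input of a whole-document Reference with the enveloped transform and shows that the xml-stylesheet PI stays in it. Assumptions: the sample document is constructed (it is not hula2.xml), every dsig:Signature element is dropped (equivalent to the transform only when the document holds a single signature), Python's standard-library C14N 2.0 stands in for the canonicalization xmlsec applies, and SHA-256 is an arbitrary digest choice.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a stylesheet PI in the prolog and one enveloped signature.
SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<?xml-stylesheet type="text/xsl" href="view.xsl"?>\n'
    '<doc><data>100</data>'
    f'<dsig:Signature xmlns:dsig="{DSIG_NS}">'
    '<dsig:SignatureValue>AAAA</dsig:SignatureValue>'
    '</dsig:Signature></doc>'
)


def reference_octets(xml_text):
    """Canonical form of the document with the Signature subtree removed.

    Simplification (assumption): all dsig:Signature elements are excluded,
    not only the one that contains the transform.
    """
    return canonicalize(xml_text, exclude_tags=[f"{{{DSIG_NS}}}Signature"])


def reference_digest(xml_text):
    """Digest over the canonical octets (SHA-256 chosen for the example)."""
    return hashlib.sha256(reference_octets(xml_text).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(reference_octets(SAMPLE))

    # Editing the PI changes the digest: the stylesheet reference is signed.
    swapped = SAMPLE.replace("view.xsl", "other.xsl")
    print("PI edit changes digest:",
          reference_digest(swapped) != reference_digest(SAMPLE))

    # Editing inside Signature does not: that subtree is outside the digest.
    resigned = SAMPLE.replace("AAAA", "BBBB")
    print("Signature edit changes digest:",
          reference_digest(resigned) != reference_digest(SAMPLE))
```

A verifier that expects the PI to be ignored will see digest mismatches whenever the stylesheet reference is rewritten in transit; excluding it requires an explicit transform in the Reference, not the enveloped transform alone.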





