[xmlsec] Determining if a node is referenced by a signature

Aleksey Sanin aleksey at aleksey.com
Thu Mar 30 15:02:32 PST 2006

Very good question :) Unfortunately, the only way to do it
reliably is to limit the allowed transforms (e.g. allow only
enveloped signature transforms). However, xmlsec provides 2 way
to do this semi-reliably:

1) In xmlSecDSigCtx struct you can get access to the post-C14N
pre-digest buffer with the stuff that was signed. You'll have to
parse it back and map nodes from these buffers to nodes from
the document somehow.

2) In xmlSecDSigCtx struct you can get access to list of
xmlSecDSigReferenceCtx structs. Then from xmlSecDSigReferenceCtx
struct you can get access to list of xmlSecTransformCtx structs.
When you can get the *last* *XML* transform in the list and
look into "xmlSecNodeSetPtr outNodes".


if you have OTHER transforms after the last XML transform, then
you can drop some nodes from signature. E.g. in the following
transforms chain

    XPath transform -> XSLT -> XPath transform

the second XPath transform can remove nodes selected by the first
XPath transform.


Barry Ferg wrote:
> Is there some way of figuring out if a given node is referenced by a 
> signature?  Ideally I'd like to be able to run through the reference 
> processing, including XPath filter transforms, and get an 
> xmlSecNodeSetPtr to test against an xmlNodePtr.
> Thanks!
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list