[xmlsec] XmlDSig: The Reference Processing Model (Node set vs Octet stream)

Aleksey Sanin aleksey at aleksey.com
Fri Aug 30 08:05:20 PDT 2013 

I don't understand your question. At the end, digest is always
applied to the octet stream. The rules in the spec describe how
to get to the octet stream. In human language, there are only
two rules:

1) Do not parse to XML unless it is necessary: it is already
parsed (same document) or there is an XML transform (e.g. XPath)
2) To convert back to octet stream use the specified c14n method.

IMHO, it's pretty straightforward and logical.

Best,

Aleksey

On 8/30/13 6:50 AM, Alexwell Sandro wrote:
> I do not know if this is the list for this discussion.
> 
> I added this question to stackoverflow
> <http://stackoverflow.com/questions/18522211/xmldsig-the-reference-processing-model-node-set-vs-octet-stream>.
> 
> I'm studying XML Advanced Electronic Signatures
> <http://www.etsi.org/deliver/etsi_ts%5C101900_101999%5C101903%5C01.04.02_60%5Cts_101903v010402p.pdf>.
> 
> *To create "ArchiveTimeStamp" (page 58) the Specification says:*
> 
> /Process the retrieved ds:Reference element according to the reference
> processing model of XMLDSIG./
> /
> /
> /If the result is a XML node set, canonicalize it. (...)/
> 
> *The Reference Processing Model is over this:*
> 
> <*ds:Reference *Id="myId" URI="http://fakefile.xml">
>     <*ds:Transforms*>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     </ds:Transforms>
>     <ds:DigestMethod/>
>     <ds:DigestValue/>
> </ds:Reference>
> 
> The process uses "URI=..." and "ds:Transforms" to retrieve the data.
> 
> *Below are some parts extracted from (4.3.3.2 The Reference Processing
> Model <http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel>):*
> 
> /The data-type of the result of URI dereferencing or subsequent
> Transforms is either an octet stream or an XPath node-set. (...)/
> /
> /
> /In this specification, a 'same-document' reference is defined as a
> URI-Reference that consists of a hash sign ('#') followed by a fragment
> or alternatively consists of an empty URI (...)/
> /
> /
> /Unless the URI-Reference is such a 'same-document' reference, the
> result of dereferencing the URI-Reference MUST be an octet stream. In
> particular, an XML document identified by URI is not parsed by the
> signature application unless the URI is a same-document reference or
> unless a transform that requires XML parsing is applied./
> /
> /
> /The following examples demonstrate what the URI attribute identifies
> and how it is dereferenced:/
> /
> /
> /URI="http://example.com/bar.xml" /
> /Identifies the octets (...)/
> /
> /
> /URI="http://example.com/bar.xml#chapter1" /
> /Identifies the element with ID attribute value 'chapter1' of the
> external XML resource (...), provided as an octet stream. (...)/
> /
> /
> /URI="" /
> /Identifies the node-set (...)/
> /
> /
> /URI="#chapter1" /
> /Identifies a node-set containing the (...)/
> 
> *The question.*
> 
> *For these References:*
> 
> <ds:Reference Id="myId" URI="http://fakefile.xml">
> ...
> (empty transform list)
> ...
> </ds:Reference>
> *Result 1#: ( <file> ... childs ... <file> ).*
> 
> <ds:Reference Id="myId" URI="http://fakefile.xml">
> ...
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> ...
> </ds:Reference>
> *Result 2#: (xml with exc-c14n).*
> 
> <ds:Reference Id="myId" URI="http://fakefile.xml">
> ...
> <ds:Transform "fake_Xpath_transform_to_get_all_childs"/>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> ...
> </ds:Reference>
> *Result 3#: ( only childs with exc-c14n <child_1/>...<child_x/> ) This
> is not valid XML file to parse, does not has single root. But can be
> "node set" with in fakefile.xml context.*
> 
> *Are results (1#, 2# and 3#) "octet stream" ?*
> 
> Because: /Unless the URI-Reference is such a 'same-document' reference,
> the result of dereferencing the URI-Reference MUST be an octet stream./
> 
> *Or are they "XML node set" required by XML Advanced Electronic
> Signatures to canonicalize?*
> 
> Because: /(...) In particular, an XML document identified by URI is not
> parsed by the signature application unless the URI is a same-document
> reference *or unless a transform that requires XML parsing is applied*./
> 
> *Or the (unless a transform that requires XML parsing is applied) is
> valid only with in Reference context and the results are octet stream?*
> 
> Articles are welcome.
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>

More information about the xmlsec mailing list