You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by bu...@apache.org on 2009/03/10 08:38:32 UTC
DO NOT REPLY [Bug 42599] Integration of a full-featured XPointer
resource resolver.
https://issues.apache.org/bugzilla/show_bug.cgi?id=42599
--- Comment #9 from Christian Kleinewaechter <dr...@gmx.de> 2009-03-10 00:38:28 PST ---
(In reply to comment #8)
> (In reply to comment #7)
> > I've tried the xpointer resolver for generating signatures for the german
> > banking interface EBICS which uses #xpointer(//*[@authenticate='true']) to sign
> [...]
>
> After rechecking the EBICS spec I think there is a difference in what their
> reference declaration says what is to sign and what they actually want to sign
> based on their informal description. They say that they want to sign everything
> contained in elements with attribute authenticate set to true including the
> elements itself, so I think they actually want to sign
> "//*[@authenticate='true']/descendant-or-self::*". So probably
> CanonicalizerBase.canonicalizeXPathNodeSet is right thing to not include child
> nodes of selected nodes.
I have to correct my previous statement.The EBICS spec is correct:
http://www.w3.org/TR/xmldsig-core/ says
4.3.3.3 Same-Document URI-References
[...] The application MUST behave as if the result of XPointer processing
[XPointer-Framework] were a node-set derived from the resultant subresource as
follows:
1. include XPath nodes having full or partial content within the subresource
2. replace the root node with its children (if it is in the node-set)
3. replace any element node E with E plus all descendants of E (text,
comment, PI, element) and all namespace and attribute nodes of E and its
descendant elements.
4. if the URI has no fragment identifier or the fragment identifier is a
shortname XPointer, then delete all comment nodes
IMHO from 3. it is clear that we do not just have to include the nodes but
also their descendants.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.