Posted to fx-dev@ws.apache.org by Christof Soehngen <Ch...@SYRACOM.DE> on 2004/04/05 13:20:19 UTC

Problem Xpath2Filter when signing whole envelope

Hello everyone,
 
I have a problem, maybe some of you have experienced a similar situation:
 
I want to sign the whole SOAP-envelope; encryption should go over the body and some parts of the header (i.e. an enhanced version of a usernameToken and a nonce).
 
I began "implementing" the signature part first. I'm aware that I need a special transformation if I want the signature to cover the whole envelope. I chose XPath2Filter and subtracted the ds:signature part. This worked fine (encryption and the user token were not inserted yet).
 
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
  <dsig-xpath:XPath Filter="subtract" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">//ds:Signature</dsig-xpath:XPath>
</ds:Transform>
 
To prepare the encryption, I added another subtract-filter: xenc:encryptedKey. Note: I did not insert encryption, so the xml-document did not change, only the filter.
 
<dsig-xpath:XPath Filter="subtract" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">//xenc:EncryptedKey</dsig-xpath:XPath>

Now here is my problem: The signature does not verify. I inserted a watch expression that shows the output after all transformations, and it is the same with and without the xenc:encryptedKey (why is clear, you can't subtract what isn't there). But the verification did not work.
I decided to play a little bit with the filter, so I changed the filter-statement from xenc:encryptedKey to ds:encryptedKey. The effect should be the same: both times the filter does not affect the message, because there is nothing to filter with this name. But now the signature verifies again.
 
The problem seems to occur when I add a filter that needs a namespace declaration, because the namespace is not declared when the signature takes place. But the error only shows up when this prefix is used in the filter, not when the namespace is only declared but not used (I checked this by adding the xenc namespace definition to the ds:Signature-Filter, which works).
 
Does anyone have an explanation or solution for this problem?
 
By the way, this is why I want to sign the whole envelope in the first place: It is faster to sign the whole envelope and filter some parts than to sign 2 or more separate parts.
 
Thanks,
Christof
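The transform chain described in the post, as an added example (not Christof's code and not from the Apache XML Security project): it uses the JDK's javax.xml.crypto.dsig API rather than the Apache API, signs the whole envelope with URI="", subtracts //ds:Signature and //xenc:EncryptedKey via XPath Filter 2 with both prefixes bound on the XPath elements themselves, and verifies the result in the same run so a broken chain shows up immediately. The envelope, key pair and algorithm choices are constructed for the example.

```java
import java.io.StringReader;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class WholeEnvelopeSignature {
    static final String DS = XMLSignature.XMLNS;                    // ds prefix
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#"; // xenc prefix
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    // Constructed sample envelope; no EncryptedKey is present yet, as in the post.
    static final String ENVELOPE = "<soap:Envelope xmlns:soap=\"" + SOAP + "\"><soap:Header/>"
        + "<soap:Body><m:Order xmlns:m=\"urn:example:orders\"><m:Id>42</m:Id></m:Order>"
        + "</soap:Body></soap:Envelope>";
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required, or the ds:/xenc: filters never match
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(ENVELOPE)));
        Element header = (Element) doc.getElementsByTagNameNS(SOAP, "Header").item(0);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Bind both prefixes on the XPath elements themselves; the filters then do not depend on the envelope's own declarations.
        Map<String, String> ns = new HashMap<>();
        ns.put("ds", DS);
        ns.put("xenc", XENC);
        List<XPathType> filters = Arrays.asList(
            new XPathType("//ds:Signature", XPathType.Filter.SUBTRACT, ns),
            new XPathType("//xenc:EncryptedKey", XPathType.Filter.SUBTRACT, ns));
        Transform xpath2 = fac.newTransform(Transform.XPATH2, new XPathFilter2ParameterSpec(filters));
        // URI="" covers the whole envelope; the two subtracts drop the Signature (and any later EncryptedKey) from the digested octets.
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(xpath2), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), Collections.singletonList(ref));
        DOMSignContext signCtx = new DOMSignContext(kp.getPrivate(), header);
        signCtx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, null).sign(signCtx); // KeyInfo omitted; the key is known out of band here
        // Verify at once: if the transform chain cannot reproduce the digest, this prints false.
        Node sigNode = doc.getElementsByTagNameNS(DS, "Signature").item(0);
        DOMValidateContext valCtx = new DOMValidateContext(kp.getPublic(), sigNode);
        System.out.println("signature valid: " + fac.unmarshalXMLSignature(valCtx).validate(valCtx));
    }
}
```

Adding an EncryptedKey to the header later does not require changing the SignedInfo, since the second subtract already excludes it.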