questions on xml-security-c and xalan-c

[Philip Black-Knight <pb...@tresys.com>]

I'm looking into using santaurio in a application, but the disclaimers regarding xalan make me a little nervous.

We'd like to be able to add signatures to a document and allow the document to get added to some other DOM tree and keep the signature valid.  I've been able to do this using an xmldsig-filter2 intersect filter and the xpath expression "here():/ancestor::RootNode". A sample document seems to work with the txfmout test program.

My understanding is that santaurio uses xalan-c to perform the xmldsig-filter2 filtering and I was wondering if anyone knows of problems with this. Is there an alternative? The xalan project appears dead, is there a plan to move to an active project?

Thanks,
Phil

Re: questions on xml-security-c and xalan-c

["Cantor, Scott E." <ca...@osu.edu>]

On 3/30/11 8:13 PM, "Philip Black-Knight" <pb...@tresys.com> wrote:
>I had thought about ID attributes, but IDs could causes other problems.
>Basically, we want to be able to take a number of documents all
>conforming to the schema and add them into one master document. The
>smaller, signed, documents may be generated by different machines or
>processes at different times, so there is a possibility that 2 separate
>documents assign the same ID to a node. Unless I'm mistaken, this would
>causes errors later when attempting to validate the signatures.

All you have to do is require pseudorandom IDs, a common approach being
UUIDs (with an underscore in front to address XML syntax constraints on
IDs). That's not a problem that would justify XPath in my opinion, though
ID attributes are certainly not without other issues.

>Me neither.  There's XQilla, but AFAIK, it's XPath 2.0 only and there
>seems to be enough differences between xpath 1.0 and 2.0 that this XQilla
>wouldn't work.

Right. It appears that XML Signature 2.0 is going to be XPath 2 only (or
at least as good as), so if I ever do a clean room project to support
that, XQilla would be an option.

I was hoping your question meant you knew of something else.

-- Scott

RE: questions on xml-security-c and xalan-c

[Philip Black-Knight <pb...@tresys.com>]

> >We'd like to be able to add signatures to a document and allow the
> >document to get added to some other DOM tree and keep the signature
> >valid.  I've been able to do this using an xmldsig-filter2 intersect
> >filter and the xpath expression "here():/ancestor::RootNode". A sample
> >document seems to work with the txfmout test program.
> 
> An alternative to XPath, provided you have ID attributes and some
> application protection against wrapping attacks, is ID-based
> referencing
> of the object.

I had thought about ID attributes, but IDs could causes other problems. Basically, we want to be able to take a number of documents all conforming to the schema and add them into one master document. The smaller, signed, documents may be generated by different machines or processes at different times, so there is a possibility that 2 separate documents assign the same ID to a node. Unless I'm mistaken, this would causes errors later when attempting to validate the signatures.

> >My understanding is that santaurio uses xalan-c to perform the
> >xmldsig-filter2 filtering and I was wondering if anyone knows of
> problems
> >with this. Is there an alternative?
> 
> Not without finding and alternative and porting to it. I am aware of no
> XPath implementations via Xerces at this point.

Me neither.  There's XQilla, but AFAIK, it's XPath 2.0 only and there seems to be enough differences between xpath 1.0 and 2.0 that this XQilla wouldn't work.

Thanks for the reply
Phil

Re: questions on xml-security-c and xalan-c

["Cantor, Scott E." <ca...@osu.edu>]

On 3/30/11 7:39 PM, "Philip Black-Knight" <pb...@tresys.com> wrote:
>I'm looking into using santaurio in a application, but the disclaimers
>regarding xalan make me a little nervous.

They should, they'd certainly make me nervous.

>We'd like to be able to add signatures to a document and allow the
>document to get added to some other DOM tree and keep the signature
>valid.  I've been able to do this using an xmldsig-filter2 intersect
>filter and the xpath expression "here():/ancestor::RootNode". A sample
>document seems to work with the txfmout test program.

An alternative to XPath, provided you have ID attributes and some
application protection against wrapping attacks, is ID-based referencing
of the object.

>My understanding is that santaurio uses xalan-c to perform the
>xmldsig-filter2 filtering and I was wondering if anyone knows of problems
>with this. Is there an alternative?

Not without finding and alternative and porting to it. I am aware of no
XPath implementations via Xerces at this point.

> The xalan project appears dead, is there a plan to move to an active
>project?

Any pointers to one? Not that I'm going to do the work, but even having a
place to point would be better.

Note that XML Signature in current form requires at least XPath 1, and
support for the XPath 2 filter is separate and optional. So a 2-only
library wouldn't work.

-- Scott