164 Chapter 5 • XML Digital Signatures

This code obviously works only if the referenced document is an XML document, in which case the datastream that moves through the transform processes is called a node set. A non-XML document is treated as binary data and the datastream is called an octet stream. The type of stream could change as the data moves through the transforms; for example, a MIME encoder could convert some binary image data into base-64 encoding, and that data could then be placed inside an XML template for output—an octet stream in and a node set out. Because the data can change in this way as it goes through the transform process, one should be careful about the input requirements of the transforms that are being used. In some cases, it might be necessary to provide an intermediate transform to change the data as a way of “gluing” together two different desired transform algorithms.

Using XPath to Transform a Document

For our weather report data, signing the report for an individual station might not be that useful, since the stations (usually) report an update every hour. Suppose instead that we wanted to sign only certain static elements in the file. With the mechanisms that we have seen so far, this would be an awkward thing to accomplish, given the way the weather report file is structured. We need some mechanism to sign only certain elements (in this case, let’s consider the location elements) of the file. This is exactly what the XPath (www.w3.org/TR/1999/REC-xpath-19991116 and www.w3.org/TR/2001/WD-xpath20-20011220) transformation mechanism can provide for us. The XPath transformation is a way to filter a node set and act on only those elements that match a given rule. We could have implemented our previous example of signing only the data for San Francisco using an XPath, as shown in Figure 5.12.
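The filtering idea described above, as an added example that is not from the book: it selects the KSFO element, canonicalizes it, and digests only that subtree, so the digest covers nothing else in the file. The sample document, the function name, the use of SHA-256, and Python's ElementTree path syntax (".//" rather than "//") are assumptions, and this is a simplified illustration rather than a full XML Signature transform.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample report. Only <weather Id="..."> and the location element
# come from the text; the other element names are assumptions.
REPORT = (
    '<reports>'
    '<weather Id="KSFO"><location>San Francisco</location><temp>58</temp></weather>'
    '<weather Id="KOAK"><location>Oakland</location><temp>61</temp></weather>'
    '</reports>'
)

# ElementTree's limited XPath dialect for the figure's //weather[@Id="KSFO"].
SFO = ".//weather[@Id='KSFO']"


def filtered_digest(xml_text, path):
    """Digest only the elements selected by `path` (hypothetical helper).

    Each selected subtree is canonicalized (C14N 2.0) before hashing, so
    equivalent serializations of the same element give the same digest.
    """
    root = ET.fromstring(xml_text)
    nodes = root.findall(path)
    if not nodes:
        # An expression that selects nothing would "protect" an empty input.
        raise ValueError("expression selected no nodes")
    h = hashlib.sha256()
    for node in nodes:
        node.tail = None  # whitespace after the element is not part of it
        serialized = ET.tostring(node, encoding="unicode")
        h.update(ET.canonicalize(serialized).encode("utf-8"))
    return h.hexdigest()


if __name__ == "__main__":
    base = filtered_digest(REPORT, SFO)
    # Editing Oakland's data leaves the digest unchanged: it is not covered.
    oak_edit = REPORT.replace("<temp>61</temp>", "<temp>75</temp>")
    # Editing San Francisco's data changes the digest.
    sfo_edit = REPORT.replace("<temp>58</temp>", "<temp>75</temp>")
    print("KOAK edited, digest unchanged:", filtered_digest(oak_edit, SFO) == base)
    print("KSFO edited, digest changed:  ", filtered_digest(sfo_edit, SFO) != base)
```

Anything the filter excludes, here the Oakland element, can change without affecting the digest, so a verifier should rely only on the selected elements.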
Figure 5.12 Using XPath to Sign Only San Francisco Weather Data

<Reference URI="file:///home/skip/xml/weather.xml">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
      <XPath>
        //weather[@Id="KSFO"]
      </XPath>
    </Transform>
  </Transforms>

Continued

www.syngress.com