What exactly does this XPath expression do (count and here)?

Posted 2025-01-09 22:38:43

This is from the XML Signature specification:

<XPath xmlns:dsig="&dsig;">
count(ancestor-or-self::dsig:Signature |
here()/ancestor::dsig:Signature[1]) >
count(ancestor-or-self::dsig:Signature)</XPath>

The accompanying text says "An enveloped signature transform T removes the whole Signature element containing T from the digest calculation of the Reference element containing T." I don't have a working here() so I can't probe it. I think the text of the specification is a little loose. Consider the following scenario:

<saml2:Assertion ID="2">
 <ds:Signature ID="s1">
  <ds:SignedInfo>
   <ds:Reference URI="#2">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>
   </ds:Reference>
  </ds:SignedInfo>
 </ds:Signature>
 <ds:Signature ID="s2">
  <ds:SignedInfo>
   <ds:Reference URI="#2">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>
   </ds:Reference>
  </ds:SignedInfo>
 </ds:Signature>
 <ds:Signature  ID="s3">
  <ds:SignedInfo>
   <ds:Reference URI="#2">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>
   </ds:Reference>
  </ds:SignedInfo>
 </ds:Signature>
</saml2:Assertion>

With the active node being "s2", which <ds:Signature> nodes are removed?

The system XML library is broken. I can't ask it.

Comments (1)

撩心不撩汉 2025-01-16 22:38:43
count(ancestor-or-self::dsig:Signature |
        here()/ancestor::dsig:Signature[1]) >
      count(ancestor-or-self::dsig:Signature)

The expression count(X|Y) > count(X) returns true if Y contains one or more nodes that are not included in X.

I think the [1] is entirely redundant. The expression is true if here() has an ancestor Signature that is not an ancestor-or-self of the context node.

As for what here() does, you'll have to get that from someone who knows the XML Signature spec.

The expression, where it appears in the XML Signature spec, is immediately followed by an explanation: "For each node of the document, the predicate expression is true if and only if the node-set containing the node and its Signature element ancestors does not include the enveloped Signature element containing the XPath expression". I'm not sure what part of that isn't clear...
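
An added example, not part of the original question or answer: a Python model of the predicate that evaluates it over the question's three-signature document without needing a working here(). It assumes here() resolves to the Transform element inside the active signature and adds the namespace declarations the snippet omits; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
SIG = f"{{{DS}}}Signature"

def _sig(sig_id):
    return (f'<ds:Signature ID="{sig_id}"><ds:SignedInfo><ds:Reference URI="#2">'
            f'<ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>'
            '</ds:Reference></ds:SignedInfo></ds:Signature>')

# Constructed input: the question's document, with namespace declarations added.
DOC = ('<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
       f'xmlns:ds="{DS}" ID="2">' + "".join(_sig(s) for s in ("s1", "s2", "s3"))
       + '</saml2:Assertion>')

def sig_ancestors(node, parent, include_self):
    """ancestor::dsig:Signature (or ancestor-or-self::), nearest first."""
    out = []
    cur = node if include_self else parent.get(node)
    while cur is not None:
        if cur.tag == SIG:
            out.append(cur)
        cur = parent.get(cur)
    return out

def kept_elements(root, here, nearest_only=True):
    """Elements for which count(X | Y) > count(X) holds (element nodes only)."""
    parent = {child: p for p in root.iter() for child in p}
    y = sig_ancestors(here, parent, include_self=False)
    if nearest_only:
        y = y[:1]  # the [1] step: nearest Signature on the reverse ancestor axis
    kept = []
    for node in root.iter():
        x = sig_ancestors(node, parent, include_self=True)
        if len(set(x) | set(y)) > len(x):  # Y contributes a node not in X
            kept.append(node)
    return kept

def surviving_signature_ids(active_sig_id):
    """IDs of the Signature elements still present in the digest input."""
    root = ET.fromstring(DOC)
    active = next(s for s in root.iter(SIG) if s.get("ID") == active_sig_id)
    # Assumption: here() resolves to the Transform inside the active signature.
    here = next(active.iter(f"{{{DS}}}Transform"))
    return [e.get("ID") for e in kept_elements(root, here) if e.tag == SIG]

if __name__ == "__main__":
    print(surviving_signature_ids("s2"))
```

With s2 active, only s2 and its descendants drop out of the node-set; s1 and s3 stay in the data that s2's Reference digests.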
