Network Working Group J. Boyer
Request for Comments: 3653 PureEdge Solutions
Category: Informational M. Hughes
Betrusted, Inc.
J. Reagle
W3C
December 2003
Network Working Group J. Boyer
Request for Comments: 3653 PureEdge Solutions
Category: Informational M. Hughes
Betrusted, Inc.
J. Reagle
W3C
December 2003
XML-Signature XPath Filter 2.0
XML签名XPath筛选器2.0
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2003). All Rights Reserved.
版权所有(C)互联网协会(2003年)。版权所有。
Abstract
摘要
XML Signature recommends a standard means for specifying information content to be digitally signed and for representing the resulting digital signatures in XML. Some applications require the ability to specify a subset of a given XML document as the information content to be signed. The XML Signature specification meets this requirement with the XPath transform. However, this transform can be difficult to implement efficiently with existing technologies. This specification defines a new XML Signature transform to facilitate the development of efficient document subsetting implementations that interoperate under similar performance profiles.
XML签名推荐了一种标准方法,用于指定要进行数字签名的信息内容以及用XML表示生成的数字签名。有些应用程序需要能够指定给定XML文档的子集作为要签名的信息内容。XML签名规范通过XPath转换满足这一要求。然而,使用现有技术很难有效地实现这种转换。该规范定义了一个新的XML签名转换,以促进开发高效的文档子集实现,这些实现可以在类似的性能配置文件下进行互操作。
This document is the W3C XML Signature XPath-Filter 2.0 Recommendation. This document has been reviewed by W3C Members and other interested parties and has been endorsed by the Director as a W3C Recommendation. It is a stable document and may be used as reference material or cited as a normative reference from another document. W3C's role in making the Recommendation is to draw attention to the specification and to promote its widespread deployment. This enhances the functionality and interoperability of the Web.
本文档是W3C XML签名XPath筛选器2.0建议。本文件已由W3C成员和其他利益相关方审查,并已作为W3C建议得到董事的认可。它是一份稳定的文件,可作为参考材料使用,或作为另一份文件的规范性参考引用。W3C在提出建议时的作用是提请注意该规范并促进其广泛部署。这增强了Web的功能和互操作性。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Acknowledgements (Informative) . . . . . . . . . . . . 4
1.2. W3C Status . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology. . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Specification of Signature Filter Transform. . . . . . . . . 5
3.1. Algorithm Identifier . . . . . . . . . . . . . . . . . 5
3.2. Syntax of Signature Filter Transform . . . . . . . . . 5
3.3. Input and Evaluation Context of Signature Filter
Transform. . . . . . . . . . . . . . . . . . . . . . . 7
3.4. Processing Model of Signature Filter Transform . . . . 7
4. Examples of Signature Filter Transform . . . . . . . . . . . 9
5. Normative References . . . . . . . . . . . . . . . . . . . . 13
6. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 14
7. Full Copyright Statement . . . . . . . . . . . . . . . . . . 15
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Acknowledgements (Informative) . . . . . . . . . . . . 4
1.2. W3C Status . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology. . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Specification of Signature Filter Transform. . . . . . . . . 5
3.1. Algorithm Identifier . . . . . . . . . . . . . . . . . 5
3.2. Syntax of Signature Filter Transform . . . . . . . . . 5
3.3. Input and Evaluation Context of Signature Filter
Transform. . . . . . . . . . . . . . . . . . . . . . . 7
3.4. Processing Model of Signature Filter Transform . . . . 7
4. Examples of Signature Filter Transform . . . . . . . . . . . 9
5. Normative References . . . . . . . . . . . . . . . . . . . . 13
6. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 14
7. Full Copyright Statement . . . . . . . . . . . . . . . . . . 15
The XML Recommendation [XML] specifies the syntax of a class of objects called XML documents. The Namespaces in XML Recommendation [XML-NS] specifies additional syntax and semantics for XML documents. The XML Signature Recommendation [XML-DSig] defines standard means for specifying information content to be digitally signed, including the ability to select a portion of an XML document to be signed using an XPath transform.
XML建议[XML]指定了一类称为XML文档的对象的语法。XML推荐[XML-NS]中的名称空间为XML文档指定了额外的语法和语义。XML签名建议[XML DSig]定义了用于指定要进行数字签名的信息内容的标准方法,包括使用XPath转换选择要签名的XML文档的一部分的能力。
This specification describes a new signature filter transform that, like the XPath transform [XML-DSig, section 6.6.3], provides a method for computing a portion of a document to be signed. In the interest of simplifying the creation of efficient implementations, the architecture of this transform is not based on evaluating an [XPath] expression for every node of the XML parse tree (as defined by the [XPath] data model). Instead, a sequence of XPath expressions is used to select the roots of document subtrees -- location sets, in the language of [XPointer] -- which are combined using set intersection, subtraction and union, and then used to filter the input node-set. The principal differences from the XPath transform are:
本规范描述了一种新的签名过滤器转换,它与XPath转换[XMLDSIG,第6.6.3节]类似,提供了一种计算要签名的文档部分的方法。为了简化高效实现的创建,此转换的体系结构不是基于为XML解析树的每个节点(如[XPath]数据模型所定义)计算[XPath]表达式。相反,XPath表达式序列用于选择文档子树的根(位置集,使用[XPointer]语言),这些子树使用集合交集、减法和并集进行组合,然后用于过滤输入节点集。XPath转换的主要区别在于:
* A sequence of XPath operations can be executed in a single transform, allowing complex filters to be more easily expressed and optimized. * The XPath expressions are evaluated against the input document resulting in a set of nodes, instead of being used as a boolean test against each node of the input node-set.
* XPath操作序列可以在单个转换中执行,从而使复杂过滤器更容易表达和优化。*XPath表达式根据输入文档进行计算,生成一组节点,而不是作为对输入节点集的每个节点的布尔测试。
* To increase efficiency, the expansion of a given node to include all nodes having the given node as an ancestor is now implicit so it can be performed by faster means than the evaluation of an XPath expression for each document node. * The resulting node-sets can be combined using the three fundamental set operations (intersection, subtraction, and union), and then applied as a filter against the input node-set, allowing operations such as signing an entire document except for a specified subset, to be expressed more clearly and efficiently.
* 为了提高效率,将给定节点扩展为包含所有以给定节点为祖先的节点现在是隐式的,因此可以通过比计算每个文档节点的XPath表达式更快的方式来执行。*生成的节点集可以使用三种基本集操作(交集、减法和并集)进行组合,然后作为输入节点集的过滤器应用,从而可以更清楚、更有效地表达诸如对整个文档(指定子集除外)签名的操作。
As with the original XPath transform, the primary purpose of this transform is to ensure that only specifically defined changes to the input XML document are permitted after the signature is affixed. This can be done by excluding precisely those nodes that are allowed to change once the signature is affixed, and including all other input nodes in the output. It is the responsibility of the signature filter transform author to ensure that nodes are not excluded which could affect the interpretation of the transform output in the application context.
与原始XPath转换一样,此转换的主要目的是确保在附加签名后只允许对输入XML文档进行专门定义的更改。这可以通过精确地排除那些在附加签名后允许更改的节点,并在输出中包括所有其他输入节点来实现。签名过滤器转换作者负责确保不排除可能影响应用程序上下文中转换输出解释的节点。
Consider the motivating scenario where an application wishes to affix two enveloped signatures to the document; any other change to the document must cause the signatures to be invalid. When the application creates the first signature that signature is automatically omitted from its own digest calculations. However, it will also be necessary to exclude the subsequent (second) signature element from the digest calculations of the first signature. This specification can be used to efficiently satisfy this requirement using the set subtraction operation.
考虑应用程序希望将两个包络签名附加到文档的激励场景;对文档的任何其他更改都必须导致签名无效。当应用程序创建第一个签名时,该签名将自动从其自己的摘要计算中忽略。但是,还需要从第一个签名的摘要计算中排除后续(第二个)签名元素。本规范可用于使用集合减法运算有效地满足此要求。
This transform also supports the ability to specify a set of nodes that will be included in a signature, with all non-specified nodes being excluded. This formulation is useful for isolating a portion of a document, such as a chapter of a document, or a payload in a protocol message, and can be expressed using the set intersection operation.
此转换还支持指定将包含在签名中的一组节点的能力,并排除所有未指定的节点。该公式用于隔离文档的一部分,例如文档的一章或协议消息中的有效负载,并且可以使用集合交叉操作来表示。
Complete familiarity with the first XML Signature XPath Transform [XML-DSig, section 6.6.3] is required.
需要完全熟悉第一个XML签名XPath转换[XML DSig,第6.6.3节]。
NOTE: Since XPath Filter 2.0 depends on details of XPath, be sure to take into account the XPath Errata at <http://www.w3.org/1999/11/REC-xpath-19991116-errata>.
注意:由于XPathFilter 2.0依赖于XPath的详细信息,因此请务必考虑以下位置的XPath勘误表:<http://www.w3.org/1999/11/REC-xpath-19991116-errata>.
The following people provided valuable feedback that improved the quality of this specification:
以下人员提供了宝贵的反馈,提高了本规范的质量:
* Christian Geuer-Pollmann, Universitat Siegen * Donald Eastlake, 3rd, Motorola * Gregor Karlinger, IAK TU Graz * Aleksey Sanin
* 克里斯蒂安·盖尔·波尔曼,锡根大学*唐纳德·伊斯特莱克,第三届,摩托罗拉*格雷戈·卡林格,IAK TU Graz*阿列克西·萨宁
The World Wide Web Consortium Recommendation corresponding to this RFC is at:
与本RFC相对应的万维网联盟建议位于:
http://www.w3.org/TR/xmldsig-filter2/
http://www.w3.org/TR/xmldsig-filter2/
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [Keywords].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照BCP 14、RFC 2119[关键词]中的描述进行解释。
The XPath 1.0 Recommendation [XPath] defines the term node-set as "(an unordered collection of nodes without duplicates)" and specifies a data model for representing an input XML document as a set of nodes of various types (element, attribute, namespace, text, comment, processing instruction, and root).
XPath 1.0建议[XPath]将术语节点集定义为“(没有重复项的无序节点集合”),并指定一个数据模型,用于将输入XML文档表示为一组不同类型的节点(元素、属性、名称空间、文本、注释、处理指令和根节点)。
An input document is the document that contains all the nodes available to processing by this transform. A document subset is a portion of an XML document indicated by an XPath node-set, which may not include all of the nodes in the document. For example, the input node-set is a collection of XPath nodes from the input document that is passed as a parameter to this transform. A subtree rooted by a given node is a document subset containing the given node and every node having the given node as an ancestor. Subtree expansion is the process of expanding a node-set to include all subtrees rooted at any node in the node-set. For example, the subtree expansion of a node-set consisting of just a single element node would be a node-set containing that element, its attribute nodes, namespace nodes, and all its descendants including their attribute nodes and namespaces nodes.
输入文档是包含此转换可处理的所有节点的文档。文档子集是由XPath节点集表示的XML文档的一部分,它可能不包括文档中的所有节点。例如,输入节点集是输入文档中XPath节点的集合,作为参数传递给此转换。以给定节点为根的子树是文档子集,包含给定节点和每个节点,每个节点都以给定节点为祖先。子树扩展是将节点集扩展为包含节点集中任何节点的所有子树的过程。例如,仅由单个元素节点组成的节点集的子树扩展将是包含该元素、其属性节点、命名空间节点及其所有子体(包括其属性节点和命名空间节点)的节点集。
The XML Signature Recommendation [XML-DSig] defines a reference as a sequence of steps performed to obtain an octet stream to be digitally signed. A transform is an identified algorithm to be used as a step
XML签名建议[XML DSig]将引用定义为获取要进行数字签名的八位字节流所执行的一系列步骤。转换是一种已识别的算法,用作步骤
in the reference processing model. A transform takes an octet stream or XPath node-set as input, and it produces an octet stream or XPath node-set as output (the reference processing model automatically converts the final output to an octet stream if it is an XPath node-set).
在参考处理模型中。转换以八位字节流或XPath节点集作为输入,并生成八位字节流或XPath节点集作为输出(如果是XPath节点集,则引用处理模型会自动将最终输出转换为八位字节流)。
The transform operates by computing a node-set that is used to filter the input node-set: The output node-set consists of only those nodes in both the input node-set and the filter node-set. In other words, the output node-set is the intersection of the input node-set and the computed filter node-set.
转换通过计算用于过滤输入节点集的节点集进行操作:输出节点集仅由输入节点集和过滤节点集中的节点组成。换句话说,输出节点集是输入节点集和计算的过滤器节点集的交集。
The filter node-set is computed by evaluating a sequence of XPath expressions and combining their results. A node-set is initially computed containing the entire input document. In sequence, each XPath expression is then evaluated, subtree-expanded, and then used to transform the filter node-set according to a specified set operation; intersection, subtraction, or union. After all XPaths have been applied, the resulting node-set is used as the filter node-set.
过滤器节点集是通过计算XPath表达式序列并组合它们的结果来计算的。首先计算包含整个输入文档的节点集。依次计算每个XPath表达式,展开子树,然后根据指定的集合操作转换过滤器节点集合;交集、减法或并集。应用所有XPath后,生成的节点集将用作筛选器节点集。
The XML Signature Recommendation [XML-DSig] uses a [URI] to identify each algorithm to be performed when creating or validating a signature. The signature filter transform is identified as follows:
XML签名建议[XML DSig]使用[URI]标识创建或验证签名时要执行的每个算法。签名过滤器转换的标识如下:
Algorithm Identifier
http://www.w3.org/2002/06/xmldsig-filter2
Algorithm Identifier
http://www.w3.org/2002/06/xmldsig-filter2
The signature filter transform shall be represented by a sequence of one or more elements named XPath. The content of XPath is character data containing an XPath expression. The XPath has an attribute named Filter whose possible values are intersect, subtract, and union. The Filter attribute indicates the set operation that is performed with the resulting node-set when computing the filter node-set. The following is an example of markup for a signature filter that signs the entire input node-set except for elements with identifier foo and bar (and all nodes with one of those elements as an ancestor):
签名过滤器转换应由一个或多个名为XPath的元素序列表示。XPath的内容是包含XPath表达式的字符数据。XPath有一个名为Filter的属性,其可能值为intersect、subtract和union。“过滤器”属性指示在计算过滤器节点集时使用结果节点集执行的集合操作。以下是签名筛选器的标记示例,该标记对整个输入节点集进行签名,标识符为foo和bar的元素除外(以及以其中一个元素作为祖先的所有节点):
<XPath Filter="subtract"
xmlns="http://www.w3.org/2002/06/xmldsig-filter2">
id("foo bar")
<XPath Filter="subtract"
xmlns="http://www.w3.org/2002/06/xmldsig-filter2">
id("foo bar")
</XPath>
</XPath>
Schema Definition:
架构定义:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema
PUBLIC "-//W3C//DTD XMLSchema 200102//EN"
"http://www.w3.org/2001/XMLSchema.dtd"
[
<!ATTLIST schema
xmlns:xf CDATA #FIXED 'http://www.w3.org/2002/06/xmldsig-filter2'>
<!ENTITY xf 'http://www.w3.org/2002/06/xmldsig-filter2'>
<!ENTITY % p ''>
<!ENTITY % s ''>
]>
PUBLIC "-//W3C//DTD XMLSchema 200102//EN"
"http://www.w3.org/2001/XMLSchema.dtd"
[
<!ATTLIST schema
xmlns:xf CDATA #FIXED 'http://www.w3.org/2002/06/xmldsig-filter2'>
<!ENTITY xf 'http://www.w3.org/2002/06/xmldsig-filter2'>
<!ENTITY % p ''>
<!ENTITY % s ''>
]>
<schema xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:xf="http://www.w3.org/2002/06/xmldsig-filter2"
targetNamespace="http://www.w3.org/2002/06/xmldsig-filter2"
version="0.1" elementFormDefault="qualified">
<schema xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:xf="http://www.w3.org/2002/06/xmldsig-filter2"
targetNamespace="http://www.w3.org/2002/06/xmldsig-filter2"
version="0.1" elementFormDefault="qualified">
<element name="XPath"
type="xf:XPathType"/>
<element name="XPath"
type="xf:XPathType"/>
<complexType name="XPathType">
<simpleContent>
<extension base="string">
<attribute name="Filter">
<simpleType>
<restriction base="string">
<enumeration value="intersect"/>
<enumeration value="subtract"/>
<enumeration value="union"/>
</restriction>
</simpleType>
</attribute>
</extension>
</simpleContent>
</complexType>
<complexType name="XPathType">
<simpleContent>
<extension base="string">
<attribute name="Filter">
<simpleType>
<restriction base="string">
<enumeration value="intersect"/>
<enumeration value="subtract"/>
<enumeration value="union"/>
</restriction>
</simpleType>
</attribute>
</extension>
</simpleContent>
</complexType>
</schema>
</schema>
DTD:
DTD:
<!ELEMENT XPath (#PCDATA) >
<!ATTLIST XPath
Filter (intersect|subtract|union) #REQUIRED >
<!ELEMENT XPath (#PCDATA) >
<!ATTLIST XPath
Filter (intersect|subtract|union) #REQUIRED >
The input required by this transform is an XPath node-set over the input document. If the input document is an octet stream, then the application MUST convert the octet stream to an XPath node-set that contains all of the document nodes (including comment nodes). The evaluation context for the XPath expressions in the filter transform will be:
此转换所需的输入是在输入文档上设置的XPath节点。如果输入文档是八位字节流,则应用程序必须将八位字节流转换为包含所有文档节点(包括注释节点)的XPath节点集。过滤器转换中XPath表达式的计算上下文为:
* A context node equal to the root node of the document whose node-set was provided as input to this transform. The root node is the parent of the document element and any comment and processing instruction nodes outside of the document element. * A context position, initialized to 1. * A context size, initialized to 1. * A library of functions equal to the function set defined in [XPath] plus a function named here(). * A set of variable bindings. No means for initializing these is defined. Thus, the set of variable bindings used when evaluating the XPath expression is empty, and use of a variable reference in the XPath expression results in an error. * The set of namespace declarations in scope for the XPath element.
* 上下文节点,等于文档的根节点,其节点集作为此转换的输入提供。根节点是文档元素以及文档元素之外的任何注释和处理指令节点的父节点。*上下文位置,初始化为1.*上下文大小,初始化为1。*函数库等于[XPath]中定义的函数集加上名为here()的函数。*一组变量绑定。没有定义初始化这些的方法。因此,计算XPath表达式时使用的变量绑定集为空,在XPath表达式中使用变量引用会导致错误。*XPath元素作用域中的命名空间声明集。
The function here() is defined as follows:
函数here()的定义如下:
Function: node-set here()
函数:此处设置节点()
The here() function returns a node-set containing the attribute or processing instruction node or the parent element of the text node that directly bears the XPath expression. In this transform, this will be the XPath element. This expression results in an error if the containing XPath expression does not appear in the same XML document against which the XPath expression is being evaluated.
函数的作用是:返回一个节点集,该节点集包含属性、处理指令节点或直接承载XPath表达式的文本节点的父元素。在这个转换中,这将是XPath元素。如果包含的XPath表达式未出现在计算XPath表达式的同一XML文档中,则此表达式将导致错误。
Using the aforementioned evaluation context, the signature filter transform evaluates the XPath expressions appearing in the character content of the XPath elements and uses these to compute a filter node-set F, which is then used to filter the input node-set I resulting in an output node-set O:
使用上述计算上下文,签名过滤器转换计算XPath元素的字符内容中出现的XPath表达式,并使用这些表达式计算过滤器节点集F,然后使用过滤器节点集F过滤输入节点集I,生成输出节点集O:
* Initialize the filter node-set F to consist of all nodes in the input document. * Iterate through each XPath expression, X, in sequence, and update the filter node-set F as follows:
* 初始化过滤器节点集F,使其包含输入文档中的所有节点。*按顺序迭代每个XPath表达式X,并更新过滤器节点集F,如下所示:
o Evaluate the XPath expression X. The result is a node-set
S.
o Compute the set S' consisting of all nodes in the input
document that are either present in S or that have an
ancestor in S. This is equal to the union of all the
document subtrees rooted by a node in S.
o If the Filter attribute value is intersect, then compute the
intersection of the selected subtrees, S', with the filter
node-set F. The result will include only those nodes that
are in both the filter node-set and the selected subtrees:
F' = F INTERSECT S'.
o If the Filter attribute value is subtract, then compute the
subtraction of the selected subtrees, S', from the filter
node-set F. The result will include only those nodes that
are in the filter node-set, but not the selected subtrees:
F' = F - S'.
o Otherwise, if the Filter attribute value is union, then
compute the union the selected subtrees, S', with the filter
node-set F. The result will include all those nodes that
are in either the filter node-set, the selected subtrees, or
both: F' = F UNION S'.
o Update the filter node-set F to be the new node-set F'.
* Finally, after applying all the XPath expressions, compute the
output node-set O to be the intersection of the computed filter
node-set, F, with the input node-set, I. The result will
include all nodes from the input node-set that are also in the
filter node-set: O = I INTERSECT F.
* An empty input node-set will always result in an empty output
node-set.
o Evaluate the XPath expression X. The result is a node-set
S.
o Compute the set S' consisting of all nodes in the input
document that are either present in S or that have an
ancestor in S. This is equal to the union of all the
document subtrees rooted by a node in S.
o If the Filter attribute value is intersect, then compute the
intersection of the selected subtrees, S', with the filter
node-set F. The result will include only those nodes that
are in both the filter node-set and the selected subtrees:
F' = F INTERSECT S'.
o If the Filter attribute value is subtract, then compute the
subtraction of the selected subtrees, S', from the filter
node-set F. The result will include only those nodes that
are in the filter node-set, but not the selected subtrees:
F' = F - S'.
o Otherwise, if the Filter attribute value is union, then
compute the union the selected subtrees, S', with the filter
node-set F. The result will include all those nodes that
are in either the filter node-set, the selected subtrees, or
both: F' = F UNION S'.
o Update the filter node-set F to be the new node-set F'.
* Finally, after applying all the XPath expressions, compute the
output node-set O to be the intersection of the computed filter
node-set, F, with the input node-set, I. The result will
include all nodes from the input node-set that are also in the
filter node-set: O = I INTERSECT F.
* An empty input node-set will always result in an empty output
node-set.
In this processing model, the conversion from a subtree interpretation of the XPath expressions to a node-set containing all nodes that must be used during the set operation, along with actual performance of the set operation, is described explicitly. Implementors SHOULD observe that it is possible to compute the effective result of this operation in a single pass through the input document without performing subtree expansion or any set operations:
在此处理模型中,明确描述了从XPath表达式的子树解释到包含集合操作期间必须使用的所有节点的节点集的转换,以及集合操作的实际性能。实施者应注意,在不执行子树展开或任何集合操作的情况下,可以在通过输入文档的一次过程中计算此操作的有效结果:
* For each XPath expression X, in sequence, evaluate the expression and store the resulting node-set, S, along with the associated set operation. * Prepend a node-set consisting of just the document node, along with the operation union. * Create a new, empty filter node-set. * Process each node in the input node-set document, adding each node to the output node-set F if a flag Z is true. The flag is computed as follows:
* 对于每个XPath表达式X,依次计算表达式并存储生成的节点集S以及关联的集操作。*在仅包含文档节点和操作联合的节点集之前添加前缀。*创建新的空筛选器节点集。*处理输入节点集文档中的每个节点,如果标志Z为真,则将每个节点添加到输出节点集F。该标志的计算如下:
o Z is true if and only if the node is present in any subtree-expanded union node-set and all subsequent subtree-expanded intersect node-sets but no subsequent subtree-expanded subtract node-sets, or false otherwise. If there are no subsequent intersect or subtract node-sets, then that part of the test is automatically passed. o Presence in a subtree-expanded node-set can be efficiently determined without actually expanding the node-set, by simply maintaining a stack or count that identifies whether any nodes from that node-set are an ancestor of the node being processed.
o 当且仅当节点存在于任何子树展开的并集节点集中以及所有后续子树展开的相交节点集中,但没有后续子树展开的减法节点集中时,Z为真,否则为假。如果没有后续的相交或相减节点集,则该部分测试将自动通过。o通过简单地维护一个堆栈或计数,识别来自该节点集中的任何节点是否是正在处理的节点的祖先,可以有效地确定子树扩展节点集中的存在,而无需实际扩展节点集。
Implementers MAY further observe that, if this transform is followed by a canonicalization operation (e.g., [XML-C14N]), the described filter computation can be efficiently commingled with the document-order canonicalization processing.
实现者可以进一步观察到,如果该转换之后是规范化操作(例如,[XML-C14N]),则所描述的过滤器计算可以有效地与文档顺序规范化处理混合。
The example below illustrates one way to create an enveloped signature with the signature filter transform. The function here() identifies the XPath element, and the subsequent location path obtains the nearest ancestor Signature element. Due to the subtract value of the Filter attribute, the output of the signature filter transform is a node-set containing every node from the input node-set except the nodes in the subtree rooted by the Signature element containing the example signature filter transform below.
下面的示例演示了使用签名过滤器转换创建封装签名的一种方法。函数here()标识XPath元素,后续位置路径获取最近的祖先签名元素。由于Filter属性的减法值,签名过滤器变换的输出是一个节点集,包含输入节点集中的每个节点,但子树中以包含下面示例签名过滤器变换的签名元素为根的节点除外。
<XPath Filter="subtract"
xmlns="http://www.w3.org/2002/06/xmldsig-filter2"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
here()/ancestor::dsig:Signature[1] </XPath>
<XPath Filter="subtract"
xmlns="http://www.w3.org/2002/06/xmldsig-filter2"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
here()/ancestor::dsig:Signature[1] </XPath>
A suitable signature reference URI to use with this subtract filter would be URI="" (the entire signature document, without comments), URI="#xpointer(/)" (the entire signature document, with comments) or any same-document reference that includes the signature itself.
与此减法筛选器一起使用的合适签名引用URI应为URI=“”(整个签名文档,无注释)、URI=“#xpointer(/)”(整个签名文档,有注释)或包含签名本身的任何相同文档引用。
An example of an intersect filter is a signature that co-signs another signature. In this example, a Signature element identified by PrimaryBorrowSig must be signed. The XPath expression obtains the element node, and the transform expands the output node-set to contain all nodes from the input node-set that are also in the subtree rooted by the element node.
intersect筛选器的一个示例是对另一个签名进行联合签名的签名。在本例中,必须对primarybrowsig标识的签名元素进行签名。XPath表达式获取元素节点,转换将扩展输出节点集,以包含输入节点集中的所有节点,这些节点也位于元素节点所根的子树中。
<XPath Filter="intersect"
xmlns="http://www.w3.org/2002/06/xmldsig-filter2">
id("PrimaryBorrowerSig") </XPath>
<XPath Filter="intersect"
xmlns="http://www.w3.org/2002/06/xmldsig-filter2">
id("PrimaryBorrowerSig") </XPath>
This type of intersect filter is useful for efficiently signing subsets of a document, whether this is the same document as the signature or an external document. For example, if the signature reference URI is URI="document.xml", then this document will be automatically parsed and just the identified element and its descendants will be signed.
这种类型的intersect筛选器对于有效地对文档子集进行签名非常有用,无论该文档是与签名相同的文档还是外部文档。例如,如果签名引用URI是URI=“document.xml”,那么该文档将被自动解析,并且只对已标识的元素及其子元素进行签名。
Union filters, by themselves are of no particular use: The initial filter node-set consists of the entire input document; any union with this will have no effect, so the output of the transform will be identical to the input. The union operation is intended to follow a subtract operation, to allow a subtree to be removed, with the exception of a lower subtree which is still included in the output.
联合过滤器本身没有特殊用途:初始过滤器节点集由整个输入文档组成;任何与此合并都将无效,因此变换的输出将与输入相同。union操作旨在跟随减法操作,以允许删除子树,但仍包含在输出中的较低子树除外。
Consider the following document which contains a same-document enveloped signature reference with an XPath filter containing three
考虑下面的文档,其中包含一个包含三个XPath筛选器的同一文档信封签名引用
XPath operations:
XPath操作:
<Document>
<ToBeSigned>
<!-- comment -->
<Data />
<NotToBeSigned>
<ReallyToBeSigned>
<!-- comment -->
<Data />
</ReallyToBeSigned>
</NotToBeSigned>
</ToBeSigned>
<ToBeSigned>
<Data />
<NotToBeSigned>
<Data />
</NotToBeSigned>
</ToBeSigned>
<dsig:Signature
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig:SignedInfo>
...
<dsig:Reference URI="">
<dsig:Transforms>
<dsig:Transform
Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig-xpath:XPath
Filter="intersect"> //ToBeSigned </dsig-xpath:XPath>
<dsig-xpath:XPath
<Document>
<ToBeSigned>
<!-- comment -->
<Data />
<NotToBeSigned>
<ReallyToBeSigned>
<!-- comment -->
<Data />
</ReallyToBeSigned>
</NotToBeSigned>
</ToBeSigned>
<ToBeSigned>
<Data />
<NotToBeSigned>
<Data />
</NotToBeSigned>
</ToBeSigned>
<dsig:Signature
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig:SignedInfo>
...
<dsig:Reference URI="">
<dsig:Transforms>
<dsig:Transform
Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig-xpath:XPath
Filter="intersect"> //ToBeSigned </dsig-xpath:XPath>
<dsig-xpath:XPath
Filter="subtract"> //NotToBeSigned </dsig-xpath:XPath>
<dsig-xpath:XPath
Filter="union"> //ReallyToBeSigned </dsig-xpath:XPath>
</dsig:Transform>
</dsig:Transforms>
...
</dsig:Reference>
</dsig:SignedInfo>
...
</dsig:Signature> </Document>
Filter="subtract"> //NotToBeSigned </dsig-xpath:XPath>
<dsig-xpath:XPath
Filter="union"> //ReallyToBeSigned </dsig-xpath:XPath>
</dsig:Transform>
</dsig:Transforms>
...
</dsig:Reference>
</dsig:SignedInfo>
...
</dsig:Signature> </Document>
The intersect operation computes the intersection of the XPath-selected subtrees with the filter node-set. In this case, the filter node-set initially contains the entire input document, and the XPath expression evaluates to the two ToBeSigned elements; these are expanded to include all their descendents and intersected with the filter node-set, resulting in the following:
intersect操作计算XPath所选子树与筛选器节点集的交集。在本例中,过滤器节点集最初包含整个输入文档,XPath表达式的计算结果为两个ToBeSigned元素;这些节点将展开以包括其所有子节点,并与过滤器节点集相交,从而产生以下结果:
<ToBeSigned>
<!-- comment -->
<Data />
<NotToBeSigned>
<ReallyToBeSigned>
<!-- comment -->
<Data />
</ReallyToBeSigned>
</NotToBeSigned>
</ToBeSigned><ToBeSigned>
<Data />
<NotToBeSigned>
<Data />
</NotToBeSigned>
</ToBeSigned>
<ToBeSigned>
<!-- comment -->
<Data />
<NotToBeSigned>
<ReallyToBeSigned>
<!-- comment -->
<Data />
</ReallyToBeSigned>
</NotToBeSigned>
</ToBeSigned><ToBeSigned>
<Data />
<NotToBeSigned>
<Data />
</NotToBeSigned>
</ToBeSigned>
The subtract filter computes the subtraction of the XPath-selected subtrees from the filter node-set. In this case, the XPath expression evaluates to the two NotToBeSigned elements; these are expanded to include all their descendents and subtracted from the filter node-set:
减法过滤器从过滤器节点集中计算XPath所选子树的减法。在本例中,XPath表达式计算为两个NotToDesign元素;这些将展开以包括其所有子代,并从过滤器节点集中减去:
<ToBeSigned>
<!-- comment -->
<Data />
<ToBeSigned>
<!-- comment -->
<Data />
</ToBeSigned><ToBeSigned>
<Data />
</ToBeSigned><ToBeSigned>
<Data />
</ToBeSigned>
</ToBeSigned>
Next, the union filter computes the union of the XPath-selected subtrees with the filter node-set. In this case, the XPath expression evaluates to the ReallyToBeSigned element; this is expanded to include all its descendents and added to the filter node-set:
接下来,联合过滤器计算XPath所选子树与过滤器节点集的联合。在本例中,XPath表达式的计算结果为ReallyToBeSigned元素;这将展开以包括其所有子代,并添加到过滤器节点集:
<ToBeSigned>
<!-- comment -->
<Data />
<ReallyToBeSigned>
<!-- comment -->
<Data />
</ReallyToBeSigned>
</ToBeSigned><ToBeSigned>
<Data />
<ToBeSigned>
<!-- comment -->
<Data />
<ReallyToBeSigned>
<!-- comment -->
<Data />
</ReallyToBeSigned>
</ToBeSigned><ToBeSigned>
<Data />
</ToBeSigned>
</ToBeSigned>
Finally, this resulting filter node-set is used to transform the input node-set. In this example, the input node-set is the entire document, with comments removed. The transformed node-set will thus be all those nodes from the input document, less comments, that are also in the filter node-set:
最后,该结果过滤器节点集用于转换输入节点集。在本例中,输入节点集是整个文档,删除了注释。因此,转换后的节点集将是输入文档中的所有节点,减去注释,这些节点也在过滤器节点集中:
<ToBeSigned>
<ToBeSigned>
<Data />
<ReallyToBeSigned>
<Data />
<ReallyToBeSigned>
<Data />
</ReallyToBeSigned>
</ToBeSigned><ToBeSigned>
<Data />
<Data />
</ReallyToBeSigned>
</ToBeSigned><ToBeSigned>
<Data />
</ToBeSigned>
</ToBeSigned>
Note that the result contains no nodes that were not in the input node-set. Although the filter node-set included comments, these were not present in the input node-set so they are not present in the output node-set.
请注意,结果不包含不在输入节点集中的节点。尽管过滤器节点集包含注释,但这些注释不存在于输入节点集中,因此它们不存在于输出节点集中。
This signature filter does not provide any increased capability over the original XPath transform. For example, this reference could be replicated using the XPath transform as follows.
与原始XPath转换相比,此签名筛选器不提供任何增强的功能。例如,可以使用XPath转换复制此引用,如下所示。
<dsig:Reference URI="">
<dsig:Transforms>
<dsig:Transform
<dsig:Reference URI="">
<dsig:Transforms>
<dsig:Transform
Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<dsig:XPath>
(ancestor-or-self::ToBeSigned and
not (ancestor-or-self::NotToBeSigned))
or ancestor-or-self::ReallyToBeSigned
</dsig:XPath>
</dsig:Transform>
</dsig:Transforms>
... </dsig:Reference>
Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<dsig:XPath>
(ancestor-or-self::ToBeSigned and
not (ancestor-or-self::NotToBeSigned))
or ancestor-or-self::ReallyToBeSigned
</dsig:XPath>
</dsig:Transform>
</dsig:Transforms>
... </dsig:Reference>
The advantage of the signature filter transform over the XPath transform is that the latter requires evaluation of a potentially-complex expression against every node in the input set, which has proved costly in practice for many useful operations. This specification's filter requires evaluation of simple XPath expressions and then the execution of some basic set operations or their equivalent, which can be implemented significantly more efficiently.
与XPath转换相比,签名过滤器转换的优势在于后者需要针对输入集中的每个节点计算一个潜在的复杂表达式,这在实践中对于许多有用的操作来说代价高昂。该规范的过滤器需要对简单的XPath表达式求值,然后执行一些基本的集合操作或其等效操作,这些操作可以更有效地实现。
[Keywords] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[关键词]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[URI] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998.
[URI]Berners Lee,T.,Fielding,R.和L.Masinter,“统一资源标识符(URI):通用语法”,RFC 2396,1998年8月。
[XML] "Extensible Markup Language (XML) 1.0 (Second Edition)", T. Bray, E. Maler, J. Paoli, and C. M. Sperberg-McQueen. W3C Recommendation, October 2000. Available at <http://www.w3.org/TR/2000/REC-xml-20001006>.
[XML]“可扩展标记语言(XML)1.0(第二版)”,T.Bray,E.Maler,J.Paoli和C.M.Sperberg-McQueen。W3C建议,2000年10月。可在<http://www.w3.org/TR/2000/REC-xml-20001006>.
[XML-C14N] Boyer, J., "Canonical XML", RFC 3076, March 2001. Also a W3C Recommendation available at <http://www.w3.org/TR/2001/REC-xml-c14n-20010315>.
[XML-C14N]Boyer,J.,“规范XML”,RFC 30762001年3月。另外,W3C建议也可在<http://www.w3.org/TR/2001/REC-xml-c14n-20010315>.
[XML-DSig] Eastlake, J., Reagle, J. and D. Solo, "XML-Signature Syntax and Processing", RFC 3275, March 2002. Also a W3C Recommendation available at <http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/>.
[XMLDSIG]Eastlake,J.,Reagle,J.和D.Solo,“XML签名语法和处理”,RFC3275,2002年3月。另外,W3C建议也可在<http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/>.
[XML-NS] "Namespaces in XML", T. Bray, D. Hollander, and A. Layman. W3C Recommendation, January 1999. Available at <http://www.w3.org/TR/1999/REC-xml-names-19990114/>.
[XML-NS]“XML中的名称空间”,T.Bray、D.Hollander和A.Layman。W3C建议,1999年1月。可在<http://www.w3.org/TR/1999/REC-xml-names-19990114/>.
[XPath] "XML Path Language (XPath) Version 1.0", J. Clark and S. DeRose. W3C Recommendation, November 1999. Available at <http://www.w3.org/TR/1999/REC-xpath-19991116>. (Note also XPath Errata at <http://www.w3.org/1999/11/REC-xpath-19991116-errata>.)
[XPath]“XML路径语言(XPath)1.0版”,J.Clark和S.DeRose。W3C建议,1999年11月。可在<http://www.w3.org/TR/1999/REC-xpath-19991116>. (另请注意XPath勘误表<http://www.w3.org/1999/11/REC-xpath-19991116-errata>.)
[XPointer] "XML Pointer Language (XPointer)", S. DeRose, R. Daniel, and E. Maler. W3C Candidate Recommendation, January 2001. Available at <http://www.w3.org/TR/2001/CR-xptr-20010911/>.
[XPointer]“XML指针语言(XPointer)”,S.DeRose、R.Daniel和E.Maler。W3C候选人推荐,2001年1月。可在<http://www.w3.org/TR/2001/CR-xptr-20010911/>.
John Boyer PureEdge Solutions Inc. 4396 West Saanich Rd. Victoria, BC, Canada V8Z 3E9
John Boyer PureEdge Solutions Inc.加拿大不列颠哥伦比亚省维多利亚州西萨尼奇路4396号V8Z 3E9
Phone: +1-888-517-2675
EMail: jboyer@PureEdge.com
Phone: +1-888-517-2675
EMail: jboyer@PureEdge.com
Merlin Hughes Betrusted, Inc. 11000 Broken Land Parkway Suite 900 Columbia, MD 21044
Merlin Hughes Betrusted,Inc.11000 Brokend Land Parkway Suite 900哥伦比亚,马里兰州21044
Phone: +1-443-367-7000
EMail: Merlin.Hughes@betrusted.com
Phone: +1-443-367-7000
EMail: Merlin.Hughes@betrusted.com
Joseph M. Reagle Jr., W3C Massachusetts Institute of Technology Laboratory for Computer Science NE43-350, 545 Technology Square Cambridge, MA 02139
Joseph M.Reagle Jr.,W3C麻省理工学院计算机科学实验室NE43-350,马萨诸塞州剑桥技术广场545号,邮编02139
Phone: +1.617.258.7621
EMail: reagle@mit.edu
Phone: +1.617.258.7621
EMail: reagle@mit.edu
Copyright (C) The Internet Society (2003). All Rights Reserved.
版权所有(C)互联网协会(2003年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。