Well, this patch still has some problems:
0) The "writer" approach you use is less flexible than the "flags" approach
I have suggested. For example, it does not allow you to write *both*
the subject name and issuer serial nodes, which might be required.
O.K. I'm surprised: verification works when <X509Data> contains more than one tag (for example
X509SubjectName and X509Certificate) for the same certificate.
Why not? It might happen that one client is optimised to do cert lookup by subject name
and another one prefers to use serial number. If you put both in X509Data then you help both :)
The X509IssuerSerial node can contain two subnodes, and the check for empty should be
more precise. The current source will remove the content of a non-empty X509IssuerSerial node.
Yes, you are right. xmlSecIsEmptyNode() should check for element children. I have fixed it
(patch attached).
Between X509Data subnodes we can have text nodes.
According to XMLDSig, only whitespace text nodes are allowed. Thus we don't care.
I don't think that formatting is such a big issue.
Is it allowed to have text in X509Data?
Only whitespaces.
At the moment I'm not sure which is better:
- XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE
or
- XMLSEC_KEYINFO_FLAGS_CONTINUE_ON_EMPTY_NODE
When we try to verify an xml file, according to the schema definition X509Data can be empty, but a subnode cannot be empty. In this case I think that we should stop on an empty subnode. I call this mode "plain reading".
When we try to sign xml we are in another mode, "template reading". In this mode empty subnodes should be allowed.
I will try to find where to set up the flag in the source code (xmlSecDSigCtxVerify/xmlSecDSigCtxSign ...?).
I don't see how an empty X509Data child can do any harm. It would not influence the signature
verification, thus I think that "by default" it should be allowed.
Which is better:
- if(xmlSecIsEmptyNode(cur) == 1)
or
- if(xmlSecIsEmptyNode(cur) != 0)
?
" == 1" is better :) xmlSecIsEmptyNode() returns a negative value if an error occurs
(see the documentation right before the function) :)
Aleksey
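To make the return-value point above concrete, here is an added, self-contained C example. It is not xmlsec's code: instead of libxml2's xmlNode it uses a toy `node_t` struct and a `next_element()` helper, both constructed for this example, and `is_empty_node()` is a stand-in for xmlSecIsEmptyNode() with the same three-state contract the thread describes (negative on error, 0 when the node has an element child or non-whitespace text, 1 when it is empty or contains only whitespace text). The two wrappers show why `== 1` and `!= 0` are not interchangeable once the error case is possible.

```c
#include <stddef.h>
#include <stdio.h>
#include <ctype.h>

/* Toy node: constructed for this example, not libxml2's xmlNode. */
typedef enum { NODE_ELEMENT, NODE_TEXT } node_type_t;

typedef struct node {
    node_type_t  type;
    const char  *content;   /* text for NODE_TEXT, NULL for elements */
    struct node *children;  /* first child, or NULL */
    struct node *next;      /* next sibling, or NULL */
} node_t;

/* First element node in a sibling list, or NULL (skips text nodes). */
static node_t *next_element(node_t *n) {
    while (n != NULL && n->type != NODE_ELEMENT) n = n->next;
    return n;
}

/* Stand-in for xmlSecIsEmptyNode():
 *   < 0  error (NULL node)
 *     0  not empty: has an element child, or non-whitespace text
 *     1  empty: no children, or whitespace-only text (the only text
 *        XMLDSig permits between X509Data children) */
int is_empty_node(node_t *node) {
    if (node == NULL) return -1;
    if (next_element(node->children) != NULL) return 0;  /* the fix in the patch */
    for (node_t *c = node->children; c != NULL; c = c->next) {
        if (c->type != NODE_TEXT || c->content == NULL) continue;
        for (const char *p = c->content; *p != '\0'; ++p)
            if (!isspace((unsigned char)*p)) return 0;
    }
    return 1;
}

/* The two caller idioms from the thread. "!= 0" silently treats an
 * error (-1) as "empty"; "== 1" only fires on a genuinely empty node. */
int treat_as_empty_strict(node_t *node) { return is_empty_node(node) == 1; }
int treat_as_empty_loose(node_t *node)  { return is_empty_node(node) != 0; }

/* Constructed sample trees (order matters: each refers to earlier ones).
 * <X509IssuerSerial> with two element children separated by whitespace: */
node_t serial        = { NODE_ELEMENT, NULL,        NULL,    NULL };
node_t ws2           = { NODE_TEXT,    "\n  ",      NULL,    &serial };
node_t issuer        = { NODE_ELEMENT, NULL,        NULL,    &ws2 };
node_t ws1           = { NODE_TEXT,    "\n  ",      NULL,    &issuer };
node_t issuer_serial = { NODE_ELEMENT, NULL,        &ws1,    NULL };
/* An element holding only a newline: empty by the contract above. */
node_t ws_only       = { NODE_TEXT,    "\n",        NULL,    NULL };
node_t empty_node    = { NODE_ELEMENT, NULL,        &ws_only, NULL };
/* <X509SubjectName> with real text content: not empty. */
node_t subj_txt      = { NODE_TEXT,    "CN=example", NULL,   NULL };
node_t subject_name  = { NODE_ELEMENT, NULL,        &subj_txt, NULL };

int main(void) {
    printf("NULL node            -> %d\n", is_empty_node(NULL));
    printf("issuer_serial        -> %d\n", is_empty_node(&issuer_serial));
    printf("whitespace-only node -> %d\n", is_empty_node(&empty_node));
    printf("subject_name         -> %d\n", is_empty_node(&subject_name));
    printf("strict(NULL)=%d loose(NULL)=%d\n",
           treat_as_empty_strict(NULL), treat_as_empty_loose(NULL));
    return 0;
}
```

The `!= 0` form would let a caller fall into the "remove empty node" path on an error return, which is exactly the kind of silent content loss the thread is trying to avoid; the `== 1` form leaves the error to be handled separately.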
Index: src/xmltree.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/xmltree.c,v
retrieving revision 1.26
diff -u -r1.26 xmltree.c
--- src/xmltree.c 28 Jul 2003 19:07:54 -0000 1.26
+++ src/xmltree.c 29 Jul 2003 15:43:53 -0000
@@ -630,6 +630,10 @@
int res;
xmlSecAssert2(node != NULL, -1);
+
+ if(xmlSecGetNextElementNode(node->children) != NULL) {
+ return(0);
+ }
content = xmlNodeGetContent(node);
if(content == NULL) {
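Review bot: the new early return for element children changes what xmlSecIsEmptyNode() reports for a node like X509IssuerSerial, but the hunk does not touch the doc comment before the function, which the discussion above points callers at for the return-value contract (negative on error, 1 on empty); that comment should now state that a node with any element child is reported as not empty. Also worth confirming that xmlSecGetNextElementNode() accepts a NULL argument, since `node->children` is NULL for a leaf node; if it does not, guard the call with `if((node->children != NULL) && (xmlSecGetNextElementNode(node->children) != NULL))`. Placing the check before `content = xmlNodeGetContent(node);` is the right spot, as nothing is allocated yet when returning early.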
