XSLT transform in xmlSignature java?

廉价感情. 提交于 2019-11-30 09:19:31
pd40

The xslt transform used when signing a document relates to how nodes in your source XML are selected when the signature is calculated.

This question/answer by Dave relates to signing parts of an XML document using xpath2. The link to Sean Mullans' post in this answer suggests xpath2 is more appropriate for signing parts of a document because the evaluation of an xpath expression is done per node.

So based on the sun dsig example you can replace the Reference creation using:

List<XPathType> xpaths = new ArrayList<XPathType>();
xpaths.add(new XPathType("//r1/user", XPathType.Filter.INTERSECT));

Reference ref = fac.newReference
  ("", fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList
          (fac.newTransform(Transform.XPATH2, 
                  new XPathFilter2ParameterSpec(xpaths))),
             null, null); 

This allows //r1/user to be protected with a signature while the rest of the document can be altered.

The problem with the xpath/xpath2 selection is that a signature can be generated for /some/node/that/does/not/exist. You are right to modify a test document and make sure the signature is working the way you expect.

You might test the document in a test program by generating a signature then tampering with the xml node before verification:

NodeList nlt = doc.getElementsByTagName("user");
nlt.item(0).getFirstChild().setTextContent("Something else");


A more reliable alternative to an xpath selector might be to put an ID on the xml document elements you hope to sign like:
<r1>
 <user id="sign1">asd</user>
 <person>ghi</person>
</r1>

then reference this ID as the URI in the first parameter of an enveloped transfer:

Reference ref = fac.newReference
  ("#sign1", fac.newDigestMethod(DigestMethod.SHA1, null),
    Collections.singletonList
      (fac.newTransform(Transform.ENVELOPED,(TransformParameterSpec) null)),
          null, null); 


For the output, a signature operation adds a new Signature element to the DOM you have loaded in memory. You can stream the output by transforming it like this:
TransformerFactory tf = TransformerFactory.newInstance();
Transformer trans = tf.newTransformer();
trans.setOutputProperty(OutputKeys.INDENT, "yes");

trans.transform(new DOMSource(doc), new StreamResult(System.out)); 

The XSLT specification doesn't define what happens to the result document; that's defined by the API specifications of your chosen XSLT processor. For example, if you invoke XSLT from Java using the JAXP interface, you can ask for the result as a DOM tree in memory or for it to be serialized to a specified file on disk.

You have tagged your question "Java" which is the only clue you give to your processing environment. My guess is you want to transform to a DOM and then use DOM interfaces to get the value from the new document. Though if you're using XSLT 2.0 and Saxon, the s9api interface is much more usable than the native JAXP interface.

Sinisha Mihajlovski

The xslt part defines only the transformation definition, nothing else. Have a look at this:

java xslt tutorial

in Francois Gravel answer the input.xml file is the file that will be transformed, the transform.xslt is the xslt definition which describes how to transform the xml file. output.out are the results, this may be xml, but it can also be html, flat file...

This is where I started with when i was using xslt:

http://www.w3schools.com/xsl/default.asp

Have a look at this also:

http://www.w3schools.com/xsl/tryxslt.asp?xmlfile=cdcatalog&xsltfile=cdcatalog

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!