I have a question about signing XML and then using XPaths against the new
Signature tags in the XML. In one case a co-worker checked in some code that
had a very subtle change; here is a simplified example (xmlsec 1.4.5):
...
// dbf (DocumentBuilderFactory), fac (XMLSignatureFactory), si (SignedInfo),
// ki (KeyInfo) and keyEntry (KeyStore.PrivateKeyEntry) are set up earlier.
Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(fileName));

// Sign in place: the Signature element is appended as a child of the root.
DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(),
                                        doc.getDocumentElement());
XMLSignature signature = fac.newXMLSignature(si, ki);
signature.sign(dsc);

if (doTransform)
{
    // Serialize the signed DOM to a file and parse it back into a fresh Document.
    OutputStream os = new FileOutputStream(outputFilename);
    TransformerFactory tf = TransformerFactory.newInstance();
    Transformer trans = tf.newTransformer();
    trans.transform(new DOMSource(doc), new StreamResult(os));
    os.close();
    doc = dbf.newDocumentBuilder().parse(new FileInputStream(outputFilename));
}
...
If I set the doTransform variable to true, then all of the code works as
designed. On the other hand, if I set doTransform to false and just use the doc
directly, then XPaths looking for "Signature" will fail. So, it seems that this
last transformation step is required? Or, another way of looking at it: you
can't just have one Document object for operations both before signing and
after signing; there has to be one transformation that takes place. I'm
thinking about this in terms of server performance, where there may be 50-100
threads signing stuff at the same time.
thanks,
Paul.