Scott,

thanks, that was exactly the pointer I needed! If you have a minute, please 
have a look at this. My doc looks like this:

<Envelope>
<Header>...</Header>
<Body><pdpa:message>...</pdpa:message></Body>
</Envelope>

I would like to sign the "message" payload in the Body. So I did

transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
String filter [][] = {{XPath2FilterContainer.INTERSECT, "//Body/message"}};
transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER,
        XPath2FilterContainer.newInstances(document, filter));

and the usual Signature transforms (canonise it, sign it) and got:

<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
<ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" 
Filter="intersect">//Body/message</dsig-xpath:XPath>
</ds:Transform>...
</ds:Reference>
</ds:SignedInfo>

where I *hope* the XPath expression returns exactly the element I wanted, i.e. 
the intersection of the whole document (BaseURI, nothing else specified) with 
the Body/message portion.

I think I could also have an identifying attribute in the <pdpa:message>, and 
replace the expression with id("nameOfIDAttr"). Which is, I think, the 
recommended way as it is faster and less error-prone (I can assume 
Schema-aware entities).

Would this be the correct way? I am asking because it is kind of difficult to 
find out what's happening inside the black box, i.e. there is no output as to 
which elements are actually being signed.

Ralph

-- 
For contact details, please see www.ralphholz.de.
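
One way to see which nodes an expression selects before it goes into a signature transform, as an added example that is not part of the message above and not Apache XML Security code: it evaluates candidate expressions with the JDK's own javax.xml.xpath against a constructed document of the same shape. In XPath 1.0 an unprefixed name test matches only elements in no namespace, so the check is namespace-aware. Assumptions: the "pdpa" namespace URI is a placeholder, and Envelope and Body are in no namespace, as shown in the message.

```java
import java.io.StringReader;
import java.util.Iterator;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathSelectionCheck {
    // Placeholder namespace URI: the message does not show what "pdpa" is bound to.
    static final String PDPA_NS = "urn:example:pdpa-placeholder";

    // Constructed sample in the shape of the document in the message.
    static final String DOC =
        "<Envelope><Header>h</Header><Body>"
      + "<pdpa:message xmlns:pdpa='" + PDPA_NS + "'>payload</pdpa:message>"
      + "</Body></Envelope>";

    // Number of nodes an XPath 1.0 expression selects, evaluated from the document root.
    static int count(Document doc, String expr) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setNamespaceContext(new NamespaceContext() {
            public String getNamespaceURI(String p) {
                return "pdpa".equals(p) ? PDPA_NS : XMLConstants.NULL_NS_URI;
            }
            public String getPrefix(String uri) { return null; }
            public Iterator<String> getPrefixes(String uri) { return null; }
        });
        return ((NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET)).getLength();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // required for namespace-correct name tests
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(DOC)));
        String[] exprs = {"//Body/message", "//Body/pdpa:message", "//Body/*[local-name()='message']"};
        for (String e : exprs) {
            int n = count(doc, e);
            // Exactly one selected node is the only acceptable outcome for a signing reference.
            System.out.println(e + " -> " + n + (n == 1 ? "" : "  (do not sign: expected exactly 1)"));
        }
    }
}
```

An expression that selects no nodes leaves the intersect filter with an empty node set, so the digest would cover nothing; checking the count on both the signing and the verifying side catches that case.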
