XSLT transform in xmlSignature java?

Question

I have a XML document.I am signing a part of document using xmlsignature. Before finding digest, I want to apply XSLT transform.

According to what I read, XSLT converts an XML document to another format(can be XML also). Now I am confused that,
where will be the transformed new document is avilable?

How to retrieve the value from this newly created document if I want to show it to user?

My XML Document

<r1>
 <user>asd</user>
 <person>ghi</person>
</r1>

Code for Transformation

Transform t=fac.newTransform(Transform.XPATH,new XPathFilterParameterSpec("/r1/user"));

According to xpath transformation,Whenever value of user element changes the xmlsignature should not be validated. And if person element's value changes then Signature should be validated. But when I change person element's value the signature is not validated. WHY?

Answer 1

The xslt transform used when signing a document relates to how nodes in your source XML are selected when the signature is calculated.

This question/answer by Dave relates to signing parts of an XML document using xpath2. The link to Sean Mullans' post in this answer suggests xpath2 is more appropriate for signing parts of a document because the evaluation of an xpath expression is done per node.

So based on the sun dsig example you can replace the Reference creation using:

List<XPathType> xpaths = new ArrayList<XPathType>();
xpaths.add(new XPathType("//r1/user", XPathType.Filter.INTERSECT));

Reference ref = fac.newReference
  ("", fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList
          (fac.newTransform(Transform.XPATH2, 
                  new XPathFilter2ParameterSpec(xpaths))),
             null, null); 

This allows //r1/user to be protected with a signature while the rest of the document can be altered.

The problem with the xpath/xpath2 selection is that a signature can be generated for /some/node/that/does/not/exist. You are right to modify a test document and make sure the signature is working the way you expect.

You might test the document in a test program by generating a signature then tampering with the xml node before verification:

NodeList nlt = doc.getElementsByTagName("user");
nlt.item(0).getFirstChild().setTextContent("Something else");

---

A more reliable alternative to an xpath selector might be to put an ID on the xml document elements you hope to sign like:

<r1>
 <user id="sign1">asd</user>
 <person>ghi</person>
</r1>

then reference this ID as the URI in the first parameter of an enveloped transfer:

Reference ref = fac.newReference
  ("#sign1", fac.newDigestMethod(DigestMethod.SHA1, null),
    Collections.singletonList
      (fac.newTransform(Transform.ENVELOPED,(TransformParameterSpec) null)),
          null, null); 

---

For the output, a signature operation adds a new Signature element to the DOM you have loaded in memory. You can stream the output by transforming it like this:

TransformerFactory tf = TransformerFactory.newInstance();
Transformer trans = tf.newTransformer();
trans.setOutputProperty(OutputKeys.INDENT, "yes");

trans.transform(new DOMSource(doc), new StreamResult(System.out));