Subject: Re: xmlsec test
From: Colm O hEigeartaigh
To: dev@santuario.apache.org
Date: Tue, 3 Jan 2012 14:53:34 +0000

Hi Paul,

Could you create a test-case for this and I'll take a look?

Colm.

On Tue, Dec 27, 2011 at 9:01 PM, Paul wrote:
>
> I have a question about signing XML and then using XPaths against the new
> signature tags in the XML.
> In one case a co-worker checked in some code that
> had a very subtle change - here is a simplified example:
>
> (xmlsec 1.4.5)
>
> ...
> // dbf, keyEntry, fac, si and ki are set up in the elided code above
> Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(fileName));
>
> DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(),
>         doc.getDocumentElement());
>
> XMLSignature signature = fac.newXMLSignature(si, ki);
>
> signature.sign(dsc);   // inserts the Signature element into doc in place
>
> if (doTransform)
> {
>     // serialise the signed DOM to a file, then parse that file back in
>     OutputStream os = new FileOutputStream(outputFilename);
>     TransformerFactory tf = TransformerFactory.newInstance();
>     Transformer trans = tf.newTransformer();
>     trans.transform(new DOMSource(doc), new StreamResult(os));
>     os.close();
>
>     doc = dbf.newDocumentBuilder().parse(new FileInputStream(outputFilename));
> }
> ...
>
> If I set the doTransform variable to true, then all of the code works as
> designed. On the other hand, if I set doTransform to false and just use the doc
> directly, then XPaths looking for "Signature" will fail. So, it seems that this
> last transformation step is required? Or another way of looking at it - you
> can't just have one Document object for operations both before signing and
> after signing - there has to be one transformation that takes place. I'm
> thinking about this in terms of server performance where there may be 50 - 100
> threads signing stuff at the same time.
>
> thanks,
> Paul.
>
>

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
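A self-contained test of the scenario above, added here as an illustration; it is not code from this thread or from the Santuario project. In my reading, the symptom Paul describes usually comes from namespaces rather than from the DOM itself: XMLSignature.sign() inserts a Signature element in the http://www.w3.org/2000/09/xmldsig# namespace, and an unprefixed XPath step such as //Signature only matches elements in no namespace, so it finds nothing in the live document. After the serialise/re-parse round trip with a parser that is not namespace-aware, the element comes back as a plain "Signature" node with no namespace and the same XPath suddenly matches, which is consistent with doTransform making things "work". The example below signs a small constructed document in place and locates the signature three ways without serialising: an XPath with a NamespaceContext, getElementsByTagNameNS, and a validation pass over the same in-memory DOM. The class name, the sample <order> document and the throwaway RSA key are all assumptions made for this example; the rsa-sha256 algorithm URI is the standard one from RFC 4051.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import java.util.Iterator;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Added example, not code from the thread or from Santuario: sign a DOM in place and
// find the new ds:Signature element by XPath without serialising and re-parsing.
public class SignThenXPath {
    // Constructed sample input; the class name and this document are illustrative only.
    static final String XML =
        "<order xmlns=\"urn:example:orders\"><item>widget</item></order>";
    // RSA-SHA256 URI from RFC 4051 (the SignatureMethod.RSA_SHA256 constant only exists from Java 11).
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // XML-DSig lives in a namespace; the JAXP default is false
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // throwaway key for the demo

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",   // URI="": the whole document, enveloped
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));

        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        dsc.setDefaultNamespacePrefix("ds");   // emit <ds:Signature>; otherwise a default-namespace <Signature>
        fac.newXMLSignature(si, ki).sign(dsc); // inserts the Signature element into doc in place

        // An unprefixed XPath name test matches only elements in NO namespace, so it cannot
        // see the freshly inserted element, whose namespace is XMLSignature.XMLNS.
        Object unprefixed = XPathFactory.newInstance().newXPath()
            .evaluate("//Signature", doc, XPathConstants.NODE);
        System.out.println("//Signature, no namespace context: " + unprefixed);

        // With a NamespaceContext bound to the xmldsig namespace the same DOM resolves it.
        Element sig = findSignature(doc);
        System.out.println("//ds:Signature with namespace context: " + sig.getTagName());

        // Plain DOM lookup by namespace, no XPath needed at all.
        int hits = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").getLength();
        System.out.println("getElementsByTagNameNS hits: " + hits);

        // Validate against the same in-memory DOM: nothing here depended on re-parsing.
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sig);
        System.out.println("signature valid: " + fac.unmarshalXMLSignature(vc).validate(vc));
    }

    // XPath lookup of ds:Signature using a NamespaceContext for the xmldsig namespace.
    static Element findSignature(Document doc) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setNamespaceContext(new NamespaceContext() {
            public String getNamespaceURI(String prefix) {
                return "ds".equals(prefix) ? XMLSignature.XMLNS : XMLConstants.NULL_NS_URI;
            }
            public String getPrefix(String uri) { return XMLSignature.XMLNS.equals(uri) ? "ds" : null; }
            public Iterator<String> getPrefixes(String uri) {
                return Collections.singletonList(getPrefix(uri)).iterator();
            }
        });
        return (Element) xp.evaluate("//ds:Signature", doc, XPathConstants.NODE);
    }
}
```

Compile and run with a JDK (the JSR-105 API and a DOM provider ship with the JDK; Santuario's own provider can be swapped in through XMLSignatureFactory.getInstance("DOM", provider)). The first lookup prints null, the other two find the element, and validation succeeds, all on the one Document object, so no serialise/re-parse step is needed for the 50 to 100 concurrent signers Paul mentions. Two caveats for that threaded setup: DocumentBuilderFactory is not thread-safe, and the XMLSignatureFactory javadoc only guarantees thread safety for its static methods, so keep one factory per thread or synchronise. And when a lookup like //ds:Signature feeds validation of untrusted input, do not stop at "a Signature element exists somewhere": check that the Reference URIs resolve to the element you expect to be signed, or a signature-wrapping attack can move the signed subtree and leave the XPath match in place.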