Hi Paul,

Could you create a test-case for this and I'll take a look?

Colm.

On Tue, Dec 27, 2011 at 9:01 PM, Paul <[email protected]> wrote:
>
> I have a question about signing xml and then using xpaths against the new
> signature tags in the xml. In one case a co-worker checked in some code that
> had a very subtle change - here is a simplified example:
>
> (xmlsec 1.4.5)
>
> ...
> Document doc = dbf.newDocumentBuilder().parse( new FileInputStream( fileName ) );
>
> DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), doc.getDocumentElement());
>
> XMLSignature signature = fac.newXMLSignature(si, ki);
>
> signature.sign(dsc);
>
> if ( doTransform == true )
> {
>     OutputStream os = new FileOutputStream(outputFilename);
>     TransformerFactory tf = TransformerFactory.newInstance();
>     Transformer trans = tf.newTransformer();
>     trans.transform(new DOMSource(doc), new StreamResult(os));
>
>     doc = dbf.newDocumentBuilder().parse( new FileInputStream( outputFilename ) );
> }
> ...
>
> If I set the doTransform variable to true, then all of the code works as
> designed. On the other hand, if I set doTransform to false and just use the
> doc directly, then xpaths looking for "Signature" will fail. So, it seems that
> this last transformation step is required? Or another way of looking at it - you
> can't just have one Document object for operations both before signing and
> after signing - there has to be one transformation that takes place. I'm
> thinking about this in terms of server performance where there may be 50 - 100
> threads signing stuff at the same time.
>
> thanks,
> Paul.
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
