XSLT transform in xmlSignature java?


Problem description


I have an XML document. I am signing a part of the document using xmlsignature. Before finding the digest, I want to apply an XSLT transform.

According to what I read, XSLT converts an XML document to another format (can be XML also). Now I am confused:
where will the transformed new document be available?

How do I retrieve the value from this newly created document if I want to show it to the user?

My XML Document

<r1>
 <user>asd</user>
 <person>ghi</person>
</r1>

Transformation code

Transform t=fac.newTransform(Transform.XPATH,new XPathFilterParameterSpec("/r1/user"));

According to the xpath transformation, whenever the value of the user element changes, the xmlsignature should not be validated. And if the person element's value changes, then the signature should be validated. But when I change the person element's value, the signature is not validated. WHY?

Recommended answer

The xslt transform used when signing a document relates to how nodes in your source XML are selected when the signature is calculated.

This question/answer by Dave relates to signing parts of an XML document using xpath2. The link to Sean Mullans' post in this answer suggests xpath2 is more appropriate for signing parts of a document because the evaluation of an xpath expression is done per node.

So based on the sun dsig example you can replace the Reference creation using:

List<XPathType> xpaths = new ArrayList<XPathType>();
xpaths.add(new XPathType("//r1/user", XPathType.Filter.INTERSECT));

Reference ref = fac.newReference
  ("", fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList
          (fac.newTransform(Transform.XPATH2, 
                  new XPathFilter2ParameterSpec(xpaths))),
             null, null); 

This allows //r1/user to be protected with a signature while the rest of the document can be altered.

The problem with the xpath/xpath2 selection is that a signature can be generated for /some/node/that/does/not/exist. You are right to modify a test document and make sure the signature is working the way you expect.

You might test the document in a test program by generating a signature then tampering with the xml node before verification:

NodeList nlt = doc.getElementsByTagName("user");
nlt.item(0).getFirstChild().setTextContent("Something else");

A more reliable alternative to an xpath selector might be to put an ID on the xml document elements you hope to sign like:

<r1>
 <user id="sign1">asd</user>
 <person>ghi</person>
</r1>

then reference this ID as the URI in the first parameter of an enveloped transfer:

Reference ref = fac.newReference
  ("#sign1", fac.newDigestMethod(DigestMethod.SHA1, null),
    Collections.singletonList
      (fac.newTransform(Transform.ENVELOPED,(TransformParameterSpec) null)),
          null, null); 

For the output, a signature operation adds a new Signature element to the DOM you have loaded in memory. You can stream the output by transforming it like this:

TransformerFactory tf = TransformerFactory.newInstance();
Transformer trans = tf.newTransformer();
trans.setOutputProperty(OutputKeys.INDENT, "yes");

trans.transform(new DOMSource(doc), new StreamResult(System.out)); 
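
The tamper test and the non-matching-XPath caveat from the answer above, combined into one check; this is an added example and not part of the original answer. It signs the question's document with an XPath2 filter, then validates with the `javax.xml.crypto.dsig.cacheReference` property set so the exact bytes the Reference digested can be read back; an empty `covered` value means the signature protects nothing, whatever `valid` says. Assumptions: the class and helper names are hypothetical, the key is generated on the spot, SHA-256 replaces the answer's SHA1, and Java 9+ is required.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SignedBytesCheck { // hypothetical class name; Java 9+ (readAllBytes)
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    // Signs the question's document (constructed inline) with an XPath2 INTERSECT filter.
    static Document signed(String xpath, PrivateKey key) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(
            "<r1><user>asd</user><person>ghi</person></r1>".getBytes("UTF-8")));
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(FAC.newTransform(Transform.XPATH2, new XPathFilter2ParameterSpec(
                Collections.singletonList(new XPathType(xpath, XPathType.Filter.INTERSECT))))), null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        FAC.newXMLSignature(si, null).sign(new DOMSignContext(key, doc.getDocumentElement()));
        return doc;
    }

    // Validates, then returns the verdict plus the exact bytes the Reference digested.
    static String check(Document doc, PublicKey key) throws Exception {
        DOMValidateContext vc = new DOMValidateContext(key,
            doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
        vc.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); // keep digest input
        XMLSignature sig = FAC.unmarshalXMLSignature(vc);
        boolean valid = sig.validate(vc);
        Reference ref = (Reference) sig.getSignedInfo().getReferences().get(0);
        return "valid=" + valid + " covered=[" + new String(ref.getDigestInputStream().readAllBytes(), "UTF-8") + "]";
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway demo key, JDK default size
        for (String xpath : new String[] {"//r1/user", "/some/node/that/does/not/exist"}) {
            Document doc = signed(xpath, kp.getPrivate());
            for (String tag : new String[] {null, "person", "user"}) { // null = document left untouched
                if (tag != null) doc.getElementsByTagName(tag).item(0).setTextContent("changed");
                System.out.println(xpath + " edit=" + tag + " -> " + check(doc, kp.getPublic()));
            }
        }
    }
}
```

A verifier can apply the same idea in production by rejecting any signature whose cached digest input is empty or does not contain the element it is about to trust.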
