Search code examples
javaxmljaxbxml-dsig

Java DOM appendChild: namespaces and signed documents

I'm having a problem generating a document with signed nodes. I have a bunch of signed XMLs, in text format. They signature is valid, I've tested it with xmlsec1. I have to load all the XMLs and put them in another XML document, for sending it to another service. So, first of all I create the container document ("sobre" is a local variable, a JAXB root element):

JAXBContext context = JAXBContext.newInstance("org.importe.test");
StringWriter writer = new StringWriter();
Marshaller marshaller = context.createMarshaller();
marshaller.marshal(sobre, writer);
String xml = writer.toString();
Document doc = loadXMLFromString(xml);

and then I add the XMLs to the container:

for (String cfexml : cfexmls) {
  Document cfe = loadXMLFromString(cfexml);
  Node newNode = doc.importNode(cfe.getDocumentElement(), true);
  doc.getElementsByTagName("EnvioCFE").item(0).appendChild(newNode);
}

finally I get the xml from the container document:

TransformerFactory tf = TransformerFactory.newInstance();
Transformer trans = tf.newTransformer();
StringWriter outputWriter = new StringWriter();
trans.transform(new DOMSource(doc), new StreamResult(outputWriter));
String signedxml = outputWriter.toString();

The point is that I'm getting the child node modified, without namespaces, and so the signature validation of the extract node fails. Here is an excerpt of the XML that I've to add as a child node:

<?xml version="1.0" encoding="UTF-8"?>
<CFE xmlns="http://org.importe.test" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" version="1.0">
  <data>
    [...]
  </data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    [...]
  </Signature>
</CFE>

but when the node is imported in the container document it get modified (actually I've noticed that it loose namespace declarations):

<?xml version="1.0" encoding="UTF-8"?>
<EnvioCFE xmlns="http://org.importe.test" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" version="1.0">
  <Header version="1.0">
  </Header>
  <CFE version="1.0">
    <data>
      [...]
    </data>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      [...]
    </Signature>
  </CFE>
</EnvioCFE>

How can I add a node to the container keeping the namespace declaration? More generally can I add it being sure it's added "as is", without any modifications? (I'm using glassfish 4 and Java 7)

Thank you

EDIT:

This is the code of loadXMLFromString:

public Document loadXMLFromString(String xml) throws ParserConfigurationException, SAXException, IOException {
  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
  factory.setNamespaceAware(true);
  DocumentBuilder builder = factory.newDocumentBuilder();
  return builder.parse(new InputSource(new StringReader(xml)));
}
Solution

  • Ok, I've done research and I've found the problem:

    • if I use xalan-2.7.1.jar, xercesImpl-2.9.1.jar, xml-apis-1.3.04.jar and xmlsec-1.5.6.jar for DOM and XML security implementation, it works as I expect: adding a node does not modify the contents, so the digital signature is valid;
    • if I use the standard java libraries not only adding a node change the node itself, but sometimes the digital signature doesn't pass the xmlsec1 check, I imagine for a problem in the transformation from DOM to String.

    I hope this can help someone, anyway I don't know why it happens, I'm sure I'm not doing weird things, but I've no time now to going deeply.

    Actually I'm stuck to find how tell glassfish to load the DOM implementation I want, or to set a priority: I've found no way to say "load xerces instead of standard lib".