java xml xml-signature

Xml Signature in Java but only on elements where attribute authenticate='true'


I have been able to sign and verify my XML signature when using Apache Santuario, but now I want to only apply the signature to fields where the attribute authenticate="true".

For example:

<Document>
  <DoNotSign></DoNotSign>
  <DoSign authenticate="true"></DoSign>
  <Something>
    <SomethingElse authenticate="true"></SomethingElse>
  </Something>
</Document>

Can anyone help me understand how to achieve it?

I add the reference URI like so:

xmlSignature.addDocument("#xpointer(//*[@authenticate='true'])", transforms, Constants.ALGO_ID_DIGEST_SHA1);

And just get an exception:

Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: 
Could not find a resolver for URI #xpointer(//*[@authenticate='true'])

I have tried adding the following:

transforms.addTransform(Transforms.TRANSFORM_XPOINTER);
xmlSignature.getSignedInfo().addResourceResolver(new ResolverXPointer());

This gives me an exception when adding the XPOINTER transform. The ResolverXPointer seems to have no effect.

TransformationException: Unknown transformation. 
No handler installed for URI http://www.w3.org/TR/2001/WD-xptr-20010108

The complete method is below:

final var transforms = new Transforms(document);
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
transforms.addTransform(Transforms.TRANSFORM_XPOINTER);

xmlSignature.addDocument("#xpointer(//*[@authenticate='true'])", transforms, Constants.ALGO_ID_DIGEST_SHA1);
xmlSignature.addKeyInfo(signingCertificate);
xmlSignature.sign(signingKey);

Solution

To solve this issue I created a custom ResourceResolverSpi and added it:

      ResourceResolver.register(new XPathResourceResolver(), true);

That solved the issue; the custom resolver just uses XPath to create a Set for signing.