I have an issue: my XML signature cannot be verified with an external (e-government) tool. The XML document contains an <xml-stylesheet> directive and this causes a problem. If I remove it, the XML is signed and verified correctly as well. The signature can, however, be verified with a simple Java application I wrote (I don't know what the difference between those two tools is - but normally it must be verifiable with any tool - right?). Can someone help me, please? Thanks in advance.
Here is my code:
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
Document signedDocument = signRequest.getDocument();
Reference ref = fac.newReference("", fac.newDigestMethod(
DigestMethod.SHA1, null), Collections.singletonList(fac
(TransformParameterSpec) null)), null, null);
SignedInfo si = fac
(C14NMethodParameterSpec) null), fac
X509Certificate cert = (X509Certificate) signRequest.getCertificate();
KeyInfoFactory kif = fac.getKeyInfoFactory();
List x509Content = new ArrayList();
X509Data xd = kif.newX509Data(x509Content);
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
DOMSignContext dsc = new DOMSignContext(signRequest.getPrivateKey(),
XMLSignature signature = fac.newXMLSignature(si, ki);
I found this code on Oracle Java. Before that I tried to use Apache Santuario, but I used the XMLSignature object directly (no factory is used) - the same effect.
I tried to use a Reference in order to sign only the root element, but the only way I know is to use the element id -> #my_id to access an element. And this doesn't work either :-(.
Thanks for any help.
Edited by: user5845341 on 21.02.2012 08:02
Maybe one more detail: signing the same document with and without the xslt-stylesheet directive gives me different digest values and signature values as well. If I say that my root node should be signed, how is it possible that those changes are relevant? Is the whole document always signed? I really don't get it... Any tips? Thanks for any help.