I'm trying to sign a document using the transform TRANSFORM_XPATH2FILTER, but I get a bad signature if I try to use ONLY the filter XPath2FilterContainer.SUBTRACT 1) Ex: String filters[][] = { {XPath2FilterContainer.SUBTRACT, "//NotToBeSigned"} }; transforms.addTransform( Transforms.TRANSFORM_XPATH2FILTER, XPath2FilterContainer.newInstances(doc, filters) ); With this filter I always get the same DigestValue element inside SignedInfo, even with different xml sources. But, if I try to add the filter XPath2FilterContainer.INTERSECT including all nodes, then I get the right DigestValue and signature 2) Ex: String filters[][] = { { XPath2FilterContainer.INTERSECT, "*" },{ XPath2FilterContainer.SUBTRACT, "//NotToBeSigned"} }; transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER, XPath2FilterContainer.newInstances(doc, filters)); The second example works both with the 1.3 and 1.2 releases, while the first one does not work with 1.3 release.
Created attachment 17534 [details] Test case Trying to sign 2 different docs, you have to get 2 different digest value. In 1.3 version ,if you use Filters OK (row 57) it works, but if you use Filters KO (row 60) it doensn't work. In 1.2.1 version it works also with Filters KO.
I modify the source file org.apache.xml.security.transforms.implementations.TransformXPath2Filter inner class XPath2NodeFilter, method isNodeInclude : public boolean isNodeInclude(Node currentNode) { boolean notIncluded = false; if (!substractNodes.isEmpty() && rooted(currentNode, substractNodes)) { notIncluded = true; } else if (!intersectNodes.isEmpty() && !rooted(currentNode, intersectNodes)) { notIncluded = true; } if (!unionNodes.isEmpty() && notIncluded && rooted(currentNode, unionNodes)) { notIncluded = false; } return !notIncluded; } I add the 3 checks !isEmpty() for each ArrayList and now it seems to work.
Incorpareted fix in SVN, thanks for your findings.
Closing old bugs.