Using XSL with XML Signature engines

Author: Ed Simon, Entrust Technologies
Date: 2000 January
Acknowledgements: Thanks to Kent Tamura of IBM for helping out with impromptu code reviews.

The XML Signature specification describes how to use XPath and XSLT as transformations to be applied to an XML document before it is digested. For many applications, it might also make sense to create XML Signature <Signature> elements (and their children) through XSL stylesheets. This presentation takes a look at how XSLT code might be written to support these scenarios.

Important: To view most of these links, you require an XML-aware browser such as Internet Explorer 5.01.

Calling XML Signature functions through XSLT stylesheets; the basic scenario

In the first scenario, an application is assumed to have created a "template" for an XML Signature from some resources. The XML Signature template includes two URIs and all the details of the XML Signature EXCEPT the cryptographic values, specifically the digests of the resources and the signature value. The cryptographic values are placed in the signature by applying two XSLT stylesheets: one to get the digest values and one to get the signature value. The main role of the XSLT stylesheets is to provide a straightforward interface for calling Java methods that do the actual cryptographic processing.

  1. XML Signature template with dummy crypto values
  2. XSL for updating digest values
  3. Result of applying XSL to template
  4. XSL for updating SignatureValue and KeyValue elements
  5. Result of applying previous XSL
  6. XSL for verifying signature
  7. Result of applying previous XSL
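
The two-pass fill and the verification step listed above, as an added example that is not the author's stylesheets or Java methods: Python stands in for the XSLT-plus-Java pipeline, and HMAC-SHA256 stands in for the public-key signature so that only the standard library is needed. The resource URIs, the key, the template and all function names are constructed for illustration, and the canonicalization of SignedInfo is simplified to the standard library's C14N 2.0 routine.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
ET.register_namespace("ds", DS)

# Constructed sample inputs: two resources, a MAC key, and a signature template.
RESOURCES = {"urn:example:a": b"first resource", "urn:example:b": b"second resource"}
KEY = b"constructed-demo-key"
REF = ('<ds:Reference URI="%s"><ds:DigestMethod '
       'Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
       '<ds:DigestValue>DUMMY</ds:DigestValue></ds:Reference>')
TEMPLATE = ('<ds:Signature xmlns:ds="' + DS + '"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>'
    + "".join(REF % uri for uri in RESOURCES) +
    '</ds:SignedInfo><ds:SignatureValue>DUMMY</ds:SignatureValue></ds:Signature>')

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

def fill_digests(sig, resources):
    """Pass 1: replace each dummy DigestValue with the digest of its resource."""
    for ref in sig.iterfind("ds:SignedInfo/ds:Reference", NS):
        digest = hashlib.sha256(resources[ref.get("URI")]).digest()
        ref.find("ds:DigestValue", NS).text = b64(digest)

def mac_signed_info(sig, key):
    """MAC the canonical form of SignedInfo, including its current digests."""
    xml = ET.tostring(sig.find("ds:SignedInfo", NS), encoding="unicode")
    octets = ET.canonicalize(xml).encode("utf-8")
    return b64(hmac.new(key, octets, hashlib.sha256).digest())

def fill_signature(sig, key):
    """Pass 2: replace the dummy SignatureValue; must run after pass 1."""
    sig.find("ds:SignatureValue", NS).text = mac_signed_info(sig, key)

def verify(sig, resources, key):
    """Check SignatureValue over SignedInfo, then every Reference digest."""
    if not hmac.compare_digest(mac_signed_info(sig, key),
                               sig.findtext("ds:SignatureValue", "", NS)):
        return False
    return all(b64(hashlib.sha256(resources[r.get("URI")]).digest())
               == r.findtext("ds:DigestValue", "", NS)
               for r in sig.iterfind("ds:SignedInfo/ds:Reference", NS))
```

Running pass 2 before pass 1 yields a SignatureValue computed over the dummy digests, which no longer verifies once the real digests are written into SignedInfo.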

Handling XSLT <Transform> elements

In the second scenario, the Signature is over the XSLT-transformed contents of an Object element. The XSLT stylesheet is specified within a Transform element. Unlike the previous example, I did not have time to get all the code working before the F2F meeting so there are no interim results. I think the main difficulty lies in the object type conversion between XSLT's key() function and finding the appropriate Java/DOM class to use; I'll continue to work on this as time permits.

  1. XML Signature template with an XSLT transformation and dummy crypto values
  2. XSL for handling Signatures with XSLT transformations

Source for the Java methods called by the aforementioned XSLT stylesheets

Follow this link to see the abridged source for the Java methods.