in src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java [74:167]
protected XMLSignatureInput enginePerformTransform(
XMLSignatureInput input, OutputStream baos, Element transformElement,
String baseURI, boolean secureValidation
) throws IOException, TransformationException {
try {
Element xsltElement =
XMLUtils.selectNode(transformElement.getFirstChild(), XSLTSpecNS, "stylesheet", 0);
if (xsltElement == null) {
xsltElement =
XMLUtils.selectNode(transformElement.getFirstChild(), XSLTSpecNS, "transform", 0);
}
if (xsltElement == null) {
Object[] exArgs = { "xslt:stylesheet", "Transform" };
throw new TransformationException("xml.WrongContent", exArgs);
}
TransformerFactory tFactory = TransformerFactory.newInstance();
// Process XSLT stylesheets in a secure manner
tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
if (secureValidation) {
try {
tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException ex) {
// ignore
}
}
/*
* This transform requires an octet stream as input. If the actual
* input is an XPath node-set, then the signature application should
* attempt to convert it to octets (apply Canonical XML]) as described
* in the Reference Processing Model (section 4.3.3.2).
*/
Source stylesheet;
/*
* This complicated transformation of the stylesheet itself is necessary
* because of the need to get the pure style sheet. If we simply say
* Source stylesheet = new DOMSource(this.xsltElement);
* whereby this.xsltElement is not the rootElement of the Document,
* this causes problems;
* so we convert the stylesheet to byte[] and use this as input stream
*/
{
try (ByteArrayOutputStream os = new ByteArrayOutputStream()) {
Transformer transformer = tFactory.newTransformer();
DOMSource source = new DOMSource(xsltElement);
StreamResult result = new StreamResult(os);
transformer.transform(source, result);
stylesheet =
new StreamSource(new ByteArrayInputStream(os.toByteArray()));
}
}
Transformer transformer = tFactory.newTransformer(stylesheet);
// Force Xalan to use \n as line separator on all OSes. This
// avoids OS specific signature validation failures due to line
// separator differences in the transformed output. Unfortunately,
// this is not a standard JAXP property so will not work with non-Xalan
// implementations.
try {
transformer.setOutputProperty("{http://xml.apache.org/xalan}line-separator", "\n");
} catch (Exception e) {
LOG.log(Level.WARNING, "Unable to set Xalan line-separator property: " + e.getMessage());
}
try (InputStream is = new ByteArrayInputStream(input.getBytes())) {
Source xmlSource = new StreamSource(is);
if (baos == null) {
try (ByteArrayOutputStream baos1 = new ByteArrayOutputStream()) {
StreamResult outputTarget = new StreamResult(baos1);
transformer.transform(xmlSource, outputTarget);
XMLSignatureInput output = new XMLSignatureByteInput(baos1.toByteArray());
output.setSecureValidation(secureValidation);
return output;
}
}
StreamResult outputTarget = new StreamResult(baos);
transformer.transform(xmlSource, outputTarget);
}
XMLSignatureInput output = new XMLSignatureByteInput(null);
output.setSecureValidation(secureValidation);
output.setOutputStream(baos);
return output;
} catch (XMLSecurityException | TransformerException ex) {
throw new TransformationException(ex);
}
}