java - XML dig sig error after upgrade to java7u25

Question

I have a Java application for signing XML documents. After upgrading Java to the latest version (Java7u25) it stops working. I get the following error:

javax.xml.crypto.dsig.XMLSignatureException:
javax.xml.crypto.URIReferenceException: 
com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException:
Cannot resolve element with ID ...

Reverting back to java7u21 solves the problem. Is there any change in the XML Dig Sig API that causes this error?

Answer 1

Same problem here. Seems to be a bug inside the JVM due to an evolution.

I've traked it down to com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment

In java 7u21 & before :

91: // Element selectedElem = doc.getElementById(id);
92: selectedElem = IdResolver.getElementById(doc, id);

In java 7u25 :

87: selectedElem = doc.getElementById(id);
    //...
93: if (secureValidation) {

secureValidation refers to java 7u25 evolution on XML Sig validation (see changelog) so they must have broken changed something else while working on this evolution.

We've worked around this issue by providing a custom javax.xml.crypto.URIDereferencer to javax.xml.crypto.dom.DOMCryptoContext.setURIDereferencer(URIDereferencer) which is able to resolve node which are not yet in the DOM document tree (fragments in XMLObject).

I'm reporting this to Oracle right now, I'll update the answer with the bug id.

---

EDIT : found this in apache SVN

---

Edit 2 : Thanks to this bug report I've understood that this was an evolution in XML "Id" attributes handling.

Previous versions of java/JSR-105/SANTUARIO used to be very tolerant on "Id" attributes used in document.getElementById(...) but this new version requires an attribute that is identified as ID XML speaking. I mean that naming the attribute "Id" or "ID" is not sufficient anymore, you need to get it marked as ID, eventually by an XSD/DTD schema validation.

Unfortunalty, I'm following a schema that is not valid and therefore not parsable by Java.

If you are in the same situation see my solution below. Otherwise, if you're XML document does have a valid schema, have a look at @sherb solution https://stackoverflow.com/a/17437919/233906

Solution

Fortunately, you can tag an attribute as an ID using methods like Element.setIdAttributeNode(org.w3c.dom.Attr,boolean).

Combining with a little XPath like descendant-or-self::*/@Id to fetch Attr "Id" nodes plus a little Java ((Element)attr.getOwnerElement()).setIdAttributeNode(attr,true) should get you out of trouble.

But be carefull : setIdAttributeXXX() is valid only for the current document & node. If you clone/adopt/import you need to do a setIdAttributeXXX() on the new nodes of each DOM tree