How to sign only specific part of XML

eslamm

New Member
I am trying to do some XML Signature; however, after much searching I have not been able to find a solution. I am using Java to sign an XML using the XPath2 transform and EXCLUSIVE canonicalization. If I have the following XML
[code]
<?xml version="1.0" encoding="UTF-8"?>
<msg xmlns="http://someaddress/ad/m1" xmlns:ns1="http://someotheraddres/ad/m2" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
  <header>
    <id>wsfrwerwerwer</id>
    <name>addr</name>
    <somenode>
      <trace>ND</trace>
    </somenode>
  </header>
  <payload>
    <ns0:addr xmlns:ns0="http://someaddres/ad/m3">
      <ns2:data xmlns:ns2="http://someaddres/ad/m3">
        <ns2:name>somevalue</ns2:name>
        <ns2:value>354</ns2:value>
      </ns2:data>
    </ns0:addr>
  </payload>
</msg>
[/code]
and sign it, I get the following output (real data replaced with dummy)
[code]
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<msg xmlns="http://someaddress/ad/m1" xmlns:ns1="http://someotheraddres/ad/m2" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
  <header>
    <id>wsfrwerwerwer</id>
    <name>addr</name>
    <somenode>
      <trace>ND</trace>
    </somenode>
  </header>
  <payload>
    <ns0:addr xmlns:ns0="http://someaddres/ad/m3">
      <ns2:data xmlns:ns2="http://someaddres/ad/m3">
        <ns2:name>somevalue</ns2:name>
        <ns2:value>354</ns2:value>
      </ns2:data>
    </ns0:addr>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
              <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" xmlns:ns0="http://someaddres/ad/m3" Filter="intersect">//*[local-name()='addr']/*</XPath>
            </Transform>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>sdlfjdeklsdfngf</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>femhjgklnlkl</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>swerwerwrwerwerwe</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
  </payload>
</msg>
[/code]
If I validate the signature, everything is fine. However, the issue here is that right after this I perform an XSLT on the XML which performs some changes to some elements but not the signed element ([code]ns0:addr[/code]), which is left intact. Even though I explicitly say that only the "addr" element should be signed, if I try to perform changes to any of its parents ([code]payload[/code] or [code]msg[/code]), it then fails the signature when (according to my understanding) it should not. If I perform changes to other elements such as anything inside header, the signature is still valid.

I have tested the XPath expression ([code]//*[local-name()='addr']/*[/code]) and it selects the correct data to be signed ([code]ns0:addr[/code]), but it seems to be taking also all elements leading to it starting from the root element ([code]msg[/code]). I have also tried to use different transforms such as UNION, but that does not work at all.

Does anybody know what the issue might be? Is there any way, in Java, to see exactly what is being signed when signing the XML for debugging purposes?
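Editor's note: the debugging hook asked for at the end of the post exists in the JDK's XML-DSig API. Setting the `javax.xml.crypto.dsig.cacheReference` property on the sign (or validate) context makes each `Reference` keep the exact bytes that were digested, retrievable afterwards through `Reference.getDigestInputStream()`. The example below is added here and is not the poster's code. It rebuilds the post's setup (Reference URI="", XPath Filter 2 `intersect` on `//*[local-name()='addr']/*`, exclusive C14N in SignedInfo) on a constructed copy of the message, dumps the digest input, then edits only the `msg` ancestor and re-validates. It does this twice: once with the post's transform chain and once with an extra exclusive-C14N transform appended to the Reference. The second variant is the usual remedy when a partial signature is sensitive to its ancestors: per XMLDSig core, a node-set left by the last transform is digested with inclusive Canonical XML, and the `CanonicalizationMethod` in `SignedInfo` only governs `SignedInfo` itself, so the two dumps typically differ in which `xmlns` declarations the signed subtree inherits. The generated RSA key pair (in place of the post's X509 certificate), the `urn:constructed:extra` namespace and the trimmed sample message are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.crypto.dsig.spec.XPathFilter2ParameterSpec;
import javax.xml.crypto.dsig.spec.XPathType;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class PartialSignDebug {
    // Constructed sample with the same shape and namespaces as the question's message (dummy values).
    static final String MSG =
          "<msg xmlns=\"http://someaddress/ad/m1\" xmlns:ns1=\"http://someotheraddres/ad/m2\">"
        + "<header><id>wsfrwerwerwer</id></header>"
        + "<payload><ns0:addr xmlns:ns0=\"http://someaddres/ad/m3\">"
        + "<ns2:data xmlns:ns2=\"http://someaddres/ad/m3\"><ns2:name>somevalue</ns2:name>"
        + "<ns2:value>354</ns2:value></ns2:data></ns0:addr></payload></msg>";
    static final String MSG_NS = "http://someaddress/ad/m1";
    // URI string rather than SignatureMethod.RSA_SHA256 so the code also compiles on Java 8.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML-DSig requires a namespace-aware DOM
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs on signed input
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Signs the children of ns0:addr as in the question; returns the Reference so its digest input can be read. */
    static Reference sign(Document doc, KeyPair kp, boolean appendExcC14n) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XPathType select = new XPathType("//*[local-name()='addr']/*", XPathType.Filter.INTERSECT);
        List<Transform> transforms = new ArrayList<>();
        transforms.add(fac.newTransform(Transform.XPATH2,
                new XPathFilter2ParameterSpec(Collections.singletonList(select))));
        if (appendExcC14n) {
            // Canonicalize the filtered node-set exclusively instead of with the default inclusive C14N.
            transforms.add(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
        }
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null), transforms, null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));

        Element payload = (Element) doc.getElementsByTagNameNS(MSG_NS, "payload").item(0);
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), payload); // Signature appended under <payload>
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); // keep the digested bytes
        fac.newXMLSignature(si, ki).sign(ctx);
        return ref;
    }

    /** The exact octets that were hashed into DigestValue (null unless cacheReference was set before signing). */
    static String digestInput(Reference ref) throws Exception {
        InputStream in = ref.getDigestInputStream();
        return new String(in.readAllBytes(), StandardCharsets.UTF_8);
    }

    static boolean validate(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sig);
        return fac.unmarshalXMLSignature(vc).validate(vc);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        for (boolean exc : new boolean[] {false, true}) {
            Document doc = parse(MSG);
            Reference ref = sign(doc, kp, exc);
            System.out.println("=== digest input (exclusive C14N transform appended: " + exc + ") ===");
            System.out.println(digestInput(ref));
            // Touch only an ancestor of the signed subtree, as the question's XSLT does.
            doc.getDocumentElement().setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:extra", "urn:constructed:extra");
            System.out.println("valid after editing <msg>: " + validate(doc, kp));
        }
    }
}
```

Read the two dumps side by side: the elements that appear are the same in both, so the XPath expression is not the problem; what differs is the namespace declarations rendered on `ns2:data`, and that is what an edit to `msg` or `payload` can change. Dumping the digest input this way is also the first thing to do when a signature fails after an XSLT step, since it shows the verifier's view rather than the author's intent.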
 