Thanks for the quick response. I did use the XPATH transform to select the proper node set to sign in both cases. I just tried some experiments and found out that you need to put the exclusive c14n AFTER xpath transformation in order for the embedded signature verification to succeed. It looks like that XPATH transformation may have changed some properties (namespace?) of the input node set. Is it a general rule that the c14n should always be the last transformation if transformation has ever been used?

Jinsong

-----Original Message-----
From: Berin Lautenbach [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 08, 2004 3:56 AM
To: [EMAIL PROTECTED]
Subject: Re: questions about xml signature in java

Raul Benito wrote:

>> namespace definitions has caused the failure of verification when a
>> signed document A is embedded into another document B. After B is
>> signed, the namespace definition in A has also changed and signature
>> verification is failed. Is there any way to let the signing method to
>> not change the original DOM tree (other than adding the Signature
>> element)?
>>
>> Thanks,
>>
>> Jinsong
>>
>
> The CVS version changes the original DOM tree less (in some cases it is
> still needed to mess the DOM tree). Anyhow there has to be some problem
> with your signature embedding, because the exclusive c14n doesn't fail if
> it has more namespaces defined than when it was signed.

+1 to everything Raul said.

Just to add a thought as to why the signature might be failing - what document are you feeding to xml-security? If you have embedded the document you provided in another document and then try to validate the signature, the validation will fail as the reference has a URI of "", so it will try to validate the signature against the entire *new* document.

Cheers,
	Berin
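
The effect of a `URI=""` reference after embedding, and of namespace-minimal canonicalization on the embedded subtree, shown as an added example that is not part of the original thread and does not use the xml-security API. It assumes Python's standard-library C14N 2.0 canonicalizer as a stand-in for exclusive c14n, constructed sample documents, and a hypothetical `Id` attribute lookup in place of a real `#id` reference; the Signature element and the enveloped transform are left out.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: document A, the part that was signed on its own.
DOC_A = ('<a:Order xmlns:a="urn:example:a" Id="order1">'
         '<a:Item>42</a:Item></a:Order>')

# Constructed sample: A embedded in B, which declares further namespaces.
DOC_B = ('<b:Envelope xmlns:b="urn:example:b" xmlns:x="urn:example:unused">'
         '<b:Header>routing</b:Header>' + DOC_A + '</b:Envelope>')


def c14n_digest(elem):
    """SHA-256 over the canonical form of a single element subtree."""
    subtree = copy.copy(elem)
    subtree.tail = None  # text after the element is not part of the subtree
    # ElementTree serializes only the namespaces the subtree uses, which is
    # also what exclusive c14n emits (assumption: no QNames in text content).
    serialized = ET.tostring(subtree, encoding="unicode")
    canonical = ET.canonicalize(serialized)  # C14N 2.0, stand-in for exc-c14n
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def digest_for_reference(xml_text, uri):
    """Digest the node set a same-document Reference URI selects.

    ""     -> the whole document that contains the signature
    "#id"  -> the element whose Id attribute equals id (hypothetical lookup)
    """
    root = ET.fromstring(xml_text)
    if uri == "":
        return c14n_digest(root)
    if uri.startswith("#"):
        for elem in root.iter():
            if elem.get("Id") == uri[1:]:
                return c14n_digest(elem)
    raise ValueError("unsupported or unresolved reference: %r" % uri)


if __name__ == "__main__":
    signed = digest_for_reference(DOC_A, "")  # digest stored at signing time
    print("URI=''        after embedding matches:",
          digest_for_reference(DOC_B, "") == signed)
    print("URI='#order1' after embedding matches:",
          digest_for_reference(DOC_B, "#order1") == signed)
```
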
