> Thanks for the quick response. I did use the XPATH transform to select
> the proper node set to sign in both cases. I just tried some experiments
> and found out that you need to put the exclusive c14n AFTER the xpath
> transformation in order for the embedded signature verification to
> succeed. It looks like the XPATH transformation may have changed some
> properties (namespace?) of the input node set. Is it a general rule
> that the c14n should always be the last transformation if a transformation
> has ever been used?
>
> Jinsong
>
More or less: the transformations are executed in order, and the output of the last one, if it is not a c14n transformation, is c14ned (I think that is always inclusive, but I'm not sure).

By the way, using XPath to select what to sign is a horrible idea speed-wise, and perhaps a nightmare interoperation-wise (if you are flexible in what you accept, several XPath expressions can select the same set of nodes, and if you are not, some space can reject a perfectly valid signature). If you can, use the reference URI to select what you want to use; it is faster and easier.

Raul
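
An added example, not part of the original thread or of any library's code: a small audit of the transform chain on each ds:Reference, flagging the three situations discussed above (XPath used for selection, c14n placed before another transform, and a node set reaching the digest so that the XML Signature default inclusive c14n applies). The finding names, the `make_ref` helper and the sample SignedInfo are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"
INC = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
C14N = {INC, INC + "#WithComments", EXC, EXC + "WithComments"}
NODESET_OUT = {XPATH, DS + "enveloped-signature"}  # transforms that emit a node set

def audit_references(signed_info_xml):
    """Map each ds:Reference URI to findings about its transform chain."""
    report = {}
    for ref in ET.fromstring(signed_info_xml).iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        algs = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        findings = []
        if XPATH in algs:
            # Node selection depends on an expression the verifier must vet.
            findings.append("xpath-selection")
        if any(a in C14N for a in algs[:-1]):
            # c14n emits octets; a later node-set transform re-parses them.
            findings.append("c14n-before-other-transform")
        same_doc = uri is not None and (uri == "" or uri.startswith("#"))
        if (algs and algs[-1] in NODESET_OUT) or (not algs and same_doc):
            # A node set reaching the digest gets inclusive c14n by default.
            findings.append("implicit-inclusive-c14n")
        report[uri] = findings
    return report

def make_ref(uri, *algs):
    """Hypothetical helper: one constructed ds:Reference (XPath child omitted)."""
    ts = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in algs)
    return f'<ds:Reference URI="{uri}"><ds:Transforms>{ts}</ds:Transforms></ds:Reference>'

# Constructed sample, not taken from the thread.
SAMPLE = (f'<ds:SignedInfo xmlns:ds="{DS}">'
          + make_ref("#a", EXC, XPATH)   # c14n first, XPath last
          + make_ref("#b", XPATH, EXC)   # XPath first, exclusive c14n last
          + make_ref("#c", EXC)          # selected by URI only
          + "</ds:SignedInfo>")

if __name__ == "__main__":
    for uri, findings in audit_references(SAMPLE).items():
        print(uri, findings or "ok")
```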
