Hi all - I have a feeling that this is a FAQ, but despite looking long and hard I haven't managed to find an answer.
I'm generating a signature to cover a document that starts like so:

    <?xml version="1.0" encoding="UTF-8"?>
    <solicitation xmlns="urn:frog" Id="solicitation-0" xmlns:NS1="http://www.w3.org/2001/XMLSchema-instance" NS1:schemaLocation="urn:frog http://xml.rcpt.to/mikolaj/default">
    <DNS xmlns="urn:frog">www.rcpt.to</DNS>
    ...

The c14n'd version, as extracted by getSignedContentItem, looks like this:

    <solicitation Id="solicitation-0" schemaLocation="urn:frog http://xml.rcpt.to/mikolaj/default"><DNS>www.rcpt.to</DNS>

Point of major annoyance: schemaLocation has lost its namespace! Needless to say, it turns the signed document into so much garbage. Why does this happen, and how do I fix it? I've tried playing with exclusive c14n and explicit namespaces, but it doesn't seem to actually make any difference. Is this an exclusive namespaces problem or something else entirely?

Code is:

    Transforms t = new Transforms(thisDocument);
    HashSet hs = new HashSet();
    hs.add("xmlns:NS1");
    InclusiveNamespaces in = new InclusiveNamespaces(thisDocument, hs);
    in.setXPathNamespaceContext("NS1","http://www.w3.org/2001/XMLSchema-instance");
    HelperNodeList names = new HelperNodeList();
    names.appendChild(in.getElement());
    t.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
    t.addTransform(InclusiveNamespaces.ExclusiveCanonicalizationNamespace,names);
    XMLSignature sig = new XMLSignature(thisDocument, "http://frog/",
        XMLSignature.ALGO_ID_SIGNATURE_DSA,
        Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

...and results in...

    <ds:SignedInfo xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      <ds:Reference URI="#solicitation-0" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:Transforms xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ec:InclusiveNamespaces PrefixList="NS1" xmlns="" xmlns:NS1="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:DigestValue xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">iQbraueElJ+fAIDV6uoyWRcGkwc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>

Point of minor annoyance: The namespace declaration has vanished. My workaround for this is to use the same sequence as in the XMLSignature code, namely to explicitly create an element with a tag of "prefix:solicitation" and to manually create "xmlns:prefix" attributes on the root element. I idly wonder why it should be necessary to do this, however, given that createElementNS is theoretically creating an element in a namespace (right?) which I would have imagined would have made everything just work. *handwave* Why doesn't it?

m.
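
The DOM behaviour behind the workaround described in the post, as an added example that is not part of the original message: createElementNS and setAttributeNS record a namespace URI on the node, but they neither invent a prefix nor create xmlns declaration attributes, so code that walks the element's attribute nodes sees what the c14n output above shows. The class name, the dump helper and the "frog"/"xsi" prefixes are assumptions chosen for illustration; only JDK DOM classes are used.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;

public class NamespaceNodesDemo {
    static final String XMLNS = "http://www.w3.org/2000/xmlns/";
    static final String XSI = "http://www.w3.org/2001/XMLSchema-instance";
    static final String FROG = "urn:frog";
    static final String LOC = "urn:frog http://xml.rcpt.to/mikolaj/default";

    // Render the start tag from the attribute nodes that actually exist in the
    // DOM, with no namespace fixup (unlike a typical serializer).
    static String dump(Element e) {
        StringBuilder sb = new StringBuilder("<" + e.getNodeName());
        NamedNodeMap attrs = e.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            sb.append(' ').append(a.getNodeName())
              .append("=\"").append(a.getValue()).append('"');
        }
        return sb.append('>').toString();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().newDocument();

        // Namespace URIs supplied, but no prefix on the attribute and no
        // xmlns attribute nodes: the URIs live only in getNamespaceURI().
        Element implicit = doc.createElementNS(FROG, "solicitation");
        implicit.setAttributeNS(XSI, "schemaLocation", LOC);
        System.out.println("implicit: " + dump(implicit));
        System.out.println("  attr namespace still known to the DOM: "
            + implicit.getAttributeNodeNS(XSI, "schemaLocation").getNamespaceURI());

        // The workaround: qualified names plus explicit declarations, created
        // as attributes in the reserved xmlns namespace.
        Element explicit = doc.createElementNS(FROG, "frog:solicitation");
        explicit.setAttributeNS(XMLNS, "xmlns:frog", FROG);
        explicit.setAttributeNS(XMLNS, "xmlns:xsi", XSI);
        explicit.setAttributeNS(XSI, "xsi:schemaLocation", LOC);
        System.out.println("explicit: " + dump(explicit));
    }
}
```

Comparing the two dumps before signing shows whether the prefixes and declarations that the signature is meant to cover are present as nodes at all.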