The following XML is taken from the CanonSubtree sample app, but illustrates an
issue that I've encountered, which is causing a signature verification interop
problem (Keytools and xml-sec).

I've slightly altered the XML from the CanonSubtree sample by adding xmlns="" to
the CanonicalizationMethod element. The second chunk of XML is the result of
Apache xml-sec 1.3 subtree (SignedInfo) canonicalization.

<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod xmlns="" Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>
</Signature>


<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>


Note that xmlns="" has been omitted from the CanonicalizationMethod element.
This is correct in the context of the subtree prior to adding doc level
namespaces to the subtree root (i.e. <SignedInfo> vs <SignedInfo
xmlns="http://www.w3.org/2000/09/xmldsig#">), but seems incorrect following the
addition of the doc level namespace. I've read the W3C spec several times, yet
it is still not clear to me what the correct behavior is.

And apparently it was not clear to different implementors of the c14n spec,
since Keytools retains xmlns="" in this type of context while xml-sec removes
it, hence xml-sec cannot verify signatures created by Keytools in these 
contexts.

I'd appreciate any insight or advice.
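
Added example, not part of the original post and not code from Keytools or xml-sec: a restricted Python sketch of how Canonical XML 1.0 (section 2.3) renders default-namespace declarations when SignedInfo is canonicalized as a subtree, returning the octets and SHA-1 digest with xmlns="" retained versus dropped. It assumes unprefixed elements and unqualified attributes only; the input string, the function names and the keep_empty_default switch are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Constructed input modelled on the XML in the post (inter-element whitespace removed).
DOC = (
    '<Signature xmlns="' + DSIG + '"><SignedInfo>'
    '<CanonicalizationMethod xmlns=""'
    ' Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<Reference URI="http://www.w3.org/TR/xml-stylesheet">'
    '<DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue></Reference>'
    '</SignedInfo></Signature>'
)

def split(tag):
    # ElementTree stores names as '{uri}local'; no-namespace names are bare.
    return tag[1:].split("}", 1) if tag.startswith("{") else ("", tag)

def esc(s, attr=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    return s.replace('"', "&quot;") if attr else s.replace(">", "&gt;")

def c14n_subtree(el, rendered_default="", keep_empty_default=True):
    """Serialize el as the apex of a document subset (default namespaces only).
    rendered_default is the default namespace already output by the nearest
    ancestor in the node-set; it is "" at the apex, whose ancestors are excluded.
    keep_empty_default=False models an implementation that drops xmlns=""."""
    uri, local = split(el.tag)
    out = "<" + local
    if uri != rendered_default and (uri or keep_empty_default):
        out += ' xmlns="%s"' % esc(uri, True)   # namespace declarations precede attributes
        rendered_default = uri
    for name in sorted(el.attrib):               # attributes in lexicographic order
        out += ' %s="%s"' % (name, esc(el.attrib[name], True))
    out += ">" + esc(el.text or "")
    for child in el:
        out += c14n_subtree(child, rendered_default, keep_empty_default) + esc(child.tail or "")
    return out + "</" + local + ">"              # empty elements become start/end pairs

def signed_info_digests(doc=DOC):
    si = ET.fromstring(doc).find("{%s}SignedInfo" % DSIG)
    kept = c14n_subtree(si, keep_empty_default=True)
    dropped = c14n_subtree(si, keep_empty_default=False)
    sha1 = lambda s: hashlib.sha1(s.encode("utf-8")).hexdigest()  # page uses rsa-sha1
    return kept, dropped, sha1(kept), sha1(dropped)

if __name__ == "__main__":
    for item in signed_info_digests():
        print(item)
```

Re-parsing the two outputs also differs: with xmlns="" dropped, CanonicalizationMethod lands in the xmldsig namespace, so the two forms are different documents and not only different bytes.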
