I have a dynamic client application that is sending a signed SOAP request
to a service where an InclusiveNamespaces element contains a PrefixList
that is empty. The service rejects the payload with the error:

*Validation failed because:cvc-minLength-valid: Value '' with length = '0'
is not facet-valid with respect to minLength '1' for type 'NMTOKENS'.*

I took a look at the specs:

    https://www.w3.org/TR/xml-exc-c14n/

    http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html#InclusiveNamespaces

And it is not clear to me if PrefixList can be an empty string or not, but
this spec:

    https://www.w3.org/TR/2000/WD-xml-2e-20000814#NT-Nmtokens

indicates that it cannot.

I am using the following settings:


   - The "action" parameter is set to "Timestamp" and "Body"
   - The "signatureDigestAlgorithm" parameter is
     "http://www.w3.org/2000/09/xmldsig#sha1"
   - The "signatureParts" parameter is
     "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"


Here is a snippet from the header of the outbound request. Note that the
Reference for the Timestamp contains values in the PrefixList, but the
reference associated with the Body does not:

<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                PrefixList="soap">
        </ec:InclusiveNamespaces>
    </ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
    </ds:SignatureMethod>

    <ds:Reference URI="#TS-15">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                        PrefixList="ns1 ns2 ns3 ns4 soap">
                </ec:InclusiveNamespaces>
            </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>hjy97p3MBjtA2IjdM/XzjHG9V6s=</ds:DigestValue>
    </ds:Reference>

    <ds:Reference URI="#id-16">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                        PrefixList="">   <!-- empty PrefixList -->
                </ec:InclusiveNamespaces>
            </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>dknPQWZJt54NUo+dJKAWiG8oYz8=</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>

And here is the reference to the Body (id-16):

<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
           wsu:Id="id-16">

Is an empty PrefixList valid?

If not, is there a way to control this programmatically as an outbound
interceptor? I saw the samples that use DefaultCryptoCoverageChecker, but
the samples use it as an inbound interceptor.

I am using CXF 2.7.8, WSS4j 1.6.11 and XMLSec 1.5.4.

Thanks,

Chris
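As an added example, not from the original post and not CXF or WSS4J code: a Python pre-flight check that parses a ds:SignedInfo and reports every exc-c14n InclusiveNamespaces whose PrefixList would fail the xs:NMTOKENS facet named in the error above. The function names and the constructed SAMPLE are my own, and the NMTOKEN character class is a simplification of the XML 1.0 production.

```python
import re
import xml.etree.ElementTree as ET

EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Simplified XML 1.0 NameChar set: ASCII name characters plus any non-ASCII
# code point (the real production excludes a few non-ASCII ranges).
_NMTOKEN = re.compile(r"^[A-Za-z0-9._:\-\u0080-\uFFFF]+$")

def prefixlist_problem(value):
    """None if value is valid xs:NMTOKENS (minLength 1), else the reason."""
    tokens = value.split()
    if not tokens:
        return "empty PrefixList (NMTOKENS requires minLength 1)"
    bad = [t for t in tokens if not _NMTOKEN.match(t)]
    return "not an NMTOKEN: " + ", ".join(bad) if bad else None

def check_signed_info(xml_text):
    """Return (location, reason) for every exc-c14n InclusiveNamespaces under
    ds:SignedInfo that a schema-validating receiver would reject."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    problems = []
    for inc in root.iter("{%s}InclusiveNamespaces" % EXC_C14N):
        value = inc.get("PrefixList")
        if value is None:  # an absent attribute is not the empty string
            continue
        reason = prefixlist_problem(value)
        if reason is None:
            continue
        # climb to the enclosing ds:Reference, if any, to name the location
        where, node = "CanonicalizationMethod", inc
        while node in parent:
            node = parent[node]
            if node.tag == "{%s}Reference" % DS:
                where = "Reference " + node.get("URI", "?")
                break
        problems.append((where, reason))
    return problems

# Constructed sample modelled on the SignedInfo in the question (digests
# omitted); only the Body reference (#id-16) carries an empty PrefixList.
SAMPLE = """<ds:SignedInfo xmlns:ds="%s" xmlns:ec="%s">
 <ds:CanonicalizationMethod Algorithm="%s"><ec:InclusiveNamespaces PrefixList="soap"/></ds:CanonicalizationMethod>
 <ds:Reference URI="#TS-15"><ds:Transforms><ds:Transform Algorithm="%s">
  <ec:InclusiveNamespaces PrefixList="ns1 ns2 ns3 ns4 soap"/></ds:Transform></ds:Transforms></ds:Reference>
 <ds:Reference URI="#id-16"><ds:Transforms><ds:Transform Algorithm="%s">
  <ec:InclusiveNamespaces PrefixList=""/></ds:Transform></ds:Transforms></ds:Reference>
</ds:SignedInfo>""" % ((DS, EXC_C14N) + (EXC_C14N,) * 3)
```

Calling `check_signed_info(SAMPLE)` returns one entry for Reference #id-16, while the CanonicalizationMethod and the Timestamp reference pass; run the same check over a client's outbound header before it leaves the box to catch this rejection early.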
