Half an hour digging in the logs and I think I have an explanation:
0) The xmldsigverifier was compiled in April 2002 and it is more than a year old now (probably I need to upgrade it :) )
1) The c14n code in libxml2 version 2.4.20 that was used to compile xmldsigverifier returns the exact results as you describe
2) The namespace processing in c14n.c was fixed around July 31, 2002 in order to support a new Merlin's c14n tests (merlin-c14n-three). As far as I can remember and as far as I can see from the code, this change solves exactly this problem.
Bottom line: there was a bug and it was fixed almost a year ago, xmldsigverifier on the web site is obsolete (and I hope I will have time to update it soon).
Now I would like to repeat my explanations. I would appreciate if Rich or someone else familiar with c14n specifications:
We have something like this:
<Root xmlns="http://examples.com">
<Object>Test</Object>
</Root>
According to the spec [1], the non-default namespace node is rendered only if it is in the XPath node-set. In our case, the XPath expression selects *only*
<Object/> node itself
and none of its namespaces or attributes nodes. Thus I think that xmlsec/libxml do the right thing by returning
<Object></Object>
after c14n.
Aleksey
[1] http://www.w3.org/TR/2001/REC-xml-c14n-20010315#ProcessingModel
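The node-set rule described in the message, as an added sketch that is not part of the original post and is not xmlsec or libxml2 code. It models only elements, text and namespace nodes from the Canonical XML 1.0 processing model; representing a namespace node as an `(element, prefix)` tuple and the helper names `in_scope_ns`, `c14n` and `load` are assumptions of this example.

```python
from xml.dom import minidom
from xml.sax.saxutils import escape

# Document from the message (inter-element whitespace dropped).
DOC = '<Root xmlns="http://examples.com"><Object>Test</Object></Root>'

def in_scope_ns(elem):
    """Return {prefix: uri} for the namespace nodes XPath attaches to elem."""
    chain, ns = [], {}
    while elem is not None and elem.nodeType == elem.ELEMENT_NODE:
        chain.append(elem)
        elem = elem.parentNode
    for e in reversed(chain):                  # outermost first, inner overrides
        for name, value in e.attributes.items():
            if name == "xmlns" or name.startswith("xmlns:"):
                ns[name[6:]] = value           # "" is the default namespace
    return {p: u for p, u in ns.items() if u}  # xmlns="" leaves no namespace node

def c14n(node, nodeset, inherited=None):
    """Canonicalize the subset `nodeset` at and below `node`.

    nodeset holds minidom element/text nodes plus (element, prefix) tuples
    standing in for namespace nodes. Attributes, comments and PIs are ignored.
    """
    inherited = inherited or {}
    if node.nodeType == node.TEXT_NODE:
        return escape(node.data, {"\r": "&#xD;"}) if node in nodeset else ""
    if node.nodeType != node.ELEMENT_NODE or node not in nodeset:
        # No tags for an unselected element; selected descendants still appear.
        return "".join(c14n(c, nodeset, inherited) for c in node.childNodes)
    # Only namespace nodes that are themselves in the node-set can be rendered.
    visible = {p: u for p, u in in_scope_ns(node).items() if (node, p) in nodeset}
    decls = [(p, u) for p, u in sorted(visible.items()) if inherited.get(p) != u]
    if "" not in visible and inherited.get(""):
        decls.insert(0, ("", ""))              # undo the default the ancestor output
    attrs = "".join(' xmlns%s="%s"' % (":" + p if p else "",
                                       escape(u, {'"': "&quot;"})) for p, u in decls)
    body = "".join(c14n(c, nodeset, visible) for c in node.childNodes)
    return "<%s%s>%s</%s>" % (node.tagName, attrs, body, node.tagName)

def load():
    """Parse DOC and return (document, <Root>, <Object>)."""
    doc = minidom.parseString(DOC)
    return doc, doc.documentElement, doc.documentElement.firstChild

if __name__ == "__main__":
    doc, root, obj = load()
    print(c14n(doc, {obj}))                             # element only, as in the message
    print(c14n(doc, {obj, (obj, ""), obj.firstChild}))  # plus namespace and text nodes
    print(c14n(doc, {root, (root, ""), obj}))           # Object loses the default namespace
```

The signer and the verifier must canonicalize the same node-set: each of the three selections above produces different bytes, and therefore a different digest, from the same document.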
