By looking over the code, it seems that creating the Signature subtree with the desired prefix (e.g., <dsig:Signature> ...) and next attempting to fill in the signature using the existing functions won't work.
No, it will work :) Nobody cares about the prefix. It can be anything. The important parts are namespace URI and local node name.
E.g., function xmlSecDSigCtxProcessSignatureNode from xmldsig.c will fail on if(!xmlSecCheckNodeName(node, xmlSecNodeSignature, xmlSecDSigNs))
It does the right thing :) The check is for namespace URI and local node name.
It seems to me that a better solution is to generate the Signature with no prefixes (plain <Signature> etc), fill the actual signature in, and next change the prefixes. Of course, it's a hack, until proper support for prefixes is added. First, does this sound OK for you?
Well, see above. xmlsec for sure does not care what prefix is used. You can do the right thing right away. Moreover, there is no real need to have namespace prefixes at all. It just makes your xml file bigger :)
Second, is the current implementation of the XPath filter 2.0 aware of prefixes? (I'm using XPath 2.0 to specify what I actually want to sign). Some other parts of the document I'm trying to sign may use prefixes, and changing them may be hard.
The XPath implementation is aware of namespaces. Aleksey _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
