Well, xmldsig standard defines the namespace and that's
how any standard compatible signature should be done.
Again, I think someone just copy pasted
<xs:element name="Signature" type="ds:SignatureType"/>
into XYZBlock.xsd w/o understanding how schemas work.
The best course of action is to fix this in the schema.
Aleksey
On 6/5/20 1:11 PM, Kiss Ádám wrote:
Right, so it cannot be done this way. Thank you!
I also tried to put the Signature element into the ds: namespace, but then
the sign tool failed again. It turned out that removing the cb: namespace
from the parent element of the ds:Signature node solves the problem. I
saw the xmlSecDSigNs variable hardcoded in libxmlsec not only when finding
the Signature node, but also later in the transformation chain. May I
ask whether it is mandatory for it to be that way, or whether I can change
the search namespace (by changing that constant) to the relative one written
in our standard? I would then of course have to recompile the whole lib,
which I've done before.
Bests, Adam
------------------------------------------------------------------------
*From:* Aleksey Sanin <[email protected]>
*Sent:* June 4, 2020, 17:09
*To:* Kiss Ádám; [email protected]
*Subject:* Re: [xmlsec] Signing with root element not having namespace
In xmldsig-core-schema.xsd, there is targetNamespace defined:
targetNamespace="http://www.w3.org/2000/09/xmldsig#"
Which places ALL entities (types, elements, ...) from this schema
into this namespace (including Signature node itself).
In XYZBlock.xsd, the same Signature element is redefined for no
obvious reasons as
<xs:element name="Signature" type="ds:SignatureType"/>
This should be replaced with something like this to reference the
Signature element defined in xmldsig spec:
<xs:element ref="ds:Signature"/>
As it stands right now, this is not an xmldsig compatible construct.
Hope this helps,
Aleksey
On 6/4/20 3:57 AM, Kiss Ádám wrote:
Thank you for your answer!
Unfortunately the standard is not public, but an obfuscated version should
be okay for investigation. I've attached the XSDs the standard specifies.
The XML I sent you earlier is just our interpretation and can be changed.
Do you have any idea how we can go on?
Bests, Adam
------------------------------------------------------------------------
*From:* Aleksey Sanin <[email protected]>
*Sent:* June 3, 2020, 17:39
*To:* Kiss Ádám; [email protected]
*Subject:* Re: [xmlsec] Signing with root element not having namespace
Indeed in your XML file the Signature node doesn't have the correct
namespace:
<Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Is this standard publicly available somewhere? This doesn't look
right to me.
Aleksey
On 6/3/20 7:50 AM, Kiss Ádám wrote:
Hello!
I've been using your lib for a long time with much success!
Now I got a task which I cannot handle with my skills. I've attached a
simplified version of the XML.
The main problem is that an industry standard determines the whole
structure of the XML in this application including the namespaces. When
I tried to sign it with the standard method in the doc I got the error:
'node not found'. It turned out xmlsecGetNodeNSHref sees the <Signature>
block with (null) namespace, which doesn't fit xmlsec's requirement.
Changing xmlSecFindNode to ignore the (null) namespace helped for a
short time, but some function calls later a similar error was found in
xmlSecFindParent. After getting over again C14N failed. I am not sure if
that (null) is the problem during the canonicalization.
I cannot see that deep into the code. Could you help me out?
Bests,
Adam
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
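The namespace point discussed in this thread, as an added example that is not part of the original messages and not xmlsec code: declaring the `ds` prefix on an unprefixed `<Signature>` does not place the element in the xmldsig namespace, so a namespace-qualified lookup misses it. The root element name `Block` and the `urn:example:cb` URI are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Target namespace of the xmldsig core schema, as quoted in the thread.
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
CB_NS = "urn:example:cb"  # constructed placeholder for the standard's own namespace

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return None, tag

def signature_namespaces(xml_text):
    """Namespace (or None) of every element whose local name is Signature."""
    root = ET.fromstring(xml_text)
    return [split_tag(el.tag)[0] for el in root.iter()
            if split_tag(el.tag)[1] == "Signature"]

def has_dsig_signature(xml_text):
    """Namespace-qualified lookup: only {DSIG_NS}Signature counts as a match."""
    root = ET.fromstring(xml_text)
    return any(el.tag == "{%s}Signature" % DSIG_NS for el in root.iter())

# Constructed sample documents covering the variants discussed in the thread.
SAMPLES = {
    # Prefix declared but never used: the element stays in no namespace.
    "unused_prefix": '<cb:Block xmlns:cb="%s"><Signature xmlns:ds="%s"/></cb:Block>'
                     % (CB_NS, DSIG_NS),
    # Parent sets a default namespace: the unprefixed child inherits it.
    "inherited_default": '<Block xmlns="%s"><Signature xmlns:ds="%s"/></Block>'
                         % (CB_NS, DSIG_NS),
    # Element actually qualified with the ds prefix.
    "prefixed": '<cb:Block xmlns:cb="%s" xmlns:ds="%s"><ds:Signature/></cb:Block>'
                % (CB_NS, DSIG_NS),
    # Default namespace redeclared on the Signature element itself.
    "default_on_element": '<cb:Block xmlns:cb="%s"><Signature xmlns="%s"/></cb:Block>'
                          % (CB_NS, DSIG_NS),
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, signature_namespaces(doc), has_dsig_signature(doc))
```
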