[xmlsec] generate Signature subtree with dsig prefix

Alex Salcianu asalcianu at itasoftware.com
Fri Apr 6 06:26:13 PDT 2007


Aleksey Sanin wrote:
>> What is the easiest way to create a Signature subtree with a specific 
>> prefix, e.g., something like
>
> This is not supported directly by xmlsec in the current version.
> However, you can always create the Signature subtree yourself
> using LibXML2 functions.
>
Aleksey, thanks for the quick answer.

By looking over the code, it seems that creating the Signature
subtree with the desired prefix (e.g., <dsig:Signature> ...)
and next attempting to fill in the signature using the existing
functions won't work.

E.g., function xmlSecDSigCtxProcessSignatureNode from xmldsig.c
will fail on

  if(!xmlSecCheckNodeName(node, xmlSecNodeSignature, xmlSecDSigNs))

because the signature node is now named "dsig:Signature", instead
of the expected "Signature".

It seems to me that a better solution is to generate the Signature
with no prefixes (plain <Signature> etc), fill the actual signature
in, and next change the prefixes.  Of course, it's a hack, until
proper support for prefixes is added.

First, does this sound OK for you?

Second, is the current implementation of the XPath filter 2.0 aware
of prefixes?  (I'm using XPath 2.0 to specify what I actually want
to sign).  Some other parts of the document I'm trying to sign
may use prefixes, and changing them may be hard.

Does anyone from this list have experience with this kind of
situations?

Thanks,

Alex



More information about the xmlsec mailing list