[xmlsec] generate Signature subtree with dsig prefix

Aleksey Sanin aleksey at aleksey.com
Fri Apr 6 09:12:13 PDT 2007

> By looking over the code, it seems that creating the Signature
> subtree with the desired prefix (e.g., <dsig:Signature> ...)
> and next attempting to fill in the signature using the existing
> functions won't work.

No, it will work :) Nobody cares about the prefix. It can be
anything. The important parts are namespace URI and local node

> E.g., function xmlSecDSigCtxProcessSignatureNode from xmldsig.c
> will fail on
>  if(!xmlSecCheckNodeName(node, xmlSecNodeSignature, xmlSecDSigNs))

It does the right thing :) The check is for namespace URI and local
node name.

> It seems to me that a better solution is to generate the Signature
> with no prefixes (plain <Signature> etc), fill the actual signature
> in, and next change the prefixes.  Of course, it's a hack, until
> proper support for prefixes is added.
> First, does this sound OK for you?

Well, see above. xmlsec for sure does not care what prefix is used.
You can do the right thing right away. Moreover, there is no real
need to have namespace prefixes at all. It just makes your xml
file bigger :)

> Second, is the current implementation of the XPath filter 2.0 aware
> of prefixes?  (I'm using XPath 2.0 to specify what I actually want
> to sign).  Some other parts of the document I'm trying to sign
> may use prefixes, and changing them may be hard.

The XPath implementation is aware of namespaces.
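
The point made in the replies above, shown as an added example that is not part of the original message and is not xmlsec code: a node is identified by its namespace URI and local name, and the prefix is irrelevant, both for a name check and for a namespace-aware XPath query. It uses Python's standard `xml.etree.ElementTree`; `check_node_name` is a hypothetical helper named after the check quoted in the thread, and the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSig namespace URI

# Constructed sample documents (not from the thread).
SAMPLES = {
    "dsig_prefix": '<doc><dsig:Signature xmlns:dsig="%s"><dsig:SignedInfo/></dsig:Signature></doc>' % DSIG_NS,
    "no_prefix": '<doc><Signature xmlns="%s"><SignedInfo/></Signature></doc>' % DSIG_NS,
    "other_prefix": '<doc xmlns:x="%s"><x:Signature><x:SignedInfo/></x:Signature></doc>' % DSIG_NS,
    "wrong_uri": '<doc><dsig:Signature xmlns:dsig="urn:example:not-dsig"/></doc>',
    "no_namespace": "<doc><Signature/></doc>",
}

def check_node_name(elem, local_name, ns_uri):
    """Hypothetical helper: match on namespace URI + local name, ignore prefix."""
    return elem.tag == "{%s}%s" % (ns_uri, local_name)

def count_by_name(xml_text):
    # Walk the parsed tree and count elements that are dsig Signature nodes.
    root = ET.fromstring(xml_text)
    return sum(check_node_name(e, "Signature", DSIG_NS) for e in root.iter())

def count_by_xpath(xml_text):
    # The prefix "s" exists only in this query; it is bound to the URI here,
    # independent of whatever prefix the document uses.
    root = ET.fromstring(xml_text)
    return len(root.findall(".//s:Signature", {"s": DSIG_NS}))

def count_by_prefix_string(xml_text):
    # Prefix-based matching, shown for contrast: it misses valid signatures and
    # accepts an element whose prefix is bound to a different namespace.
    return xml_text.count("<dsig:Signature")

def survey():
    # Per sample: (name check, namespace-aware XPath, prefix string match).
    return {name: (count_by_name(x), count_by_xpath(x), count_by_prefix_string(x))
            for name, x in SAMPLES.items()}

if __name__ == "__main__":
    for name, counts in survey().items():
        print("%-13s name=%d xpath=%d prefix-string=%d" % ((name,) + counts))
```

The `wrong_uri` sample is the case a verifier must reject: the prefix reads `dsig`, but the element is not in the XML-DSig namespace.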

