[xmlsec] Signature in different namespace

Simon Josefsson simon at josefsson.org
Mon Oct 15 12:56:35 PDT 2012


Hi.  I want to implement support for signing/verifying PSKC data (RFC
6030) which uses xmldsig.  The XML schema is here:

http://tools.ietf.org/html/rfc6030#section-11

In particular it refers to xmldsig like this:

               <xs:element name="Signature"
                    type="ds:SignatureType" minOccurs="0"/>

As far as I can tell (and this is reinforced by the example in section 7
of RFC 6030), this means the XML will have a Signature element in the
PSKC namespace but with children from the xmldsig namespace.  For
example:

   <?xml version="1.0" encoding="UTF-8"?>
   <KeyContainer
       xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
       xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
       Version="1.0">
       <KeyPackage>
...
       </KeyPackage>
       <Signature>
           <ds:SignedInfo>
               <ds:CanonicalizationMethod
...

I'm having trouble making XMLSec cope with this.  xmlSecDSigCtxSign
calls xmlSecDSigCtxProcessSignatureNode which starts with:

    if(!xmlSecCheckNodeName(node, xmlSecNodeSignature, xmlSecDSigNs)) {
        xmlSecError(XMLSEC_ERRORS_HERE,

So I get a hard error when trying to sign with a Signature node that
isn't in the xmldsig namespace.  Any ideas on what could be done here?

(Sorry if you get a similar email later on, I recently subscribed to
re-send this e-mail.)

Thanks,
/Simon
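
Added example, not part of the original message and not xmlsec code: a Python sketch (standard-library ElementTree rather than the xmlsec C API) that resolves the namespace of every element named Signature and applies a name-plus-namespace test like the one quoted above. The sample document is the fragment from the message with the elided parts left empty, and check_node_name is a hypothetical stand-in for the library check.

```python
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the message's fragment, elided parts left empty so that
# the document is well-formed.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer
    xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Version="1.0">
    <KeyPackage/>
    <Signature>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod/>
        </ds:SignedInfo>
    </Signature>
</KeyContainer>"""


def split_tag(tag):
    """Split ElementTree's '{uri}local' tag form into (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return None, tag


def check_node_name(elem, name, ns):
    """Hypothetical stand-in for the quoted check: the local name and the
    namespace URI must both match."""
    uri, local = split_tag(elem.tag)
    return local == name and uri == ns


def classify_signatures(root):
    """For each element whose local name is Signature, return a tuple of
    (its namespace, whether it passes the xmldsig check, child namespaces)."""
    found = []
    for elem in root.iter():
        uri, local = split_tag(elem.tag)
        if local != "Signature":
            continue
        child_ns = sorted({split_tag(child.tag)[0] or "" for child in elem})
        found.append((uri, check_node_name(elem, "Signature", DSIG_NS), child_ns))
    return found


if __name__ == "__main__":
    for ns, ok, children in classify_signatures(ET.fromstring(SAMPLE)):
        print(f"Signature in {ns}: xmldsig check={ok}, children in {children}")
```

The unprefixed Signature element inherits the default (PSKC) namespace, so a check that requires the xmldsig namespace rejects it even though every child is in the xmldsig namespace.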

