[xmlsec] Signing with root element not having namespace

Kiss Ádám kiss.adam at prolan.hu
Fri Jun 5 13:11:42 PDT 2020

Right, so it cannot be done this way. Thank you!

I also tried to put the Signature element into ds: namespace, but then the sign tool failed again. It turned out the removing the cb: namespace from the parent element of the ds:Signature node solves the problem. I saw xmlSecDSigNs variable hardcoded in libxmlsec not only when finding the Signature node, but also later in the transformation chain. May I ask if that is mandatory to be that way, or I can change the search namespace (by changing that constant) to the relative one written in our standard. I should then recompile of course the whole lib which I've done before.

Bests, Adam

Feladó: Aleksey Sanin <aleksey at aleksey.com>
Elküldve: 2020. június 4. 17:09
Címzett: Kiss Ádám; xmlsec at aleksey.com
Tárgy: Re: [xmlsec] Signing with root element not having namespace

In xmndsig-core-schema.xsd, there is targetNamespace defined:


Which places ALL entities (types, elements, ...) from this schema
into this namespace (including Signature node itself).

In XYZBlock.xsd, the same Signature element is redefined for no
obvious reasons as

<xs:element name="Signature" type="ds:SignatureType"/>

This should be replaced with something like this to reference the
Signature element defined in xmldsig spec:

<xs:element ref="ds:Signature"/>

As it stands right now, this is not an xmldsig compatible construct.

Hope this helps,


On 6/4/20 3:57 AM, Kiss Ádám wrote:
> Thank you for your answer!
> Unfortunately the standard is not public, but obfuscated version should
> be okay for investigation. I've attached the XSDs the standard specify.
> The XML I sent you earlier is just our interpretation, can be changed.
> Do you have any idea we can go on?
> Bests, Adam
> ------------------------------------------------------------------------
> *Feladó:* Aleksey Sanin <aleksey at aleksey.com>
> *Elküldve:* 2020. június 3. 17:39
> *Címzett:* Kiss Ádám; xmlsec at aleksey.com
> *Tárgy:* Re: [xmlsec] Signing with root element not having namespace
> Indeed in your XML file the Signature node doesn't have the correct
> namespace:
> <Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> Is this standard publically available somewhere? This doesn't look
> right to me.
> Aleksey
> On 6/3/20 7:50 AM, Kiss Ádám wrote:
>> Hello!
>> I've been using your lib for a long time with many success!
>> Now I got a task which I cannot handle with my skills. I've attached a
>> simplified version of the XML.
>> The main problem is that an industry standard determines the whole
>> structure of the XML in this application including the namespaces. When
>> I tried to sign it with the standard method in the doc I got the error:
>> 'node not found'. It turned out xmlsecGetNodeNSHref sees the <Signature>
>> block with (null) namepspace, which doesn't fit xmlsec's requirement.
>> Changing xmlSecFindNode to ignore the (null) namespace helped for a
>> short time, but some function calls later a similar error was found in
>> xmlSecFindParent. After getting over again C14N failed. I am not sure if
>> that (null) is the problem during the canonization.
>> I cannot see that deep into the code. Could you help me out?
>> Bests,
>> Adam
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20200605/f9a66f93/attachment.htm>

More information about the xmlsec mailing list