Hello, I've filed the following bug-report, but Daniel Veillard told me, that it'll be best to post on the mailing list and check with Aleksey. So this is what I'll do now ;) So here's my bugreport: Please describe the problem: The Problem is the following section of the C14N Recommondation: 4.7 Propagation of Default Namespace Declaration in Document Subsets The XPath data model represents an empty default namespace with the absence of a node, not with the presence of a default namespace node having an empty value. Thus, with respect to the fact that element e3 in the following examples is not namespace qualified, we cannot tell the difference between <e1 xmlns="a:b"><e2 xmlns=""><e3/></e2></e1> versus <e1 xmlns="a:b"><e2><e3 xmlns=""/></e2></e1>. All we know is that e3 was not namespace qualified on input, so we preserve this information on output if e2 is omitted so that e3 does not take on the default namespace qualification of e1. The implementation of C14n in libxml2 does not seem to do have the same behavior, as the implementation of Sun (for Java) or IBM (see http://www.aleksey.com/pipermail/xmlsec/2003/000976.html ), thus I do not think, this will change in the future. I'm actually not quite sure, what is meant by that part of the specification, so it might be quite possible, that Sun and IBM are correct, but libxml2 is not. Steps to reproduce: Try to canocalize the following XML-Document (I have reduced it to the essential part): <dsig:SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"; xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI=""> <dsig:Transforms> <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116";><dsig:XPath xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";> count(ancestor-or-self::dsig:Signature | here()/ancestor::dsig:Signature[1]) > count(ancestor-or-self::dsig:Signature) </dsig:XPath> </dsig:Transform> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <dsig:DigestValue>nDF2V/bzRd0VE3EwShWtsBzTEDc=</dsig:DigestValue></dsig:Reference> </dsig:SignedInfo> Actual results: libxml2 canocalisation adds, because in SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"; is defined, loads of xmlns="" declarations to all child nodes of SignedInfo and it does not remove the extra namespace declaration in XPath (as it must accoriding to http://www.w3.org/TR/2001/REC-xml-c14n-20010315#SuperfluousNSDecl ) Expected results: Java does not add the extra xmlns="" and removes the extra namespace declaration in XPath. Because C14N is used for signing documents, all implementations must behave the same, else the signatures cannot be verified. So I expect libxml2 to behave as Java (and as it seems the rest of the world does) Does this happen every time? I only have tested it with this example (or slight modifications), but I checked the code and it should not behave very differently in other cases. cheers, Arne PS: I already wrote a fix that seems to work for me, but I'm not quite sure, if it's really correct. I think I actually only had one example case with that special problem to test it against.
Attachment:
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil