SgDotNet
Singapore Professional .NET User Group - For Cool Developers

How to set a namespace in an xmldsig signature?


Top 200 Contributor
Posts 8
Senshodan Posted: 02-02-2006 6:48 PM
Hello,

Currently I'm working with Visual Studio 2003 in order to generate an xmldsig signature. I'm using the SignedXml class to create the xmldsig signature and I get something like this:

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
............
  </Signature>

But I need the signature to be in a namespace that should be identified by
the dsig prefix:

<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
.....
</dsig:Signature>

How can I achieve this?

Any help would be greatly appreciated.
Thanks
Top 10 Contributor
Posts 865
Put some code here and let's see what we can do.

~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"

Top 200 Contributor
Posts 8
I use nothing special but the code that is used as example in the MSDN:

using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

// Get the signing key (myCrypto / myCertContext are the poster's own helpers)
RSACryptoServiceProvider myRSA = myCrypto.GetMyRSACryptoProvider(myCertContext);

// Create the SignedXml object over the document to be signed
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = false;
doc.Load(new XmlTextReader("c:/tmp/tobesigned/hola.xml"));
MySignedXml signedXml = new MySignedXml(doc);
signedXml.SigningKey = myRSA;

// Create a reference to the element with Id="file1" inside the document
Reference reference = new Reference();
reference.Uri = "#file1";
signedXml.AddReference(reference);

// Compute the signature.
signedXml.ComputeSignature();

// Get the XML representation of the signature as an XmlElement
XmlElement xmlDigitalSignature = signedXml.GetXml();

// Write the resulting XML to disk
XmlTextWriter xmltw = new XmlTextWriter("C:/tmp/signature/TrialPedroCert.xml", new UTF8Encoding(true));
xmlDigitalSignature.WriteTo(xmltw);
xmltw.Close();

That code computes the signature perfectly, but I don't know how to add the namespace prefix to the resulting XML. (I can't add it after creating the signature because it will corrupt the signature.)

Top 10 Contributor
Posts 865

Let me guess ...

you are submitting this snippet to the Apache security suite.

I have seen you post the same code around over the web. The problem is not your code BUT the validator used to read this.

The dsig prefix doesn't indicate whether the two use different namespaces. Check
the namespaces and compare (in the first case check the default namespace
xmlns="...").

If the validator cannot read this, then it is really poor design to rely on namespace prefix.

If you look at the specs, Section 1.3 states that:

This namespace is also used as the prefix for algorithm identifiers used by this specification. While applications MUST support XML and XML namespaces, the use of internal entities [XML] or our "dsig" XML namespace prefix and defaulting/scoping conventions are OPTIONAL; we use these facilities to provide compact and readable examples.

Therefore, it is NOT necessary to have a prefix on it as long as it points to the same namespace ...

However, AFAIK - If you need to, you will need to do a lot of grunt work and that means building your own signature stack.


~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"

Top 10 Contributor
Posts 865

 Softwaremaker wrote:
...However, AFAIK - If you need to, you will need to do a lot of grunt work and that means building your own signature stack...

I have looked closely at that stack - if you really need the dsig prefix and the other end cannot validate it, you would have to output your own signatures. It is not as hard as it sounds. Just a fair bit of grunt work. No rocket science involved.

I would advise you to advise the other party of the spec requirements. Having the prefix is only OPTIONAL and to be honest - prefixes are not important at all. If the other party needs to have it to validate it, then it is a serious design flaw on their end.

Strictly speaking -

  • <ds:Signature xmlns:ds="urn:softwaremaker.net-foo.bar" />
  • <dsig:Signature xmlns:dsig="urn:softwaremaker.net-foo.bar" />
  • <Signature xmlns="urn:softwaremaker.net-foo.bar" />

are isomorphically the same.

If the other parser thinks it is different, it is a design flaw at the other end.

If the other end is an Apache AXIS Server, I believe the newer version (WSS4J 1.0) fixes their problem.

~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"
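To show the point made above in runnable form (an added example, not code from this thread; it uses Python's standard library rather than .NET, and the XML snippets are constructed samples): a namespace-aware comparison treats the default-namespace, "ds" and "dsig" forms of a Signature as identical, while the canonical bytes a signature is computed over differ between them, which is why a prefix cannot be patched in after ComputeSignature without breaking the signature.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

# Constructed sample inputs: the same Signature skeleton serialized three ways
# (default namespace, "ds" prefix, "dsig" prefix) plus one in a different namespace.
DEFAULT_NS = ('<Signature xmlns="%s"><SignedInfo>'
              '<CanonicalizationMethod Algorithm="%s"/></SignedInfo></Signature>'
              % (DSIG_NS, C14N))
DS_PREFIX = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
             '<ds:CanonicalizationMethod Algorithm="%s"/></ds:SignedInfo></ds:Signature>'
             % (DSIG_NS, C14N))
DSIG_PREFIX = ('<dsig:Signature xmlns:dsig="%s"><dsig:SignedInfo>'
               '<dsig:CanonicalizationMethod Algorithm="%s"/></dsig:SignedInfo></dsig:Signature>'
               % (DSIG_NS, C14N))
WRONG_NS = DEFAULT_NS.replace(DSIG_NS, "urn:example:not-xmldsig")


def infoset(elem):
    """Prefix-independent view of an element: ElementTree expands every name to
    {namespace-uri}local, so the prefix used in the serialization is gone."""
    return (elem.tag, tuple(sorted(elem.attrib.items())), (elem.text or "").strip(),
            tuple(infoset(child) for child in elem))


def namespace_equivalent(xml_a, xml_b):
    """What a correct validator compares: qualified names, never prefixes."""
    return infoset(ET.fromstring(xml_a)) == infoset(ET.fromstring(xml_b))


def canonical_digest(xml):
    """SHA-256 over the C14N form. C14N preserves prefixes, so the bytes a
    SignatureValue covers change if the prefix is rewritten after signing."""
    return hashlib.sha256(ET.canonicalize(xml).encode("utf-8")).hexdigest()


def qualified_root(xml):
    """Expanded name of the root element, e.g. {http://www.w3.org/2000/09/xmldsig#}Signature."""
    return ET.fromstring(xml).tag


if __name__ == "__main__":
    print(qualified_root(DSIG_PREFIX))
    print("same infoset:", namespace_equivalent(DEFAULT_NS, DSIG_PREFIX))
    print("same canonical digest:", canonical_digest(DS_PREFIX) == canonical_digest(DSIG_PREFIX))
```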

Top 200 Contributor
Posts 8
Thanks a lot for your replies.

I know that the prefix is not strictly needed, but in my case it is strongly recommended to add it. Let me explain: we have the whole signature generator and validator done in JAVA and now we want to add a signature generator done in .NET in order to have access from COM clients (which is what I'm developing). We want the .NET signature generator to output the same signature format that our JAVA signature generator does.
Here comes the need for the prefix, because our JAVA signer outputs the signature with that prefix (it was decided some time ago). Although the validator can validate the signature without the prefix, we would like to create our signatures with the prefix inside.

You told that adding that prefix " It is not as hard as it sounds. Just a fair bit of grunt work. No rocket science involved."
Do you have any clue about that??

Thanks again Softwaremaker.

Top 10 Contributor
Posts 865

 Senshodan wrote:
Although the validator can validate the signature without the prefix, we would like to create our signatures with the prefix inside.

You told that adding that prefix " It is not as hard as it sounds. Just a fair bit of grunt work. No rocket science involved."
Do you have any clue about that??

1) If the specs say the prefix is OPTIONAL and your validator can validate the prefix-less signatures, why would you want to "create the signatures with the prefix inside" ? What is the compelling reason for that ?

2) The constant you need to override with the prefix is an internal class. Therefore, you need to disassemble the .NET XMLSignature stacks. The [internal] XMLSignature class contains the prefixes you need to change

~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"

Top 200 Contributor
Posts 8
Thanks again for replying so quickly.

About 1 there are two reasons:
- Compatibility with our existing signer.
- We are planning to extend the signature to XADES format. In that case the dsig prefix is mandatory.

About 2
- I'm completely lost about that. Do you know where I could find more info about that subject?

Thanks a lot for your support.

Top 10 Contributor
Posts 865

 Senshodan wrote:
...- We are planning to extend the signature to XADES format. In that case the dsig prefix is mandatory.

Did you mean the ds prefix? The specs didn't make any mention of dsig.

~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"

Top 200 Contributor
Posts 8
Yep I meant ds prefix...
Top 10 Contributor
Posts 865

It's your lucky day. If you agree to my disclaimer here, you may proceed to my blog post here: http://www.softwaremaker.net/blog/XAdESInteropWithXMLDSIGAsImplementedByTheNETFramework.aspx and see my explanations behind it all. At the end, you will find a download.

I hope it works!!! I know you have been asking around about this for some time in the forums and newsgroups with no answers :)


~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"

Top 200 Contributor
Posts 8
I'm really impressed!

I have just read your blog (I was working on another issue for some days) and I'm really impressed by the work you have done; now I just have to try it to see if it works :)

I don't know how to say thanks for such help; if any day you come to Barcelona just send me an e-mail and I will invite you for a beer.

By the way, taking advantage of your knowledge of .NET and digital signatures, do you know something about this issue?

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=225235&SiteID=1

The problem doesn't happen using .NET 1.1, but with 2.0 it crashes as described...

Well just say thanks again!!
Top 10 Contributor
Posts 865

I have spoken to a few experts [on the standards body] about this and it seems that the consensus is that the prefix is NOT needed at all.

The XAdES specifications did not EXPLICITLY state that the prefix is needed so I don't see how you draw the conclusion that prefixes are fixed. Maybe I am missing something.

It looked to me like all the spec was saying was that the *examples* used those prefixes.

It strikes me as surprising that any specification worth its salt would specify a *fixed prefix*. It would have been too restrictive and not something that many vendors would agree and abide.

You may want to check with the other party for this.

~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"

Copyright SgDotNet 2004-2008