
Is it possible to assign the enveloped Signature as a subchild that is in a different namespace than the XML Document you've signed?

For example:

<?xml version="1.0" encoding="UTF-8"?>
<Message xmlns="http://www.w3.org/2001/XMLSchema-instance" xmlns:a="myNamespace">
  <Header>
    <head:sgntr xmlns:head="myHeader"></head:sgntr>
  </Header>
  <Data>
    <a:DataEntry>some data</a:DataEntry>
    <a:DataEntry>some data</a:DataEntry>
  </Data>
</Message>

Calculate your Signature with the canonicalization method XmlDsigC14NTransform and then place it in the sgntr node. The issue that I face is that 3rd party software cannot validate my XML; if I move the signature to the last node of the XML Document, the 3rd party can validate it successfully.

ChrVer
  • See the following posting, which has an Envelope with namespace 'S' and the signature with namespace 'ds': https://stackoverflow.com/questions/46722997/saml-assertion-in-a-xml-using-c-sharp/46724392 – jdweng Aug 21 '18 at 15:53
  • You should add more information about why the 3rd party software cannot validate the XML. What specification do they use? – Jeroen Heier Aug 21 '18 at 15:54
  • 3rd party is the customer and XML ValidatorBuddy, the DigestValue is correct but SignatureValue isn't. We found a solution/workaround that I will post on this question. – ChrVer Aug 22 '18 at 07:55

1 Answer


Problem was that the namespace prefixes defined between the root of a message and the node the signature ends up in are not considered when canonicalizing the SignedInfo. The SignatureValue is calculated on the SignedInfo so the solution that works is to add the namespaces that weren't declared in the XMLDocument root in the SignedInfo. This was done by overwriting the XmlDsigC14NTransform:GetOutput(...).

ChrVer
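The mismatch the answer describes, as an added example that is not part of the original post: inclusive C14N 1.0 writes every in-scope namespace onto the SignedInfo start tag, so a prefix declared on head:sgntr changes the bytes the verifier hashes. The Signature skeleton, the unprefixed xmldsig default namespace and all function names are assumptions made for illustration.

```python
import io
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

def namespace_scopes(xml_bytes):
    """Return (root_scope, own_decls, full_scope) for the first ds:Signature.
    Each is a {prefix: uri} dict; '' is the default namespace."""
    stack, pending = [], {}
    events = ("start-ns", "start", "end")
    for event, payload in ET.iterparse(io.BytesIO(xml_bytes), events=events):
        if event == "start-ns":          # fires before the element's "start"
            pending[payload[0]] = payload[1]
        elif event == "start":
            scope = {**(stack[-1] if stack else {}), **pending}
            stack.append(scope)
            if payload.tag == "{%s}Signature" % DSIG:
                return stack[0], pending, scope
            pending = {}
        else:
            stack.pop()
    raise ValueError("no ds:Signature element found")

def start_tag(scope):
    """SignedInfo start tag as inclusive C14N 1.0 writes it for a subtree apex:
    every in-scope namespace, default first, then sorted by prefix.
    Assumes SignedInfo is unprefixed (xmldsig is the default namespace)."""
    decls = ['xmlns%s="%s"' % (":" + p if p else "", u)
             for p, u in sorted(scope.items()) if u]
    return "<SignedInfo %s>" % " ".join(decls)

def signedinfo_views(xml_bytes):
    """(signer, verifier): start tag canonicalized against root-only context
    (the behaviour the answer describes) vs. against the real position."""
    root, own, full = namespace_scopes(xml_bytes)
    return start_tag({**root, **own}), start_tag(full)

# Constructed sample: the question's message with a skeleton Signature.
SIG = '<Signature xmlns="%s"><SignedInfo/></Signature>' % DSIG
MSG = ('<Message xmlns="http://www.w3.org/2001/XMLSchema-instance" xmlns:a="myNamespace">'
       '<Header><head:sgntr xmlns:head="myHeader">%s</head:sgntr></Header>'
       '<Data><a:DataEntry>some data</a:DataEntry></Data>%s</Message>')
IN_HEADER = (MSG % (SIG, "")).encode()   # signature inside head:sgntr
AT_END = (MSG % ("", SIG)).encode()      # signature as last child of the root

if __name__ == "__main__":
    for name, doc in (("in header", IN_HEADER), ("at end", AT_END)):
        signer, verifier = signedinfo_views(doc)
        print(name, "match" if signer == verifier else "MISMATCH")
        print("  signer:  ", signer)
        print("  verifier:", verifier)
```

Run against a rejected message, any prefix that appears only in the verifier view is one the signer has to account for when canonicalizing SignedInfo.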