InclusiveNamespaces are not considered in the Canonicalization algorithm

[KimDongHwan]

Hi I have read the other issues but haven't found a solution to this problem.

I am trying to validate a signature that has InclusiveNamespaces as a child of the CanonicalizationMethod like this:

<ds:CanonicalizationMethod` Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>

This should generate a canonicalized form with the namespace included, like this:

<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
  </ds:CanonicalizationMethod>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
...
...

but is only generating the ds:SignedInfo node with only one namespace (I think in the code is referenced as default defaultForPrefix, like this:

<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
  </ds:CanonicalizationMethod>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
...
...

Is there a workaround for this? Thanks in advance

[yaronn]

what is the xml you try to validate? try (just for testing) to add the root element you validate the xmlns:soap definition. alternatively try to add that definition to the defaultForPrefix struct.

[KimDongHwan]

Hi, I tried those and others solutions without success. So I had to extend (as a patch) what the getCanonXml does and hardcoded the namespace soap in the SignedInfo node. I will try to find where the real problem is (in my code or the library) and will report it if I find it.

[yaronn]

cool, glad to hear you found a way to make it work for you

[phra]

@yaronn can we have this fixed instead of patching it by hand?

[yaronn]

@phra yeah it needs to be fixed but my workload right now only allows me to accept a PR in case someone has time to send one.

[phra]

@yaronn yesterday i tried to fix it but with no success. if you can check it i've created a repro code: https://runkit.com/phra/59ee12cbf4d03e00120d1e4a

[yaronn]

The repro doesn't have an InclusiveNamespace section, I was under the assumption this is the underlying issue. Maybe someone that used the patch can provide their sample repro / fix. Sorry I'm not more invested on this issue I just don't have the capacity at the moment.

[phra]

@yaronn i've created a related issue here: #145 and i've updated the repro code fixing the verification on 2 of 3 messages. the last message doesn't get validated.