<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>XML namespaces are pretty confusing. From what little I gather,
unprefixed attributes don't belong to any namespace, not even the
default one.</p>
<p>I think I can see the bug in the debugging output.<br>
</p>
<p>On Java 8 and 10 and 11, I'd guess that the
marshaling/canonicalization has issues when combining differently
namespaced objects.<br>
</p>
<p>In my working code (also works on Java 11), when my ETSI/XADES
QualifyingProperties element is created specifying my namespace
(the default namespace for the XML document that I'm signing), it
works fine. If I change my document's default namespace to be the
XADES one, it also works. But I cannot make them work when both
are in use. The reason seems to be as follows.</p>
<p>1) The signedXML generated looks great and sensible, with the
xades namespace as expected.<br>
</p>
<p><tt> <ds:Object></tt><tt><br>
</tt><tt> <xades:QualifyingProperties
Id="QualifyingProperties_ID" Target="#OpenESignForms_Seal" </tt><tt><b>xmlns:xades=<a class="moz-txt-link-rfc2396E" href="http://uri.etsi.org/01903/v1.4.1#">"http://uri.etsi.org/01903/v1.4.1#"</a></b></tt><tt>></tt><tt><br>
</tt><tt> <xades:SignedProperties></tt><tt><br>
</tt><tt> <xades:SignedSignatureProperties></tt><tt><br>
</tt><tt>
<xades:SigningTime>2019-02-15T11:30:44-08:00</xades:SigningTime></tt><tt><br>
</tt><tt> </xades:SignedSignatureProperties></tt><tt><br>
</tt><tt> <xades:SignedDataObjectProperties></tt><tt><br>
</tt><tt> <xades:DataObjectFormat
ObjectReference="#Payload_Reference_ID"></tt><tt><br>
</tt><tt>
<xades:Description>description</xades:Description></tt><tt><br>
</tt><tt>
<xades:MimeType>text/html</xades:MimeType></tt><tt><br>
</tt><tt> </xades:DataObjectFormat></tt><tt><br>
</tt><tt> </xades:SignedDataObjectProperties></tt><tt><br>
</tt><tt> </xades:SignedProperties></tt><tt><br>
</tt><tt> </xades:QualifyingProperties></tt><tt><br>
</tt><tt> </ds:Object></tt><tt><br>
</tt><br>
</p>
<p>2) But using the debugging options, it shows this element during
SIGNING (presuming canonicalization) that makes <i><b>no sense</b></i>.
It's added both the default namespace, the 'dsig' namespace, but
doesn't include the xades namespace. Wwhat does the 'xades'
prefix even refer to in this XML for the signing digest?<br>
</p>
<p><tt> <xades:QualifyingProperties </tt><tt><b>xmlns=<a class="moz-txt-link-rfc2396E" href="http://open.esignforms.com/XMLSchema/2011">"http://open.esignforms.com/XMLSchema/2011"</a>
xmlns:ds=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#">"http://www.w3.org/2000/09/xmldsig#"</a></b></tt><tt>
Id="QualifyingProperties_ID" Target="#OpenESignForms_Seal"></tt><tt><br>
</tt><tt> <xades:SignedProperties></tt><tt><br>
</tt><tt> <xades:SignedSignatureProperties></tt><tt><br>
</tt><tt>
<xades:SigningTime>2019-02-15T11:30:44-08:00</xades:SigningTime></tt><tt><br>
</tt><tt> </xades:SignedSignatureProperties></tt><tt><br>
</tt><tt> <xades:SignedDataObjectProperties></tt><tt><br>
</tt><tt> <xades:DataObjectFormat
ObjectReference="#Payload_Reference_ID"></tt><tt><br>
</tt><tt>
<xades:Description>description</xades:Description></tt><tt><br>
</tt><tt>
<xades:MimeType>text/html</xades:MimeType></tt><tt><br>
</tt><tt> </xades:DataObjectFormat></tt><tt><br>
</tt><tt> </xades:SignedDataObjectProperties></tt><tt><br>
</tt><tt> </xades:SignedProperties></tt><tt><br>
</tt><tt> </xades:QualifyingProperties></tt><br>
</p>
<p>3) And again, the debugger shows this element during VERIFICATION
(presuming canonicalization) that is excessive, but at least makes
some sense (though there are no default elements nor 'dsig'
elements). It's added all three namespaces: our default
namespace, the 'dsig' namespace AND the 'xades' namespace. <br>
</p>
<p><tt> <xades:QualifyingProperties <b>xmlns=<a class="moz-txt-link-rfc2396E" href="http://open.esignforms.com/XMLSchema/2011">"http://open.esignforms.com/XMLSchema/2011"</a>
xmlns:ds=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#">"http://www.w3.org/2000/09/xmldsig#"</a> <font
color="#cc0000">xmlns:xades=<a class="moz-txt-link-rfc2396E" href="http://uri.etsi.org/01903/v1.4.1#">"http://uri.etsi.org/01903/v1.4.1#"</a></font></b>
Id="QualifyingProperties_ID" Target="#OpenESignForms_Seal"></tt><tt><br>
</tt><tt> <xades:SignedProperties></tt><tt><br>
</tt><tt> <xades:SignedSignatureProperties></tt><tt><br>
</tt><tt>
<xades:SigningTime>2019-02-15T11:30:44-08:00</xades:SigningTime></tt><tt><br>
</tt><tt> </xades:SignedSignatureProperties></tt><tt><br>
</tt><tt> <xades:SignedDataObjectProperties></tt><tt><br>
</tt><tt> <xades:DataObjectFormat
ObjectReference="#Payload_Reference_ID"></tt><tt><br>
</tt><tt>
<xades:Description>description</xades:Description></tt><tt><br>
</tt><tt>
<xades:MimeType>text/html</xades:MimeType></tt><tt><br>
</tt><tt> </xades:DataObjectFormat></tt><tt><br>
</tt><tt> </xades:SignedDataObjectProperties></tt><tt><br>
</tt><tt> </xades:SignedProperties></tt><tt><br>
</tt><tt> </xades:QualifyingProperties</tt><br>
</p>
<p>So the libraries are oddly creating two distinct canonicalized
XML for digesting, with the signing phase seeming to miss the
important 'xades' namespace declaration entirely. This is no
doubt why this is the only Reference that fails verification as
the two. I'm guessing that the verification digest is correct
when using multiple namespaced objects/references, but the signing
digest is not since it doesn't include the 'xades' namespace
declaration.</p>
<p>This seems to hold true for Java 8, 10 and 11. That is, by
specifying null namespaces on atrributes, the code fails the same
under under Java 11, and the debugging output shows the same odd
namespaces above. If I use a single namespace, then it signs fine
under Java 8, 10 and 11.<br>
</p>
<p>David</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 2/15/19 11:12 AM, Sean Mullan wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ea7a7809-665d-c8aa-9ebf-f2a54abbaf92@oracle.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div class="moz-cite-prefix">On 2/14/19 9:32 PM, Open eSignForms
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:166893ef-5c96-ba36-3a94-114dd2caeccf@gmail.com">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p>Yes, indeed that's the issue. But I don't know why/how all
those xmlns attributes are added, since I don't directly add
them.</p>
<p>I found the only way I can make it work under Java 8, 10 and
11 is to use my common namespace (XML_NAMESPACE_2011 = <a
class="moz-txt-link-rfc2396E"
href="http://open.esignforms.com/XMLSchema/2011"
moz-do-not-send="true">"http://open.esignforms.com/XMLSchema/2011"</a>)
for all the XADES elements with the null namespace on all
their attributes. Even if I put that same namespace on the
attributes, it then fails.</p>
<p>When I do that, the signed XML generates clean looking XML
like this:</p>
<p> <ds:Object><br>
<QualifyingProperties Id="QualifyingProperties_ID"
Target="#OpenESignForms_Seal"><br>
<SignedProperties><SignedSignatureProperties><br>
<SigningTime>2019-02-14T17:37:39-08:00</SigningTime><br>
</SignedSignatureProperties><br>
<SignedDataObjectProperties><br>
<DataObjectFormat
ObjectReference="#Payload_Reference_ID"><br>
<Description>description</Description><br>
<MimeType>text/html</MimeType><br>
</DataObjectFormat><br>
</SignedDataObjectProperties><br>
</SignedProperties><br>
</QualifyingProperties><br>
</ds:Object><br>
<ds:Object><br>
<ds:SignatureProperties><br>
<ds:SignatureProperty<b>
Id="OpenESignForms_Seal_ID" Target="#OpenESignForms_Seal"</b>><br>
<OpenESignForms_XmlDigitalSignatureSeal
DeploymentHostAddress="192.1.1.1"
DeploymentHostName="open.esignforms.com"
DeploymentId="1.1.1.1" SignerAddress="192.1.1.1"
SignerAgent="No-Browser-Test"
Timestamp="2019-02-14T17:37:39-08:00" Version="19.1.19"/><br>
</ds:SignatureProperty><br>
</ds:SignatureProperties><br>
</ds:Object><br>
<br>
</p>
<p>But even above, as you can see, the second ds:Object shows
ds:SignatureProperty, yet the Id and Target attributes do not
include a 'ds:' prefix, which it's my understanding to mean
that they default to our XML payload's default namespace. </p>
</blockquote>
<p>I don't think that's correct, I think attributes w/o a prefix
by default belong to the namespace of the element in which they
are defined, which in this case is SignatureProperties and the
dsig namespace.</p>
<p>Regarding below, I would forget about JDK 11 for the time being
and focus on generating a signature with proper XMLNS
definitions on JDK 10. If you have any problems verifying with
that on JDK 10 or prior, let me know. The reason is that we will
likely be restoring JDK 11 (and later) to the same state it was
in for JDK 10. There were some changes to the marshalling code
in JDK 11 which is causing these and other problems which will
likely be backed out. <br>
</p>
<p>--Sean</p>
</blockquote>
</body>
</html>