Frode

Reputation: 3455

Xml signatures verify OK in .NET but fail in Java

I post this in SO because I was not able to find a solution anywhere and spent a lot of time figuring out what the problem was. I hope some developer struggling with the same problem finds this post in the future :)

C14N-transform seems to be implemented differently in .NET and Java. Two different "standards".

Never manually add the xmlns:xml namespace to your xml-document if a Java client might need to verify a contained xml signature. Java seems to strip away the xmlns:xml declaration BEFORE verifying the contained signature(!)


Upvotes: 1

Views: 330

Answers (2)

Michael Kay

Reputation: 163262

Blame this on the XML Canonicalization spec. Section 4.6 (Superfluous Namespace Declarations) states firstly:

Unnecessary namespace declarations are not made in the canonical form.

which implies that the declaration of the XML namespace is dropped, and then says

The root document element is handled specially since it has no parent element. All namespace declarations in it are retained, except the declaration of an empty default namespace is automatically omitted.

which implies that the declaration of the XML namespace is retained.

Writing specs is hard!

Upvotes: 2

Frode

Reputation: 3455

Remove (don't add manually!) any xmlns:xml declarations (the red box) if the signature uses C14N transform (the yellow box). Not tested, but this might apply to Exclusive C14N transforms as well.

  • Java (C14N transform) removes any xmlns:xml namespace declarations BEFORE validating the signature
  • .NET (C14N transform) keeps the xmlns:xml namespace declaration as-is BEFORE validating the signature

Hence, the XML hash values will be different and Java will report a signature failure while .NET will report it as OK (if it's OK, of course).

This problem is only verified for Java and .NET but might apply to other signature APIs, too.

Upvotes: 1
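As an added illustration (not part of the original question or answers): a stdlib-only Python pre-flight check that flags explicit xmlns:xml declarations before a document is signed, and shows how the reference digest diverges when one verifier drops the declaration and the other keeps it, which is the mismatch described above. It emulates only that one behaviour with a regex and is not a C14N implementation; the element and sample documents are constructed.

```python
import hashlib
import re

# Matches an explicit declaration of the reserved "xml" prefix on a start tag,
# e.g. <Root xmlns:xml="http://www.w3.org/XML/1998/namespace">.
# Assumption: a regex is enough for a pre-flight lint; it is not an XML parser.
XML_NS_DECL = re.compile(
    r'<(?P<name>[A-Za-z_][\w.\-:]*)[^>]*?'
    r'(?P<decl>\s+xmlns:xml="http://www\.w3\.org/XML/1998/namespace")'
)

# Constructed samples (no real signature): same content, with and without
# the declaration the question warns about.
SIGNED_WITH_DECL = (
    '<Invoice xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">'
    '<Amount>100</Amount></Invoice>'
)
SIGNED_WITHOUT_DECL = '<Invoice xml:lang="en"><Amount>100</Amount></Invoice>'


def find_explicit_xml_ns_decls(xml_text: str) -> list:
    """Names of the elements that carry an explicit xmlns:xml declaration."""
    return [m.group("name") for m in XML_NS_DECL.finditer(xml_text)]


def strip_xml_ns_decls(xml_text: str) -> str:
    """Emulate the Java-side behaviour described above: drop the declaration
    before the octets are hashed. Works right-to-left so offsets stay valid."""
    out = xml_text
    for m in reversed(list(XML_NS_DECL.finditer(xml_text))):
        out = out[:m.start("decl")] + out[m.end("decl"):]
    return out


def digest_hex(text: str) -> str:
    """SHA-256 over the UTF-8 octets, standing in for a DigestValue."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def interop_report(xml_text: str) -> dict:
    """Compare the digest a 'keep it' verifier and a 'strip it' verifier would
    compute over the same document; they agree only if no declaration exists."""
    kept = digest_hex(xml_text)
    stripped = digest_hex(strip_xml_ns_decls(xml_text))
    return {
        "offending_elements": find_explicit_xml_ns_decls(xml_text),
        "digest_keep_decl": kept,
        "digest_strip_decl": stripped,
        "digests_match": kept == stripped,
    }
```

Run `interop_report` on a document before signing it: a non-empty `offending_elements` list means a Java verifier and a .NET verifier will not hash the same octets.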
