FAQ: Error Signing SOAP Message

Sentry administrators may encounter an error similar to the following with the Sign Document task.


Element tns:ElementName has a relative namespace: xmlns:tns="test"


The XML Signature specification forbids the relative namespace syntax. All canonicalization specifications used with XML Signature include the following requirement:

"implementations of XML canonicalization MUST report an operation failure on documents containing relative namespace URIs"

For example:
Canonical XML Section 2.1


The purpose of the canocalization process is to guarantee that the document is normalized to a format that makes two similarly distinct documents the same. When a relative namespace is used, the absolute namespace is obtained from where the document was retrieved. If two documents belonging to two different domains were signed with a relative URI, the canocalized versions could be identical when in reality there are two different documents. This part of the RFC explains this as:

..., note that a document containing a relative URI [URI] is only operational when accessed from a specific URI that provides the proper base URI. In addition, if the document contains external general parsed entity references to content containing relative URIs, then the relative URIs will not be operational in the canonical form, which replaces the entity reference with internal content (thereby implicitly changing the default base URI of that content). Both of these problems can typically be solved by adding support for thexml:base attribute [XBase] to the application, then adding appropriate xml:base attributes to document element and all top-level elements in external entities. In addition, applications often have an opportunity to resolve relative URIs prior to the need for a canonical form. For example, in a digital signature application, a document is often retrieved and processed prior to signature generation. The processing SHOULD create a new document in which relative URIs have been converted to absolute URIs, thereby mitigating any security risk for the new document.



To resolve the error, use valid absolute namespace URIs.  If you have no control over this aspect of the service, you can workaround this error in Sentry by first encrypting the SOAP message. Then sign the encrypted document.  You can then encrypt the signed document again if necessary.


Article is closed for comments.