Incorrect Namespace in <DigestMethod> Element during XML Signing Process #268

@GabrielIFPB

Description

Hello,

I encountered an issue when using signxml to validate XML documents, specifically during the signing process. The problem arises with the namespace being generated for the <DigestMethod> element, causing validation to fail.

Problem Description:

When signing an XML document using the XMLSigner function, the generated <DigestMethod> element looks like this:

<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />

However, when attempting to validate the signed XML, the following error is returned:

signxml.exceptions.InvalidInput: Expected to find XML element DigestMethod in {http://www.w3.org/2000/09/xmldsig#}Reference

The library expects the <DigestMethod> element to be in the {http://www.w3.org/2000/09/xmldsig#} namespace, but the generated namespace includes a suffix {http://www.w3.org/2000/09/xmldsig#sha256}.

Code Snippet

Here is the code used to generate the XML signature:

from signxml import XMLSigner, methods, namespaces

signer = XMLSigner(
    method=methods.enveloped,
    signature_algorithm="rsa-sha256",
    digest_algorithm="sha256",
    c14n_algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
)
# Emit the Signature with xmldsig as the default namespace (no "ds:" prefix).
signer.namespaces = {None: namespaces.ds}

# `xml` is the lxml tree to sign; `self._key` and `self._cert` hold the
# PEM-encoded private key and certificate as bytes.
signed_xml = signer.sign(
    xml,
    key=self._key,
    cert=self._cert.decode("utf-8"),
)

When validating the signed XML, the following code is used:

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from signxml import XMLVerifier

# `xml` is the signed document; `self._cert` is the signer's certificate in PEM form (bytes).
element = (
    XMLVerifier()
    .verify(
        xml,
        x509_cert=x509.load_pem_x509_certificate(self._cert, default_backend()),
    )
    .signed_xml
)
return element is not None

Steps to Reproduce

Use the XMLSigner function with the following options:

from signxml import XMLSigner, methods

# `xml_tree` is the lxml tree to sign; `key_pem` and `cert_pem` are the PEM-encoded key and certificate.
# `methods.enveloped` is the construction-method enum member, as in the snippet above.
signer = XMLSigner(method=methods.enveloped, digest_algorithm="sha256", signature_algorithm="rsa-sha256")
signed_xml = signer.sign(xml_tree, key=key_pem, cert=cert_pem)

Sign an XML document using an X.509 certificate.

Attempt to validate the signed XML using the XMLVerifier() function:

from signxml import XMLVerifier

XMLVerifier().verify(signed_xml, x509_cert=cert_pem)

An error will be raised indicating that the <DigestMethod> element has an incorrect namespace.

Example of Generated XML

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="">
            <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <DigestValue>up+cY/DEYshLIgY9MO0KvcBRMjbiM6CmgXoEB5LoDW8=</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>DoK38M+OpkbimgtWJF+TvUqdM4cmeLa6LO2FGz7Ogw==</SignatureValue>
    <KeyInfo>
        <X509Data>
            <X509Certificate>MIIHKTCCBRGgAwIBAgIJAND2FRy/7FwhMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
BAYTAkJSMRMwEQYDVQQKDApJQ1AtQnJhc2lsMRgwFgYDVQQLDA9BQyBESUdJVEFM
IE1BSVMxHzAdBgNVBAMMFkFDIERJR0lUQUwgTVVMVElQTEEgRzEwHhcNMjQwMzA2
MTUwMjM2WhcNMjUwMzA</X509Certificate>
        </X509Data>
    </KeyInfo>
</Signature>
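The distinction the verifier's error turns on, the namespace an element lives in versus the Algorithm URI it carries, can be checked with the standard library alone. The diagnostic below is an added example, not code from this issue or from signxml: it parses a constructed signature modelled on the one above (digest, signature value and certificate replaced by placeholders), records the namespace of every element under Signature and the Algorithm URI on each method element, and flags any element outside the xmldsig namespace, any unrecognised algorithm identifier, and any Reference lacking a DigestMethod or DigestValue in that namespace. A second constructed document, in which DigestMethod really is placed in a namespace ending in "#sha256", shows what the "Expected to find XML element DigestMethod" condition corresponds to. The function names and the known-algorithm sets are mine; the URIs in those sets are the standard identifiers from the XML Signature specifications.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm identifier URIs from the XML Signature specifications. A "#sha256"
# style fragment is part of these identifiers, not part of an element namespace.
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}
SIGNATURE_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
C14N_ALGS = {
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2006/12/xml-c14n11",
}
TRANSFORM_ALGS = C14N_ALGS | {"http://www.w3.org/2000/09/xmldsig#enveloped-signature"}
EXPECTED_ALGS = {
    "DigestMethod": DIGEST_ALGS,
    "SignatureMethod": SIGNATURE_ALGS,
    "CanonicalizationMethod": C14N_ALGS,
    "Transform": TRANSFORM_ALGS,
}


def split_tag(tag):
    """ElementTree spells a qualified name as '{namespace}local'; split it."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def inspect_signature(xml_text):
    """Report, for every element under ds:Signature, its namespace and Algorithm URI.

    Returns a dict with 'ok', the list of 'problems', a 'namespaces' map
    (local name -> namespace) and an 'algorithms' map (local name -> URI,
    or a list of URIs for the repeatable Transform element).
    """
    root = ET.fromstring(xml_text)
    sig = root if split_tag(root.tag) == (DS_NS, "Signature") else root.find(f".//{{{DS_NS}}}Signature")
    if sig is None:
        return {"ok": False, "problems": ["no Signature element in the xmldsig namespace"],
                "namespaces": {}, "algorithms": {}}
    problems, namespaces, algorithms = [], {}, {}
    for el in sig.iter():
        ns, local = split_tag(el.tag)
        namespaces[local] = ns
        if ns != DS_NS:
            problems.append(f"{local} is in namespace {ns!r}, expected {DS_NS!r}")
        alg = el.get("Algorithm")
        if alg is None:
            continue
        if local == "Transform":
            algorithms.setdefault("Transform", []).append(alg)
        else:
            algorithms[local] = alg
        if local in EXPECTED_ALGS and alg not in EXPECTED_ALGS[local]:
            problems.append(f"{local} uses unrecognised Algorithm {alg!r}")
    # Every Reference must carry DigestMethod and DigestValue in the xmldsig namespace;
    # this is the lookup that fails when DigestMethod sits in some other namespace.
    for ref in sig.iter(f"{{{DS_NS}}}Reference"):
        for child in ("DigestMethod", "DigestValue"):
            if ref.find(f"{{{DS_NS}}}{child}") is None:
                problems.append(f"Reference is missing {{{DS_NS}}}{child}")
    return {"ok": not problems, "problems": problems, "namespaces": namespaces, "algorithms": algorithms}


# Constructed sample modelled on the signature in the issue; DigestValue,
# SignatureValue and the certificate are placeholders, not real values.
SIGNED_OK = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue>PLACEHOLDER_DIGEST=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>PLACEHOLDER_SIGNATURE=</SignatureValue>
  <KeyInfo><X509Data><X509Certificate>PLACEHOLDER_CERT</X509Certificate></X509Data></KeyInfo>
</Signature>"""

# Constructed counter-example: the DigestMethod element itself is moved into a
# namespace ending in "#sha256", which is the situation the verifier's error describes.
SIGNED_BAD_NS = SIGNED_OK.replace(
    '<DigestMethod Algorithm=',
    '<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#sha256" Algorithm=',
)

if __name__ == "__main__":
    for label, doc in (("as generated", SIGNED_OK), ("wrong namespace", SIGNED_BAD_NS)):
        report = inspect_signature(doc)
        print(label, "ok" if report["ok"] else "PROBLEMS")
        for problem in report["problems"]:
            print("  -", problem)
```

Run against a real signed document by passing its serialised text to `inspect_signature`; the report's `namespaces` entry for `DigestMethod` is what a verifier compares against the xmldsig namespace, while the `algorithms` entry is the separate identifier that selects the hash function.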
