
Comments (12)

jot2re commented on June 14, 2024

I had a look at the files and experimented a bit. I found that the issue is in the referenced files, token.en.shtml and enter.en.shtml. In these files are segments of CDATA. Whenever anything (even if it is just a single whitespace) is written in such a segment, the verification fails. Thus it seems that the different libraries handle CDATA differently.
Since everything in CDATA is user-decided I guess a quick fix is simply to avoid using CDATA. In fact, since even a non-special character messes up the verification it seems that XMLDSIGjs might not support CDATA at all? But I am not sure about this.

from xmldsigjs.

SmartLayer commented on June 14, 2024

My first thought is that there is some digest calculating issue when the file content has mixed namespaces. What is the underlying library that calculates the digest for xmldsigjs?

rmhrisk commented on June 14, 2024

C14N is the hardest part of XMLDSIG; there are lots of different nuances that could result in this.

The way we would debug is to use another implementation, for example the .NET one, changing bit by bit until we figured out how to get the same hash.

We will find time to look at this but can not commit to a timeline.

SmartLayer commented on June 14, 2024

@rmhrisk Thanks. Since I use Java mostly, I can dump the result of Java C14N. It has had native support for XMLDSig for quite some years and sings the same tune as the xmlsec C library. If you can show me a few lines of how to dump the canonicalised XML from JavaScript, I can do a byte-to-byte comparison with Java's dump and find the culprit there. What do you think?

rmhrisk commented on June 14, 2024

I do recall there being some historic issue with CDATA; it’s entirely possible we don’t C14N it right.

microshine commented on June 14, 2024

@colourful-land You can print the incoming data to the console here https://github.com/PeculiarVentures/xmldsigjs/blob/master/src/signed_xml.ts#L358 or here https://github.com/PeculiarVentures/xmldsigjs/blob/master/src/algorithm.ts#L45

microshine commented on June 14, 2024

C14N CDATA

```ts
case XmlCore.XmlNodeType.CDATA:
case XmlCore.XmlNodeType.SignificantWhitespace:
case XmlCore.XmlNodeType.Text:
    // CDATA sections are processed as text nodes
    this.WriteTextNode(node);
    break;
```

xmldsigjs/test/canon.ts, lines 275 to 280 in 5dccd54

```ts
it("#32 CDATA sections are replaced with their character content", () => {
    const xml = "<root><child><inner><![CDATA[foo & bar in the <x>123</x>]]></inner></child></root>";
    const xpath = '//*[local-name(.)="child"]';
    C14N(xml, xpath, "<child><inner>foo &amp; bar in the &lt;x&gt;123&lt;/x&gt;</inner></child>");
    ExcC14N(xml, xpath, "<child><inner>foo &amp; bar in the &lt;x&gt;123&lt;/x&gt;</inner></child>");
});
```

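An added example, not part of the original thread and not xmldsigjs code: it applies the CDATA rule from test #32 above and performs the byte-to-byte comparison of two dumps proposed earlier in the thread. The node model and the helpers `canonicalize`, `serializeRaw` and `firstDiff` are hypothetical names; `serializeRaw` exists only for contrast and does not describe any library's behaviour.

```javascript
// Constructed node model: each child is { type: "text" | "cdata", data: string }.
const enc = new TextEncoder();
const dec = new TextDecoder();

// Canonical XML 1.0 text-node escaping: only &, <, > and CR are replaced.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/\r/g, "&#xD;");
}

// C14N output for <name>children</name>: a CDATA section is written as an
// escaped text node, so the CDATA markers never reach the digest input.
function canonicalize(name, children) {
  return `<${name}>${children.map((c) => escapeText(c.data)).join("")}</${name}>`;
}

// Non-canonical serializer, for contrast only: leaves the CDATA markers in place.
function serializeRaw(name, children) {
  const body = children.map((c) =>
    c.type === "cdata" ? `<![CDATA[${c.data}]]>` : escapeText(c.data));
  return `<${name}>${body.join("")}</${name}>`;
}

// Byte-to-byte comparison of two dumps: returns null when identical, otherwise
// the first differing byte offset with a little context from each side.
function firstDiff(a, b, context = 12) {
  const x = enc.encode(a), y = enc.encode(b);
  const n = Math.min(x.length, y.length);
  let i = 0;
  while (i < n && x[i] === y[i]) i++;
  if (i === n && x.length === y.length) return null;
  const show = (buf) => dec.decode(buf.slice(Math.max(0, i - context), i + context));
  return { offset: i, left: show(x), right: show(y) };
}

// Sample input: the CDATA content from test #32 quoted above.
const inner = [{ type: "cdata", data: "foo & bar in the <x>123</x>" }];
const canon = canonicalize("inner", inner);
const raw = serializeRaw("inner", inner);
console.log(canon);
console.log(firstDiff(canon, raw));
```

Running `firstDiff` over the dump from each implementation gives the offset at which the digest inputs diverge, which is usually enough to tell an escaping difference from a namespace or whitespace one.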

rmhrisk commented on June 14, 2024

@colourful-land it looks like this particular document works fine in browser but not in node; that seems to be a function of xmldom's handling of CDATA.

SmartLayer commented on June 14, 2024

> @colourful-land it looks like this particular document works fine in browser but not in node; that seems to be a function of xmldom's handling of CDATA.

Later this month I will set out to find the exact cause of this problem by stripping off all CDATA; then I will close this issue and start another with a specific test case.

rmhrisk commented on June 14, 2024

SGTM!

SmartLayer commented on June 14, 2024

> SGTM!

Okay, I stripped all CDATA and still, the code fails on 1/2 of the files I sent to test. On the other hand, all these signed XML files verify correctly in Java and TCL.

https://github.com/AlphaWallet/TokenScript/tree/xmldsig-verification-examples/xmldsig

So this problem is not limited to or caused by CDATA.

The above link shows how to reproduce the test, including an xmldsigverify.js which verifies all files given as command-line parameters, and a suite of test files which you can get with git clone.

SmartLayer commented on June 14, 2024

Ah, spent more than 5 hours to narrow down this problem to a simple 3-line XML test case that can demonstrate the problem. Let's close this issue and move the discussion to the new issue where the test case is presented. #47
