Comments (12)
I had a look at the files and experimented a bit. I found that the issue is in the referenced files: token.en.shtml and enter.en.shtml. In these files there are segments of CDATA. Whenever anything (even if it is just a single whitespace) is written in such a segment, the verification fails. Thus it seems that the different libraries handle CDATA differently.
Since everything in CDATA is user-decided I guess a quick fix is simply to avoid using CDATA. In fact, since even a non-special character messes up the verification it seems that XMLDSIGjs might not support CDATA at all? But I am not sure about this.
from xmldsigjs.
My first thought is that there is some digest calculating issue when the file content has mixed namespaces. What is the underlying library that calculates the digest for xmldsigjs?
from xmldsigjs.
C14N is the hardest part of XMLDSIG; there are lots of different nuances that could result in this.
The way we would debug is to use another implementation, for example the .NET one, changing bit by bit until we figured out how to get the same hash.
We will find time to look at this but cannot commit to a timeline.
from xmldsigjs.
@rmhrisk Thanks. Since I use Java mostly, I can dump the result of Java C14N. It has had native support for XMLDSig for quite some years and sings the same tune as the xmlsec C library. If you can show me a few lines of how to dump the canonicalised XML from JavaScript, I can do a byte-to-byte comparison with the Java dump and find the culprit there. What do you think?
from xmldsigjs.
I do recall there being some historic issue with CDATA; it’s entirely possible we don’t C14N it right.
from xmldsigjs.
@colourful-land You can print to console incoming data here https://github.com/PeculiarVentures/xmldsigjs/blob/master/src/signed_xml.ts#L358 or here https://github.com/PeculiarVentures/xmldsigjs/blob/master/src/algorithm.ts#L45
from xmldsigjs.
C14N CDATA
xmldsigjs/src/canonicalizer.ts
Lines 67 to 72 in b9c644d
Lines 275 to 280 in 5dccd54
from xmldsigjs.
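The CDATA rule and the byte-for-byte comparison discussed in the comments above, as an added example that is not part of the thread or of xmldsigjs: Canonical XML replaces each CDATA section with its character content and escapes `&`, `<`, `>` and CR in text nodes. The sample document and all function names are constructed for illustration, and the input is assumed to be canonical apart from its CDATA sections.

```javascript
// Added example, not xmldsigjs code. All names and sample data are constructed.

// Canonical XML text-node escaping: & < > and CR become references.
function escapeC14nText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/\r/g, "&#xD;");
}

// Replace each CDATA section by its escaped character content.
// Line endings are normalized first, as an XML parser does on input.
// Assumption: the rest of the input is already in canonical form.
function canonicalizeCdata(xml) {
  return xml.replace(/<!\[CDATA\[([\s\S]*?)\]\]>/g,
    (_, body) => escapeC14nText(body.replace(/\r\n?/g, "\n")));
}

// Locate the first differing UTF-8 byte between two canonicalized dumps.
// Returns the offset plus some context from each side, or null if identical.
function firstByteDiff(a, b, context = 12) {
  const enc = new TextEncoder();
  const dec = new TextDecoder();
  const x = enc.encode(a), y = enc.encode(b);
  const n = Math.min(x.length, y.length);
  let i = 0;
  while (i < n && x[i] === y[i]) i++;
  if (i === n && x.length === y.length) return null;
  const around = (u) => dec.decode(u.slice(Math.max(0, i - context), i + context));
  return { offset: i, left: around(x), right: around(y) };
}

// Constructed sample: script text inside CDATA, as in a TokenScript-style file.
const SAMPLE = "<script><![CDATA[if (a < b && c > 0) { run(); }]]></script>";
const REFERENCE = canonicalizeCdata(SAMPLE);

// A dump that kept the CDATA markers diverges right after the start tag.
console.log(REFERENCE);
console.log(firstByteDiff(REFERENCE, SAMPLE));
```

Feeding the two implementations' dumps to `firstByteDiff` points at the exact byte where the digests start to diverge, whether or not CDATA turns out to be the cause.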
@colourful-land it looks like this particular document works fine in browser but not in node; that seems to be a function of xmldom's handling of CDATA.
from xmldsigjs.
> @colourful-land it looks like this particular document works fine in browser but not in node; that seems to be a function of xmldom's handling of CDATA.
Later this month I set out to find the exact cause of this problem by stripping off all CDATA, then I will close this issue and start another with a specific test-case.
from xmldsigjs.
SGTM!
from xmldsigjs.
> SGTM!

Okay, I stripped all CDATA and still, the code fails on 1/2 of the files I sent to test. On the other hand, all these signed XML files verify correctly in Java and TCL.
https://github.com/AlphaWallet/TokenScript/tree/xmldsig-verification-examples/xmldsig
So this problem is not limited to or caused by CDATA.
The above link provides how to reproduce the test, including an xmldsigverify.js which verifies all files given as command-line parameters, and a suite of test files which you can get with git clone.
from xmldsigjs.
Ah, spent more than 5 hours to narrow down this problem to a simple 3-line XML test case that can demonstrate the problem. Let's close this issue and move the discussion to the new issue where the test case is presented. #47
from xmldsigjs.