Comments (10)
Based on your duplicate bug I believe this is resolved so closing.
from xmldsigjs.
Ah, no, I can still not create a valid signature with xml-exc-c14n
...
from xmldsigjs.
@QAnders I updated your example and tested it on `xmldsigjs`. The `xmlsec1` console application verifies it successfully.

xmlsec1

```
> xmlsec1 --verify signed.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
```
TypeScript

```typescript
import * as xmldsig from "xmldsigjs";

// Runs as-is in a browser; in Node, xmldsigjs needs a WebCrypto engine registered first.
const hash = 'SHA-1';
const alg: RsaHashedKeyGenParams = {
  name: 'RSASSA-PKCS1-v1_5',
  hash,
  publicExponent: new Uint8Array([1, 0, 1]),
  modulusLength: 2048,
};
// Throwaway RSA key pair used only for this test
const keys = await crypto.subtle.generateKey(alg, false, ["sign", "verify"]);
const key = keys.privateKey;
// const x509 = "MIHkMIGLAgEAMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASYC4z23gzhlt9SHiiAimnkFUQeU0JJyBo7a8s+s1xEwNXjTaFbDzKYaBrvW24IEaheFThkTNhP1qLD/anUCSvIoCkwJwYJKoZIhvcNAQkOMRowGDAWBggrBgEFBQcBGgQKMAigBhYENzA5SjAKBggqhkjOPQQDAgNIADBFAiBvFYdsjcu3TFwufUIoTyt9zVXpG3AX7h9FkKFrYhksHgIhAKxGcynSlwcr4YT1FroBznU3No4/D0BScAppZmvP0euK";

// XAdES-EPES
let xml = xmldsig.Parse("<root><child/></root>");
let digSigXml = new xmldsig.SignedXml();

const X509Data = new xmldsig.KeyInfoX509Data();
X509Data.AddSubjectName("CN=Some name");
digSigXml.XmlSignature.KeyInfo.Add(X509Data);

// no-go...
// digSigXml.CanonicalizationMethod = 'http://www.w3.org/2001/10/xml-exc-c14n#';

// Signing document
const signature = await digSigXml.Sign(
  alg, // algorithm
  key, // key
  xml, // document
  {
    // options
    references: [
      {
        hash,
        // Transforms apply to the referenced content, not to SignedInfo
        transforms: ['enveloped', "exc-c14n"]
      },
    ],
    // signerRole: {
    //   claimed: ['Supplier']
    // },
    keyValue: keys.publicKey
    // x509: [x509],
    // signingCertificate: x509,
  }
);

// append signature
xml.documentElement.appendChild(signature.GetXml()!);

// serialize XML
const oSerializer = new XMLSerializer();
const sXML = oSerializer.serializeToString(xml);
console.log(sXML.toString());
```
XML output
Not formatted
<root><child/><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>2/OkhsSSP3k9KIiGYPAXbrXaLYM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>abcdzzzOtx6fi0GvosLMDKB5HgtujoZVv/JgEgYp3v7p+1LZuNlW33ZRWv+A/pIc0aWgo0i0jGDnr9Z0vR4Ku4wdMzhmxkjfoakCk0j9XgksLUbxphZ4xTOybBLHhFrr7SQWyAT4WQpZPiNsPcss/dOKG30g0RoCSlU3l1s2Wvqz1+MQNSfWipC7Ek+piyhVzotOuUQhbKK92NTs2oMGnrFUTSuEKbR0xeSPF2AStx5BSmdx6wGA8n22uvZHYPMWm7O1PKKsag8mMrQY9LGM45Gacz07PP2nEeVCO5kbG0C4RFleOZIo2yBtByABrK1vTp++Y+vGahsfMZA8eXaf0A==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509SubjectName>CN=Some name</ds:X509SubjectName></ds:X509Data><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>m8qFwzlYfR69SJKSyNpnrqA//D3IC/bJa9fBq9Z0vmNpmUbo6ZYXCD3VRamlBp5XdEnvGALnc0meGDQeJBmmJezpPIxrvpL3p+C1q6TPk1JavTONgq4wlFVaLRfIHO/uap5FIbAYlAIDsvLsAotbvADlXzCu1xXcmMwGf4pICQczdHYbK5gBiuLLjwOFKkxBEjR6P2MkuCuW4KFnFaV1NxwyrsC2LtFcTcdTPmZWvaiEXIY8ydmRvBuwjYEe+5JjOagnXSoBK1oZccp0RorumTyNpDtmoAQLISWvFC0ylZ3+7R1bNaWSLPAiurZPKeW2NYcdrqEVB3u0kxWQJfltrw==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature></root>
Formatted

```xml
<root>
  <child/>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>2/OkhsSSP3k9KIiGYPAXbrXaLYM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>abcdzzzOtx6fi0GvosLMDKB5HgtujoZVv/JgEgYp3v7p+1LZuNlW33ZRWv+A/pIc0aWgo0i0jGDnr9Z0vR4Ku4wdMzhmxkjfoakCk0j9XgksLUbxphZ4xTOybBLHhFrr7SQWyAT4WQpZPiNsPcss/dOKG30g0RoCSlU3l1s2Wvqz1+MQNSfWipC7Ek+piyhVzotOuUQhbKK92NTs2oMGnrFUTSuEKbR0xeSPF2AStx5BSmdx6wGA8n22uvZHYPMWm7O1PKKsag8mMrQY9LGM45Gacz07PP2nEeVCO5kbG0C4RFleOZIo2yBtByABrK1vTp++Y+vGahsfMZA8eXaf0A==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509SubjectName>CN=Some name</ds:X509SubjectName>
      </ds:X509Data>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>m8qFwzlYfR69SJKSyNpnrqA//D3IC/bJa9fBq9Z0vmNpmUbo6ZYXCD3VRamlBp5XdEnvGALnc0meGDQeJBmmJezpPIxrvpL3p+C1q6TPk1JavTONgq4wlFVaLRfIHO/uap5FIbAYlAIDsvLsAotbvADlXzCu1xXcmMwGf4pICQczdHYbK5gBiuLLjwOFKkxBEjR6P2MkuCuW4KFnFaV1NxwyrsC2LtFcTcdTPmZWvaiEXIY8ydmRvBuwjYEe+5JjOagnXSoBK1oZccp0RorumTyNpDtmoAQLISWvFC0ylZ3+7R1bNaWSLPAiurZPKeW2NYcdrqEVB3u0kxWQJfltrw==</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
</root>
```
from xmldsigjs.
Thanks @microshine, very much appreciated, but you got two `ds:Transform` elements in there, which was my original issue (see the screen capture up top).
Also, your sample says `<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>`, which doesn't seem right... It should be `xml-exc-c14n`.
from xmldsigjs.
I'm not sure it's right replacing a default canonicalization `c14n` to `c14n-exec`. The current implementation doesn't allow to do it.
Lines 469 to 474 in a45ddb7
The easiest solution is to use a static option that determines which canonicalization is the default
from xmldsigjs.
Ah, ok, @microshine, thanks for clarifying that!
Then my issue is that if I only add the envelope transform the canonicalization becomes `REC-xml-c14n-20010315` and not as they specify `xml-exc-c14n`. Can I somehow get the `xml-exc-c14n` canonicalization with only one transform?
from xmldsigjs.
Sorry for the late comeback... Been busy with other things but I now think I can shed some light on the differences of opinion... :)
According to https://www.w3.org/TR/xml-exc-c14n/ the `REC-xml-c14n-20010315` which is now "stamped" by `xmldsigjs` for an Enveloped signature is simply an older version of `xml-exc-c14n` which I need...
Does that make sense?
from xmldsigjs.
To show the differences more clearly, here's the signature created by `xmldsigjs`:

```xml
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <!-- incorrect -->
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference>
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <!-- one Transform only, correct -->
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>a4s/wYjMPdizK0NEZT7mIN3u/oU=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>cm7wnxi/ /j7w==</ds:SignatureValue>
  <ds:KeyInfo>
    <ds:X509Data> <!-- Double ds:X509Data. Doesn't matter it seems -->
      <ds:X509SubjectName>C=SE,O=Qvalia Group AB,OU=PEPPOL TEST SMP,CN=PSE000094</ds:X509SubjectName>
    </ds:X509Data>
    <ds:X509Data>
      <ds:X509Certificate>MIIF1jC/ /0Fw==</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</ds:Signature>
```
And here's a fully "valid" Peppol signature:

```xml
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <!-- correct -->
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>U/ZIIw8hRac70uchtwLjBQPZHVE=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>gujEB/ /8J7IQ==</SignatureValue>
  <KeyInfo>
    <X509Data> <!-- one X509Data -->
      <X509SubjectName>CN=POP000306,OU=PEPPOL TEST SMP,O=Philip Helger IT Consulting e.U.,C=AT</X509SubjectName>
      <X509Certificate>MIIF5/ /yNWgtS</X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>
```

So, it's the `CanonicalizationMethod Algorithm` that is the culprit as Peppol requires it to be `xml-exc-c14n`.
If I add `c14n` I get a `xml-exc-c14n` canonicalization BUT I also get two Transform elements (which is also invalid).
from xmldsigjs.
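
Added example (not part of the thread and not xmldsigjs code): a namespace-aware check that reads the two places discussed above separately, the `CanonicalizationMethod` on `SignedInfo` and the `Transform` chain on each `Reference`, and reports deviations from an expected profile. The default profile (exclusive c14n on `SignedInfo`, a single enveloped-signature transform) is taken from the requirement as described in this thread and is an assumption, as are all function names; the skeleton signatures are constructed and carry no digest or key material.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = DS + "enveloped-signature"


def signature_profile(xml_text):
    """Return (SignedInfo canonicalization URI, one transform-URI list per Reference)."""
    # Constructed samples only; parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml_text)
    # Namespace-aware lookup: matches <ds:Signature> and default-namespace <Signature>.
    sig = root if root.tag == f"{{{DS}}}Signature" else root.find(".//ds:Signature", NS)
    if sig is None:
        raise ValueError("no Signature element in the XML-DSig namespace")
    signed_info = sig.find("ds:SignedInfo", NS)
    c14n = signed_info.find("ds:CanonicalizationMethod", NS).get("Algorithm")
    refs = [[t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
            for ref in signed_info.findall("ds:Reference", NS)]
    return c14n, refs


def profile_violations(xml_text, want_c14n=EXC_C14N, want_transforms=(ENVELOPED,)):
    """List deviations from the expected profile (defaults assumed from the thread)."""
    c14n, refs = signature_profile(xml_text)
    problems = []
    if c14n != want_c14n:
        problems.append(f"SignedInfo CanonicalizationMethod is {c14n}")
    for i, transforms in enumerate(refs):
        if tuple(transforms) != tuple(want_transforms):
            problems.append(f"Reference {i} has transforms {transforms}")
    return problems


def constructed_sample(c14n, transforms):
    """Build a skeleton signature (constructed, not verifiable) for the check."""
    chain = "".join(f'<ds:Transform Algorithm="{u}"/>' for u in transforms)
    return (f'<root><ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
            f'<ds:CanonicalizationMethod Algorithm="{c14n}"/>'
            f'<ds:Reference><ds:Transforms>{chain}</ds:Transforms></ds:Reference>'
            f'</ds:SignedInfo></ds:Signature></root>')


if __name__ == "__main__":
    for name, doc in {
        "enveloped only": constructed_sample(C14N, [ENVELOPED]),
        "enveloped + exc-c14n transform": constructed_sample(C14N, [ENVELOPED, EXC_C14N]),
        "expected profile": constructed_sample(EXC_C14N, [ENVELOPED]),
    }.items():
        print(name, "->", profile_violations(doc) or "ok")
```

The second case mirrors the output posted earlier in the thread: adding `exc-c14n` to `transforms` lengthens the `Reference` chain but leaves the `SignedInfo` canonicalization unchanged.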
OMG! Well, this is irony for ya'!!!
I just got a copy of Peppol's upcoming version specification of the SMP data:
Seems no change is needed then! 👍
from xmldsigjs.
Closing as it is not needed anymore after Peppol changes their specification.
from xmldsigjs.