
Comments (10)

rmhrisk avatar rmhrisk commented on June 14, 2024

Based on your duplicate bug I believe this is resolved so closing.

from xmldsigjs.

QAnders avatar QAnders commented on June 14, 2024

Ah, no, I can still not create a valid signature with xml-exc-c14n...


microshine avatar microshine commented on June 14, 2024

@QAnders I updated your example and tested it on xmldsigjs. The xmlsec1 console application verifies it successfully.

xmlsec1

> xmlsec1 --verify signed.xml 
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

TypeScript

    // Needs the xmldsigjs package; the top-level await below requires an ES module or an async wrapper.
    import * as xmldsig from "xmldsigjs";

    const hash = 'SHA-1';
    const alg: RsaHashedKeyGenParams = {
        name: 'RSASSA-PKCS1-v1_5',
        hash,
        publicExponent: new Uint8Array([1,0,1]),
        modulusLength: 2048,
    };

    const keys = await crypto.subtle.generateKey(alg, false, ["sign", "verify"]);
    const key = keys.privateKey;
    // const x509 = "MIHkMIGLAgEAMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASYC4z23gzhlt9SHiiAimnkFUQeU0JJyBo7a8s+s1xEwNXjTaFbDzKYaBrvW24IEaheFThkTNhP1qLD/anUCSvIoCkwJwYJKoZIhvcNAQkOMRowGDAWBggrBgEFBQcBGgQKMAigBhYENzA5SjAKBggqhkjOPQQDAgNIADBFAiBvFYdsjcu3TFwufUIoTyt9zVXpG3AX7h9FkKFrYhksHgIhAKxGcynSlwcr4YT1FroBznU3No4/D0BScAppZmvP0euK";

    // XAdES-EPES
    let xml = xmldsig.Parse("<root><child/></root>");

    let digSigXml = new xmldsig.SignedXml();

    const X509Data = new xmldsig.KeyInfoX509Data();
    X509Data.AddSubjectName("CN=Some name");
    digSigXml.XmlSignature.KeyInfo.Add(X509Data);

    // no-go...
    // digSigXml.CanonicalizationMethod = 'http://www.w3.org/2001/10/xml-exc-c14n#';

    const signature = await digSigXml.Sign(
        // Signing document
        alg, // algorithm
        key, // key
        xml, // document
        {
            // options
            references: [
                {
                    hash,
                    transforms: ['enveloped', "exc-c14n"]
                },
            ],
            // signerRole: {
            //     claimed: ['Supplier']
            // },
            keyValue: keys.publicKey
            // x509: [x509],
            // signingCertificate: x509,
        }
    );

    // append signature
    xml.documentElement.appendChild(signature.GetXml()!);

    // serialize XML
    const oSerializer = new XMLSerializer();
    const sXML = oSerializer.serializeToString(xml);
    console.log(sXML.toString());

XML output

Not formatted

<root><child/><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>2/OkhsSSP3k9KIiGYPAXbrXaLYM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>abcdzzzOtx6fi0GvosLMDKB5HgtujoZVv/JgEgYp3v7p+1LZuNlW33ZRWv+A/pIc0aWgo0i0jGDnr9Z0vR4Ku4wdMzhmxkjfoakCk0j9XgksLUbxphZ4xTOybBLHhFrr7SQWyAT4WQpZPiNsPcss/dOKG30g0RoCSlU3l1s2Wvqz1+MQNSfWipC7Ek+piyhVzotOuUQhbKK92NTs2oMGnrFUTSuEKbR0xeSPF2AStx5BSmdx6wGA8n22uvZHYPMWm7O1PKKsag8mMrQY9LGM45Gacz07PP2nEeVCO5kbG0C4RFleOZIo2yBtByABrK1vTp++Y+vGahsfMZA8eXaf0A==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509SubjectName>CN=Some name</ds:X509SubjectName></ds:X509Data><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>m8qFwzlYfR69SJKSyNpnrqA//D3IC/bJa9fBq9Z0vmNpmUbo6ZYXCD3VRamlBp5XdEnvGALnc0meGDQeJBmmJezpPIxrvpL3p+C1q6TPk1JavTONgq4wlFVaLRfIHO/uap5FIbAYlAIDsvLsAotbvADlXzCu1xXcmMwGf4pICQczdHYbK5gBiuLLjwOFKkxBEjR6P2MkuCuW4KFnFaV1NxwyrsC2LtFcTcdTPmZWvaiEXIY8ydmRvBuwjYEe+5JjOagnXSoBK1oZccp0RorumTyNpDtmoAQLISWvFC0ylZ3+7R1bNaWSLPAiurZPKeW2NYcdrqEVB3u0kxWQJfltrw==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature></root>

Formatted

<root>
  <child/>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>2/OkhsSSP3k9KIiGYPAXbrXaLYM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>abcdzzzOtx6fi0GvosLMDKB5HgtujoZVv/JgEgYp3v7p+1LZuNlW33ZRWv+A/pIc0aWgo0i0jGDnr9Z0vR4Ku4wdMzhmxkjfoakCk0j9XgksLUbxphZ4xTOybBLHhFrr7SQWyAT4WQpZPiNsPcss/dOKG30g0RoCSlU3l1s2Wvqz1+MQNSfWipC7Ek+piyhVzotOuUQhbKK92NTs2oMGnrFUTSuEKbR0xeSPF2AStx5BSmdx6wGA8n22uvZHYPMWm7O1PKKsag8mMrQY9LGM45Gacz07PP2nEeVCO5kbG0C4RFleOZIo2yBtByABrK1vTp++Y+vGahsfMZA8eXaf0A==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509SubjectName>CN=Some name</ds:X509SubjectName>
      </ds:X509Data>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>m8qFwzlYfR69SJKSyNpnrqA//D3IC/bJa9fBq9Z0vmNpmUbo6ZYXCD3VRamlBp5XdEnvGALnc0meGDQeJBmmJezpPIxrvpL3p+C1q6TPk1JavTONgq4wlFVaLRfIHO/uap5FIbAYlAIDsvLsAotbvADlXzCu1xXcmMwGf4pICQczdHYbK5gBiuLLjwOFKkxBEjR6P2MkuCuW4KFnFaV1NxwyrsC2LtFcTcdTPmZWvaiEXIY8ydmRvBuwjYEe+5JjOagnXSoBK1oZccp0RorumTyNpDtmoAQLISWvFC0ylZ3+7R1bNaWSLPAiurZPKeW2NYcdrqEVB3u0kxWQJfltrw==</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
</root>


QAnders avatar QAnders commented on June 14, 2024

Thanks @microshine , very much appreciated but you got two ds:Transform elements in there which was my original issue (see the screen capture up top).

Also, your sample says <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> which doesn't seem right... It should be xml-exc-c14n.


microshine avatar microshine commented on June 14, 2024

I'm not sure it's right to replace the default canonicalization c14n with exc-c14n. The current implementation doesn't allow it.

xmldsigjs/src/signed_xml.ts

Lines 469 to 474 in a45ddb7

    // Apply C14N transform if Reference has only one transform EnvelopedSignature
    if (transforms.Count === 1 && transforms.Item(0) instanceof Transforms.XmlDsigEnvelopedSignatureTransform) {
        const c14n = new Transforms.XmlDsigC14NTransform();
        c14n.LoadInnerXml(input);
        output = c14n.GetOutput();
    }

The easiest solution is to use a static option that determines which canonicalization is the default.



QAnders avatar QAnders commented on June 14, 2024

Ah, ok, @microshine , thanks for clarifying that!

Then my issue is that if I only add the envelope transform the canonicalization becomes REC-xml-c14n-20010315 and not as they specify xml-exc-c14n. Can I somehow get the xml-exc-c14n canonicalization with only one transform?


QAnders avatar QAnders commented on June 14, 2024

Sorry for the late comeback... Been busy with other things but I now think I can shed some light on the differences of opinion... :)

According to https://www.w3.org/TR/xml-exc-c14n/ the REC-xml-c14n-20010315 which is now "stamped" by xmldsigjs for an Enveloped signature is simply an older version of xml-exc-c14n which I need...

Does that make sense?


QAnders avatar QAnders commented on June 14, 2024

To show the differences more clearly, here's the signature created by xmldsigjs:

  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <!-- incorrect -->
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>  <!-- one Transform only, correct -->
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>a4s/wYjMPdizK0NEZT7mIN3u/oU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cm7wnxi/  /j7w==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data> <!-- Double ds:X509Data. Doesn't matter it seems -->
        <ds:X509SubjectName>C=SE,O=Qvalia Group AB,OU=PEPPOL TEST SMP,CN=PSE000094</ds:X509SubjectName>
      </ds:X509Data>
      <ds:X509Data>
        <ds:X509Certificate>MIIF1jC/  /0Fw==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>

And here's a fully "valid" Peppol signature:

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <!-- correct -->
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>U/ZIIw8hRac70uchtwLjBQPZHVE=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>gujEB/  /8J7IQ==</SignatureValue>
    <KeyInfo>
      <X509Data> <!-- one X509Data -->
        <X509SubjectName>CN=POP000306,OU=PEPPOL TEST SMP,O=Philip Helger IT Consulting e.U.,C=AT</X509SubjectName>
        <X509Certificate>MIIF5/  /yNWgtS</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>

So, it's the CanonicalizationMethod Algorithm that is the culprit as Peppol requires it to be xml-exc-c14n.

If I add c14n I get an xml-exc-c14n canonicalization BUT I also get two Transform elements (which is also invalid).

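A namespace-aware check for the two requirements the comparison above isolates (exc-c14n as the CanonicalizationMethod, exactly one enveloped-signature Transform), written as an added example in Python with the standard library; it is not part of xmldsigjs or of the thread, and the two embedded signatures are constructed after the thread's samples with the base64 values replaced by placeholders. It accepts both the ds:-prefixed and the default-namespace form the two samples use, which a text comparison would not.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

def check_peppol_signed_info(xml_text: str) -> list:
    """Structural check only: confirms the SignedInfo shape the Peppol sample
    in the thread uses. It does not verify digests or the signature value."""
    root = ET.fromstring(xml_text)
    # Accept a bare Signature element or a document that envelopes one.
    sig = root if root.tag == f"{{{DS}}}Signature" else root.find(f".//{{{DS}}}Signature")
    if sig is None:
        return ["no Signature element in the XML-DSig namespace"]
    problems = []
    c14n = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}CanonicalizationMethod")
    c14n_alg = c14n.get("Algorithm") if c14n is not None else None
    if c14n_alg != EXC_C14N:
        problems.append(f"CanonicalizationMethod must be {EXC_C14N}, got {c14n_alg}")
    path = f"{{{DS}}}SignedInfo/{{{DS}}}Reference/{{{DS}}}Transforms/{{{DS}}}Transform"
    algs = [t.get("Algorithm") for t in sig.findall(path)]
    if algs != [ENVELOPED]:
        problems.append(f"expected exactly one enveloped-signature Transform, got {algs}")
    return problems

# Constructed samples shaped like the two signatures quoted above; digest,
# signature and certificate values are placeholders, not real data.
XMLDSIGJS_OUTPUT = """<root><child/><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms><ds:DigestValue>DIGEST</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>SIG</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature></root>"""

PEPPOL_VALID = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI=""><Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms><DigestValue>DIGEST</DigestValue></Reference></SignedInfo>
<SignatureValue>SIG</SignatureValue><KeyInfo><X509Data>
<X509Certificate>CERT</X509Certificate></X509Data></KeyInfo></Signature>"""

if __name__ == "__main__":
    for name, doc in (("xmldsigjs", XMLDSIGJS_OUTPUT), ("peppol", PEPPOL_VALID)):
        print(name, "->", check_peppol_signed_info(doc) or "OK")
```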

QAnders avatar QAnders commented on June 14, 2024

OMG! Well, this is irony for ya'!!!

I just got a copy of Peppol's upcoming version specification of the SMP data: [screenshot]

Seems no change is needed then! 👍


QAnders avatar QAnders commented on June 14, 2024

Closing as it is not needed anymore after Peppol changes their specification.

