How to verify when the signature is in a different file than the content? about xmldsigjs HOT 14 CLOSED

can I send them to the email account in your GitHub profile?

Yes, you can. Please send me files to [email protected]

from xmldsigjs.

@microshine Just got the permission and sent you the files. Thanks! :)

from xmldsigjs.

@linkurzweg Thank you for the files you've shared. I found the problem and going to understand the reason for it and fix it.

The problem is that canonicalized reference doesn't have the new line char at the end of the XML document (xmlsec1 has that char).

from xmldsigjs.

yes

from xmldsigjs.

Here is an example of the problem

var doc = new DOMParser().parseFromString(`<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Root/>\n`, "application/xml");

new XMLSerializer().serializeToString(doc);
// '<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Root/>'

As you can see \n doesn't present in the serialized document.

I'm looking for a solution how to solve it

from xmldsigjs.

@linkurzweg Thank you for the congratulation. Happy new year too!

I've just published the new version of [email protected]. It fixes the issue.

const sigFile = fs.readFileSync("/path/to/file.sign.xml", { encoding: "utf-8" });
const dataFile = fs.readFileSync("/path/to/file.xml"); // You may use any file format (not only XML)

const sig = new xmldsig.SignedXml();
sig.LoadXml(sigFile);
const ok = await sig.Verify({
    content: dataFile,
});
assert.ok(ok); // success

Please try this version

from xmldsigjs.

@microshine I just tried it and can confirm it works now! Thank you so much :)

from xmldsigjs.

Could you share your files for testing?

from xmldsigjs.

Sorry, I am not allowed to, because the files contain confidential information :/

from xmldsigjs.

Perhaps the canonicalization method returns the incorrect result.

Could you run xmlsec1 application with --store-references option? It must print the result of <dsig:Reference/> element processing just before calculating the digest. And log canonOutput variable from DigestMethod?
https://github.com/PeculiarVentures/xmldsigjs/blob/master/src/signed_xml.ts#L360

It could help to compare canonicalized results from different applications and catch the problem

from xmldsigjs.

@microshine Thank you very much for replying so quickly! I am not sure I understand. I ran xmlsec1 with the --store-references option, but I am not sure which part of the printed output I'd need. Also, how exactly would I log the canonOutput variable from my code? Unfortunately I don't really have a clue about how XML signature verification works.

In the meantime I have asked If I could make an exception and be allowed to send you two example files for testing. If I get the permission, can I send them to the email account in your GitHub profile? Thanks again!

from xmldsigjs.

@microshine Thank you very much for looking into it! So there's nothing I need to do on my side, just wait for an update on the package?

from xmldsigjs.

Very happy to read that it can be solved. Kind of crazy that a new line char is enough to break the signature verification.

from xmldsigjs.

@microshine Happy new year! Any news on this issue? Sorry for pestering you, just asking because I'm under a bit of pressure regarding my project. Thank you! :)

from xmldsigjs.