shouldn't the XML be canonicalized before calculating the digest/hash value?

Question

shouldn't the XML be canonicalized before calculating the digest/hash value?

dcu opened this issue 3 years ago · 8 comments

from what I see in the code it is only canonicalized when calculating the signature

Answer 1 · 2021-08-26T22:21:33.000Z

What you're saying makes sense, but its been quite awhile since I've committed to or used this library. So, I can't recall all the details. Its possible that the tests and my use cases at the time didn't catch a potential issue here.

Its unlikely that I'll be able to spend much time looking into this, but I'd be happy to accept a PR that addresses your use cases/concerns.

Answer 2 · 2021-08-27T02:37:02.000Z

I've been looking at this but I still don't have a solution, the transform block is supposed not canonicalize the block but apparently it isn't doing it.
I'll try to continue investigating on weekend

Answer 3 · 2021-08-29T14:59:05.000Z

so after commenting out this if https://github.com/ma314smith/signedxml/blob/master/exclusivecanonicalization.go#L199 requests to SOAP servers work, at least in my case.
but that condition should be there for a reason so I'm not sure how to proceed

I'm comparing the signature procedure against:

xmlsec1 --sign --store-signatures --store-references --print-debug --privkey-pem priv.pem --id-attr:Id Body example3.xml

actually xmlsec creates an attribute with the namespace, signedxml do not creates it and if you add it to the original document it is removed

Another issue I had was the id attribute when finding a referenced section is case sensitive, must be ID

Answer 4 · 2021-09-02T22:13:24.000Z

That might be an issue with your InclusiveNamespaces or it might be a bug. Its hard to say without the xml.
https://www.w3.org/TR/xml-exc-c14n/

namespace nodes that are not on the InclusiveNamespaces PrefixList are expressed only in start tags where they are visible and if they are not in effect from an output ancestor of that tag.

This was contributed awhile back which may help with your reference issue:
https://github.com/ma314smith/signedxml#using-a-custom-reference-id-attribute

Answer 5 · 2021-09-03T01:05:55.000Z

I tried adding inclusive namespaces but it didn't work and xmlsec which is what everybody uses doesn't need it, it automatically adds the missing namespace

Answer 6 · 2023-04-21T18:09:51.000Z

@dcu Are you still seeing this issue with the v1.0.0 release of signedxml?

Answer 7 · 2023-04-21T21:49:04.000Z

I haven't tested but my forked repo works at least for my case dcu/signedxml

Answer 8 · 2023-05-08T14:43:13.000Z

@dcu I see a small change as the only difference between moov-io/signedxml and dcu/signedxml. Could you try moov-io and see if we've fixed the issue? It may be a small change/fix needed otherwise.

Diff: master...dcu:signedxml:master