xmldsigjs

Empty reference URI for enveloped signature

Open alphanso opened this issue 7 years ago • 11 comments

I was using this library for signing XML using the following:

  • CanonicalizationMethod : http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  • SignatureMethod : http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • Transform : http://www.w3.org/2000/09/xmldsig#enveloped-signature

The signed XML is verified by a vendor, and they need an empty URI or signature verification fails.

https://www.w3.org/TR/xmldsig-core/#sec-URI says

If the URI attribute is omitted altogether, the receiving application is expected to know the identity of the object.

I believe we should default to an empty URI in the case of an enveloped signature and should make it possible to omit it only by choice.

alphanso Jul 28 '17 19:07

I am OK with us taking that as a change; feel free to submit a PR. Absent that, we can look at this when we get time.

rmhrisk Jul 28 '17 22:07

@rmhrisk I think that there is a bug in this.

If you set uri : "" in the ReferenceOptions, the code produced doesn't have the empty uri attribute. I'm trying to find where I can fix it, but I can't find where. Can you point me to it?

gine Feb 16 '18 15:02

@gine xmldsig has a default value for Reference.Uri: https://github.com/PeculiarVentures/xmldsigjs/blob/master/src/xml/reference.ts#L45

URI is an optional value in the xmldsig XSD: https://github.com/PeculiarVentures/xmldsigjs/blob/master/src/xml/reference.ts#L18

You can recompile the xmldsig.js file and remove defaultValue from the XmlAttribute decorator. I think it'll fix your problem.

microshine Feb 16 '18 15:02

@microshine It seems intuitive that setting uri : "" in the ReferenceOptions would produce a value of "" and null an empty one? Is that right?

rmhrisk Feb 17 '18 05:02

@rmhrisk I think so. I'll update the library.

microshine Feb 17 '18 06:02

@gine I updated xmldsig. I can't publish it, because it has some security/Snyk issues. I'll fix it later. But you can try the new version:

npm i https://github.com/PeculiarVentures/xmldsigjs#update

  • If uri isn't in option, then <Reference>
  • If uri is "", then <Reference Uri="">
  • If uri is "some-id", then <Reference Uri="some-id">

microshine Feb 17 '18 12:02
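
The behaviour discussed in this thread, as an added example that is not xmldsigjs code and not part of any comment: a serializer that drops attribute values equal to a default (assumed here to be "") cannot emit URI="", while one that only tests for an absent option can. All function names and sample options are hypothetical; the last helper shows how a verifier reads each form under the XMLDSig URI rules.

```javascript
// Added illustration with hypothetical helper names; not xmldsigjs source.

// "Before": values equal to the default ("") are skipped, so an explicit
// uri: "" is indistinguishable from no uri at all.
function serializeReferenceBefore(options) {
  const DEFAULT_URI = ""; // assumed default, modelled on the thread's description
  const uri = options.uri === undefined ? DEFAULT_URI : options.uri;
  const attr = uri !== DEFAULT_URI ? ` URI="${escapeAttr(uri)}"` : "";
  return `<ds:Reference${attr}>`;
}

// "After": only a missing option omits the attribute; "" is emitted as URI="".
function serializeReferenceAfter(options) {
  const hasUri = options.uri !== undefined && options.uri !== null;
  const attr = hasUri ? ` URI="${escapeAttr(options.uri)}"` : "";
  return `<ds:Reference${attr}>`;
}

// Minimal escaping for a double-quoted XML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/"/g, "&quot;");
}

// How a verifier interprets the attribute on a Reference start tag.
function describeReferenceTarget(referenceTag) {
  const m = /\sURI="([^"]*)"/.exec(referenceTag);
  if (!m) return "omitted: application must already know the signed object";
  if (m[1] === "") return "same-document: whole document containing the signature";
  if (m[1].startsWith("#")) return `same-document: element with Id ${m[1].slice(1)}`;
  return `external resource: ${m[1]}`;
}

// Constructed sample options: no uri, empty uri, fragment uri.
const samples = [{}, { uri: "" }, { uri: "#some-id" }];
for (const opts of samples) {
  const before = serializeReferenceBefore(opts);
  const after = serializeReferenceAfter(opts);
  console.log(JSON.stringify(opts), "before:", before, "after:", after);
  console.log("  verifier sees ->", describeReferenceTarget(after));
}
```

With an enveloped-signature transform, the URI="" form is the one that tells the verifier to digest the containing document, which is why the vendor's verification failed when the attribute was missing.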

I made a stupid fix. I presume that your fix is better. Tomorrow I'll try it.

gine Feb 18 '18 20:02

Hello. I wanted to try the new version but it won't install properly. The dist folder isn't generated. Could you try it, @gine?

Ameb Feb 20 '18 16:02

@Ameb I added a prepare script to package.json. It must fix the error. Can you try it again?

microshine Feb 20 '18 18:02

Thank you! Nice to have <ds:Reference URI="">

Ameb Feb 20 '18 21:02

@Ameb I'll fix the security/Snyk issue and publish a new version. Thank you for testing.

microshine Feb 20 '18 21:02