-
-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XAdESSigner creates certificate digests that fail to verify #246
Comments
Looking at XADES spec I see there can also be digests for CA chain so writing part is ok. The verify should probably go by list index? |
Hi, thanks for pointing this out. Your analysis sounds notionally correct, although I'll need to take a closer look at the spec to confirm. PRs are welcome, or I might be able to carve out some time to fix this on a weekend in the next few weeks. |
I can fix verification so it works by list index for start. Is that OK? |
#247 fixes the erroneus |
Test suite has some problems linked to problematic code. I added:
and confirmed: |
By continuing test, I found test cases with 2 X509Certificate and only one xades:Cert.
and they were not marked as raising error. Can we ignore the missing CertDigest? |
Ignoring missing xades:Cert nodes and removing erroneus error_condition, alows test suite to finish OK. |
Adding 3 certificates to XAdESSigner cert parameter creates 3 X509Certificate nodes in X509Data and 3 xades:Certxades:CertDigest elements. This is not the problem.
If this goes to XAdESVerifier if fails with:
signxml.exceptions.InvalidDigest: Digest mismatch for certificate digest
Looking at the code, I think it does not match a certificate with its digest.
_verify_cert_digest goes over a list and compares to one given in call parameter. In the given case this will always raise an exception of not matching.
The cert parameter to XAdESSigner delineates that it can accept multiple certs. The one that represents the signature and its CA chain.
If I read the spec properly (https://www.w3.org/TR/xmldsig-core/#sec-X509Data). The certificate representing the signature should be in separate X509Data with detailed info from certificate, and CA chain certificates should be in separate X509Data with X509Certificate elementc. This would also eliminate the problem as there would be only one xades:Cert, the one for signing certificate, that would be checked against the data in separate X509Data element for signing certificate. The rest of CA chain would be ignored for comparing to CertDigest.
The text was updated successfully, but these errors were encountered: