Comments (6)
Hi Andrey Kislyuk,
I would like to propose an alternative method to solve this problem:
Perhaps an easier method would be to include an x_path parameter in the verify function that resolves any conflicts if multiple Signatures are present in the document. The user can use the x_path parameter to select the correct Signature element that belongs to the certificate. This might also be a more efficient way compared to checking every Signature element.
This method is also used in the XML Security Library of Aleksey, e.g.
xmlsec1 --verify --pub-certkey cert.cer --node-xpath <XPATH EXPRESSION> file.xml
This allows me to successfully verify documents with two signatures, where the first result of the breadth-first traversal does not yield the desired Signature element.
I'm willing to commit to this open issue considering this is a function I desire in my implementation (using the signxml library).
I look forward to hearing from you soon.
Kind regards,
Diederik Florijn
Hi @dflorijn, I'm fine with this approach, you're welcome to submit a PR.
Hi Andrey @kislyuk ,
I've been quite busy at work so I wasn't able to make much progress lately. Nonetheless, it seems my addition of the xpath expression in the verify function to distinguish between signature elements works (or at least on the XML files I need to verify that contain multiple signatures).
What are the next steps before I can make a PR? I suppose make some additions to the test file so as to ensure it works properly? I have run the test file but I receive 1 error on an expired certificate:
File "test.py", line 233, in test_xmldsig_interop
ca_pem_file=get_ca_pem_file(signature_file))
File "/Users/Diederik/git/signxml/signxml/__init__.py", line 732, in verify
signing_cert = verify_x509_cert_chain(cert_chain, ca_pem_file=ca_pem_file, ca_path=ca_path)
File "/Users/Diederik/git/signxml/signxml/util/__init__.py", line 234, in verify_x509_cert_chain
raise last_error
File "/Users/Diederik/git/signxml/signxml/util/__init__.py", line 223, in verify_x509_cert_chain
end_of_chain = _add_cert_to_store(store, cert)
File "/Users/Diederik/git/signxml/signxml/util/__init__.py", line 193, in _add_cert_to_store
raise InvalidCertificate(e)
signxml.exceptions.InvalidCertificate: [10, 0, 'certificate has expired']
Kind regards,
Diederik
I just committed a fix for the test failure, please try again.
You are correct that you will need to add a test case and change the docstring to document your new functionality.
Hi Andrey @kislyuk ,
Thank you for your quick response and action! I ran the test yesterday and it was successful with the alteration I made. The last step is adding cases to the unit tests. Do you have a suggestion on what testcases I should create?
My idea is to create some sample xml files containing multiple signatures and check these with the xpath parameter. However, I can also copy and change several existing testcases, and simply add the xnode parameter. This ensures that the xpath works, however it excludes documents with multiple signatures.
Looking forward to hearing from you.
Kind regards,
Diederik
Yes, you should add new test files that contain multiple signatures, and test selecting each of the signatures and any error conditions you can think of (xpath not resolving to anything, etc.)
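The approach proposed in the first comment (resolve one Signature element by XPath instead of taking the first one a breadth-first walk finds) and the test cases the maintainer asks for (selecting each signature, an XPath that resolves to nothing, and similar error conditions) can be exercised without signxml itself. The following is an added example, not signxml's code or anything from this thread's PR: `select_signature` stands in for the proposed x_path parameter, `first_signature_breadth_first` models the default behaviour the thread describes, the sample document with its `Id` and `KeyName` values is constructed, and the XPath subset is the one Python's `xml.etree.ElementTree` supports rather than the full XPath that xmlsec1's `--node-xpath` accepts.

```python
# Added example (not signxml's code): pin down one ds:Signature among several
# by an XPath expression before handing it to a verifier, and surface the
# error cases a test suite for such a parameter should cover.
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NSMAP = {"ds": DS_NS}
SIGNATURE_TAG = "{%s}Signature" % DS_NS

# Constructed sample: two enveloped signatures over the same payload, one per
# signer. The SignatureValue contents are placeholders, not real signatures.
SAMPLE_XML = """<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Body Id="body">payload</Body>
  <ds:Signature Id="sig-alice">
    <ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo>
    <ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue>
    <ds:KeyInfo><ds:KeyName>alice</ds:KeyName></ds:KeyInfo>
  </ds:Signature>
  <ds:Signature Id="sig-bob">
    <ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo>
    <ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue>
    <ds:KeyInfo><ds:KeyName>bob</ds:KeyName></ds:KeyInfo>
  </ds:Signature>
</Envelope>
"""


class SignatureSelectionError(ValueError):
    """Raised when the XPath does not resolve to exactly one ds:Signature."""


def parse_sample():
    return ET.fromstring(SAMPLE_XML)


def first_signature_breadth_first(root):
    """Default behaviour the thread describes: the first ds:Signature found in a
    breadth-first walk. With several signatures present this may not be the one
    that belongs to the certificate the caller holds."""
    queue = [root]
    while queue:
        node = queue.pop(0)
        if node.tag == SIGNATURE_TAG:
            return node
        queue.extend(list(node))
    raise SignatureSelectionError("document contains no ds:Signature element")


def select_signature(root, xpath):
    """Resolve `xpath` (hypothetical x_path parameter) to exactly one ds:Signature.
    Anything else (bad expression, zero hits, several hits, a hit that is not a
    Signature element) is rejected rather than silently picking one."""
    try:
        matches = root.findall(xpath, NSMAP)
    except (SyntaxError, KeyError, TypeError) as e:
        # ElementTree reports unsupported or malformed paths this way.
        raise SignatureSelectionError("invalid xpath %r: %s" % (xpath, e)) from e
    if not matches:
        raise SignatureSelectionError("xpath %r resolved to no element" % xpath)
    if len(matches) > 1:
        raise SignatureSelectionError(
            "xpath %r resolved to %d elements; expected one" % (xpath, len(matches)))
    sig = matches[0]
    if sig.tag != SIGNATURE_TAG:
        raise SignatureSelectionError(
            "xpath %r resolved to %s, not a ds:Signature" % (xpath, sig.tag))
    return sig


def signer_of(sig):
    """KeyName inside the signature's KeyInfo; used here only to tell them apart."""
    return sig.findtext("ds:KeyInfo/ds:KeyName", namespaces=NSMAP)


def selection_problem(root, xpath):
    """Return the error message for a rejected selection, or None on success."""
    try:
        select_signature(root, xpath)
    except SignatureSelectionError as e:
        return str(e)
    return None


if __name__ == "__main__":
    doc = parse_sample()
    print("default pick:", signer_of(first_signature_breadth_first(doc)))
    print("xpath pick:  ", signer_of(select_signature(doc, ".//ds:Signature[@Id='sig-bob']")))
    for bad in (".//ds:Signature[@Id='sig-carol']", ".//ds:Signature", ".//Body", ".//foo:Signature"):
        print("rejected %r: %s" % (bad, selection_problem(doc, bad)))
```

The element returned by `select_signature` is what a verifier would then process in place of its own first-found choice; the selection itself does no cryptographic checking, so the Reference digests and SignatureValue still have to be verified against the caller's certificate afterwards. Rejecting an XPath that matches more than one element matters as much as rejecting one that matches none: quietly taking the first of several hits would reintroduce the ambiguity the parameter exists to remove.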