
If you failed verifying XML signature, read this #158

Closed
Hinaser opened this issue Jun 11, 2018 · 5 comments · Fixed by #161

Comments

@Hinaser
Contributor

Hinaser commented Jun 11, 2018

Summary

At the latest commit (6e22854), there is a known bug in handling non-exclusive canonicalization.

If your failing XML contains a canonicalization method like these

then you have a chance of verifying the signature using the patched version of xml-crypto.

If it doesn't, you still have a chance. Please read this post carefully.

Install

I created a fixed version of xml-crypto here.
You can install it with the command below.

npm install --save https://github.com/Hinaser/xml-crypto.git#patch-for-non-exclusive-c14n

Note: If you have already installed xml-crypto, uninstall it first.

npm uninstall xml-crypto

Note: Implicit transform

The specification of XML signature is a bit complicated, so there seem to be many XMLs signed in the wrong way.

One of those misunderstandings is the implicit transform.
An XML signature should be verified after the document is transformed by the algorithm specified in <Transform Algorithm='...'>.

For example, the transform http://www.w3.org/2000/09/xmldsig#enveloped-signature is often applied to almost all signed XML.
This transform strips the <Signature> element from the XML being verified.

Although every transform being applied should be declared in <Transform>, many XML signers add an implicit transform without describing it in <Transform>.

Sometimes it is http://www.w3.org/TR/2001/REC-xml-c14n-20010315, and sometimes http://www.w3.org/2001/10/xml-exc-c14n#.

So I added an option to specify an additional Transform Algorithm which might be hidden but is actually applied.

Example:

let sig = new SignedXml(null, {
  implicitTransforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"]
});

Long version:

const fs = require('fs');
const {SignedXml, FileKeyInfo, xpath} = require('xml-crypto');
const {DOMParser} = require('xmldom');

let xml = fs.readFileSync("path-to-xml").toString();
let pemPath = "path-to-cert-pem";

// Parse the signed document and locate its <Signature> element
let doc = new DOMParser().parseFromString(xml);
let signatureNode = xpath(doc, '//*[local-name()="Signature"]');

// Tell xml-crypto about the transform the signer applied but did not declare
let option = {implicitTransforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"]};
let sig = new SignedXml(null, option);
sig.keyInfoProvider = new FileKeyInfo(pemPath); // certificate / public key used to check the signature
sig.loadSignature(signatureNode[0]);
let result = sig.checkSignature(xml); // true only if every reference digest and the SignatureValue match

console.log("sig.checkSignature(xml) = ", result);
if (!result) console.log(sig.validationErrors); // xml-crypto records why verification failed

This is just an option which might solve your problem.
Hope you have good luck.

What implicit transform is applied

I cannot say which. It depends on the signer.
You have to try them one by one.
Possible candidates are as follows:

  • http://www.w3.org/2001/10/xml-exc-c14n#
  • http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  • http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

let sig = new SignedXml(null, {
  implicitTransforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"]
});
...
sig.checkSignature(xml);

// If that fails, try the next candidate
sig = new SignedXml(null, {
  implicitTransforms: ["http://www.w3.org/TR/2001/REC-xml-c14n-20010315"]
});
...
sig.checkSignature(xml);
...
// repeat until verified successfully
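The try-each-candidate procedure above as a small diagnostic function, added here as an example (not code from the issue author or the xml-crypto project). It takes a pluggable `verify` callback so the discovery loop can be tested on its own; `xmlCryptoVerifier` wraps xml-crypto the way the long version does and assumes xml-crypto and xmldom are installed.

```javascript
// Candidates from the post, tried in order. The empty list goes first so an
// honestly declared transform chain is accepted without any guessing.
const CANDIDATE_IMPLICIT_TRANSFORMS = [
  [],
  ["http://www.w3.org/2001/10/xml-exc-c14n#"],
  ["http://www.w3.org/TR/2001/REC-xml-c14n-20010315"],
  ["http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"],
];

// `verify(implicitTransforms)` must return true only for a fully valid
// signature. A false return or a thrown error counts as a failed candidate
// and its reason is kept so the caller can see digest vs. signature errors.
function discoverImplicitTransform(verify, candidates = CANDIDATE_IMPLICIT_TRANSFORMS) {
  const attempts = [];
  for (const implicitTransforms of candidates) {
    try {
      if (verify(implicitTransforms) === true) {
        return { implicitTransforms, attempts };
      }
      attempts.push({ implicitTransforms, error: "checkSignature returned false" });
    } catch (err) {
      attempts.push({ implicitTransforms, error: String((err && err.message) || err) });
    }
  }
  return { implicitTransforms: null, attempts }; // nothing verified: do not accept the document
}

// Builds a verify() around xml-crypto, mirroring the issue's long version.
// Modules are required lazily so discoverImplicitTransform() can be unit
// tested without them installed.
function xmlCryptoVerifier(xml, pemPath) {
  return (implicitTransforms) => {
    const { SignedXml, FileKeyInfo, xpath } = require("xml-crypto");
    const { DOMParser } = require("xmldom");
    const doc = new DOMParser().parseFromString(xml);
    const sigNode = xpath(doc, '//*[local-name()="Signature"]')[0];
    if (!sigNode) throw new Error("no Signature element in document");
    const sig = new SignedXml(null, { implicitTransforms });
    sig.keyInfoProvider = new FileKeyInfo(pemPath);
    sig.loadSignature(sigNode);
    const ok = sig.checkSignature(xml);
    if (!ok) throw new Error((sig.validationErrors || []).join("; ") || "invalid signature");
    return ok;
  };
}
```

Use this once, offline, to learn what a given signer does; the transform it finds should then be pinned in configuration, because looping over several canonicalizations on every incoming document widens what a verifier accepts.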
@Hinaser changed the title from "If you failed verifying XML signature, you can try this one" to "If you failed verifying XML signature, read this" on Jun 13, 2018
@VincentNewkirk

I'm confused about this. The commit that caused this bug was created last year. This issue was opened just a couple of weeks ago.

I've recently been having trouble verifying an XML signature and came across this, but I'm wondering if this is actually the cause of my issue.

@VincentNewkirk

Let me clarify my question.
Did this issue begin happening when this issue was created? Or has this issue been happening since last year when the commit was made?

@Hinaser
Contributor Author

Hinaser commented Jul 2, 2018

Hi @VincentNewkirk
I just started using this library, xml-crypto, a few weeks ago, so I have no idea whether this issue was present before last year.

It is possible that your issue is in the XML signature itself, not the commit created last year.
It is possible that the signer changed its signing/c14n algorithm last year.

Either way, I cannot say where the root cause of your issue stands.

@LoneRifle
Collaborator

fwiw, the team at Asana have forked this library and have applied @Hinaser's changes along with more fixes for canonicalization.

@Mehulagrawal710

Can implicitTransforms be used for signing XMLs as well?

4 participants