Comments (5)
bjrmatos
commented on September 2, 2024
basically what you're asking is support for validate detached signatures, external signatures that are not part of the signed document.
this feature is planned, see #66
checkSignature will support a new argument to specify the external signature document, and the validation will resolve the references correctly (we are investigating how to make this)
your solution seems a little confusing to use correctly, so until we can support detached signatures the best you can do is to modify xml-crypto to meet your needs :(
from xml-crypto.
dominykas
commented on September 2, 2024
It's not exactly an "external signature document" per se - there are multiple files to be checksumed, and they're all inside the ASiC container (which means there's multiple streams to be handled [careful not to cross them], and could potentially be done over network, etc etc) - I'm not sure it's really a good idea to make xml-crypto aware of such (or any other) containers, or at least it feels to me that it wouldn't be the node way :)
As for using correctly - I'm suggesting to keep the default as is. As for non-default behavior - a lot of the "using correctly" part would come from properly naming the options - maybe strictReferenceValidation, allowExternalUris, ignoreExternalUris, ignoreMissingReferences is all that's needed. As for the second part - getting a list of what was ignored - for my current purposes actually the current approach is OK - all information gets stuffed into validationErrors anyways.
Even the implementation is not that tricky:
- I'd suggest to change https://github.com/yaronn/xml-crypto/blob/master/lib/signed-xml.js#L286 to
var missingReferences = true; continue;[this way current implementation won't do an early exit, but instead will gather all missing references) - Similarly update https://github.com/yaronn/xml-crypto/blob/master/lib/signed-xml.js#L298
- Change https://github.com/yaronn/xml-crypto/blob/master/lib/signed-xml.js#L301 to return false if
missingReferencesis true and the option to ignore missing references was not set.
Like I said - I'm happy to PR (and I'd be somewhat less happy to maintain my own fork just for this...)
from xml-crypto.
dominykas
commented on September 2, 2024
Oh, another way to achieve what I need would be to have some configurable getHashByUri method - in which case I could provide the result from my program (by reading and checksumming the container streams that I have).
from xml-crypto.
bjrmatos
commented on September 2, 2024
I need to read the ASiC and XAdES specifications to see if this is the best solution.
But maybe @yaronn knows more about this than me
@yaronn would you like to comment on this?
from xml-crypto.
cjbarth
commented on September 2, 2024
Closing due to inactivity; reply to reopen.
from xml-crypto.
Related Issues (20)
- A Proposal for Moving Forward HOT 1
- refactor: deprecate `SignedXml.signingKey` in favor of `SignedXml.publicKey` and `SignedXml.privateKey` HOT 1
- `xpath` dependency "problem" HOT 10
- [ENHANCEMENT]: Signature compliant to http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 HOT 5
- [ENHANCEMENT]: Export `C14nCanonicalization`, `ExclusiveCanonicalization` HOT 1
- [ENHANCEMENT]: Remove files, folders not needed on the release HOT 2
- Add Reference for the KeyInfo node
- [BUG]: keyInfo usage HOT 4
- invalid signature: for uri calculated digest is '*' but the xml to validate supplies digest '*' HOT 9
- Issue with Signature Verification When 'Transforms' Tag is Absent in 'Reference' Element HOT 5
- How to sign a SAML assertion? HOT 1
- Potentially unsafe default impl for `getKeyInfo()` HOT 2
- [BUG?]: duplicate reference in signature HOT 6
- The declared digest does not match the actual calculated digest HOT 3
- Bug/Outdated README: unclear whether signatureAlgorithm required or not HOT 2
- [ENHANCEMENT]: AddObject to SignedXml instance HOT 4
- [ENHANCEMENT]: wssecurity - getCertFromKeyInfo not possible HOT 1
- [ENHANCEMENT]: Improve experience of adding a `Reference` to the `Signature`.
- [ENHANCEMENT]: Making the signature wrap the content that it's signing HOT 4
- digest is invalid because the computed digest differs from the digest in the XML HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from xml-crypto.