Double Transform elements works, but causing issues #230

Open
QAnders opened this issue Jul 7, 2021 · 8 comments

Comments

QAnders commented Jul 7, 2021

First off, thanks so much for this module, awesome!
Next, I am not too familiar with XML signing and have had a difficult time actually verifying that the signature is OK, but it has been running fine for some time...

The problem is that we add two elements in order to produce a valid signature.
You can see the signed request here:
http://b-0389251a222dab85cf34ef28fa5672f0.iso6523-actorid-upis.acc.edelivery.tech.ec.europa.eu/iso6523-actorid-upis::0007:5567321707/services/busdox-docid-qns::urn:oasis:names:specification:ubl:schema:xsd:Invoice-2::Invoice##urn:cen.eu:en16931:2017#compliant#urn:fdc:peppol.eu:2017:poacc:billing:3.0::2.1

It is part of a standardized listing for Peppol SMP (Peppol.eu).

The XML is, as I said, valid and signed correctly, but the specification states:
[image: specification excerpt]

If I remove the additional one, it no longer produces a valid XML signature.

My code is as follows:

```javascript
const SignedXml = require('xml-crypto').SignedXml;

// `xml` is the unsigned SignedServiceMetadata document as a string;
// SMP_QVALIA_PRIVKEY / SMP_QVALIA_PUBKEY hold the PEM private key and the
// base64 certificate, loaded elsewhere in the application.
let sig = new SignedXml();

// addReference(xpath, transforms, digestAlgorithm, uri, digestValue,
//              inclusiveNamespacesPrefixList, isEmptyUri)
sig.addReference(
  ".//*[local-name(.)='SignedServiceMetadata']",
  [
    'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
    'http://www.w3.org/2001/10/xml-exc-c14n#' // the second transform discussed below
  ],
  'http://www.w3.org/2000/09/xmldsig#sha1',
  '',
  '',
  '',
  true // isEmptyUri: emit <Reference URI="">
);

sig.signatureAlgorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
sig.canonicalizationAlgorithm =
  'http://www.w3.org/TR/2001/REC-xml-c14n-20010315';

sig.signingKey = SMP_QVALIA_PRIVKEY;

sig.keyInfoProvider = {
  getKeyInfo: (key, prefix) => {
    return `<X509Data><X509SubjectName>${process.env.SMP_QVALIA_CN}</X509SubjectName><X509Certificate>${SMP_QVALIA_PUBKEY}</X509Certificate></X509Data>`;
  }
};

sig.computeSignature(xml);

let signedXml = sig.getSignedXml();
```

The above creates the valid signing, but according to the spec I need to remove 'http://www.w3.org/2001/10/xml-exc-c14n#'; doing that, the signature becomes invalid...

I think this issue is related: #210

QAnders commented Jul 8, 2021

I can also add that if I use the canonicalization http://www.w3.org/2001/10/xml-exc-c14n#, it again shows as an invalid signature, and only http://www.w3.org/TR/2001/REC-xml-c14n-20010315 works with it.

According to the specification I am trying to follow we should be using http://www.w3.org/2001/10/xml-exc-c14n#.

The edited code like this seems to be OK:

```javascript
const SignedXml = require('xml-crypto').SignedXml;

// As before, `xml` is the unsigned document as a string and the
// SMP_QVALIA_* values are the key material loaded elsewhere.
let sig = new SignedXml();

// Only the enveloped-signature transform remains; the exc-c14n transform
// from the first version has been removed.
sig.addReference(
  ".//*[local-name(.)='SignedServiceMetadata']",
  [
    'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
  ],
  'http://www.w3.org/2000/09/xmldsig#sha1',
  '',
  '',
  '',
  true // isEmptyUri: emit <Reference URI="">
);

sig.signatureAlgorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
sig.canonicalizationAlgorithm = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315';

sig.signingKey = SMP_QVALIA_PRIVKEY;

sig.keyInfoProvider = {
  getKeyInfo: (key, prefix) => {
    return `<X509Data><X509SubjectName>${process.env.SMP_QVALIA_CN}</X509SubjectName><X509Certificate>${SMP_QVALIA_PUBKEY}</X509Certificate></X509Data>`;
  }
};

sig.computeSignature(xml);

let signedXml = sig.getSignedXml();
```

However, changing `sig.canonicalizationAlgorithm = 'http://www.w3.org/2001/10/xml-exc-c14n#';` breaks the signature again...
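
The behaviour described in the two comments above follows from how an XML-DSIG verifier recomputes a Reference digest: it applies the declared Transforms in order, and when the result is still a node-set it canonicalises that node-set before hashing, so the bytes that actually get digested always pass through a canonicalisation step whether or not one is listed. A signer that digests a non-canonical serialisation therefore emits a DigestValue the verifier cannot reproduce. The following is an added example, not code from this issue or from xml-crypto, that recomputes an enveloped-signature Reference digest with only the Python standard library. It assumes Python 3.8+, whose `xml.etree.ElementTree.canonicalize` implements C14N 2.0 and stands in here for the Canonical XML 1.0 / Exclusive C14N a real verifier applies; the two SMP-style documents, their element names and the `0007:0000000000` identifier are constructed sample data.

```python
# Added example (not xml-crypto code): recompute an enveloped signature's
# ds:Reference digest the way a verifier does, using the standard library only.
# Assumes Python 3.8+; ET.canonicalize implements C14N 2.0, which stands in here
# for the Canonical XML 1.0 / Exclusive C14N that XML-DSIG verifiers apply.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS

# Constructed SMP-style sample carrying the Transforms the thread argues about.
# DigestValue and SignatureValue are placeholders; only the digest is exercised.
DOC_A = """<?xml version="1.0" encoding="UTF-8"?>
<SignedServiceMetadata xmlns="http://busdox.org/serviceMetadata/publishing/1.0/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ServiceMetadata>
    <ServiceInformation>
      <ParticipantIdentifier scheme="iso6523-actorid-upis">0007:0000000000</ParticipantIdentifier>
      <DocumentIdentifier scheme="busdox-docid-qns">urn:oasis:names:specification:ubl:schema:xsd:Invoice-2::Invoice</DocumentIdentifier>
      <ProcessList/>
    </ServiceInformation>
  </ServiceMetadata>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</SignedServiceMetadata>
"""

# Same infoset, serialised differently: no XML declaration, namespace declarations
# swapped and single-quoted, extra whitespace in a start tag, <ProcessList></ProcessList>.
DOC_B = (
    DOC_A.replace('<?xml version="1.0" encoding="UTF-8"?>\n', "")
    .replace('xmlns="http://busdox.org/serviceMetadata/publishing/1.0/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"',
             "xmlns:ds='http://www.w3.org/2000/09/xmldsig#'\n    xmlns='http://busdox.org/serviceMetadata/publishing/1.0/'")
    .replace('<ParticipantIdentifier scheme="iso6523-actorid-upis">',
             "<ParticipantIdentifier   scheme='iso6523-actorid-upis' >")
    .replace("<ProcessList/>", "<ProcessList></ProcessList>")
)

def reference_bytes(signed_xml: str) -> bytes:
    """Octets digested for Transforms [enveloped-signature, C14N]: drop the whole
    ds:Signature subtree (exclude_tags), then canonicalise what is left."""
    return ET.canonicalize(signed_xml, exclude_tags=[SIGNATURE_TAG]).encode("utf-8")

def uncanonicalised_reference_bytes(signed_xml: str) -> bytes:
    """What a signer digests if it removes the Signature element and serialises the
    rest as-is. Text slicing suffices for the samples; it stands in for a DOM toString()."""
    start = signed_xml.index("<ds:Signature>")
    end = signed_xml.index("</ds:Signature>") + len("</ds:Signature>")
    return (signed_xml[:start] + signed_xml[end:]).encode("utf-8")

def digest_value(octets: bytes, algorithm: str = "sha256") -> str:
    """ds:DigestValue content: base64 of the hash. The thread uses sha1; default is sha256."""
    return base64.b64encode(hashlib.new(algorithm, octets).digest()).decode("ascii")

def sign_reference(unsigned_xml: str, algorithm: str = "sha256") -> str:
    """Fill in ds:DigestValue; the Signature subtree is outside the digested node-set."""
    digest = digest_value(reference_bytes(unsigned_xml), algorithm)
    return unsigned_xml.replace("<ds:DigestValue>PLACEHOLDER</ds:DigestValue>",
                                "<ds:DigestValue>%s</ds:DigestValue>" % digest, 1)

def verify_reference(signed_xml: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare it in constant time with the carried DigestValue."""
    carried = ET.fromstring(signed_xml).findtext(".//{%s}DigestValue" % DSIG_NS)
    if carried is None:
        return False
    recomputed = digest_value(reference_bytes(signed_xml), algorithm)
    return hmac.compare_digest(carried.encode("utf-8"), recomputed.encode("ascii"))

def demo() -> dict:
    """Round trip plus the comparisons the thread turns on."""
    signed = sign_reference(DOC_A)
    return {
        "verifies": verify_reference(signed),
        "verifies_after_reserialisation": verify_reference(
            signed.replace("<ProcessList/>", "<ProcessList></ProcessList>")),
        "verifies_after_tampering": verify_reference(
            signed.replace("0007:0000000000", "0007:0000000001")),
        "canonical_bytes_equal": reference_bytes(DOC_A) == reference_bytes(DOC_B),
        "uncanonicalised_bytes_equal": (uncanonicalised_reference_bytes(DOC_A)
                                        == uncanonicalised_reference_bytes(DOC_B)),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the points at issue: two serialisations of the same document verify against the same DigestValue once canonicalised but digest differently as raw text, a one-digit change to the participant identifier fails verification, and the canonical form drops the XML declaration and the `xmlns:ds` declaration that only the removed Signature used. A transform list that stops at enveloped-signature does not avoid this step; the verifier then digests its own canonical form of the node-set, and whatever non-canonical serialisation the signer hashed will in general not match. `digest_value` defaults to SHA-256; the code in the thread uses SHA-1 for both the digest and the RSA signature, which is deprecated for signatures and should only be kept where an external specification still forces it.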

@artkarki

I have exactly the same problem. A third-party API gives me the same error. Any solutions yet?

@abhinandanValetEZ

Any response on this?

@cyberrspiritt

We have a workaround where we're ignoring the second transform from being added inside the library.

In the following file, xml-crypto/lib/signed-xml.js, at line 909, add the following two lines:

```javascript
// Skip writing this Transform element into the signed XML
if (transform.getAlgorithmName() == 'http://www.w3.org/2001/10/xml-exc-c14n#')
  continue;
```

It would ignore the second transform from being added in the signed XML.

@clucher91

Any solution? I have the same problem, just i need envelopedsignature

@cyberrspiritt

> We have a workaround where we're ignoring the second transform from being added inside the library.
>
> In the following file, xml-crypto/lib/signed-xml.js, at line 909, add the following two lines:
>
> ```javascript
> if (transform.getAlgorithmName() == 'http://www.w3.org/2001/10/xml-exc-c14n#')
>   continue;
> ```
>
> It would ignore the second transform from being added in the signed XML.

Refer to this. It works for us.

@clucher91

> Refer to this. It works for us.

Thanks @cyberrspiritt for your help! My problem is a different one now.
I was able to sign the XML as requested, but when I try to sign an XML with the requested schema, the digest value is wrong.
I'm trying to sign "SetDTE".
Any suggestions?

Failed digest value:

```xml
<EnvioBOLETA xmlns="http://www.sii.cl/SiiDte"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.sii.cl/SiiDte EnvioBOLETA_v11.xsd" version="1.0">
    <SetDTE>
...
```

OK digest value:

```xml
<EnvioBOLETA>
    <SetDTE>
...
```

cjbarth commented May 29, 2023

@cyberrspiritt, if that solution worked for you, would you mind creating a PR with a test suite, so that the community can benefit and you don't have to maintain a fork?
