rtc: Verify outermost XML signature of SII AECs #242
c3b78fe to 7fff179
Codecov Report
```diff
@@ Coverage Diff @@
## develop #242 +/- ##
===========================================
+ Coverage 83.00% 83.24% +0.24%
===========================================
Files 32 33 +1
Lines 2500 2531 +31
Branches 349 355 +6
===========================================
+ Hits 2075 2107 +32
+ Misses 275 269 -6
- Partials 150 155 +5
```
4d769b9 to dd48f4e
@jtrobles-cdd @glarrain-cdd This is what I found out so far:
The second error (XmlSignatureUnverified) is the one that is directly related to the changes in this PR. When analyzing a subset of the AEC documents that fail due to this error, what stands out the most is that these documents contain empty-element tags (e.g.
Note: Both Footnotes
This PR doesn't contain any changes related to XML canonicalization during signature verification. The script SignXML does perform XML canonicalization, but only because it must do that if the XML signature specifies a canonicalization method, as the following example shows:

```xml
<Signature ...>
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    ...
</Signature>
```

XML canonicalization isn't supposed to break an XML digital signature if the signature itself specifies it through
You are absolutely right and in an ideal context these changes should be enough, but when it comes to SII, nothing works as expected.
I'm approving these changes because the solution is great, it works as expected, and they also had a high success rate (+ 96%) in AEC document signature verification tests on a large set of SII-approved AECs.
But we should document that one of the reasons why the signature verification process will fail is because the XML is not in its canonical form, even when a canonicalization algorithm is referenced in the `SignedInfo` element.
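The failure mode raised in this review, as an added illustration that is not code from this pull request: canonicalization rewrites empty-element tags as start-end pairs, so a digest taken over the bytes as serialized cannot be reproduced by a verifier that canonicalizes first. Assumptions: the sample XML and its element contents are constructed, SHA-256 stands in for whatever digest the signature declares, and the standard library's C14N 2.0 is used in place of the C14N 1.0 algorithm named above (both expand empty-element tags).

```python
import hashlib
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Constructed samples: the same element serialized two ways.
WITH_EMPTY_TAG = '<DocumentoAEC ID="x"><Caratula/><Cesiones>1</Cesiones></DocumentoAEC>'
WITH_START_END = (
    '<DocumentoAEC ID="x"><Caratula></Caratula><Cesiones>1</Cesiones></DocumentoAEC>'
)


def canonical_form(xml_text: str) -> str:
    """Canonical serialization; empty-element tags become start-end pairs."""
    return canonicalize(xml_text)


def raw_digest(xml_text: str) -> str:
    """Digest over the bytes exactly as serialized (no canonicalization)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """Digest over the canonical form, as a canonicalizing verifier computes it."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def diagnose(signed_digest: str, received_xml: str) -> str:
    """Classify a digest check so a failure can be triaged (hypothetical helper)."""
    if signed_digest == canonical_digest(received_xml):
        return "verifies"
    if signed_digest == raw_digest(received_xml):
        # The digest only matches the non-canonical bytes: the signer
        # skipped canonicalization, so a conforming verifier rejects it.
        return "signer hashed non-canonical bytes"
    return "content changed or other mismatch"


if __name__ == "__main__":
    # Signer A canonicalized before hashing; signer B hashed raw bytes.
    print(diagnose(canonical_digest(WITH_EMPTY_TAG), WITH_EMPTY_TAG))
    print(diagnose(raw_digest(WITH_EMPTY_TAG), WITH_EMPTY_TAG))
    # Once the document is already canonical, both signers agree.
    print(diagnose(raw_digest(WITH_START_END), WITH_START_END))
```
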
Add a parameter to `verify_xml_signature` to enable support for XML documents that contain multiple signatures, assuming that a suitable custom XML signature verifier is used.
Tests have not been implemented. Based on `scripts/clean_dte_xml_file.py`.
The file is the output of command:

```sh
./scripts/canonicalize_xml_file.py file \
  'tests/test_data/sii-rtc/AEC--76354771-K--33--170--SEQ-2.xml' \
  'tests/test_data/sii-rtc/AEC--76354771-K--33--170--SEQ-2-canonicalized-c14n.xml'
```

The MD5 checksum of the added file is f41e807aba2a08a3d42f0848a6621f72.
- Extract the Base64+DER–encoded certificate and the Base64-encoded signature value from the signature over `<DocumentoAEC>` from the AEC XML files `tests/test_data/sii-rtc/AEC--76354771-K--33--170--SEQ-2.xml` and `tests/test_data/sii-rtc/AEC--76399752-9--33--25568--SEQ-1.xml`.
- Convert the DER-encoded certificates to PEM-encoded.

Commands:

```sh
cd 'tests/test_data/sii-crypto/'
openssl x509 \
  -inform DER -in 'AEC--76354771-K--33--170--SEQ-2-cert.der' \
  -outform PEM -out 'AEC--76354771-K--33--170--SEQ-2-cert.pem'
openssl x509 \
  -inform DER -in 'AEC--76399752-9--33--25568--SEQ-1-cert.der' \
  -outform PEM -out 'AEC--76399752-9--33--25568--SEQ-1-cert.pem'
```

(OpenSSL 1.1.1f (2020-03-31))
The three files are related to the canonicalized AEC XML file `tests/test_data/sii-rtc/AEC--76354771-K--33--170--SEQ-2-canonicalized-c14n.xml`.
An AEC XML document has multiple XML digital signatures. This commit implements the parsing of the signature over the AEC XML element `<DocumentoAEC>` (XPath: `/AEC/DocumentoAEC`).
Only the outermost signature of the AEC XML document is verified (i.e. the one over `/AEC/DocumentoAEC`).
dd48f4e to 38821b8
@ycouce-cdd Can you create a GitHub issue for that?
Done #246
There is a high number of AEC documents approved by the SII that cannot be instantiated because the validation that the AEC signature certificate is loadable fails. For the moment we will disable this validation so we can instantiate the AEC documents while we look for a solution to the issue loading the AEC signature certificate. Ref: https://cordada.aha.io/features/COMPCLDATA-13 Ref: #242 (comment)
Ref: https://cordada.aha.io/features/COMPCLDATA-5