invalid signature #200

Closed
joeljb opened this issue Dec 15, 2019 · 4 comments

joeljb commented Dec 15, 2019

Good morning, I am trying to sign an XML. When I use

sig.addReference(xpath, ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"],"http://www.w3.org/2001/04/xmlenc#sha256","","","",false)
it validates, but when I use

sig.addReference(xpath, ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"],"http://www.w3.org/2001/04/xmlenc#sha256","","","",true)

it returns the following error
[ 'invalid signature: for uri calculated digest is oUP1akifFqmjvHDVtpeQC8h0l9LqL1YLf+PPOxzj8Rs= but the xml to validate supplies digest yY+OHWVStrsKgaqmoVNfy3hHoZf1lXomRKflwW4bhc0=' ]

What I want is to remove Id="_0" and leave URI="#_0" as URI=""

@SmartLayer

Looking at the code,

  • If you give isEmptyUri a false value, as in your first example, then the ID of the node at xpath will be used, which works in your first example.

  • If you give isEmptyUri a true value, then the first parameter will be ignored, which caused the digest error in your second example.

https://github.com/yaronn/xml-crypto/blob/40bd9e8f8787c9c996572fe5937572506b9e43d1/lib/signed-xml.js#L790-L797

Personally I think APIs can be designed to avoid misuses. I recommend having 2 APIs:

addReference = function(xpath, transforms, digestAlgorithm, uri, digestValue, inclusiveNamespacesPrefixList)

and

addReferenceEmptyURI = function(transforms, digestAlgorithm, uri, digestValue, inclusiveNamespacesPrefixList)

XMLDSig is complicated enough that any effort from the library to make developers less able to produce non-working calls is of great help!

By the way, can you change the title? Half of the people come here with a problem verifying a signature (the other half with a problem signing), so "invalid signature" conveys no information.

@mightypenguin

Not sure if this is related but I get the "invalid signature" error from v1.4.1 onwards (using passport-saml v1.3.3)


Rodrigobanselmo commented Nov 11, 2022

I had the same problem, and to solve this you have to add the xpath as /*

sig.addReference(
    // reference to the root node
    "/*",
    [
      'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
      'http://www.w3.org/2001/10/xml-exc-c14n#'
    ],
    'http://www.w3.org/2000/09/xmldsig#sha1',
    '',
    '',
    '',
    // leave the URI attribute with an empty value,
    // this is the signal that the signature is affecting the whole xml document
    true
);

#122 explains that
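
Added example, not part of the thread and not xml-crypto code: a simplified JavaScript model of why the second call in the question fails validation and why selecting "/*" fixes it. It assumes the signer digests the node the xpath selects while a verifier resolves URI="" to the whole document; the sample XML and all function names are constructed, and canonicalization and the Signature element are left out.

```javascript
// Added example, not xml-crypto code: simplified model of XMLDSig reference digests.
const { createHash } = require("crypto");

// Constructed sample; canonicalization and the Signature element are left out,
// so the strings are digested exactly as written.
const INNER = '<Invoice Id="_0"><Total>10</Total></Invoice>';
const DOC = `<Envelope><Header>h</Header>${INNER}</Envelope>`;

const sha256 = (s) => createHash("sha256").update(s, "utf8").digest("base64");

// Verifier side: URI="" means the whole document, URI="#id" the element with that Id.
function dereference(doc, uri) {
  if (uri === "") return doc;
  const m = doc.match(new RegExp(`<(\\w+) Id="${uri.slice(1)}">.*?</\\1>`));
  if (!m) throw new Error(`no element with Id ${uri.slice(1)}`);
  return m[0];
}

// Signer side (assumed behaviour): the digest covers the node the xpath selected;
// isEmptyUri only decides which URI is written into the Reference.
function makeReference(selected, id, isEmptyUri) {
  return { uri: isEmptyUri ? "" : `#${id}`, digest: sha256(selected) };
}

// Returns a list of errors, empty when the reference validates.
function validateReference(doc, ref) {
  const calculated = sha256(dereference(doc, ref.uri));
  if (calculated === ref.digest) return [];
  return [`invalid signature: for uri ${ref.uri} calculated digest is ${calculated} ` +
          `but the xml to validate supplies digest ${ref.digest}`];
}

const cases = {
  "inner node, URI=#_0": makeReference(INNER, "_0", false),
  "inner node, URI empty": makeReference(INNER, "_0", true),
  "root (/*), URI empty": makeReference(DOC, "_0", true),
};
for (const [name, ref] of Object.entries(cases)) {
  const errors = validateReference(DOC, ref);
  console.log(name, "->", errors.length === 0 ? "valid" : errors[0]);
}
```

Only the middle case reports a digest mismatch: the signed bytes are the inner element, but the empty URI tells the verifier to digest the whole document.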

cjbarth (Contributor) commented May 29, 2023

It seems that this issue has been resolved. If this is not the case, please reply to reopen.

cjbarth closed this as completed May 29, 2023