Provide an option to ignore missing URIs #67
Comments
Basically what you're asking for is support for validating detached signatures, external signatures that are not part of the signed document. This feature is planned, see #66.
Your solution seems a little confusing to use correctly, so until we can support detached signatures the best you can do is to modify xml-crypto to meet your needs :(
It's not exactly an "external signature document" per se - there are multiple files to be checksummed, and they're all inside the ASiC container (which means there's multiple streams to be handled [careful not to cross them], and could potentially be done over network, etc etc) - I'm not sure it's really a good idea to make As for using correctly - I'm suggesting to keep the default as is. As for non-default behavior - a lot of the "using correctly" part would come from properly naming the options - maybe Even the implementation is not that tricky:
Like I said - I'm happy to PR (and I'd be somewhat less happy to maintain my own fork just for this...)
Oh, another way to achieve what I need would be to have some configurable
Closing due to inactivity; reply to reopen.
I'm working on a library to verify ASiC containers - they are essentially a ZIP with a signatures.xml. The signatures.xml contains XAdES which can happily be verified using this library, except that it contains URIs which are outside of the document itself, i.e. the URIs do not reference the IDs inside the XML, but reference the files inside the ZIP. Since URIs with and without the starting `#` can be treated as reference IDs, I don't see an easy way to automagically determine which is which, therefore I need a way to tell this library to ignore missing elements. I think a good way to achieve that would be to have an option that instead of failing here: https://github.com/yaronn/xml-crypto/blob/master/lib/signed-xml.js#L284 would rather stuff the information into some "missing URIs" property, that can later be used to verify the documents externally.
In short - I'd like to see a way to treat missing URIs as warnings, not as failures.
I'm happy to submit a PR, if we can agree on the contract - where to add the option and how to name the "missing URIs" property. What do you think about `options.failOnMissingUris [default: true]` and `SignedXml.validationWarnings` (array of objects with `warningType` and custom data which differs per type) or a simpler `SignedXml.validationMissingUris`?
Reference:
ASiC: http://www.etsi.org/deliver/etsi_ts/102900_102999/102918/01.03.01_60/ts_102918v010301p.pdf
XAdES: http://www.etsi.org/deliver/etsi_ts%5C101900_101999%5C101903%5C01.04.02_60%5Cts_101903v010402p.pdf
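An added example, not part of the original issue and not xml-crypto code: one way a caller could consume the proposed "missing URIs" list after signature validation, hashing each referenced container file and comparing it with the reference's digest so that an unresolved reference never passes silently. The item shape (`uri`, `digestMethod`, `digestValue`), the function names and the sample files are assumptions.

```javascript
const { createHash, timingSafeEqual } = require("crypto");

// XML-DSig DigestMethod algorithm URIs mapped to Node.js hash names.
const DIGESTS = new Map([
  ["http://www.w3.org/2000/09/xmldsig#sha1", "sha1"],
  ["http://www.w3.org/2001/04/xmlenc#sha256", "sha256"],
  ["http://www.w3.org/2001/04/xmlenc#sha512", "sha512"],
]);

// unresolved: assumed shape of a "missing URIs" list, one item per reference the
//   XML verifier could not resolve: { uri, digestMethod, digestValue (base64) }.
// entries: Map of ZIP entry name -> Buffer with the signed data files (the caller
//   has already left out the signature file and other container metadata).
function verifyExternalReferences(unresolved, entries) {
  const report = { verified: [], mismatched: [], missing: [], unsupported: [], unsigned: [] };
  for (const ref of unresolved) {
    let name = null;
    try {
      name = decodeURIComponent(ref.uri); // reference URIs are percent-encoded
    } catch {
      name = null; // malformed escape sequence: treat as unresolvable
    }
    const algorithm = DIGESTS.get(ref.digestMethod);
    if (!algorithm) { report.unsupported.push(ref.uri); continue; }
    if (name === null || !entries.has(name)) { report.missing.push(ref.uri); continue; }
    const actual = createHash(algorithm).update(entries.get(name)).digest();
    const expected = Buffer.from(ref.digestValue, "base64");
    const same = actual.length === expected.length && timingSafeEqual(actual, expected);
    report[same ? "verified" : "mismatched"].push(name);
  }
  // Entries that no reference covers are not protected by the signature.
  const covered = new Set([...report.verified, ...report.mismatched]);
  report.unsigned = [...entries.keys()].filter((name) => !covered.has(name));
  // Fail closed: a warning list is only safe if every item on it ends up verified.
  report.ok = unresolved.length > 0 && report.verified.length === unresolved.length && report.unsigned.length === 0;
  return report;
}

// Constructed sample: two container files and the references that cover them.
function sampleRun() {
  const sha256 = "http://www.w3.org/2001/04/xmlenc#sha256";
  const digest = (data) => createHash("sha256").update(data).digest("base64");
  const entries = new Map([["report.txt", Buffer.from("hello")], ["my doc.pdf", Buffer.from("%PDF-sample")]]);
  const unresolved = [
    { uri: "report.txt", digestMethod: sha256, digestValue: digest("hello") },
    { uri: "my%20doc.pdf", digestMethod: sha256, digestValue: digest("%PDF-sample") },
  ];
  return verifyExternalReferences(unresolved, entries);
}
```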