Ahmet-Kaplan / xades4j

Automatically exported from code.google.com/p/xades4j
GNU Lesser General Public License v3.0
0 stars 0 forks source link

Verification does not work for italian FatturaPA #89

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
The library currently does not support verification for italian FatturaPA.
1. I have downloaded an xml file signed with XAdES-BES signature from here
http://fatturapa.gov.it/export/fatturazione/sdi/fatturapa/v1.0/IT01234567890_X11
11.xml
2. I run the XAdES verification
3. The verification fails

What version of the product are you using? On what operating system?
Last version 1.3.1. 
Unix.

Please provide any additional information below.

I created a clone that you can see it from here:
https://code.google.com/r/ruolui-fatturapa/

I created a test that reproduces the problem.

The problem is the following:

The signed file does not contain the property SigningCertificate.
The specification for italian FatturaPA (written in document ETSI TS 101 903) 
provides that the certificate info may be indicated in ds:KeyInfo.

In static inner class XAdES_BES_Desc at line 128 in XAdESFormChecker is checked 
only presence of property SigningCertificate.

Original issue reported on code.google.com by ruolui on 27 Jun 2014 at 8:46

GoogleCodeExporter commented 9 years ago
When the certificate is included only in ds:KeyInfo it must be signed. It is 
hard (not sure if possible on the Apache Santurario API) to ensure that the 
signing certificate is in fact signed. Also, XAdES Baseline Profile [1] 
mandates the usage of SigningCertificate.

Nevertheless, this is an aspect I'd like to solve, despite not having high 
priority. This could also allow for simple XML-DSIG validation.

[1] 
http://www.etsi.org/deliver/etsi_ts/103100_103199/103171/02.01.01_60/ts_103171v0
20101p.pdf

Original comment by luis.fgoncalv on 5 Jul 2014 at 8:30

GoogleCodeExporter commented 9 years ago
Thanks for your response, Luis.

This constraints are indicated in section 4.4.1 of ETSI TS 101 903 V1.4.1 
(2009-06), downloadable at this link 

http://uri.etsi.org/01903/v1.4.1/ts_101903v010401p.pdf

I created a proposal for a solution at this repository

https://github.com/entaksi/xades4j

Original comment by ruolui on 7 Jul 2014 at 3:28

GoogleCodeExporter commented 9 years ago
I know about the constraints. What I meant on the previous comment is that they 
are hard to enforce. Your proposal is a possible first approach but:

 * Doesn't support the case where only the certificate is signed and not the whole KeyInfo.
 * Doesn't account for transforms over the KeyInfo reference. If no restrictions are made on the transforms, just checking the referenc's URI is not enough.

Nevertheless, I'll take this into account if/when I tackle this issue. Thanks!

Original comment by luis.fgoncalv on 13 Jul 2014 at 11:19