PeculiarVentures / xmldsigjs

XMLDSIGjs provides an implementation of XMLDSIG in Typescript/Javascript based on WebCrypto
MIT License

Empty reference URI for enveloped signature #10

Open alphanso opened 7 years ago

alphanso commented 7 years ago

I was using this library for signing xml using the following: -

Signed XML is verified by vendor and they need empty URI or signature verification fails.

https://www.w3.org/TR/xmldsig-core/#sec-URI says

If the URI attribute is omitted altogether, the receiving application is expected to know the identity of the object.

I believe we should default to empty URI in case of enveloped signature and should make it possible to omit only by choice.

rmhrisk commented 7 years ago

I am OK with us taking that as a change, feel free to submit a PR, absent that we can look at this when we get time.

gine commented 6 years ago

@rmhrisk I think that there is a bug on this.

If you set uri : "" in the ReferenceOptions, the code produced doesn't have the empty uri attribute. I'm trying to find where I can fix it, but I don't find where. Can you point me?

microshine commented 6 years ago

@gine xmldsig has default value for Reference.Uri https://github.com/PeculiarVentures/xmldsigjs/blob/master/src/xml/reference.ts#L45

URI is optional value in xmldsig XSD https://github.com/PeculiarVentures/xmldsigjs/blob/master/src/xml/reference.ts#L18

You can recompile the xmldsig.js file and remove defaultValue from the XmlAttribute decorator. I think it'll fix your problem.

rmhrisk commented 6 years ago

@microshine it seems intuitive that setting uri : "" in the ReferenceOptions would produce a value of "" and null an empty one? Is that right?

microshine commented 6 years ago

@rmhrisk I think so. I'll update library

microshine commented 6 years ago

@gine I updated xmldsig. I can't publish it, because it has some security/snyc issues. I'll fix it later. But you can try the new version:

npm i https://github.com/PeculiarVentures/xmldsigjs#update

If uri isn't in option, then <Reference>
If uri is "", then <Reference Uri="">
If uri is "some-id", then <Reference Uri="some-id">
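The three cases above mean different things to a verifier, so it helps to check which one a signed document actually carries. The following is an added example, not part of the original thread and not xmldsigjs code: `classifyReferences` is a hypothetical helper and the sample document is constructed. Per the XMLDSIG spec, `URI=""` refers to the document containing the signature, while an omitted `URI` leaves the object's identity to the receiver.

```javascript
// Added example, not xmldsigjs code. SAMPLE is constructed and trimmed
// (no DigestMethod/DigestValue) to keep the focus on the URI attribute.
const ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
const SAMPLE = `<Invoice Id="inv-1">
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
  <ds:Reference URI="">
   <ds:Transforms><ds:Transform Algorithm="${ENVELOPED}"/></ds:Transforms>
  </ds:Reference>
  <ds:Reference URI="#inv-1"/>
  <ds:Reference/>
 </ds:SignedInfo></ds:Signature>
</Invoice>`;

// Hypothetical helper: report what each Reference start tag points at.
// A regex scanner is enough for this sample; use a real XML parser in production.
function classifyReferences(xml) {
  const open = /<(?:[\w.-]+:)?Reference\b([^>]*?)(\/?)>/g;
  const close = /<\/(?:[\w.-]+:)?Reference>/;
  const out = [];
  let m;
  while ((m = open.exec(xml)) !== null) {
    const attr = /\bURI\s*=\s*(?:"([^"]*)"|'([^']*)')/.exec(m[1]);
    // ?? rather than ||: an empty string is a real value, not "missing".
    const uri = attr ? (attr[1] ?? attr[2]) : undefined;
    // Element body (empty for a self-closing tag), searched for transforms.
    const rest = m[2] === "/" ? "" : xml.slice(open.lastIndex);
    const end = rest.search(close);
    const body = end === -1 ? rest : rest.slice(0, end);
    let kind;
    if (uri === undefined) kind = "omitted";        // receiver must know the object
    else if (uri === "") kind = "whole-document";   // document containing the signature
    else if (uri.startsWith("#")) kind = "same-document-id";
    else kind = "external";
    out.push({ uri, kind, enveloped: body.includes(ENVELOPED) });
  }
  return out;
}

console.log(classifyReferences(SAMPLE));
```

A `whole-document` reference without the enveloped-signature transform cannot verify when the signature sits inside the document it covers, so `enveloped` is worth checking alongside `kind`.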

gine commented 6 years ago

I made a stupid fix. I presume that your fix is better. Tomorrow I'll try it.

Ameb commented 6 years ago

Hello. I wanted to try the new version but it won't install properly. The dist folder isn't generated. Could you try it, @gine?

microshine commented 6 years ago

@Ameb I added prepare script to package.json. It must fix error. Can you try it again?

Ameb commented 6 years ago

Thank you! Nice to have <ds:Reference URI="">

microshine commented 6 years ago

@Ameb I'll fix security/snyc issue and publish new version. Thank you for test