I am trying to validate the following document:
https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml
If you look at the document content, you will see that it has the following Signed Information:
In other words, for the first reference, the signature is enveloped, and for the second, the signature is enveloping.
In the 2.6.0 implementation of XMLVerifier.verify, I cannot validate this document, because the following sequence happens:
root and extracts the signature to variable signature_ref;
XMLVerifier.verify processes the first reference and calls the XMLVerifier._apply_transforms method, and because transformation algorithm http://www.w3.org/2000/09/xmldsig#enveloped-signature is being used, the function _remove_sig is called, which has the effect of detaching signature_ref from root;
XMLVerifier.verify then processes the second reference, and tries to locate the element with URI #xades-id-7881ca95cf9ee505158353417687039e in root - however, because the signature has been detached from root, and the element with that ID is enveloped by the signature, the _resolve_references method cannot find the referenced element, and fails;
I would solve the issue in the following way: in the loop that processes the references, instead of operating on root and signature_ref directly, the handling would be done on a copy of the root variable, and signature_ref would be re-resolved from the copy of root.
Please do not hesitate in giving your feedback, if you have any issues. Otherwise, I will try to make a PR implementing the solution above in the coming days.
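The sequence reported above, reduced to a stand-alone model (an added example, not code from the issue or from signxml): it uses the standard library's ElementTree instead of the library's own parser, and the sample document, the `signed-props` Id and the helper names are constructed for illustration.

```python
import copy
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
NS = {"ds": DS}

# Constructed sample: one enveloped reference (URI="") and one reference to an
# element that lives inside the signature itself (URI="#signed-props").
DOC = f"""<Doc xmlns:ds="{DS}"><Data>payload</Data>
<ds:Signature><ds:SignedInfo>
<ds:Reference URI=""><ds:Transforms>
<ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms></ds:Reference>
<ds:Reference URI="#signed-props"/>
</ds:SignedInfo>
<ds:Object><Props Id="signed-props">signing-time</Props></ds:Object>
</ds:Signature></Doc>"""

def resolve(root, uri):
    """Return the element a same-document URI points at, or None."""
    if uri == "":
        return root
    return next((e for e in root.iter() if e.get("Id") == uri[1:]), None)

def remove_signature(root):
    """Model of the enveloped-signature transform: detach ds:Signature."""
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == f"{{{DS}}}Signature":
                parent.remove(child)

def resolve_all(xml_text, copy_per_reference):
    """Process each reference in order; map URI -> whether its target was found."""
    root = ET.fromstring(xml_text)
    refs = root.findall(".//ds:SignedInfo/ds:Reference", NS)
    found = {}
    for ref in refs:
        # Proposed fix (modelled): give every reference its own copy of the tree,
        # so a transform applied for one reference cannot affect the next.
        tree = copy.deepcopy(root) if copy_per_reference else root
        target = resolve(tree, ref.get("URI"))
        enveloped = any(t.get("Algorithm") == ENVELOPED
                        for t in ref.iter(f"{{{DS}}}Transform"))
        if target is not None and enveloped:
            remove_signature(tree)
        found[ref.get("URI")] = target is not None
    return found

if __name__ == "__main__":
    print("shared tree  :", resolve_all(DOC, copy_per_reference=False))
    print("copy per ref :", resolve_all(DOC, copy_per_reference=True))
```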