XML-Security / signxml

Python XML Signature and XAdES library
https://xml-security.github.io/signxml/
Apache License 2.0

Working with Estonian BDOC format #131

Open notpushkin opened 5 years ago

notpushkin commented 5 years ago

Thanks for such a wonderful project! I'm trying to parse (and validate) BDOC signature files (spec, reference implementation), which are used widely across Estonia as a replacement for physical signatures. Those are basically zip archives containing the files being signed, along with an XML file following the xmldsig spec.

They work fine with the xmlsec1 tool, e.g.:

# with ca:
$ xmlsec1 verify --trusted-pem ESTEID-SK_2015.pem --url-map:PGP-claim.txt fixtures/bdoc/PGP-claim.txt fixtures/bdoc/META-INF/signatures0.xml 
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0

# or with cert pinning:
$ xmlsec1 verify --pubkey-cert-pem my_est_id.pem --url-map:PGP-claim.txt fixtures/bdoc/PGP-claim.txt fixtures/bdoc/META-INF/signatures0.xml 
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=347:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: subject=/C=EE/O=ESTEID/OU=digital signature/CN=PUSHKOV,ALEKSANDR,39705270051/SN=PUSHKOV/GN=ALEKSANDR/serialNumber=39705270051; issuer=/C=EE/O=AS Sertifitseerimiskeskus/organizationIdentifier=NTREE-10747013/CN=ESTEID-SK 2015; err=20; msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=386:obj=x509-store:subj=unknown:error=71:certificate verification failed:subject=/C=EE/O=ESTEID/OU=digital signature/CN=PUSHKOV,ALEKSANDR,39705270051/SN=PUSHKOV/GN=ALEKSANDR/serialNumber=39705270051; issuer=/C=EE/O=AS Sertifitseerimiskeskus/organizationIdentifier=NTREE-10747013/CN=ESTEID-SK 2015; err=20; msg=unable to get local issuer certificate
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0

However, when I try to validate them using signxml, I get errors:

>>> from signxml import XMLVerifier
>>> 
>>> XMLVerifier().verify(
...     open("fixtures/bdoc/META-INF/signatures0.xml", "rb").read(),
...     uri_resolver=lambda url: open(f"fixtures/bdoc/{url}", "r").read(),
...     ca_pem_file="ESTEID-SK_2015.pem",
... )
Traceback (most recent call last):
  File "/home/ale/dev/digidoc/.venv/lib/python3.7/site-packages/signxml/util/__init__.py", line 197, in _add_cert_to_store
    X509StoreContext(store, cert).verify_certificate()
  File "/home/ale/dev/digidoc/.venv/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1797, in verify_certificate
    raise self._exception_from_context()
OpenSSL.crypto.X509StoreContextError: [2, 1, 'unable to get issuer certificate']

During handling of the above exception, another exception occurred:

... (I'll snip these ones as it just wraps the PyOpenSSL exception)

>>> # or with cert pinning:
>>> XMLVerifier().verify(
...     open("fixtures/bdoc/META-INF/signatures0.xml", "rb").read(),
...     uri_resolver=lambda url: open(f"fixtures/bdoc/{url}", "r").read(),
...     x509_cert=open("my_est_id.pem", "rb").read(),
... )
Traceback (most recent call last):
  File "/home/ale/dev/digidoc/.venv/lib/python3.7/site-packages/signxml/__init__.py", line 729, in verify
    verify(signing_cert, raw_signature, signed_info_c14n, signature_digest_method)
  File "/home/ale/dev/digidoc/.venv/lib/python3.7/site-packages/OpenSSL/crypto.py", line 2928, in verify
    _raise_current_error()
  File "/home/ale/dev/digidoc/.venv/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_item_embed_d2i', 'nested asn1 error')]

During handling of the above exception, another exception occurred:
...

Here are the files I'm using:

Could I kindly ask if there's something wrong I'm doing here? Thank you!
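The container handling the report describes (a zip archive holding the signed files plus an xmldsig document), as an added example that is not part of this issue or of signxml's own code: it pulls the signature XML out of a BDOC container and builds a `uri_resolver` that hands signxml the exact stored bytes of each referenced file, rejecting reference URIs that do not name an entry in the container. Assumptions: signxml accepts bytes from the resolver (the report's resolver returns text), the sample container is constructed and not a real signed file, and `verify_bdoc` is only shown, since running it needs signxml and a genuine signature.

```python
import posixpath
import zipfile
from io import BytesIO
from urllib.parse import unquote


def open_bdoc(container_bytes):
    """Return (signature_xml_bytes, uri_resolver) for a BDOC/ASiC-E container.

    The resolver returns the bytes exactly as stored in the zip, so the
    reference digest is computed over the octets that were actually signed.
    """
    archive = zipfile.ZipFile(BytesIO(container_bytes))
    names = set(archive.namelist())
    signature_names = sorted(n for n in names if n.startswith("META-INF/signatures"))
    if not signature_names:
        raise ValueError("container has no META-INF/signatures*.xml")

    def uri_resolver(uri):
        # Reference URIs are percent-encoded file names. Decode, normalise the
        # path and refuse anything (absolute, traversal, external URL) that does
        # not name a data file stored in this very container.
        name = posixpath.normpath(unquote(uri))
        if name.startswith(("/", "../")) or name not in names:
            raise ValueError(f"reference {uri!r} does not name a file in the container")
        return archive.read(name)

    return archive.read(signature_names[0]), uri_resolver


def verify_bdoc(container_bytes, ca_pem_file):
    """Verify the container's first signature against a trusted CA PEM file."""
    from signxml import XMLVerifier  # lazy import: only this step needs signxml

    signature_xml, uri_resolver = open_bdoc(container_bytes)
    return XMLVerifier().verify(signature_xml, uri_resolver=uri_resolver, ca_pem_file=ca_pem_file)


def build_sample_container():
    """Constructed sample (not a real signed BDOC): one data file whose name
    needs percent-encoding in the Reference URI, plus a placeholder signature."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.etsi.asic-e+zip")
        z.writestr("PGP claim.txt", b"claim body\r\n")
        z.writestr("META-INF/signatures0.xml", b"<Signature/>")
    return buf.getvalue()
```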

kislyuk commented 5 years ago

Hello, thanks for reporting this. I can't immediately spot anything wrong with your invocation. I'll take a look at the files you attached and see if I can reproduce your error. It might take a few days for me to get to this :)