XML-Security / signxml

Python XML Signature and XAdES library
https://xml-security.github.io/signxml/
Apache License 2.0

<ds:KeyValue> is not enough for XMLVerifier to verify signature #250

msetina closed 5 months ago

msetina commented 5 months ago

Verify will fail if only KeyValue is present to represent the signing key. A certificate needs to be provided.

signxml.exceptions.InvalidInput: Expected a X.509 certificate based signature

kislyuk commented 5 months ago

Correct, that is the default behavior.

msetina commented 5 months ago

The problem is that signing with a key that has no certificate will produce a signed XML document that has only KeyValue.

kislyuk commented 5 months ago

Sorry, I'm not quite following. Can you provide a complete example with a specific description of observed vs. expected behavior and either a reference to how the behavior is not consistent with the spec or a description of why the behavior is invalid?

msetina commented 5 months ago

I got to this by having a simple process that signs and then verifies the result. When I signed with only a private key, the XMLSigner produced a signed document that had just KeyValue populated with public key information. In the step where the signed document is verified, the verifier complained that it had no X509 certificate. I cannot find in the specification (https://www.w3.org/TR/xmldsig-core2/ or https://www.w3.org/TR/xmldsig-core1/) that an X509 certificate is needed. For the validation procedure it refers to KeyInfo, which is present.

kislyuk commented 5 months ago

Correct, by default the validation procedure in SignXML requires an X.509 certificate, because that is the common behavior and the safe default. You have to explicitly configure it with a key to override that behavior.
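A bare `<ds:KeyValue>` is vouched for only by the document that carries it, so a verifier that accepts one has to compare it with a key obtained out of band. The sketch below is an added example, not code from this thread or from SignXML: it uses only the Python standard library, makes the trust decision without verifying the signature itself, and `key_info_policy`, `sample_doc` and the toy key are hypothetical names and constructed values.

```python
import base64
import xml.etree.ElementTree as ET  # illustration only; parse untrusted input with a hardened parser (e.g. defusedxml)

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def _b64_to_int(text):
    """Decode a ds:CryptoBinary value (base64 of a big-endian integer)."""
    return int.from_bytes(base64.b64decode("".join((text or "").split())), "big")

def _int_to_b64(n):
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def key_info_policy(signed_xml, pinned_rsa=None):
    """Decide how far the key named in the first ds:Signature can be trusted.

    "x509"          -> certificate present; the verifier still has to validate it
    "pinned-key"    -> bare RSAKeyValue equal to the (modulus, exponent) obtained out of band
    "untrusted-key" -> bare or unreadable key that only the document itself vouches for
    """
    root = ET.fromstring(signed_xml)
    sig = root if root.tag == DS + "Signature" else root.find(f".//{DS}Signature")
    if sig is None:
        return "unsigned"
    key_info = sig.find(f"{DS}KeyInfo")
    if key_info is None:
        return "untrusted-key"
    if key_info.find(f"{DS}X509Data/{DS}X509Certificate") is not None:
        return "x509"
    rsa = key_info.find(f"{DS}KeyValue/{DS}RSAKeyValue")
    if rsa is None or pinned_rsa is None:
        return "untrusted-key"
    try:
        embedded = (_b64_to_int(rsa.findtext(f"{DS}Modulus")),
                    _b64_to_int(rsa.findtext(f"{DS}Exponent")))
    except ValueError:  # malformed base64
        return "untrusted-key"
    return "pinned-key" if embedded == pinned_rsa else "untrusted-key"

# Constructed sample: toy 64-bit modulus and placeholder SignatureValue, not a real key or signature.
PINNED = (0xC5A1F00D9B7E3D41, 65537)

def sample_doc(modulus, exponent=65537):
    return ('<doc><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            "<ds:SignatureValue>AA==</ds:SignatureValue><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>"
            f"<ds:Modulus>{_int_to_b64(modulus)}</ds:Modulus>"
            f"<ds:Exponent>{_int_to_b64(exponent)}</ds:Exponent>"
            "</ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature></doc>")

if __name__ == "__main__":
    print(key_info_policy(sample_doc(PINNED[0]), PINNED))      # key matches the pin
    print(key_info_policy(sample_doc(PINNED[0] ^ 1), PINNED))  # self-asserted, different key
```

A production check has to inspect the same `ds:Signature` element that the verifier validates, not merely the first one found in the document.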