Open potatocode420 opened 5 months ago
You will be able to see from the last changed dates in the repository it's not been update in some time so my response is going to be affected by that.
Things may have changed but three years ago xmlseclibs did not implement transformations well. Maybe that's why there's no loop? Based on the information provided it's not really possible to give much of an answer. Does the containing XPath element include a namespace for 'cac'?
Yup, the XML looks something like this: https://[sdk.myinvois.hasil.gov.my/files/one-doc-signed.xml](https://sdk.myinvois.hasil.gov.my/files/one-doc-signed.xml)
Update - I found that the xpath query actually is returning some namespaces. So now I will just try to figure out why the C14N method that is giving us an empty string.
update 2: No, xpath query was not returning anything.
Good idea. On the way to work it occurred to me to me maybe the parameters passed to the C14N function are not right.
But you might check the
<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<XPath xmlns:dsig="&dsig;">
not(ancestor-or-self::dsig:Signature)
</XPath>
</Transform>
You can see the
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>not(//ancestor-or-self::ext:UBLExtensions)</ds:XPath>
</ds:Transform>
If the C14N function is not passed the namespace for 'cac' it will not be able to find the elements. Maybe this will have an effect?
I do not have any experience using a signature that is in a namespace that is not 'http://www.w3.org/2000/09/xmldsig#'. It maybe the code expects to use the DSig namespace not the cac namespace.
The namespace is there because I tried to change the xpath to (ancestor-or-self::cac:Signature) and it worked. Something seems to be up with this "not" in XPath here - it can't select anything even in XPath testers. I believe this is the reason why the C14N method wasn't able to detect the path. As a result the document also probably has not been canonicalized at all.
If it turns out that the XPath is really screwed, I might consider a workaround where I manually canonicalize and append transform nodes.
Thanks for the help!
My transformation xpath (e.g. not(//ancestor-or-self::cac:Signature)) is returning a false value. Because of this, canonicalizeData method will also give me an empty string (but I still need this exact same transform value to be there).
I have checked the original xmlseclibs library and it doesn't do a loop. Would it be possible to start with a fresh copy of objData at the start of each foreach iteration, or would that ruin the whole purpose of the transforms since the xpath doesn't seem to be correct anyway?