bseddon
commented
3 years ago My apologies for any interruption this message has caused. After working through the issue today, the people who wrote the code to use the .NET Framework SignedXml class did not enable the option to preserve white space on XML document load. As a result whitespace within <SignedInfo> was being removed so the production of the signature value operated on a different sequence of bytes. When the option to preserve whitespace is enabled .NET Framework SignedXml class validates the signature.
I have been double-checking my understanding of what the XAdESCC tool is checking. As well as checking the structure of the signature elements, it also appears to verify the computed <ds:Reference> digests and the <ds:SignatureValue>. To check these beliefs I have been manually modifying the generated XML to cause errors.
However, one of my investigation tests causes the report of an error I'm not expecting so I'm hoping you will kind enough to let me know if the the XAdESCC tool does also check the signature. A summary of my investigation leading to this request is included below.
The reason for wanting to be sure about the tests performed by XAdESCC is that I am also using the SignedXml class from Microsoft's .NET Framework to verify signatures I generate. However, this class fails to verify the signatures I generate while XAdESCC does.
As mentioned, as a result of my investigations, I'm not 100% sure about the check on the <ds:SignatureValue>. When I use the file 'signature-xbrlquery-remote.xml' (which is in the attached zip file) XAdESCC reports just the two errors we corresponded about in issue #19. These are errors you are no longer able to see when using your local copy. That is, it appears to agree the signature is OK. The full report produced by XAdESCC includes a 'success' indicator for 'CheckIfIsXAdESSignature'.
When I use the file 'signature-xbrlquery-remote-with-space.xml' (also in the attached zip) I see an error but not the one I expect. If you were to compare the two files in the zip file you will find they are different by just a single space within <SignedInfo>. This is my attempt to invalidate the signature value.
However, the error I see is shown in the partial screenshot. I was expecting something perhaps like 'CheckIfIsXAdESSignature' with an 'error' indicator. Instead the error reported is 'CheckIfSignerCertIsInKeyInfo'. It seems the addition of a space has made it impossible for XAdESCC to find the signing certificate.
xadescc-tests.zip