moov-io / signedxml

pure go library for processing signed XML documents
MIT License

Panic when Reference does not have any transform when signing #55

Closed vokup closed 3 months ago

vokup commented 3 months ago

Hello, thank you for your great library.

Currently I'm playing with this library and have found that when I have a ds:Reference that does not have any ds:Transforms (i.e. the element does not appear in the XML document), the library will panic when I try to sign the XML document.

I dug through the code and found that this line is nil when the XML document doesn't have any ds:Transforms in the ds:Reference, causing a panic (an empty ds:Transforms is OK).

My current workaround

Example XML Before Signing

<Root>
  <Inner>
    <Text>Hello World!</Text>
  </Inner>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Id="xmldsig-186cb59f-c7be-4e9d-a1e8-9fa311754f7e">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />
      <ds:Reference Id="xmldsig-186cb59f-c7be-4e9d-a1e8-9fa311754f7e-ref0">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
        <ds:DigestValue></ds:DigestValue>
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
      </ds:Reference>
      <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
        <ds:DigestValue></ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue></ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>HIDDEN</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
    <ds:Object xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"
      xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#" Target="">
      <xades:SignedProperties Id="xmldsig-186cb59f-c7be-4e9d-a1e8-9fa311754f7e-signedprops">
        <xades:SignedSignatureProperties>
          <xades:SigningTime>2024-06-04T16:13:09.320+07:00</xades:SigningTime>
          <xades:SigningCertificate>
            <xades:Cert>
              <xades:CertDigest>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
                <ds:DigestValue>kiffFUcHZhaLu0OkrPZ1Ui99V784vgh4zJrJNNn82+XWUfDzz24SKy4GMId/hxDFxiQaak0AdJRWHPtLUgutIA==</ds:DigestValue>
              </xades:CertDigest>
            </xades:Cert>
            <xades:IssuerSerial>
              <ds:X509IssuerName>HIDDEN</ds:X509IssuerName>
              <ds:X509SerialNumber>HIDDEN</ds:X509SerialNumber>
            </xades:IssuerSerial>
          </xades:SigningCertificate>
        </xades:SignedSignatureProperties>
      </xades:SignedProperties>
    </ds:Object>
  </ds:Signature>
</Root>

PS. I'm also new to XML signing, but I did walk through the XMLDSIG spec and found that the minimum occurrence of ds:Transforms can be 0.

Thank you.
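
The failure described in this report, handled defensively, as an added Go example that is not code from the signedxml library: the optional ds:Transforms element is bound to a pointer field, and a nil pointer yields an empty transform chain (XMLDSIG declares the element with minOccurs="0") instead of being dereferenced. Struct and function names are my own, and the sample document is a constructed, cut-down version of the XML above.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Minimal view of ds:Reference (my own struct, not the signedxml library's types).
type reference struct {
	// Pointer: stays nil when the optional <ds:Transforms> element is absent.
	Transforms *struct {
		Transform []struct {
			Algorithm string `xml:"Algorithm,attr"`
		} `xml:"Transform"`
	} `xml:"Transforms"`
}
// ReferenceTransforms returns each ds:Reference's transform algorithms, in
// SignedInfo order. XMLDSIG makes <ds:Transforms> optional (minOccurs="0"), so a
// missing element is an empty chain, not an error and not a nil dereference.
func ReferenceTransforms(doc []byte) ([][]string, error) {
	var sig struct {
		References []reference `xml:"SignedInfo>Reference"`
	}
	if err := xml.Unmarshal(doc, &sig); err != nil {
		return nil, err
	}
	chains := make([][]string, 0, len(sig.References))
	for _, ref := range sig.References {
		chain := []string{} // empty, never nil: absent and empty <ds:Transforms> agree
		if ref.Transforms != nil { // unguarded ref.Transforms.Transform is the panic
			for _, t := range ref.Transforms.Transform {
				chain = append(chain, t.Algorithm)
			}
		}
		chains = append(chains, chain)
	}
	return chains, nil
}
// Constructed sample (cut down from the issue's XML): ref0 has two transforms, the XAdES SignedProperties reference has none.
const SampleSignature = `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference Id="ref0"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/></ds:Reference><ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/></ds:Reference></ds:SignedInfo></ds:Signature>`

func main() {
	chains, err := ReferenceTransforms([]byte(SampleSignature))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d references, transform chains: %q\n", len(chains), chains)
}
```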

adamdecaf commented 3 months ago

Thanks for providing the xml. That really helps create a test case. I've fixed the panic and will make a release shortly.