Signature is invalid when created with StateOrProvince or more than one Role

[informatik01]

Disclaimer I have not deeply researched the cause of the following errors, so I am not absolutely sure whether those bugs are in the DigiDoc4j library code or in the libdigidocpp library code. But because I am using DigiDoc4j in the first place I'm reporting them here

---

I am signing documents using external signing scenario (with the help of hwcrypto.js). All goes fine until I create signature with the following meta-data:

1) StateOrProvince (found by Kertu Hiire from RIA)

So if this info is added to the signature the signing process completes successfully ("Signing BDoc successfully completed") and BDOC container is also successfully saved to a file. But when opening this container with DigiDoc3 klient (version 3.12.1.1450 - latest version as of now) it cannot be opened and the following error is shown:

BDoc.cpp:456 Failed to parse signature 'META-INF/signatures0.xml'. SignatureBES.cpp:300 Failed to parse signature XML: :1:4124 error: element 'StateOrProvince' is not allowed for content model '(City?,StateOrProvince?,PostalCode?,CountryName?)'

2) Roles

When adding more that one role to a signature, again all is fine on the DigiDoc4j side: both signing and saving a container to a file. But when opening the container with DigiDoc3 client, although it still can be opened (unlike the previous case) it is shown that the signature is not valid:

---

Other thoughts

And as you may see in BOTH issue 1 and 2 error messages it is the code in the SignatureBES.cpp file that is responsible for generating those errors. For instance, the restriction (only one role) is enforced ONLY for BDoc-BES format as is seen the code inside the SignatureBES.cpp file.

But important part is that I am explicitly using either Time-mark (SignatureProfile.LT_TM) or Time-stamp (SignatureProfile.TS) so why not SignatureTS.cpp or SignatureTM.cpp are used when opening containers created with the related profiles?

In other words I am not quite sure what is the reason for those errors, i.e. was BDOC container constructed incorrectly or DiciDoc3 client does something wrong.

---

Here is a code excerpt that shows how I create DataToSign object that is to be externally signed:

DataToSign dataToSign = SignatureBuilder.
                aSignature(container).
                withSigningCertificate(signingCert).
                withSignatureDigestAlgorithm(DigestAlgorithm.SHA256).
                withSignatureProfile(SignatureProfile.LT).
                withCountry("Estonia").
                withStateOrProvince("Harjumaa").
                withCity("Tallinn").
                withPostalCode("12618").
                withRoles("Developer", "Sportsman").
                buildDataToSign();

[rvillido]

Thank you for the feedback.

We will investigate where it should be fixed.

[rvillido]

We have investigated the problem and split it into two issues

1. The StateOrProvince issue will be fixed within DigiDoc4j (and perhaps the schema validation rules will be relaxed in the Client application) https://www.pivotaltracker.com/story/show/120521065
2. Support for multiple roles will be added to DigiDoc Client

Thanks for a detailed report

[informatik01]

You're welcome!

[rvillido]

This problem has been fixed in the latest 1.0.4 release.

Signatures can have stateOrProvince and other signature parameter fields filled. Such containers can be opened with DigiDoc Client without problems.

Support for multiple roles must be added to DigiDoc Client separately.

Thanks for the bug report.