-
-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
verify: Support XAdES encapsulated certificates #182
base: develop
Are you sure you want to change the base?
verify: Support XAdES encapsulated certificates #182
Conversation
Thank you for your contribution. To proceed with merging, we need unit tests to cover all new code paths introduced by this PR. Could you please add unit tests? Let me know if you run into any difficulties running the test suite. |
The XAdES-X-L form includes the full certificate path up to the root certificate, so that the verifier can accept any signature from a certificate that has some path to a trusted root. This is described at: https://www.w3.org/TR/XAdES/#Syntax_forXAdES-X-L_form This commit adds three certificates (and a script to re-generate them if necessary): root, intermediate, and leaf. In the XAdES-X-L test case, we sign with the leaf certificate but include all three in the certificate chain. Verifying these works when the root certificate is given as a trusted root, but fails when it is not considered a trusted root.
I've added a unit test now (see description in latest commit). Please let me know if this is sufficient. |
Thanks again for adding a test, and apologies for the delay in getting your contribution reviewed. I'm OK with merging partial/incremental support for XAdES, especially if it enables specific use cases that people have (like the LibreOffice one you point out). However from a security risk management standpoint, I'd like to sequester XAdES-specific functionality into subclasses that have to be specifically imported and used instead of being on by default. I want to do this because we don't have a full XAdES conformance test suite in place, and I don't have a good enough security analysis of XAdES in hand to be sure that this is safe from new types of substitution/wrapping attacks, etc. for general purpose XMLDSIG verification. If you can separate this functionality into XAdES specific classes, I'm happy to merge this now, otherwise I'll use your branch as a starting point for a more comprehensive XAdES implementation using e.g. https://github.com/esig/dss/tree/master/dss-xades/src/test/resources/validation and https://signatures-conformance-checker.etsi.org/pub/documents/XAdESConformanceTestChecker_v1.0.pdf as starting points. |
I think the latter is probably better. One simple thing I could do if you wanted is to create a subclass of An alternative approach would be to allow an optional I want to avoid doing a full implementation of XAdES since it's far beyond the scope of what I need (and couldn't justify the time for), so something like this would be good. I suggest you go ahead using my branch as a starting point, perhaps using the ideas above if appropriate. |
7a5c538
to
6baf513
Compare
6b21a86
to
6879c98
Compare
9717621
to
82ae152
Compare
7e7f504
to
b3de531
Compare
This change modifies the logic used to find X509 certificates within a Signature element to include
EncapsulatedX509Certificate
elements.This makes it possible to use the XMLVerifier with
documentsignatures.xml
files generated by LibreOffice, which places all certificates in the chain of trust from the signer to the root inEncapsulatedX509Certificate
elements.Related: #139