-
-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added option to exclude c14n tranformation from Transform
XML node
#104
base: main
Are you sure you want to change the base?
Conversation
Some software can uses hard restrictions on Transform XML node, that prohibit include c14n transformation into Transform XML node.
Codecov Report
@@ Coverage Diff @@
## master #104 +/- ##
==========================================
+ Coverage 94.89% 94.91% +0.01%
==========================================
Files 3 3
Lines 588 590 +2
==========================================
+ Hits 558 560 +2
Misses 30 30
Continue to review full report at Codecov.
|
a8dc0e5
to
02e538c
Compare
4a7ead8
to
8e2e234
Compare
brew return error if package already installed - changed scripts to check package installation. For python3 use venv module instead virtualenv
Thank you for your contribution. Generally, I am unwilling to add options to the main codebase that result in signatures that don't pass validation by other XML Signature implementations (such as https://github.com/lsh123/xmlsec and https://github.com/yaronn/xml-crypto). In this case I don't have enough information to gather whether or not that is the case, so I have to ask you to give me some details about which XML signature implementations are able to verify the resulting signature. Similarly, I'd like to understand whether setting this option to Aside from that, there are a couple of practical issues with the PR:
This library is built to be extensible. Even if this option is not introduced into the library, you have the option of subclassing the |
There is a project https://github.com/vo-va/signxml-test/tree/master with Docker container that verify signed document with xmlsec and xml-crypto. I used xmlsec1 util and example from xml-crypto docs to verify signature.
If I understand correctly xmlsign tests verify signed document with this scheme https://github.com/XML-Security/signxml/blob/master/signxml/schemas/xmldsig-core-schema.xsd Also standard scheme is not limit amount of transformation https://github.com/XML-Security/signxml/blob/master/signxml/schemas/xmldsig-core-schema.xsd#L117 I am not sure what my changes will test all cases. Can you look at my changes and say is it enough or not? |
Hi @kislyuk, I do not want to bother you, but can you review pull request and say me your verdict? Reject/Accept? Or maybe I should change something? |
Thank you for your patience. I want you to know that I haven't forgotten about this PR, but currently have no time to review it (and the nature of the changes is such that this requires a substantial review). I'll get back to this ASAP, hopefully sometime around next weekend. |
Any chance of getting this merged? I too am hitting the same issue. |
Thank you for your work on this PR so far, @vo-va, and sorry about the delays in handling this. I don't currently use software that is incompatible with the way SignXML produces signatures. It's clear that there is demand for fixing the underlying issue here, which as far as I know is that SignXML only produces "Compatibility Mode" signatures, and not "2.0" signatures (thank you @tjeb for pointing toward that fact). I have described the issue in further detail in #142. With apologies for not having had time to look at this issue in this level of detail sooner, I must ask that someone familiar with these applications write a principled solution for #142, with a separate test case, if you want this issue to be resolved. I'm going to leave this PR open as a reference, but it has major issues that prevent it from being merged. The PR:
A solution to this issue should address these problems. Again, apologies for the delays in handling this, but I am one person maintaining this library in my spare time outside my line of work, and it carries serious security requirements. Handling issues in this library requires substantial time, focus and clarity in understanding the underlying problems, given the issues in the underlying standard and the diversity of software interfacing with it. If you want to help, please contribute clear, maintainer-friendly solutions. |
04b5d0e
to
c6b7dec
Compare
8f30f82
to
06e5f93
Compare
7a5c538
to
6baf513
Compare
6b21a86
to
6879c98
Compare
9717621
to
82ae152
Compare
Might I inquire as to the current progress for this PR? Are you still looking for a more robust PR, or have you already implemented this? |
@davidcolclazier please see #104 (comment) - PRs that address the points that I made in that comment are welcome. |
7e7f504
to
b3de531
Compare
Some software can uses hard restrictions on Transform XML node, that prohibit include c14n transformation into Transform XML node.
Pull request to resolve issue #43