Support omitting SigningCertificate property #289

Closed
luisgoncalves opened this issue Jul 29, 2024 · 8 comments · Fixed by #296
@luisgoncalves (Owner)

Add new configuration option to skip adding the SigningCertificate property if the signing certificate (or its issuer/serial) is included in KeyInfo and KeyInfo is signed.

This is a bit against the recommendations (namely the baseline profile), but it may help in some cases.

Not including SigningCertificate is allowed by the spec if "incorporating the signing certificate within the ds:KeyInfo element and signing at least the signing certificate."

More details:

@luisgoncalves (Owner, Author)

@hanadderia a new release will be out soon. There's a new omitSigningCertificateProperty option in BasicSignatureOptions. It can only be enabled if the signing certificate (or its issuer/serial) is included in KeyInfo and KeyInfo is signed.

@hanadderia

Hello @luisgoncalves,

Thank you for the swift update and for adding the omitSigningCertificateProperty option to the BasicSignatureOptions. We appreciate your effort in accommodating our request. The ability to enable this option when the signing certificate is included in KeyInfo and KeyInfo is signed will be incredibly helpful for our project.

Looking forward to the new release!

Best regards,

@luisgoncalves (Owner, Author)

You're welcome. Let me know in case something is still off.

The new release should be up by now.

Best regards.

@hanadderia commented Aug 9, 2024

Thanks @luisgoncalves, it's working as expected.

<ds:Object>
    <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#">
        <xades:SignedProperties xmlns:ns6="http://uri.etsi.org/01903/v1.4.1#" Id="_4cd24fac-f005-472b-be86-dd85b40c91bb-signedprops">
            <xades:SignedSignatureProperties>
                <xades:SigningTime>2024-08-09T00:00:00Z</xades:SigningTime>
            </xades:SignedSignatureProperties>
        </xades:SignedProperties>
    </xades:QualifyingProperties>
</ds:Object>

But when this property omitSigningCertificateProperty is enabled, the verifier fails with the following error:
Signature doesn't follow any of the XAdES forms

@luisgoncalves (Owner, Author)

@hanadderia I missed the last part of your previous message.

Right, I didn't add support for the verifier to process signatures without SigningCertificate. Perhaps I could do that.

Do you also mean that the target system rejects it?

@hanadderia commented Sep 10, 2024

Hello @luisgoncalves. No, the target system is accepting the signature, but the local verifier is not working.

Thanks, that will help a lot.

@luisgoncalves (Owner, Author)

Created #302 as a follow-up. It may be tricky to implement, so not sure if I'll end up doing it.

@luisgoncalves (Owner, Author)

@hanadderia I've implemented the follow-up ticket, to be able to validate signatures without the SigningCertificate property but including the signing certificate in a KeyInfo element which is itself covered by the signature.
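An added example, not xades4j's code, of the structural condition this thread turns on (the spec rule quoted in the issue body, and what a verifier has to accept per the follow-up above): the SigningCertificate property may be omitted only when ds:KeyInfo carries the signing certificate or its issuer/serial and a ds:Reference in SignedInfo covers KeyInfo. Element and attribute names are the standard XML-DSig and XAdES ones; the sample signatures, their Id values and digest values are constructed placeholders. The check is structural only: digests and the SignatureValue still have to be verified by a real XML-DSig implementation before the outcome means anything.

```python
# Added example (not xades4j code): structural check of the XAdES rule that
# lets SigningCertificate be omitted when KeyInfo identifies the signer and
# KeyInfo is itself covered by the signature. Digests and SignatureValue are
# NOT verified here.
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xades": "http://uri.etsi.org/01903/v1.3.2#",
}


def has_signing_certificate_property(sig):
    """True if SignedSignatureProperties carries SigningCertificate (or V2)."""
    base = ".//xades:SignedSignatureProperties/"
    return (sig.find(base + "xades:SigningCertificate", NS) is not None
            or sig.find(base + "xades:SigningCertificateV2", NS) is not None)


def key_info_identifies_signer(key_info):
    """True if KeyInfo holds the certificate itself or its issuer/serial."""
    return (key_info.find(".//ds:X509Data/ds:X509Certificate", NS) is not None
            or key_info.find(".//ds:X509Data/ds:X509IssuerSerial", NS) is not None)


def key_info_is_signed(sig, key_info):
    """True if some ds:Reference in SignedInfo points at KeyInfo by its Id."""
    key_info_id = key_info.get("Id")
    if key_info_id is None:
        return False
    return any(ref.get("URI") == "#" + key_info_id
               for ref in sig.findall("ds:SignedInfo/ds:Reference", NS))


def classify(signature_xml):
    """How the signature identifies its signing certificate, or 'not-xades'."""
    sig = ET.fromstring(signature_xml)
    if has_signing_certificate_property(sig):
        return "signing-certificate-property"
    key_info = sig.find("ds:KeyInfo", NS)
    if (key_info is not None and key_info_identifies_signer(key_info)
            and key_info_is_signed(sig, key_info)):
        return "signed-key-info"
    # Neither form: this is the situation a verifier rejects as not XAdES.
    return "not-xades"


def build_sample(*, with_property, reference_key_info):
    """Constructed minimal ds:Signature skeleton for the checks above.
    Ids, certificate and digest/signature values are placeholders."""
    prop = ("<xades:SigningCertificate><xades:Cert/></xades:SigningCertificate>"
            if with_property else "")
    ki_ref = ('<ds:Reference URI="#keyinfo"><ds:DigestValue>AAAA</ds:DigestValue>'
              "</ds:Reference>" if reference_key_info else "")
    return f"""<ds:Signature xmlns:ds="{NS['ds']}" xmlns:xades="{NS['xades']}" Id="sig">
  <ds:SignedInfo>
    <ds:Reference URI="#data"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    <ds:Reference URI="#signedprops" Type="http://uri.etsi.org/01903#SignedProperties">
      <ds:DigestValue>AAAA</ds:DigestValue>
    </ds:Reference>
    {ki_ref}
  </ds:SignedInfo>
  <ds:SignatureValue>AAAA</ds:SignatureValue>
  <ds:KeyInfo Id="keyinfo">
    <ds:X509Data><ds:X509Certificate>MIIB...placeholder</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo>
  <ds:Object>
    <xades:QualifyingProperties Target="#sig">
      <xades:SignedProperties Id="signedprops">
        <xades:SignedSignatureProperties>
          <xades:SigningTime>2024-08-09T00:00:00Z</xades:SigningTime>
          {prop}
        </xades:SignedSignatureProperties>
      </xades:SignedProperties>
    </xades:QualifyingProperties>
  </ds:Object>
</ds:Signature>"""


if __name__ == "__main__":
    cases = [
        ("property present", dict(with_property=True, reference_key_info=False)),
        ("omitted, KeyInfo signed", dict(with_property=False, reference_key_info=True)),
        ("omitted, KeyInfo not signed", dict(with_property=False, reference_key_info=False)),
    ]
    for name, kwargs in cases:
        print(f"{name}: {classify(build_sample(**kwargs))}")
```

The third case is the one worth keeping in mind when enabling omitSigningCertificateProperty: a certificate that sits in KeyInfo but is not covered by a Reference is not bound to the signature at all, so a verifier has no spec-backed way to treat it as the signing certificate.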
