Description
First off, thanks so much for this module, awesome!
Next, I am not too familiar with XML signing and have had a difficult time actually verifying that the signature is OK but it has been running fine for some time...
The problem being that we add two elements in order to produce a valid signature.
You can see the signed request here:
http://b-0389251a222dab85cf34ef28fa5672f0.iso6523-actorid-upis.acc.edelivery.tech.ec.europa.eu/iso6523-actorid-upis::0007:5567321707/services/busdox-docid-qns::urn:oasis:names:specification:ubl:schema:xsd:Invoice-2::Invoice##urn:cen.eu:en16931:2017#compliant#urn:fdc:peppol.eu:2017:poacc:billing:3.0::2.1
It is part of a standardized listing for Peppol SMP (Peppol.eu).
The XML is, as I said, valid and signed correctly but the specification states:
If I remove the additional it is not producing a valid XML signature anymore.
My code is as follows:
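```javascript
const SignedXml = require('xml-crypto').SignedXml;

let sig = new SignedXml();
sig.addReference(
  // XPath selecting the element to sign
  ".//*[local-name(.)='SignedServiceMetadata']",
  // Transforms listed in the <Reference>, applied before digesting
  [
    'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
    'http://www.w3.org/2001/10/xml-exc-c14n#'
  ],
  'http://www.w3.org/2000/09/xmldsig#sha1', // digestAlgorithm
  '', // uri
  '', // digestValue
  '', // inclusiveNamespacesPrefixList
  true // isEmptyUri
);
sig.signatureAlgorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
sig.canonicalizationAlgorithm =
  'http://www.w3.org/TR/2001/REC-xml-c14n-20010315';
// SMP_QVALIA_PRIVKEY and SMP_QVALIA_PUBKEY are defined elsewhere in the application
sig.signingKey = SMP_QVALIA_PRIVKEY;
sig.keyInfoProvider = {
  // Builds the content of <KeyInfo>: subject name plus the certificate
  getKeyInfo: (key, prefix) => {
    return `<X509Data><X509SubjectName>${process.env.SMP_QVALIA_CN}</X509SubjectName><X509Certificate>${SMP_QVALIA_PUBKEY}</X509Certificate></X509Data>`;
  }
};
// xml holds the unsigned document
sig.computeSignature(xml);
let signedXml = sig.getSignedXml();
```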
The above creates the valid signing but according to the spec I need to remove 'http://www.w3.org/2001/10/xml-exc-c14n#'
but doing that the signature becomes invalid...
I think this issue is related: #210
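
A lint for the situation described in this issue, as an added example that is not code from the issue or from xml-crypto: it lists the transforms each `<Reference>` in a signed document declares and flags any outside an allowed list. The allowed list (enveloped-signature only) is an assumption taken from the poster's statement that the exc-c14n transform has to be removed; `lintReferences` and the sample document are constructed for illustration.

```javascript
const ENVELOPED = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature';
const EXC_C14N = 'http://www.w3.org/2001/10/xml-exc-c14n#';

// Assumption: the profile permits only the enveloped-signature transform.
const ALLOWED_TRANSFORMS = [ENVELOPED];

// Returns one entry per <Reference>: its URI, the transforms it declares, and
// any transforms outside the allowed list. Accepts an optional namespace
// prefix (ds:Reference). This is a lint for output produced by your own
// signer; it does not validate the signature or the digest.
function lintReferences(signedXml, allowed = ALLOWED_TRANSFORMS) {
  const refRe = /<((?:[\w.-]+:)?)Reference\b([^>]*)>([\s\S]*?)<\/\1Reference>/g;
  const algRe = /<(?:[\w.-]+:)?Transform\b[^>]*\bAlgorithm\s*=\s*(["'])(.*?)\1/g;
  const report = [];
  for (const [, , attrs, body] of signedXml.matchAll(refRe)) {
    const uri = (/\bURI\s*=\s*(["'])(.*?)\1/.exec(attrs) || [])[2];
    const transforms = [...body.matchAll(algRe)].map((m) => m[2]);
    report.push({
      uri: uri === undefined ? null : uri,
      transforms,
      unexpected: transforms.filter((t) => !allowed.includes(t)),
    });
  }
  return report;
}

// Constructed sample shaped like the output of the code in the issue
// (namespace and digest value are placeholders, not real data).
const SAMPLE = `<SignedServiceMetadata xmlns="urn:example:constructed">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<Reference URI=""><Transforms>
<Transform Algorithm="${ENVELOPED}"/>
<Transform Algorithm="${EXC_C14N}"/>
</Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>CONSTRUCTED</DigestValue></Reference>
</SignedInfo></Signature></SignedServiceMetadata>`;

for (const ref of lintReferences(SAMPLE)) {
  console.log(`URI="${ref.uri}" unexpected transforms:`, ref.unexpected);
}
```

Run it on the signer's output before publishing, so a transform list that drifts from the profile is caught even when the signature itself still validates.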