
Parallel Signature support #87

Open
brunovianarezende opened this issue Nov 13, 2019 · 6 comments


brunovianarezende commented Nov 13, 2019

I'm trying to use xadesjs to support multiple parallel signatures in a document. My use case is:

  1. a document might be signed by multiple users
  2. each signature is independent of the other signatures, i.e. when signing the document, the part of the document that will be signed won't contain the existing signatures

This would allow, for example, the users to remove their signatures from the document without the need to re-sign the document.

I've tried to use multiple enveloped signatures, but it hasn't worked: it seems like the enveloped signature transformation only removes a single enveloped signature from the document before the signing or validation process.

Then, as a new approach, I decided to have the original document wrapped in another tag and then sign it by using XPath transforms pointing to the original content. It would be something like:

<wrappingTag>
<originalContent />
<signature xpath="//originalContent">...</signature>
<signature xpath="//originalContent">...</signature>
...
</wrappingTag>

But then it seems xadesjs doesn't support the XPath transform. I've seen in PeculiarVentures/xmldsigjs#32 that XPath transform support was, in theory, added to xmldsigjs and as a consequence to xadesjs, but I couldn't make it work. First, I couldn't find anywhere to put the XPath I want to use. I changed the code and, for exploration purposes, hard-coded the XPath I wanted to use, but it didn't work; it seems like the node-set returned by the XPath is just ignored.

Is it possible to do what I want (parallel signature support, using XPath or not) with xadesjs?

@brunovianarezende (Author)

What is described in example 23 at https://www.w3.org/TR/xmldsig-core/#sec-XPath would be perfect for me.

@brunovianarezende (Author)

It seems like using #ID references will be far easier and should just work. I'll comment back in case I make it work.

@microshine (Contributor) commented Nov 18, 2019

Looks like we can fix it by updating XmlDsigEnvelopedSignatureTransform:

public GetOutput(): any {
    if (!this.innerXml) {
        throw new XmlError(XE.PARAM_REQUIRED, "innerXml");
    }

    // Select every ds:Signature element anywhere below the input node,
    // matching on local name and namespace URI so the prefix does not matter.
    const signatures = Select(this.innerXml, ".//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']");
    // Detach each one from its parent; note this strips all Signature elements,
    // not only the one that encloses this transform.
    for (let i = 0; i < signatures.length; i++) {
        const signature = signatures[i];
        if (signature.parentNode) {
            signature.parentNode.removeChild(signature);
        }
    }
    return this.innerXml;
}

@microshine (Contributor)

But I've got a problem with the Node.js version. The XMLDOM module serializes a bad XML document: it doesn't add the namespace to the second Signature object.

Wrong XML

<root>
  <child/>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <ds:Signature/>
</root>

Correct XML

<root>
  <child/>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</root>

@microshine (Contributor)

@brunovianarezende Please check the latest version. I fixed the problem with multiple signatures. xmldsigjs includes a test for that case: https://github.com/PeculiarVentures/xmldsigjs/blob/master/test/transforms.ts#L183

@brunovianarezende (Author)

@microshine: is this correct? I'm reading the xmldsig document (https://www.w3.org/2000/02/xmldsig) and it says (https://www.w3.org/2000/02/xmldsig#def-SignatureEnveloped): "Obviously, enveloped signatures must take care not to include their own value in the calculation of the SignatureValue.", i.e. it doesn't talk about other enveloped signatures in the same document. Looking at https://www.w3.org/TR/xmldsig-core/#sec-EnvelopedSignature I see that the enveloped signature transform should use the XPath

count(ancestor-or-self::dsig:Signature | here()/ancestor::dsig:Signature[1]) > count(ancestor-or-self::dsig:Signature)

to find out what must be removed, i.e. it will only remove itself from the document, not all the signature tags.
