Should `transform` include both transforms if `option[:enveloped]` is true?
kunxi opened this issue · comments
First, thanks for your hard work to address the XML signature pain. I'm just curious about the logic in the `transform!` method: the current implementation only includes one `Transform` node, such as:
```ruby
if options[:enveloped]
  transform_node['Algorithm'] = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
else
  transform_node['Algorithm'] = 'http://www.w3.org/2001/10/xml-exc-c14n#'
end
```
I wonder whether the logic should be something like this, as `xml-exc-c14n` is technically also a `Transform`:
```ruby
transform_nodes = [TransformNode.new('http://www.w3.org/2001/10/xml-exc-c14n#')]
if options[:enveloped]
  transform_nodes.append(TransformNode.new('http://www.w3.org/2000/09/xmldsig#enveloped-signature'))
end
```
In other words, should we always include `xml-exc-c14n#` as a `Transform`?
@kunxi I'm not sure. Looking at some examples (https://www.di-mgt.com.au/xmldsig2.html, https://www.cryptosys.net/sc14n/example-signed-xmldsig.html), most of them have a single `Transform`.
@ebeigarts I could not find any concrete examples to support my hypothesis; here is some circumstantial evidence:

- XML Signature Syntax and Processing Version 1.1 indicates that the canonicalization can be treated as a `Transform`:

  > 6.6.1 Canonicalization
  >
  > Any canonicalization algorithm that can be used for CanonicalizationMethod (such as those in Canonicalization Algorithms (section 6.5)) can be used as a Transform.

- In the XML Signature Best Practices:

  > For simple enveloped signatures: References URI must use local ID reference, and two transforms - Enveloped Signature and C14N, in that order

  Does that imply we should include both?

Again, both of the statements are implicit.
@kunxi sounds like we should include both, I will be happy to merge a pull request.
Awesome, will work on it.