diff --git a/signxml/xades/xades.py b/signxml/xades/xades.py index 1149a61..6ffcb63 100644 --- a/signxml/xades/xades.py +++ b/signxml/xades/xades.py @@ -272,8 +272,9 @@ class XAdESVerifier(XAdESProcessor, XMLVerifier): def _verify_signing_time(self, verify_result: VerifyResult): pass - def _verify_cert_digest(self, signing_cert_node, expect_cert): - for cert in self._findall(signing_cert_node, "xades:Cert"): + def _verify_cert_digest(self, signing_cert_node, expect_cert, idx): + cert = self._find(signing_cert_node, "xades:Cert[{0}]".format(idx), False) + if cert is not None: cert_digest = self._find(cert, "xades:CertDigest") digest_alg = DigestAlgorithm(self._find(cert_digest, "DigestMethod").get("Algorithm")) digest_value = self._find(cert_digest, "DigestValue") @@ -285,20 +286,23 @@ def _verify_cert_digest(self, signing_cert_node, expect_cert): def _verify_cert_digests(self, verify_result: VerifyResult): x509_data = verify_result.signature_xml.find("ds:KeyInfo/ds:X509Data", namespaces=namespaces) - cert_from_key_info = load_certificate( - FILETYPE_PEM, add_pem_header(self._find(x509_data, "X509Certificate").text) - ) - signed_signature_props = self._find(verify_result.signed_xml, "xades:SignedSignatureProperties") - signing_cert = self._find(signed_signature_props, "xades:SigningCertificate", require=False) - signing_cert_v2 = self._find(signed_signature_props, "xades:SigningCertificateV2", require=False) - if signing_cert is None and signing_cert_v2 is None: - raise InvalidInput("Expected to find XML element xades:SigningCertificate or xades:SigningCertificateV2") - if signing_cert is not None and signing_cert_v2 is not None: - raise InvalidInput("Expected to find exactly one of xades:SigningCertificate or xades:SigningCertificateV2") - if signing_cert is not None: - self._verify_cert_digest(signing_cert, expect_cert=cert_from_key_info) - elif signing_cert_v2 is not None: - self._verify_cert_digest(signing_cert_v2, expect_cert=cert_from_key_info) + for idx, x_cert in enumerate(self._findall(x509_data, "X509Certificate")): + cert_from_key_info = load_certificate(FILETYPE_PEM, add_pem_header(x_cert.text)) + signed_signature_props = self._find(verify_result.signed_xml, "xades:SignedSignatureProperties") + signing_cert = self._find(signed_signature_props, "xades:SigningCertificate", require=False) + signing_cert_v2 = self._find(signed_signature_props, "xades:SigningCertificateV2", require=False) + if signing_cert is None and signing_cert_v2 is None: + raise InvalidInput( + "Expected to find XML element xades:SigningCertificate or xades:SigningCertificateV2" + ) + if signing_cert is not None and signing_cert_v2 is not None: + raise InvalidInput( + "Expected to find exactly one of xades:SigningCertificate or xades:SigningCertificateV2" + ) + if signing_cert is not None: + self._verify_cert_digest(signing_cert, expect_cert=cert_from_key_info, idx=(idx + 1)) + elif signing_cert_v2 is not None: + self._verify_cert_digest(signing_cert_v2, expect_cert=cert_from_key_info, idx=(idx + 1)) def _verify_signature_policy(self, verify_result: VerifyResult, expect_signature_policy: XAdESSignaturePolicy): signed_signature_props = self._find(verify_result.signed_xml, "xades:SignedSignatureProperties") diff --git a/test/test.py b/test/test.py index 69782d1..2992101 100755 --- a/test/test.py +++ b/test/test.py @@ -740,7 +740,6 @@ def test_xades_interop_examples(self): "corrupted-cert": etree.DocumentInvalid, # FIXME - flaky validation "cert-v2-wrong-digest": InvalidDigest, "wrong-sign-cert-digest": InvalidDigest, - "nonconformant-X_BE_CONN_10": InvalidDigest, "sigPolStore-noDigest": InvalidInput, } for sig_file in glob(os.path.join(os.path.dirname(__file__), "xades", "*.xml")):