Undefined method xpath for String

[xxswingxx]

Hi, I'm having to sign an xml with the canonicalization as the first transformation:

...
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-63c35f38-2b5f-4600-b3da-3ddee86d62b3-Signature">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference Id="Reference-7e6f3481-4acc-47de-90fd-67878ad15e8e" Type="http://www.w3.org/2000/09/xmldsig#Object" URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
            <ds:XPath xmlns:ds="http://www.w3.org/2000/09/xmldsig#">not(ancestor-or-self::ds:Signature)</ds:XPath>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
        <ds:DigestValue>2hkA19hRLUHwVlkmokFcnIUGv96nrhi8ZIgSoYuTNJ98wgoKE8iT1UzdgGJzDQ79+3LjjH6qzZEMwSYewyVNcg==</ds:DigestValue>
...

However it seems that by applying that first canonicalization as the first transformation node, the @node variable from https://github.com/benoist/xmldsig/blob/master/lib/xmldsig/transforms.rb#L7 is converted from a Nokogiri::XML::Element to a regular String which makes all the subsequent transformation to fail.

Given my inexperience with signing xml I'm not sure if applying the canonicalization as the first transformation is a regular or correct use case or if it's just unsupported by the gem.

[benoist]

Nokogiri returns an XML string after canonicalization which makes sense as the order of the elements is then guaranteed.

I'm not sure if it solves your case, but something that can be tried is to always do the canonicalization last, regardless of the order in the XML.

That would have to be changed here:
https://github.com/benoist/xmldsig/blob/master/lib/xmldsig/transforms.rb

Not sure if you have time to create a PR for this?
Unfortunately I won't have time to implement this.

[xxswingxx]

Hi @benoist thanks for the prompt reply. I think I might write a PR for this but as I mentioned I don't have too much experience with XML signing so I have some doubts about the signature (not the process of signing). Is the order of the canonicalization important? Does it affect the signature value?

[benoist]

Canonicalization means that XML will be converted to a format based on rules. So anyone can create XML with attribute orders as they like, no order guarantee required.

Canonicalization ensures all attributes are put in the correct order, whitespace is managed properly etc. Every byte before signing is significant. So yes order is also important.
If you modify the XML after canonicalization, you won't have the guarantee the attributes remain the correct order and whitespace is preserved correctly, so AFAIK it needs to be done last.