no validation against CAP root CA ?

[maaikelimper]

According to README.md self-signed certificates should not pass validation:
https://github.com/wmo-im/capvalidator/blob/main/README.md?plain=1#L14-L19

However, when testing the signature check I noticed that my test-XML did pass validation despite using a locally generated certificate.

I've checked the code and I note that the signature checks against the embedded certificate and I do not see any reference to a root CA:
https://github.com/wmo-im/capvalidator/blob/main/src/capvalidator/validate.py#L55-L71

What is the CAP root CA and/or how does the signature ensure that the certificate was not self-signed ?

[maaikelimper]

here's an AI-based analysis of the code

The code provided does not validate whether the certificate used in the signature verification is issued by an authoritative Root Certificate Authority (CA). It only checks the integrity of the XML signature and ensures that the digital signature corresponds to the content of the XML document. Here’s why and what’s missing:

What the Code Does:

• Locate the Certificate: It retrieves the ds:X509Certificate element from the XML and extracts the embedded X.509 certificate.
• Verify the Signature: The XMLVerifier().verify method checks the digital signature of the XML document. It ensures:
• The signature cryptographically matches the content of the XML.
• The signature was created using the private key corresponding to the public key in the provided certificate.

What the Code Does Not Do:

• Validate the Certificate Chain: It does not verify if the X.509 certificate presented is signed by a trusted Root CA or intermediate CA.
• Check Revocation Status: It does not query Certificate Revocation Lists (CRLs) or use the Online Certificate Status Protocol (OCSP) to ensure the certificate has not been revoked.
• Verify the Certificate's Purpose: It does not confirm that the certificate has been issued for the purpose of signing documents (via the Key Usage or Extended Key Usage extensions).