Decode DigestValue for validation (#160)

Author: xdmnl

lib/signed-xml.js

@@ -480,7 +480,7 @@ SignedXml.prototype.validateReferences = function(doc) {
     var hash = this.findHashAlgorithm(ref.digestAlgorithm)
     var digest = hash.getHash(canonXml)
 
-    if (digest!=ref.digestValue) {
+    if (!validateDigestValue(digest, ref.digestValue)) {
       this.validationErrors.push("invalid signature: for uri " + ref.uri +
                                 " calculated digest is "  + digest +
                                 " but the xml to validate supplies digest " + ref.digestValue)
@@ -491,6 +491,36 @@ SignedXml.prototype.validateReferences = function(doc) {
   return true
 }
 
+function validateDigestValue(digest, expectedDigest) {
+  var buffer, expectedBuffer;
+
+  if (typeof Buffer.from === 'function') {
+    buffer = Buffer.from(digest, 'base64');
+    expectedBuffer = Buffer.from(expectedDigest, 'base64');
+  } else {
+    // Compatibility with Node < 5.10.0
+    buffer = new Buffer(digest, 'base64');
+    expectedBuffer = new Buffer(expectedDigest, 'base64');
+  }
+
+  if (typeof buffer.equals === 'function') {
+    return buffer.equals(expectedBuffer);
+  }
+
+  // Compatibility with Node < 0.11.13
+  if (buffer.length !== expectedBuffer.length) {
+    return false;
+  }
+
+  for (var i = 0; i < buffer.length; i++) {
+    if (buffer[i] !== expectedBuffer[i]) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
 SignedXml.prototype.loadSignature = function(signatureNode) {
   if (typeof signatureNode === 'string') {
     this.signatureNode = signatureNode = new Dom().parseFromString(signatureNode);

test/signature-unit-tests.js

@@ -486,6 +486,7 @@ module.exports = {
     passValidSignature(test, "./test/static/valid_signature_with_lowercase_id_attribute.xml");
     passValidSignature(test, "./test/static/valid_signature wsu.xml", "wssecurity")
     passValidSignature(test, "./test/static/valid_signature_with_reference_keyInfo.xml")
+    passValidSignature(test, "./test/static/valid_signature_with_whitespace_in_digestvalue.xml")
     passValidSignature(test, "./test/static/valid_signature_utf8.xml")
     test.done()
   },

test/static/valid_signature_with_whitespace_in_digestvalue.xml

@@ -0,0 +1,4 @@
+<root><x xmlns="ns" Id="_0"/><y z_attr="value" a_attr1="foo" Id="_1"/><z><ns:w ns:attr="value" xmlns:ns="myns" Id="_2"/></z><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_0"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>b5GCZ2xpP5T7tbLWBTkOl4CYupQ=
+</DigestValue></Reference><Reference URI="#_1"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>K4dI497ZCxzweDIrbndUSmtoezY=
+</DigestValue></Reference><Reference URI="#_2"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>sH1gxKve8wlU8LlFVa2l6w3HMJ0=
+</DigestValue></Reference></SignedInfo><SignatureValue>gGp+jskU2HohMdhaeGTdJBbN/rngzWrQs0+N4bqJDzHQEqUm6rVk0mDoFybJaW0AEXf/dSVhM0faYTwQK0p9aipsAORTaPq677GcdKwyEHHRnly064D8GlikyQ49451SEViy89kYZO1yf+x5MNHNyCi7VVRIixbsSLOUgu0A9Yo=</SignatureValue></Signature></root>