consolidate signature reference processing logic, add tests

shunkica · shunkica · commit 77f860cbf1f8 · 2025-06-21T12:42:46.000+02:00
diff --git a/src/signed-xml.ts b/src/signed-xml.ts
@@ -1334,37 +1334,23 @@ export class SignedXml {
     prefix = prefix ? `${prefix}:` : prefix;
     const signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
 
+    // Find the SignedInfo element to append to
+    const signedInfoNode = xpath.select1(
+      `.//*[local-name(.)='SignedInfo']`,
+      signatureDoc,
+    ) as Element;
+    if (!signedInfoNode) {
+      throw new Error("Could not find SignedInfo element in signature");
+    }
+
     // Process each signature reference
     for (const ref of signatureReferences) {
-      const uri = ref.uri?.[0] === "#" ? ref.uri.substring(1) : ref.uri;
-      if (!uri) {
-        continue;
-      }
-
-      // Find the referenced element in the document
-      const objectXpath = `//*[@Id='${uri}']`;
-      const selectResult = xpath.select(objectXpath, signatureDoc);
-
-      // Ensure result is an array of nodes
-      const nodes: Node[] = [];
-      if (Array.isArray(selectResult)) {
-        selectResult.forEach((node) => nodes.push(node));
-      } else if (selectResult !== null) {
-        // If it's a single node, add it to the array
-        nodes.push(selectResult as Node);
-      }
+      const nodes = xpath.selectWithResolver(ref.xpath ?? "", signatureDoc, this.namespaceResolver);
 
       if (!utils.isArrayHasLength(nodes)) {
-        throw new Error(`Could not find element with ID ${uri} for signature reference`);
-      }
-
-      // Find the SignedInfo element to append to
-      const signedInfoNode = xpath.select1(
-        `.//*[local-name(.)='SignedInfo']`,
-        signatureDoc,
-      ) as Element;
-      if (!signedInfoNode) {
-        throw new Error("Could not find SignedInfo element in signature");
+        throw new Error(
+          `the following xpath cannot be signed because it was not found: ${ref.xpath}`,
+        );
       }
 
       // Process the reference
@@ -1374,7 +1360,13 @@ export class SignedXml {
           signatureNamespace,
           `${prefix}Reference`,
         );
-        referenceElem.setAttribute("URI", `#${uri}`);
+        if (ref.isEmptyUri) {
+          referenceElem.setAttribute("URI", "");
+        } else {
+          const id = this.ensureHasId(node);
+          ref.uri = id;
+          referenceElem.setAttribute("URI", `#${id}`);
+        }
 
         const transformsElem = signatureDoc.createElementNS(
           signatureNamespace,
diff --git a/test/signature-object-tests.spec.ts b/test/signature-object-tests.spec.ts
@@ -229,6 +229,288 @@ describe("Object support in XML signatures", function () {
     expect(isValid).to.be.true;
   });
 
+  it("should sign Object with SHA256 digest algorithm", function () {
+    // Create a simple XML document to sign
+    const xml = '<root><x xmlns="ns"></x><y attr="value"></y><z><w></w></z></root>';
+
+    // Create a SignedXml instance with custom getObjectContent
+    const sig = new SignedXml({
+      getObjectContent: () => [
+        {
+          content: "<Data>Test data for SHA256 digest</Data>",
+          attributes: {
+            Id: "object1",
+            MimeType: "text/xml",
+          },
+        },
+      ],
+    });
+
+    // Set up the signature
+    sig.privateKey = fs.readFileSync("./test/static/client.pem");
+
+    // Add a reference to the document element
+    sig.addReference({
+      xpath: "//*[local-name(.)='x']",
+      digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256",
+      transforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"],
+    });
+
+    // Add a reference to the Object element with SHA256
+    sig.addReference({
+      xpath: "//*[@Id='object1']",
+      digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256",
+      transforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"],
+      isSignatureReference: true,
+    });
+
+    // Set required algorithms
+    sig.canonicalizationAlgorithm = "http://www.w3.org/2001/10/xml-exc-c14n#";
+    sig.signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+
+    // Compute the signature
+    sig.computeSignature(xml);
+
+    // Get the signed XML
+    const signedXml = sig.getSignedXml();
+
+    // Parse the signed XML
+    const doc = new xmldom.DOMParser().parseFromString(signedXml);
+
+    // Verify that the ds:Object element exists
+    const objectNodes = xpath.select("//*[local-name(.)='Object']", doc);
+    isDomNode.assertIsArrayOfNodes(objectNodes);
+    expect(objectNodes.length).to.equal(1);
+
+    // Verify that there are two Reference elements
+    const referenceNodes = xpath.select("//*[local-name(.)='Reference']", doc);
+    isDomNode.assertIsArrayOfNodes(referenceNodes);
+    expect(referenceNodes.length).to.equal(2);
+
+    // Verify that the references use SHA256
+    const digestMethodNodes = xpath.select("//*[local-name(.)='DigestMethod']", doc);
+    isDomNode.assertIsArrayOfNodes(digestMethodNodes);
+
+    for (const digestMethod of digestMethodNodes) {
+      isDomNode.assertIsElementNode(digestMethod);
+      expect(digestMethod.getAttribute("Algorithm")).to.equal(
+        "http://www.w3.org/2001/04/xmlenc#sha256",
+      );
+    }
+
+    // Verify that the signature method is RSA-SHA256
+    const signatureMethod = xpath.select1("//*[local-name(.)='SignatureMethod']", doc);
+    isDomNode.assertIsElementNode(signatureMethod);
+    expect(signatureMethod.getAttribute("Algorithm")).to.equal(
+      "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+    );
+
+    // Verify that the signature is still valid
+    const verifier = new SignedXml();
+    verifier.publicCert = fs.readFileSync("./test/static/client_public.pem");
+
+    // First load the signature
+    const signatureNode = xpath.select1(
+      "//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']",
+      doc,
+    );
+    isDomNode.assertIsNodeLike(signatureNode);
+    verifier.loadSignature(signatureNode);
+
+    // Then check the signature
+    const isValid = verifier.checkSignature(signedXml);
+    expect(isValid).to.be.true;
+  });
+
+  it("should sign Object with SHA512 digest algorithm and RSA-SHA512 signature", function () {
+    // Create a simple XML document to sign
+    const xml = '<root><x xmlns="ns"></x><y attr="value"></y><z><w></w></z></root>';
+
+    // Create a SignedXml instance with custom getObjectContent
+    const sig = new SignedXml({
+      getObjectContent: () => [
+        {
+          content: "<Data>Test data for SHA512 digest</Data>",
+          attributes: {
+            Id: "object1",
+            MimeType: "text/xml",
+          },
+        },
+      ],
+    });
+
+    // Set up the signature
+    sig.privateKey = fs.readFileSync("./test/static/client.pem");
+
+    // Add a reference to the document element
+    sig.addReference({
+      xpath: "//*[local-name(.)='x']",
+      digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha512",
+      transforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"],
+    });
+
+    // Add a reference to the Object element with SHA512
+    sig.addReference({
+      xpath: "//*[@Id='object1']",
+      digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha512",
+      transforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"],
+      isSignatureReference: true,
+    });
+
+    // Set required algorithms
+    sig.canonicalizationAlgorithm = "http://www.w3.org/2001/10/xml-exc-c14n#";
+    sig.signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
+
+    // Compute the signature
+    sig.computeSignature(xml);
+
+    // Get the signed XML
+    const signedXml = sig.getSignedXml();
+
+    // Parse the signed XML
+    const doc = new xmldom.DOMParser().parseFromString(signedXml);
+
+    // Verify that the ds:Object element exists
+    const objectNodes = xpath.select("//*[local-name(.)='Object']", doc);
+    isDomNode.assertIsArrayOfNodes(objectNodes);
+    expect(objectNodes.length).to.equal(1);
+
+    // Verify that there are two Reference elements
+    const referenceNodes = xpath.select("//*[local-name(.)='Reference']", doc);
+    isDomNode.assertIsArrayOfNodes(referenceNodes);
+    expect(referenceNodes.length).to.equal(2);
+
+    // Verify that the references use SHA512
+    const digestMethodNodes = xpath.select("//*[local-name(.)='DigestMethod']", doc);
+    isDomNode.assertIsArrayOfNodes(digestMethodNodes);
+
+    for (const digestMethod of digestMethodNodes) {
+      isDomNode.assertIsElementNode(digestMethod);
+      expect(digestMethod.getAttribute("Algorithm")).to.equal(
+        "http://www.w3.org/2001/04/xmlenc#sha512",
+      );
+    }
+
+    // Verify that the signature method is RSA-SHA512
+    const signatureMethod = xpath.select1("//*[local-name(.)='SignatureMethod']", doc);
+    isDomNode.assertIsElementNode(signatureMethod);
+    expect(signatureMethod.getAttribute("Algorithm")).to.equal(
+      "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+    );
+
+    // Verify that the signature is still valid
+    const verifier = new SignedXml();
+    verifier.publicCert = fs.readFileSync("./test/static/client_public.pem");
+
+    // First load the signature
+    const signatureNode = xpath.select1(
+      "//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']",
+      doc,
+    );
+    isDomNode.assertIsNodeLike(signatureNode);
+    verifier.loadSignature(signatureNode);
+
+    // Then check the signature
+    const isValid = verifier.checkSignature(signedXml);
+    expect(isValid).to.be.true;
+  });
+
+  it("should sign Object with C14N canonicalization algorithm", function () {
+    // Create a simple XML document to sign
+    const xml = '<root><x xmlns="ns"></x><y attr="value"></y><z><w></w></z></root>';
+
+    // Create a SignedXml instance with custom getObjectContent
+    const sig = new SignedXml({
+      getObjectContent: () => [
+        {
+          content: "<Data>Test data for C14N canonicalization</Data>",
+          attributes: {
+            Id: "object1",
+            MimeType: "text/xml",
+          },
+        },
+      ],
+    });
+
+    // Set up the signature
+    sig.privateKey = fs.readFileSync("./test/static/client.pem");
+
+    // Add a reference to the document element
+    sig.addReference({
+      xpath: "//*[local-name(.)='x']",
+      digestAlgorithm: "http://www.w3.org/2000/09/xmldsig#sha1",
+      transforms: ["http://www.w3.org/TR/2001/REC-xml-c14n-20010315"],
+    });
+
+    // Add a reference to the Object element
+    sig.addReference({
+      xpath: "//*[@Id='object1']",
+      digestAlgorithm: "http://www.w3.org/2000/09/xmldsig#sha1",
+      transforms: ["http://www.w3.org/TR/2001/REC-xml-c14n-20010315"],
+      isSignatureReference: true,
+    });
+
+    // Set required algorithms
+    sig.canonicalizationAlgorithm = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315";
+    sig.signatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+
+    // Compute the signature
+    sig.computeSignature(xml);
+
+    // Get the signed XML
+    const signedXml = sig.getSignedXml();
+
+    // Parse the signed XML
+    const doc = new xmldom.DOMParser().parseFromString(signedXml);
+
+    // Verify that the ds:Object element exists
+    const objectNodes = xpath.select("//*[local-name(.)='Object']", doc);
+    isDomNode.assertIsArrayOfNodes(objectNodes);
+    expect(objectNodes.length).to.equal(1);
+
+    // Verify that there are two Reference elements
+    const referenceNodes = xpath.select("//*[local-name(.)='Reference']", doc);
+    isDomNode.assertIsArrayOfNodes(referenceNodes);
+    expect(referenceNodes.length).to.equal(2);
+
+    // Verify that the transforms use C14N
+    const transforms = xpath.select(
+      "//*[local-name(.)='Reference']/*[local-name(.)='Transforms']/*[local-name(.)='Transform']",
+      doc,
+    );
+    isDomNode.assertIsArrayOfNodes(transforms);
+
+    for (const transform of transforms) {
+      isDomNode.assertIsElementNode(transform);
+      expect(transform.getAttribute("Algorithm")).to.equal(
+        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+      );
+    }
+
+    // Verify that the CanonicalizationMethod is C14N
+    const canonMethod = xpath.select1("//*[local-name(.)='CanonicalizationMethod']", doc);
+    isDomNode.assertIsElementNode(canonMethod);
+    expect(canonMethod.getAttribute("Algorithm")).to.equal(
+      "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+    );
+
+    // Verify that the signature is still valid
+    const verifier = new SignedXml();
+    verifier.publicCert = fs.readFileSync("./test/static/client_public.pem");
+
+    // First load the signature
+    const signatureNode = xpath.select1(
+      "//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']",
+      doc,
+    );
+    isDomNode.assertIsNodeLike(signatureNode);
+    verifier.loadSignature(signatureNode);
+
+    // Then check the signature
+    const isValid = verifier.checkSignature(signedXml);
+    expect(isValid).to.be.true;
+  });
+
   it("should add a reference to an Object element", function () {
     // Create a simple XML document to sign
     const xml = '<root><x xmlns="ns"></x><y attr="value"></y><z><w></w></z></root>';
@@ -259,7 +541,6 @@ describe("Object support in XML signatures", function () {
     // Add a reference to the Object element by its ID
     sig.addReference({
       xpath: "//*[@Id='object1']",
-      uri: "#object1",
       digestAlgorithm: "http://www.w3.org/2000/09/xmldsig#sha1",
       transforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"],
       isSignatureReference: true,
@@ -347,7 +628,7 @@ describe("Object support in XML signatures", function () {
 
     // Add a reference to the Object element by its ID only, marking it as a signature reference
     sig.addReference({
-      uri: "#object1",
+      xpath: "//*[@Id='object1']",
       digestAlgorithm: "http://www.w3.org/2000/09/xmldsig#sha1",
       transforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"],
       isSignatureReference: true,
