feat: add XmlDSigSigner and XmlDSigValidator wrappers

Author: shunkica

.gitignore

@@ -12,3 +12,4 @@ npm-debug.log
 .nyc_output/
 coverage/
 .idea
+.aider*

.nvmrc

@@ -0,0 +1 @@
+v22.16.0

src/algorithms.ts

@@ -0,0 +1,44 @@
+/**
+ * Supported canonicalization algorithms
+ */
+const CANONICALIZATION_ALGORITHMS = {
+  C14N: "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+  C14N_WITH_COMMENTS: "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
+  EXCLUSIVE_C14N: "http://www.w3.org/2001/10/xml-exc-c14n#",
+  EXCLUSIVE_C14N_WITH_COMMENTS: "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
+} as const;
+
+/**
+ * Supported transform algorithms (includes canonicalization + enveloped signature)
+ */
+const TRANSFORM_ALGORITHMS = {
+  ...CANONICALIZATION_ALGORITHMS,
+  ENVELOPED_SIGNATURE: "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
+} as const;
+
+/**
+ * Supported hash/digest algorithms
+ */
+const HASH_ALGORITHMS = {
+  SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
+  SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
+  SHA512: "http://www.w3.org/2001/04/xmlenc#sha512",
+} as const;
+
+/**
+ * Supported signature algorithms
+ */
+const SIGNATURE_ALGORITHMS = {
+  RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+  RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+  RSA_SHA256_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1",
+  RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+  HMAC_SHA1: "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
+} as const;
+
+export const Algorithms = {
+  canonicalization: CANONICALIZATION_ALGORITHMS,
+  transform: TRANSFORM_ALGORITHMS,
+  hash: HASH_ALGORITHMS,
+  signature: SIGNATURE_ALGORITHMS,
+};

src/index.ts

@@ -4,5 +4,8 @@ export {
   ExclusiveCanonicalizationWithComments,
 } from "./exclusive-canonicalization";
 export { SignedXml } from "./signed-xml";
+export { XmlDSigSigner } from "./xmldsig-signer";
+export { XmlDSigValidator } from "./xmldsig-validator";
+export { Algorithms } from "./algorithms";
 export * from "./types";
 export * from "./utils";

src/signed-xml.ts

@@ -8,6 +8,7 @@ import type {
   GetKeyInfoContentArgs,
   HashAlgorithm,
   HashAlgorithmType,
+  IdAttributeType,
   ObjectAttributes,
   Reference,
   SignatureAlgorithm,
@@ -29,7 +30,7 @@ import * as utils from "./utils";
 
 export class SignedXml {
   idMode?: "wssecurity";
-  idAttributes: string[];
+  idAttributes: IdAttributeType[];
   /**
    * A {@link Buffer} or pem encoded {@link String} containing your private key
    */
@@ -53,6 +54,7 @@ export class SignedXml {
       throw new Error("Not implemented");
     },
   };
+  private maxTransforms: number | null;
   implicitTransforms: ReadonlyArray<CanonicalizationOrTransformAlgorithmType> = [];
   keyInfoAttributes: { [attrName: string]: string } = {};
   getKeyInfoContent = SignedXml.getKeyInfoContent;
@@ -137,11 +139,13 @@ export class SignedXml {
     const {
       idMode,
       idAttribute,
+      idAttributes,
       privateKey,
       publicCert,
       signatureAlgorithm,
       canonicalizationAlgorithm,
       inclusiveNamespacesPrefixList,
+      maxTransforms,
       implicitTransforms,
       keyInfoAttributes,
       getKeyInfoContent,
@@ -151,7 +155,7 @@ export class SignedXml {
 
     // Options
     this.idMode = idMode;
-    this.idAttributes = ["Id", "ID", "id"];
+    this.idAttributes = idAttributes ?? ["Id", "ID", "id"];
     if (idAttribute) {
       this.idAttributes.unshift(idAttribute);
     }
@@ -164,6 +168,7 @@ export class SignedXml {
     } else if (utils.isArrayHasLength(inclusiveNamespacesPrefixList)) {
       this.inclusiveNamespacesPrefixList = inclusiveNamespacesPrefixList;
     }
+    this.maxTransforms = maxTransforms ?? null;
     this.implicitTransforms = implicitTransforms ?? this.implicitTransforms;
     this.keyInfoAttributes = keyInfoAttributes ?? this.keyInfoAttributes;
     this.getKeyInfoContent = getKeyInfoContent ?? this.getKeyInfoContent;
@@ -502,11 +507,18 @@ export class SignedXml {
     for (const ref of this.getReferences()) {
       const uri = ref.uri?.[0] === "#" ? ref.uri.substring(1) : ref.uri;
 
-      for (const attr of this.idAttributes) {
-        const elemId = elem.getAttribute(attr);
-        if (uri === elemId) {
-          ref.xpath = `//*[@*[local-name(.)='${attr}']='${uri}']`;
-          break; // found the correct element, no need to check further
+      for (const idAttr of this.idAttributes) {
+        if (typeof idAttr === "string") {
+          if (uri === elem.getAttribute(idAttr)) {
+            ref.xpath = `//*[@*[local-name(.)='${idAttr}']='${uri}']`;
+            break; // found the correct element, no need to check further
+          }
+        } else {
+          const attr = utils.findAttr(elem, idAttr.localName, idAttr.namespaceUri);
+          if (attr && uri === attr.value) {
+            ref.xpath = `//*[@*[local-name(.)='${idAttr.localName}' and namespace-uri(.)='${idAttr.namespaceUri}']='${uri}']`;
+            break; // found the correct element, no need to check further
+          }
         }
       }
 
@@ -533,8 +545,19 @@ export class SignedXml {
       throw new Error("Cannot validate a uri with quotes inside it");
     } else {
       let num_elements_for_id = 0;
-      for (const attr of this.idAttributes) {
-        const tmp_elemXpath = `//*[@*[local-name(.)='${attr}']='${uri}']`;
+      for (const idAttr of this.idAttributes) {
+        let tmp_elemXpath: string;
+
+        if (typeof idAttr === "string") {
+          tmp_elemXpath = `//*[@*[local-name(.)='${idAttr}']='${uri}']`;
+        } else {
+          if (idAttr.namespaceUri) {
+            tmp_elemXpath = `//*[@*[local-name(.)='${idAttr.localName}' and namespace-uri(.)='${idAttr.namespaceUri}']='${uri}']`;
+          } else {
+            tmp_elemXpath = `//*[@*[local-name(.)='${idAttr.localName}']='${uri}']`;
+          }
+        }
+
         const tmp_elem = xpath.select(tmp_elemXpath, doc);
         if (utils.isArrayHasLength(tmp_elem)) {
           num_elements_for_id += tmp_elem.length;
@@ -781,6 +804,14 @@ export class SignedXml {
       ? refNode.getAttribute("URI") || undefined
       : undefined;
 
+    if (this.maxTransforms) {
+      if (transforms.length > this.maxTransforms) {
+        throw new Error(
+          `Number of transforms (${transforms.length}) exceeds the maximum allowed (${this.maxTransforms})`,
+        );
+      }
+    }
+
     this.addReference({
       transforms,
       digestAlgorithm: digestAlgo,
@@ -1305,7 +1336,11 @@ export class SignedXml {
       );
     } else {
       this.idAttributes.some((idAttribute) => {
-        attr = utils.findAttr(node, idAttribute);
+        if (typeof idAttribute === "string") {
+          attr = utils.findAttr(node, idAttribute);
+        } else {
+          attr = utils.findAttr(node, idAttribute.localName, idAttribute.namespaceUri);
+        }
         return !!attr; // This will break the loop as soon as a truthy attr is found.
       });
     }
@@ -1329,7 +1364,26 @@ export class SignedXml {
         id,
       );
     } else {
-      node.setAttribute("Id", id);
+      // Use the first idAttribute to set the new ID
+      const firstIdAttr = this.idAttributes[0];
+      if (typeof firstIdAttr === "string") {
+        node.setAttribute(firstIdAttr, id);
+      } else {
+        if (firstIdAttr.prefix && firstIdAttr.namespaceUri) {
+          node.setAttributeNS(
+            "http://www.w3.org/2000/xmlns/",
+            `xmlns:${firstIdAttr.prefix}`,
+            firstIdAttr.namespaceUri,
+          );
+          node.setAttributeNS(
+            firstIdAttr.namespaceUri,
+            `${firstIdAttr.prefix}:${firstIdAttr.localName}`,
+            id,
+          );
+        } else {
+          node.setAttribute(firstIdAttr.localName, id);
+        }
+      }
     }
 
     return id;

src/types.ts

@@ -10,30 +10,15 @@ import * as crypto from "crypto";
 
 export type ErrorFirstCallback<T> = (err: Error | null, result?: T) => void;
 
-export type CanonicalizationAlgorithmType =
-  | "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
-  | "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
-  | "http://www.w3.org/2001/10/xml-exc-c14n#"
-  | "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
-  | string;
-
-export type CanonicalizationOrTransformAlgorithmType =
-  | CanonicalizationAlgorithmType
-  | "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
-
-export type HashAlgorithmType =
-  | "http://www.w3.org/2000/09/xmldsig#sha1"
-  | "http://www.w3.org/2001/04/xmlenc#sha256"
-  | "http://www.w3.org/2001/04/xmlenc#sha512"
-  | string;
-
-export type SignatureAlgorithmType =
-  | "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
-  | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
-  | "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"
-  | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
-  | "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
-  | string;
+export type IdAttributeType = string | { prefix: string; localName: string; namespaceUri: string };
+
+export type CanonicalizationAlgorithmType = string;
+
+export type CanonicalizationOrTransformAlgorithmType = string;
+
+export type HashAlgorithmType = string;
+
+export type SignatureAlgorithmType = string;
 
 /**
  * @param cert the certificate as a string or array of strings (@see https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-X509Data)
@@ -59,21 +44,25 @@ export interface ObjectAttributes {
   [key: string]: string | undefined;
 }
 
+export type KeySelectorFunction = (keyInfo?: Node | null) => string | null;
+
 /**
  * Options for the SignedXml constructor.
  */
 export interface SignedXmlOptions {
   idMode?: "wssecurity";
-  idAttribute?: string;
+  idAttribute?: IdAttributeType;
+  idAttributes?: IdAttributeType[];
   privateKey?: crypto.KeyLike;
   publicCert?: crypto.KeyLike;
   signatureAlgorithm?: SignatureAlgorithmType;
   canonicalizationAlgorithm?: CanonicalizationAlgorithmType;
   inclusiveNamespacesPrefixList?: string | string[];
+  maxTransforms?: number | null;
   implicitTransforms?: ReadonlyArray<CanonicalizationOrTransformAlgorithmType>;
   keyInfoAttributes?: Record<string, string>;
   getKeyInfoContent?(args?: GetKeyInfoContentArgs): string | null;
-  getCertFromKeyInfo?(keyInfo?: Node | null): string | null;
+  getCertFromKeyInfo?: KeySelectorFunction;
   objects?: Array<{ content: string; attributes?: ObjectAttributes }>;
 }