feat: add certificate truststore validation, certificate expiration, refactor XmlDSigValidator interface, reuse SignedXml

Author: shunkica

example/xmldsig-validator-example.js

@@ -24,9 +24,13 @@ function validateStandardExample(signedXml) {
 
   // Create a validator with configuration
   const validator = new XmlDSigValidator({
-    publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    keySelector: {
+      publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    },
     throwOnError: false, // Return errors in result instead of throwing
-    maxTransforms: 5, // Allow up to 5 transforms per reference
+    security: {
+      maxTransforms: 5, // Allow up to 5 transforms per reference
+    },
   });
 
   try {
@@ -55,10 +59,14 @@ function validateWithCustomIdAttributesExample(signedXml) {
 
   // Create a validator with custom ID attributes
   const validator = new XmlDSigValidator({
-    publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    keySelector: {
+      publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    },
     idAttributeQNames: ["customId", "id", "Id"], // Same order as used in signing
     throwOnError: false,
-    maxTransforms: 3,
+    security: {
+      maxTransforms: 3,
+    },
   });
 
   try {
@@ -80,13 +88,17 @@ function validateWSSecurityModeExample(signedXml) {
 
   // Create a validator with WS-Security mode
   const validator = new XmlDSigValidator({
-    publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    keySelector: {
+      publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    },
     idAttributeQNames: ["wsu:Id"],
     namespaceMap: {
       wsu: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
     },
     throwOnError: false,
-    maxTransforms: 4,
+    security: {
+      maxTransforms: 4,
+    },
     implicitTransforms: [Algorithms.transform.EXCLUSIVE_C14N], // Default transforms
   });
 
@@ -112,14 +124,18 @@ function validateWithKeyInfoCertExample(signedXml) {
 
   // Create a validator with getCertFromKeyInfo function
   const validator = new XmlDSigValidator({
-    getCertFromKeyInfo: (keyInfo) => {
-      console.log("Extracting certificate from KeyInfo...");
-      // In a real scenario, you would extract the certificate from KeyInfo
-      // For this example, we'll just return the test certificate
-      return fs.readFileSync("./test/static/client_public.pem", "utf8");
+    keySelector: {
+      getCertFromKeyInfo: (keyInfo) => {
+        console.log("Extracting certificate from KeyInfo...");
+        // In a real scenario, you would extract the certificate from KeyInfo
+        // For this example, we'll just return the test certificate
+        return fs.readFileSync("./test/static/client_public.pem", "utf8");
+      },
     },
     throwOnError: false,
-    maxTransforms: 6,
+    security: {
+      maxTransforms: 6,
+    },
   });
 
   try {
@@ -142,7 +158,9 @@ function validateWithCertificateOverrideExample(signedXml) {
   // Create a validator with a specific certificate
   const specificCert = fs.readFileSync("./test/static/client_public.pem");
   const validator = new XmlDSigValidator({
-    publicCert: specificCert,
+    keySelector: {
+      publicCert: specificCert,
+    },
     throwOnError: false,
   });
 
@@ -164,7 +182,9 @@ function validateReusableExample(signedXml) {
   console.log("\n=== Reusable Validator Example ===");
 
   const validator = new XmlDSigValidator({
-    publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    keySelector: {
+      publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    },
     throwOnError: false,
   });
 
@@ -195,7 +215,9 @@ function validateMultipleSignaturesExample() {
   const signedTwice = multipleSignaturesExample();
 
   const validator = new XmlDSigValidator({
-    publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    keySelector: {
+      publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    },
   });
 
   // This will fail because multiple signatures are present
@@ -220,7 +242,9 @@ function validateErrorHandlingExample() {
   console.log("\n=== Error Handling Example ===");
 
   const validator = new XmlDSigValidator({
-    publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    keySelector: {
+      publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    },
     throwOnError: false, // Don't throw, return errors in result
   });
 
@@ -240,7 +264,9 @@ function validateErrorHandlingExample() {
 
   // Test with throwOnError: true
   const throwingValidator = new XmlDSigValidator({
-    publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    keySelector: {
+      publicCert: fs.readFileSync("./test/static/client_public.pem"),
+    },
     throwOnError: true,
   });
 

src/signed-xml.ts

@@ -55,6 +55,7 @@ export class SignedXml {
       throw new Error("Not implemented");
     },
   };
+  private maxTransforms: number | null;
   implicitTransforms: ReadonlyArray<CanonicalizationOrTransformAlgorithmType> = [];
   keyInfoAttributes: { [attrName: string]: string } = {};
   getKeyInfoContent = SignedXml.getKeyInfoContent;
@@ -146,6 +147,7 @@ export class SignedXml {
       signatureAlgorithm,
       canonicalizationAlgorithm,
       inclusiveNamespacesPrefixList,
+      maxTransforms,
       implicitTransforms,
       keyInfoAttributes,
       getKeyInfoContent,
@@ -170,6 +172,7 @@ export class SignedXml {
     } else if (utils.isArrayHasLength(inclusiveNamespacesPrefixList)) {
       this.inclusiveNamespacesPrefixList = inclusiveNamespacesPrefixList;
     }
+    this.maxTransforms = maxTransforms ?? null;
     this.implicitTransforms = implicitTransforms ?? this.implicitTransforms;
     this.keyInfoAttributes = keyInfoAttributes ?? this.keyInfoAttributes;
     this.getKeyInfoContent = getKeyInfoContent ?? this.getKeyInfoContent;
@@ -830,6 +833,14 @@ export class SignedXml {
       ? refNode.getAttribute("URI") || undefined
       : undefined;
 
+    if (this.maxTransforms) {
+      if (transforms.length > this.maxTransforms) {
+        throw new Error(
+          `Number of transforms (${transforms.length}) exceeds the maximum allowed (${this.maxTransforms})`,
+        );
+      }
+    }
+
     this.addReference({
       transforms,
       digestAlgorithm: digestAlgo,

src/types.ts

@@ -42,6 +42,8 @@ export interface ObjectAttributes {
   [key: string]: string | undefined;
 }
 
+export type KeySelectorFunction = (keyInfo?: Node | null) => string | null;
+
 /**
  * Options for the SignedXml constructor.
  */
@@ -55,10 +57,11 @@ export interface SignedXmlOptions {
   signatureAlgorithm?: SignatureAlgorithmType;
   canonicalizationAlgorithm?: CanonicalizationAlgorithmType;
   inclusiveNamespacesPrefixList?: string | string[];
+  maxTransforms?: number | null;
   implicitTransforms?: ReadonlyArray<CanonicalizationOrTransformAlgorithmType>;
   keyInfoAttributes?: Record<string, string>;
   getKeyInfoContent?(args?: GetKeyInfoContentArgs): string | null;
-  getCertFromKeyInfo?(keyInfo?: Node | null): string | null;
+  getCertFromKeyInfo?: KeySelectorFunction;
   objects?: Array<{ content: string; attributes?: ObjectAttributes }>;
 }