[BUG] EnvelopedSignature transform fails when signature is nested in child element

[shunkica]

Description

The library produces invalid signatures when using the enveloped-signature transform with nested signature placement using location.

Reproduction

import { SignedXml } from "../src/index";
import { generateKeyPairSync } from "crypto";
import { expect } from "chai";
import * as xpath from "xpath";
import * as xmldom from "@xmldom/xmldom";
import * as isDomNode from "@xmldom/is-dom-node";

describe("EnvelopedSignature with nested signature location", function () {
  it("should verify signature when signature is nested in a child element", function () {
    // Generate keys
    const { privateKey, publicKey } = generateKeyPairSync("rsa", {
      modulusLength: 2048,
      publicKeyEncoding: { type: "spki", format: "pem" },
      privateKeyEncoding: { type: "pkcs8", format: "pem" },
    });

    const xml = "<root><SignatureInformation/></root>";

    // Sign
    const sig = new SignedXml();
    sig.privateKey = privateKey;

    sig.addReference({
      xpath: "/*",
      transforms: [
        "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
        "http://www.w3.org/2001/10/xml-exc-c14n#",
      ],
      digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256",
    });

    sig.canonicalizationAlgorithm = "http://www.w3.org/2001/10/xml-exc-c14n#";
    sig.signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Place signature inside SignatureInformation (not as direct child of root)
    sig.computeSignature(xml, {
      location: {
        action: "append",
        reference: "//*[local-name()='SignatureInformation']",
      },
    });

    const signedXml = sig.getSignedXml();

    // Verify
    const doc = new xmldom.DOMParser().parseFromString(signedXml);
    const signatureNode = xpath.select1(
      "//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']",
      doc,
    );
    isDomNode.assertIsNodeLike(signatureNode);

    const verifier = new SignedXml();
    verifier.publicCert = publicKey;
    verifier.loadSignature(signatureNode);

    const result = verifier.checkSignature(signedXml);

    expect(result, "Signature verification should succeed").to.be.true;
  });
});

[coderabbitai]

📝 CodeRabbit Plan Mode

Generate an implementation plan and prompts that you can use with your favorite coding agent.

• Create Plan

Examples

• Example 1
• Example 2

---

🔗 Similar Issues

Related Issues

• Failed to generate a correct signature #484
• how to sign XML string correctly #510
• v6.1.0 computeSignature() causes DeprecationWarning #497
• Remove originalXmlWithIds #512

👤 Suggested Assignees

• hsan8
• davi-canuto
• strawberrycz
• shunkica

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!