UNPKG

xml-crypto

Version:

Xml digital signature and encryption library for Node.js

github.com/node-saml/xml-crypto

node-saml/xml-crypto

227 lines (226 loc) 10.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
/// <reference types="node" /> import type { CanonicalizationAlgorithmType, CanonicalizationOrTransformAlgorithmType, CanonicalizationOrTransformationAlgorithm, CanonicalizationOrTransformationAlgorithmProcessOptions, ComputeSignatureOptions, ErrorFirstCallback, GetKeyInfoContentArgs, HashAlgorithm, HashAlgorithmType, Reference, SignatureAlgorithm, SignatureAlgorithmType, SignedXmlOptions } from "./types"; import * as crypto from "crypto"; export declare class SignedXml { idMode?: "wssecurity"; idAttributes: string[]; /** * A {@link Buffer} or pem encoded {@link String} containing your private key */ privateKey?: crypto.KeyLike; publicCert?: crypto.KeyLike; /** * One of the supported signature algorithms. * @see {@link SignatureAlgorithmType} */ signatureAlgorithm?: SignatureAlgorithmType; /** * Rules used to convert an XML document into its canonical form. */ canonicalizationAlgorithm?: CanonicalizationAlgorithmType; /** * It specifies a list of namespace prefixes that should be considered "inclusive" during the canonicalization process. */ inclusiveNamespacesPrefixList: string[]; namespaceResolver: XPathNSResolver; implicitTransforms: ReadonlyArray<CanonicalizationOrTransformAlgorithmType>; keyInfoAttributes: { [attrName: string]: string; }; getKeyInfoContent: typeof SignedXml.getKeyInfoContent; getCertFromKeyInfo: typeof SignedXml.getCertFromKeyInfo; private id; private signedXml; private signatureXml; private signatureNode; private signatureValue; private originalXmlWithIds; private keyInfo; /** * Contains the references that were signed. * @see {@link Reference} */ private references; /** * Contains the canonicalized XML of the references that were validly signed. * * This populates with the canonical XML of the reference only after * verifying the signature is cryptographically authentic. */ private signedReferences; /** * To add a new transformation algorithm create a new class that implements the {@link TransformationAlgorithm} interface, and register it here. More info: {@link https://github.com/node-saml/xml-crypto#customizing-algorithms|Customizing Algorithms} */ CanonicalizationAlgorithms: Record<CanonicalizationOrTransformAlgorithmType, new () => CanonicalizationOrTransformationAlgorithm>; /** * To add a new hash algorithm create a new class that implements the {@link HashAlgorithm} interface, and register it here. More info: {@link https://github.com/node-saml/xml-crypto#customizing-algorithms|Customizing Algorithms} */ HashAlgorithms: Record<HashAlgorithmType, new () => HashAlgorithm>; /** * To add a new signature algorithm create a new class that implements the {@link SignatureAlgorithm} interface, and register it here. More info: {@link https://github.com/node-saml/xml-crypto#customizing-algorithms|Customizing Algorithms} */ SignatureAlgorithms: Record<SignatureAlgorithmType, new () => SignatureAlgorithm>; static defaultNsForPrefix: { ds: string; }; static noop: () => null; /** * The SignedXml constructor provides an abstraction for sign and verify xml documents. The object is constructed using * @param options {@link SignedXmlOptions} */ constructor(options?: SignedXmlOptions); /** * Due to key-confusion issues, it's risky to have both hmac * and digital signature algorithms enabled at the same time. * This enables HMAC and disables other signing algorithms. */ enableHMAC(): void; /** * Builds the contents of a KeyInfo element as an XML string. * * For example, if the value of the prefix argument is 'foo', then * the resultant XML string will be "<foo:X509Data></foo:X509Data>" * * @return an XML string representation of the contents of a KeyInfo element, or `null` if no `KeyInfo` element should be included */ static getKeyInfoContent({ publicCert, prefix }: GetKeyInfoContentArgs): string | null; /** * Returns the value of the signing certificate based on the contents of the * specified KeyInfo. * * @param keyInfo KeyInfo element (@see https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-X509Data) * @return the signing certificate as a string in PEM format */ static getCertFromKeyInfo(keyInfo?: Node | null): string | null; /** * Validates the signature of the provided XML document synchronously using the configured key info provider. * * @param xml The XML document containing the signature to be validated. * @returns `true` if the signature is valid * @throws Error if no key info resolver is provided. */ checkSignature(xml: string): boolean; /** * Validates the signature of the provided XML document synchronously using the configured key info provider. * * @param xml The XML document containing the signature to be validated. * @param callback Callback function to handle the validation result asynchronously. * @throws Error if the last parameter is provided and is not a function, or if no key info resolver is provided. */ checkSignature(xml: string, callback: (error: Error | null, isValid?: boolean) => void): void; private getCanonSignedInfoXml; private getCanonReferenceXml; private calculateSignatureValue; private findSignatureAlgorithm; private findCanonicalizationAlgorithm; private findHashAlgorithm; validateElementAgainstReferences(elemOrXpath: Element | string, doc: Document): Reference; private validateReference; findSignatures(doc: Node): Node[]; /** * Loads the signature information from the provided XML node or string. * * @param signatureNode The XML node or string representing the signature. */ loadSignature(signatureNode: Node | string): void; /** * Load the reference xml node to a model * */ private loadReference; /** * Adds a reference to the signature. * * @param xpath The XPath expression to select the XML nodes to be referenced. * @param transforms An array of transform algorithms to be applied to the selected nodes. * @param digestAlgorithm The digest algorithm to use for computing the digest value. * @param uri The URI identifier for the reference. If empty, an empty URI will be used. * @param digestValue The expected digest value for the reference. * @param inclusiveNamespacesPrefixList The prefix list for inclusive namespace canonicalization. * @param isEmptyUri Indicates whether the URI is empty. Defaults to `false`. */ addReference({ xpath, transforms, digestAlgorithm, uri, digestValue, inclusiveNamespacesPrefixList, isEmptyUri, }: Partial<Reference> & Pick<Reference, "xpath">): void; /** * @deprecated Use `.getSignedReferences()` instead. * Returns the list of references. */ getReferences: () => Reference[]; getSignedReferences(): string[]; /** * Compute the signature of the given XML (using the already defined settings). * * @param xml The XML to compute the signature for. * @param callback A callback function to handle the signature computation asynchronously. * @returns void * @throws TypeError If the xml can not be parsed. */ computeSignature(xml: string): void; /** * Compute the signature of the given XML (using the already defined settings). * * @param xml The XML to compute the signature for. * @param callback A callback function to handle the signature computation asynchronously. * @returns void * @throws TypeError If the xml can not be parsed. */ computeSignature(xml: string, callback: ErrorFirstCallback<SignedXml>): void; /** * Compute the signature of the given XML (using the already defined settings). * * @param xml The XML to compute the signature for. * @param opts An object containing options for the signature computation. * @returns If no callback is provided, returns `this` (the instance of SignedXml). * @throws TypeError If the xml can not be parsed, or Error if there were invalid options passed. */ computeSignature(xml: string, options: ComputeSignatureOptions): void; /** * Compute the signature of the given XML (using the already defined settings). * * @param xml The XML to compute the signature for. * @param opts An object containing options for the signature computation. * @param callback A callback function to handle the signature computation asynchronously. * @returns void * @throws TypeError If the xml can not be parsed, or Error if there were invalid options passed. */ computeSignature(xml: string, options: ComputeSignatureOptions, callback: ErrorFirstCallback<SignedXml>): void; private getKeyInfo; /** * Generate the Reference nodes (as part of the signature process) * */ private createReferences; getCanonXml(transforms: Reference["transforms"], node: Node, options?: CanonicalizationOrTransformationAlgorithmProcessOptions): string; /** * Ensure an element has Id attribute. If not create it with unique value. * Work with both normal and wssecurity Id flavour */ private ensureHasId; /** * Create the SignedInfo element * */ private createSignedInfo; /** * Create the Signature element * */ private createSignature; /** * Returns just the signature part, must be called only after {@link computeSignature} * * @returns The signature XML. */ getSignatureXml(): string; /** * Returns the original xml with Id attributes added on relevant elements (required for validation), must be called only after {@link computeSignature} * * @returns The original XML with IDs. */ getOriginalXmlWithIds(): string; /** * Returns the original xml document with the signature in it, must be called only after {@link computeSignature} * * @returns The signed XML. */ getSignedXml(): string; }