xml-crypto - npm Package Compare versions

Comparing version 0.0.22 to 0.0.23

example/example.js

@@ -31,3 +31,3 @@ var select = require('xml-crypto').xpath
               "<name>Harry Potter</name>" +
-            "</book>"
+            "</book>" +
           "</library>"
@@ -34,0 +34,0 @@

lib/enveloped-signature.js

@@ -8,7 +8,6 @@ var xpath = require('xpath.js');
 
-EnvelopedSignature.prototype.process = function (node) {   
-  var signature = xpath(node.ownerDocument, "//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];  
-  if (signature) signature.parentNode.removeChild(signature)
-  //return node.toString();
-  return node
+EnvelopedSignature.prototype.process = function (node) {
+  var signature = xpath(node, ".//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];  
+  if (signature) signature.parentNode.removeChild(signature);
+  return node;
 };
@@ -15,0 +14,0 @@

lib/signed-xml.js

@@ -331,6 +331,6 @@ var select = require('xpath.js')
 
-  this.addReference(null, transforms, digestAlgo, utils.findAttr(ref, "URI").value, digestValue, inclusiveNamespacesPrefixList)
+  this.addReference(null, transforms, digestAlgo, utils.findAttr(ref, "URI").value, digestValue, inclusiveNamespacesPrefixList, false)
 }
 
-SignedXml.prototype.addReference = function(xpath, transforms, digestAlgorithm, uri, digestValue, inclusiveNamespacesPrefixList) {    
+SignedXml.prototype.addReference = function(xpath, transforms, digestAlgorithm, uri, digestValue, inclusiveNamespacesPrefixList, isEmptyUri) {    
   this.references.push({
@@ -342,3 +342,4 @@ "xpath": xpath,
     "digestValue": digestValue,
-    "inclusiveNamespacesPrefixList": inclusiveNamespacesPrefixList
+    "inclusiveNamespacesPrefixList": inclusiveNamespacesPrefixList,
+    "isEmptyUri": isEmptyUri
   });
@@ -406,8 +407,12 @@ }
     for (var h in nodes) {      
-      var node = nodes[h]
-      var id = this.ensureHasId(node); 
-      ref.uri = id
-      res += "<Reference URI=\"#" + id + "\">" + 
-                           "<Transforms>"      
-      
+      var node = nodes[h]    
+      if (ref.isEmptyUri) {
+        res += "<Reference URI=\"\">"
+      }
+      else {
+        var id = this.ensureHasId(node); 
+        ref.uri = id
+        res += "<Reference URI=\"#" + id + "\">"
+      }
+      res += "<Transforms>"
       for (var t in ref.transforms) {
@@ -414,0 +419,0 @@ var trans = ref.transforms[t]

package.json

 {
     "name": "xml-crypto",
-    "version": "0.0.22",
+    "version": "0.0.23",
     "description": "Xml digital signature and encryption library for Node.js",
@@ -5,0 +5,0 @@ "engines": { "node": ">=0.4.0" },

test/canonicalization-unit-tests.js

@@ -331,3 +331,16 @@ var ExclusiveCanonicalization = require("../lib/exclusive-canonicalization").ExclusiveCanonicalization
   }, 
- 
+
+  "Enveloped-signature canonicalization respects currentnode": function(test) {
+    // older versions of enveloped-signature removed the first signature in the whole doc, but should
+    //   be the signature inside the current node if we want to be able to verify multiple signatures
+    //   in a document.
+    var xml = '<x><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" /><y><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" /></y></x>';
+    var doc = new Dom().parseFromString(xml);
+    var node = select(doc, "//*[local-name(.)='y']")[0];
+    var sig = new SignedXml();
+    var transforms = ["http://www.w3.org/2000/09/xmldsig#enveloped-signature"];
+    var res = sig.getCanonXml(transforms, node);
+    test.equal("<y/>", res );
+    test.done();
+  },
 }

test/signature-integration-tests.js

@@ -8,6 +8,7 @@ var select = require('xpath.js')
 module.exports = {    
-/*
+
+
   "verify signature": function (test) {
   	var xml = "<root><x xmlns=\"ns\"></x><y z_attr=\"value\" a_attr1=\"foo\"></y><z><ns:w ns:attr=\"value\" xmlns:ns=\"myns\"></ns:w></z></root>"
-    verifySignature(test, xml, [
+    verifySignature(test, xml, "./test/static/integration/expectedVerify.xml", [
       "//*[local-name(.)='x']", 
@@ -18,2 +19,4 @@ "//*[local-name(.)='y']",
 
+
+
   "verify signature of complex element": function (test) {
@@ -30,6 +33,7 @@ var xml = "<library>" +
 
-    verifySignature(test, xml, ["//*[local-name(.)='book']"])
+    verifySignature(test, xml,  "./test/static/integration/expectedVerifyComplex.xml", ["//*[local-name(.)='book']"])
   },
 
 
+
   "empty URI reference should consider the whole document": function(test) {    
@@ -64,2 +68,3 @@
 
+
   "windows store signature": function(test) {    
@@ -81,2 +86,4 @@
 
+
+
   "signature with inclsuive namespaces": function(test) {    
@@ -96,4 +103,7 @@
     test.done();
-  },*/
+  },
 
+
+
+
   "should create single root xml document when signing inner node": function(test) {
@@ -136,3 +146,3 @@ var xml = "<library>" +
     */
-        
+     
     test.ok(doc.documentElement.nodeName == "library", "root node = <library>.");
@@ -147,7 +157,4 @@ test.ok(doc.childNodes.length == 1, "only one root node is expected.");
 
-function verifySignature(test, xml, xpath) {  
-  if (process.platform !== 'win32') {
-    test.done();
-    return;
-  }
+function verifySignature(test, xml, expected, xpath) {  
+  
   var sig = new SignedXml()
@@ -162,4 +169,7 @@ sig.signingKey = fs.readFileSync("./test/static/client.pem")
 
-  fs.writeFileSync("./test/validators/XmlCryptoUtilities/XmlCryptoUtilities/bin/Debug/signedExample.xml", signed)    
-  
+  //fs.writeFileSync("./test/validators/XmlCryptoUtilities/XmlCryptoUtilities/bin/Debug/signedExample.xml", signed)    
+  var expectedContent = fs.readFileSync(expected).toString()
+  test.equal(signed, expectedContent, "signature xml different than expected")
+  test.done()
+  /*
   var spawn = require('child_process').spawn
@@ -179,4 +189,5 @@ var proc = spawn('./test/validators/XmlCryptoUtilities/XmlCryptoUtilities/bin/Debug/XmlCryptoUtilities.exe', ['verify'])
     test.done()
-  }); 
+  });
+  */ 
 
 }

test/signature-unit-tests.js

@@ -292,2 +292,18 @@ var select = require('xpath.js')
 
+  "allow empty reference uri when signing": function(test) {
+    var xml = "<root><x /></root>"
+    var sig = new SignedXml()
+    sig.signingKey = fs.readFileSync("./test/static/client.pem")
+    sig.keyInfoProvider = null
+
+    sig.addReference("//*[local-name(.)='root']", ["http://www.w3.org/2000/09/xmldsig#enveloped-signature"], "http://www.w3.org/2000/09/xmldsig#sha1", "", "", "", true)  
+
+    sig.computeSignature(xml)
+    var signedXml = sig.getSignedXml()    
+    var doc = new dom().parseFromString(signedXml)    
+    var URI = select(doc, "//*[local-name(.)='Reference']/@URI")[0]            
+    test.equal(URI.value, "", "uri should be empty but instead was " + URI.value)
+    test.done()
+  }
+
 }
@@ -294,0 +310,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Shell access

Supply chain risk

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

244007

increased by1.66%

Number of package files

60

increased by3.45%

Lines of code

1479

increased by2.14%

Number of medium supply chain risk alerts

3

decreased by-25%

No dependency changes