xml-crypto
Advanced tools
The xml-crypto npm package is a library that provides tools for signing and verifying XML digital signatures, which are used to ensure the integrity and authenticity of XML documents. It is based on the standards of XML Signature and XML Encryption.
Signing XML documents
This feature allows you to sign XML documents. You can specify references to the parts of the XML that you want to sign, provide your private key, and then compute and obtain the signed XML.
const fs = require('fs');
const { SignedXml } = require('xml-crypto');
let sig = new SignedXml();
sig.addReference("//*[local-name(.)='x']");
sig.signingKey = fs.readFileSync('private.pem');
sig.computeSignature('<x xmlns="urn:xmpp:delay">example</x>');
fs.writeFileSync('signed.xml', sig.getSignedXml());Verifying XML signatures
This feature allows you to verify the signature of an XML document. You can load the signed XML, provide the corresponding public key, and check if the signature is valid.
const fs = require('fs');
const { SignedXml } = require('xml-crypto');
let xml = fs.readFileSync('signed.xml').toString();
let sig = new SignedXml();
sig.keyInfoProvider = {
getKeyInfo: function(key) {
return '<X509Data></X509Data>';
},
getKey: function(keyInfo) {
return fs.readFileSync('public.pem');
}
};
sig.loadSignature(xml);
let result = sig.checkSignature(xml);
console.log('Signature is', result ? 'valid' : 'invalid');Working with KeyInfo
This feature allows you to work with KeyInfo, which is an XML structure that contains information about the key used for signing. You can create a KeyInfoProvider with your key and obtain the KeyInfo XML.
const { KeyInfoProvider } = require('xml-crypto');
let keyInfoProvider = new KeyInfoProvider('key.pem');
let keyInfo = keyInfoProvider.getKeyInfo();xml-encryption is a package specifically focused on XML Encryption. While xml-crypto also supports encryption, xml-encryption is dedicated to this aspect and provides a more specialized API for encrypting and decrypting XML data.
xadesjs is a package for building XMLDSIG and XAdES (XML Advanced Electronic Signatures) signatures. It is based on the Web Cryptography API and provides a more modern approach compared to xml-crypto, which might be beneficial for certain use cases.
A pure javascript xml digital signature library. Xml encryption is coming soon.
For more information visit my blog.
Install with npm:
npm install xml-crypto
A pre requisite it to have openssl installed and its /bin to be on the system path (this is so that node's built-in crypto module would work - xml-crypto does not use openssl directly) I used version 1.0.1c but it should probably work on older versions too.
var SignedXml = require('xml-crypto').SignedXml
, FileKeyInfo = require('xml-crypto').FileKeyInfo
, fs = require('fs')
var xml = "<library>" +
"<book>" +
"<name>Harry Potter</name>" +
"</book>"
"</library>"
var sig = new SignedXml()
sig.addReference("//*[local-name(.)='book']")
sig.signingKey = fs.readFileSync("client.pem")
sig.computeSignature(xml)
fs.writeFileSync("signed.xml", sig.getSignedXml())
Notes:
sig.getSignedXml() returns the original xml document, with the signature pushed as the last child of the root node:
<library>
<book>
...
</book>
<Signature>
...
</Signature>
</library>
This assumes you are not signing the root node but only sub node(s), otherwise it is not legal to put anything inside the root node (including the signature). If you do sign the root node, or have any other reason not to put the signature inside the signed document, you can alternatively call sig.getSignatureXml() to get just the signature element. You can then call sig.getOriginalXmlWithIds() to get the original xml, without the signature, but with the Id attrributes that the signature added on it so it can be validated.
This sample uses xmldom for xml dom manipulation. You can use whichever dom parser you want.
var select = require('xml-crypto').SelectNodes
, dom = require('xmldom').DOMParser
, SignedXml = require('xml-crypto').SignedXml
, FileKeyInfo = require('xml-crypto').FileKeyInfo
, fs = require('fs')
var xml = fs.readFileSync("signed.xml").toString()
var doc = new dom().parseFromString(xml)
var signature = select(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0]
var sig = new SignedXml()
sig.keyInfoProvider = new FileKeyInfo("client_public.pem")
sig.loadSignature(signature.toString())
var res = sig.checkSignature(xml)
if (!res) console.log(sig.validationErrors)
Note:
The xml-crypto api requires you to supply it separately the xml signature ("...") and the signed xml. The signed xml may contain the signature in it, but you are still required to supply the signature separately. As mentioned before, if the signature is inside the signed document it is not allowed to be under the scope of a signed element since it will make the signature invalid (unless special canonicalization is used).
The first release always uses the following algorithems:
you are able to extend xml-crypto with further algorithms.
The following sample shows how to sign a message using custom algorithms:
var SignedXml = require('xml-crypto').SignedXml
, FileKeyInfo = require('xml-crypto').FileKeyInfo
, fs = require('fs')
/*A key info provider to extract and construct the key and the KeyInfo xml section*/
function MyKeyInfo() {
this.getKeyInfo = function(key) {
return "this will appear under <KeyInfo></KeyInfo>"
}
this.getKey = function(keyInfo) {
//you can use the keyInfo parameter to extract the key in any way you want
return fs.readFileSync("key.pem")
}
}
/*A custom hash algorithm*/
function MyDigest() {
this.getHash = function(xml) {
return "the base64 hash representation of the given xml string"
}
this.getAlgorithmName = function() {
return "http://myDigestAlgorithm"
}
}
/*A custom signing algorithm*/
function MySignatureAlgorithm() {
/*sign the given SignedInfo using the key. return base64 signature value*/
this.getSignature = function(signedInfo, signingKey) {
return "signature as base64..."
}
this.getAlgorithmName = function() {
return "http://mySigningAlgorithm"
}
}
/*Custom transformation (canonicalization) algorithm*/
function MyTransformation() {
/*given a node (from the xmldom module) return its canonical representation (as string)*/
this.process = function(node) {
return "< x/>"
}
this.getAlgorithmName = function() {
return "http://myTransformation"
}
}
/*Custom canonicalization algorithm. same as MyTransformation*/
function MyCanonicalization() {
/*given a node (from the xmldom module) return its canonical representation (as string)*/
this.process = function(node) {
return "< x/>"
}
this.getAlgorithmName = function() {
return "http://myCanonicalization"
}
}
/*register all the custom algorithms*/
SignedXml.CanonicalizationAlgorithms["http://MyTransformation"] = MyTransformation
SignedXml.CanonicalizationAlgorithms["http://MyCanonicalization"] = MyCanonicalization
SignedXml.HashAlgorithms["http://myDigestAlgorithm"] = MyDigest
SignedXml.SignatureAlgorithms["http://mySigningAlgorithm"] = MySignatureAlgorithm
function signXml(xml, xpath, key, dest)
{
var sig = new SignedXml()
/*configure the signature object to use the custom algorithms*/
sig.signatureAlgorithm = "http://mySignatureAlgorithm"
sig.keyInfoProvider = new MyKeyInfo()
sig.canonicalizationAlgorithm = "http://MyCanonicalization"
sig.addReference("//*[local-name(.)='x']", ["http://MyTransformation"], "http://myDigestAlgorithm")
sig.signingKey = fs.readFileSync(key)
sig.addReference(xpath)
sig.computeSignature(xml)
fs.writeFileSync(dest, sig.getSignedXml())
}
var xml = "<library>" +
"<book>" +
"<name>Harry Potter</name>" +
"</book>"
"</library>"
signXml(xml,
"//*[local-name(.)='book']",
"client.pem",
"result.xml")
You can always look at the actual code as a sample (or drop me a mail).
Xml-Crypto internally relies on node's crypto module. This means pem encoded certificates are supported. So to sign an xml use key.pem that looks like this (only the begining of the key content is shown):
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0...
-----END PRIVATE KEY-----
And for verification use key_public.pem:
-----BEGIN CERTIFICATE-----
MIIBxDCCAW6gAwIBAgIQxUSX...
-----END CERTIFICATE-----
Converting .pfx certificates to pem Convert .pfx to .pem using openssl](http://www.openssl.org/): openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem
Then you could use the result as is for the purpose of signing. For the purpose of validation open the .pem with a text editor and copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (including) to a new .pem file.
FAQs
Xml digital signature and encryption library for Node.js
The npm package xml-crypto receives a total of 0 weekly downloads. As such, xml-crypto popularity was classified as not popular.
We found that xml-crypto demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.