Add method for checking if element is signed

cjbarth · cjbarth · commit 24fad1b3f377 · 2023-07-29T01:53:33.000-04:00
diff --git a/README.md b/README.md
@@ -152,11 +152,19 @@ If the verification process fails `sig.validationErrors` will contain the errors
 In order to protect from some attacks we must check the content we want to use is the one that has been signed:
 
 ```javascript
-var elem = select(doc, "/xpath_to_interesting_element");
+// Roll your own
+var elem = xpath.select("/xpath_to_interesting_element", doc);
 var uri = sig.references[0].uri; // might not be 0 - depending on the document you verify
 var id = uri[0] === "#" ? uri.substring(1) : uri;
 if (elem.getAttribute("ID") != id && elem.getAttribute("Id") != id && elem.getAttribute("id") != id)
   throw new Error("the interesting element was not the one verified by the signature");
+
+// Use the built-in method
+let elem = xpath.select("/xpath_to_interesting_element", doc);
+const matchingReference = sig.validateElementAgainstReferences(elem, doc);
+if (!matchingReference) {
+  throw new Error("the interesting element was not the one verified by the signature");
+}
 ```
 
 Note:
diff --git a/src/signed-xml.ts b/src/signed-xml.ts
@@ -59,18 +59,23 @@ export class SignedXml {
   /**
    * Specifies the data to be signed within an XML document. See {@link Reference}
    */
-  private references: Reference[] = [];
   private id = 0;
   private signedXml = "";
   private signatureXml = "";
   private signatureNode: Node | null = null;
   private signatureValue = "";
   private originalXmlWithIds = "";
+  private keyInfo: Node | null = null;
+
+  /**
+   * Contains the references that were signed. See {@link Reference}
+   */
+  references: Reference[] = [];
+
   /**
    * Contains validation errors (if any) after {@link checkSignature} method is called
    */
   validationErrors: string[] = [];
-  private keyInfo: Node | null = null;
 
   /**
    *  To add a new transformation algorithm create a new class that implements the {@link TransformationAlgorithm} interface, and register it here. More info: {@link https://github.com/node-saml/xml-crypto#customizing-algorithms|Customizing Algorithms}
@@ -389,6 +394,37 @@ export class SignedXml {
     }
   }
 
+  validateElementAgainstReferences(elem: Element, doc: Document): Reference | false {
+    for (const ref of this.references) {
+      const uri = ref.uri?.[0] === "#" ? ref.uri.substring(1) : ref.uri;
+      let targetElem: xpath.SelectSingleReturnType;
+
+      for (const attr of this.idAttributes) {
+        const elemId = elem.getAttribute(attr);
+        if (uri === elemId) {
+          targetElem = elem;
+          ref.xpath = `//*[@*[local-name(.)='${attr}']='${uri}']`;
+          break; // found the correct element, no need to check further
+        }
+      }
+
+      // @ts-expect-error This is a problem with the types on `xpath`
+      if (!xpath.isNodeLike(targetElem)) {
+        continue;
+      }
+
+      const canonXml = this.getCanonReferenceXml(doc, ref, targetElem);
+      const hash = this.findHashAlgorithm(ref.digestAlgorithm);
+      const digest = hash.getHash(canonXml);
+
+      if (utils.validateDigestValue(digest, ref.digestValue)) {
+        return ref;
+      }
+    }
+
+    return false; // No references passed validation
+  }
+
   validateReferences(doc) {
     for (const ref of this.references) {
       let elemXpath;
diff --git a/test/signature-unit-tests.spec.ts b/test/signature-unit-tests.spec.ts
@@ -82,7 +82,6 @@ describe("Signature unit tests", function () {
       const checkedSignature = sig.checkSignature(xml);
       expect(checkedSignature).to.be.true;
 
-      // @ts-expect-error FIXME
       expect(sig.references.length).to.equal(3);
 
       const digests = [
@@ -91,9 +90,17 @@ describe("Signature unit tests", function () {
         "sH1gxKve8wlU8LlFVa2l6w3HMJ0=",
       ];
 
+      const firstGrandchild = doc.firstChild?.firstChild;
       // @ts-expect-error FIXME
-      for (let i = 0; i < sig.references.length; i++) {
+      if (xpath.isElement(firstGrandchild)) {
+        const matchedReference = sig.validateElementAgainstReferences(firstGrandchild, doc);
+        expect(matchedReference).to.not.be.false;
+      } else {
         // @ts-expect-error FIXME
+        expect(xpath.isElement(firstGrandchild)).to.be.true;
+      }
+
+      for (let i = 0; i < sig.references.length; i++) {
         const ref = sig.references[i];
         const expectedUri = `#_${i}`;
         expect(
