@f-o-t/digital-certificate 1.0.0

package/dist/index.d.ts

@@ -0,0 +1,184 @@
+/**
+* Digital Certificate Types
+*
+* Types for Brazilian A1 digital certificate handling,
+* XML-DSig signing, and mTLS configuration.
+*/
+interface CertificateSubject {
+	commonName: string | null;
+	organization: string | null;
+	organizationalUnit: string | null;
+	country: string | null;
+	state: string | null;
+	locality: string | null;
+	/** Full raw subject string */
+	raw: string;
+}
+interface CertificateIssuer {
+	commonName: string | null;
+	organization: string | null;
+	country: string | null;
+	raw: string;
+}
+interface CertificateValidity {
+	notBefore: Date;
+	notAfter: Date;
+}
+interface BrazilianFields {
+	/** CNPJ extracted from certificate (14 digits) */
+	cnpj: string | null;
+	/** CPF extracted from certificate (11 digits) */
+	cpf: string | null;
+}
+interface CertificateInfo {
+	/** Certificate serial number */
+	serialNumber: string;
+	/** Subject (who the certificate was issued to) */
+	subject: CertificateSubject;
+	/** Issuer (who issued the certificate) */
+	issuer: CertificateIssuer;
+	/** Validity period */
+	validity: CertificateValidity;
+	/** SHA-256 fingerprint of the certificate */
+	fingerprint: string;
+	/** Whether the certificate is currently valid */
+	isValid: boolean;
+	/** Brazilian-specific fields (CNPJ, CPF) */
+	brazilian: BrazilianFields;
+	/** PEM-encoded certificate */
+	certPem: string;
+	/** PEM-encoded private key */
+	keyPem: string;
+	/** Raw PFX buffer */
+	pfxBuffer: Buffer;
+	/** PFX password */
+	pfxPassword: string;
+}
+type SignatureAlgorithm = "sha1" | "sha256";
+interface SignOptions {
+	/** The parsed certificate to use for signing */
+	certificate: CertificateInfo;
+	/** The URI of the element to sign (e.g., "#NFe123") */
+	referenceUri: string;
+	/** Hash algorithm for digest and signature (default: "sha256") */
+	algorithm?: SignatureAlgorithm;
+	/** Tag name of the element where Signature will be inserted.
+	*  If not specified, the signature is appended to the root element. */
+	signatureParent?: string;
+	/** Whether to include the XML declaration in output (default: true) */
+	includeDeclaration?: boolean;
+}
+interface PemPair {
+	cert: string;
+	key: string;
+}
+interface MtlsOptions {
+	/** The parsed certificate to use */
+	certificate: CertificateInfo;
+	/** Additional CA certificates (PEM-encoded) */
+	caCerts?: string[];
+	/** Whether to reject unauthorized connections (default: true) */
+	rejectUnauthorized?: boolean;
+}
+/**
+* Parse a .pfx/.p12 certificate file and extract all relevant information
+*
+* @param pfx - The PFX/P12 file contents as a Buffer
+* @param password - The password to decrypt the PFX file
+* @returns Parsed certificate information
+* @throws {Error} If the PFX cannot be parsed or the password is wrong
+*/
+declare function parseCertificate(pfx: Buffer, password: string): CertificateInfo;
+/**
+* Check if a certificate is currently valid (not expired)
+*/
+declare function isCertificateValid(cert: CertificateInfo): boolean;
+/**
+* Get the number of days until certificate expiry
+* Returns negative if already expired
+*/
+declare function daysUntilExpiry(cert: CertificateInfo): number;
+/**
+* Get PEM pair (certificate + private key) from certificate info
+*/
+declare function getPemPair(cert: CertificateInfo): {
+	cert: string;
+	key: string;
+};
+import { z } from "zod";
+declare const signatureAlgorithmSchema: z.ZodEnum<{
+	sha1: "sha1";
+	sha256: "sha256";
+}>;
+declare const signOptionsSchema: z.ZodObject<{
+	referenceUri: z.ZodString;
+	algorithm: z.ZodDefault<z.ZodEnum<{
+		sha1: "sha1";
+		sha256: "sha256";
+	}>>;
+	signatureParent: z.ZodOptional<z.ZodString>;
+	includeDeclaration: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+declare const mtlsOptionsSchema: z.ZodObject<{
+	caCerts: z.ZodOptional<z.ZodArray<z.ZodString>>;
+	rejectUnauthorized: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+* Utility functions for digital certificate handling
+*
+* PEM encoding, OID maps for Brazilian certificate fields,
+* and ASN.1 helpers.
+*/
+/**
+* OIDs used in Brazilian ICP-Brasil certificates
+* to encode CNPJ and CPF in subject fields
+*/
+declare const BRAZILIAN_OIDS: Record<string, string>;
+/**
+* Parse an X.509 subject/issuer string into key-value pairs
+*
+* Handles formats like:
+* - "CN=Name, O=Org, C=BR"
+* - "/CN=Name/O=Org/C=BR"
+*/
+declare function parseDistinguishedName(dn: string): Record<string, string>;
+/**
+* Extract CNPJ from certificate subject string
+* Looks for patterns like:
+* - OU with CNPJ: "OU=CNPJ:12345678000190"
+* - Direct in CN or subject alternative names
+*/
+declare function extractCnpj(subjectRaw: string): string | null;
+/**
+* Extract CPF from certificate subject string
+*/
+declare function extractCpf(subjectRaw: string): string | null;
+/** Extract base64 content from PEM string (strips headers/whitespace) */
+declare function pemToBase64(pem: string): string;
+declare const XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
+declare const EXC_C14N_NS = "http://www.w3.org/2001/10/xml-exc-c14n#";
+declare const DIGEST_ALGORITHMS: {
+	readonly sha1: {
+		readonly uri: "http://www.w3.org/2000/09/xmldsig#sha1";
+		readonly nodeAlgo: "sha1";
+	};
+	readonly sha256: {
+		readonly uri: "http://www.w3.org/2001/04/xmlenc#sha256";
+		readonly nodeAlgo: "sha256";
+	};
+};
+declare const SIGNATURE_ALGORITHMS: {
+	readonly sha1: {
+		readonly uri: "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+		readonly nodeAlgo: "sha1";
+	};
+	readonly sha256: {
+		readonly uri: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+		readonly nodeAlgo: "sha256";
+	};
+};
+declare const TRANSFORM_ALGORITHMS: {
+	readonly envelopedSignature: "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
+	readonly excC14n: "http://www.w3.org/2001/10/xml-exc-c14n#";
+};
+export { signatureAlgorithmSchema, signOptionsSchema, pemToBase64, parseDistinguishedName, parseCertificate, mtlsOptionsSchema, isCertificateValid, getPemPair, extractCpf, extractCnpj, daysUntilExpiry, XMLDSIG_NS, TRANSFORM_ALGORITHMS, SignatureAlgorithm, SignOptions, SIGNATURE_ALGORITHMS, PemPair, MtlsOptions, EXC_C14N_NS, DIGEST_ALGORITHMS, CertificateValidity, CertificateSubject, CertificateIssuer, CertificateInfo, BrazilianFields, BRAZILIAN_OIDS };

package/dist/index.js

@@ -0,0 +1,149 @@
+import {
+  BRAZILIAN_OIDS,
+  DIGEST_ALGORITHMS,
+  EXC_C14N_NS,
+  SIGNATURE_ALGORITHMS,
+  TRANSFORM_ALGORITHMS,
+  XMLDSIG_NS,
+  extractCnpj,
+  extractCpf,
+  parseDistinguishedName,
+  pemToBase64
+} from "./shared/chunk-rkg27a9a.js";
+import {
+  mtlsOptionsSchema,
+  signOptionsSchema,
+  signatureAlgorithmSchema
+} from "./shared/chunk-ft0pdf3s.js";
+
+// src/certificate.ts
+import { execSync } from "node:child_process";
+import crypto from "node:crypto";
+function parseCertificate(pfx, password) {
+  const { certPem, keyPem } = extractPemFromPfx(pfx, password);
+  const x509 = new crypto.X509Certificate(certPem);
+  const subject = parseSubject(x509.subject);
+  const issuer = parseIssuer(x509.issuer);
+  const validity = parseValidity(x509);
+  const fingerprint = x509.fingerprint256.replace(/:/g, "").toLowerCase();
+  const isValid = checkValidity(validity);
+  const brazilian = extractBrazilianFields(x509.subject, x509.subjectAltName);
+  return {
+    serialNumber: x509.serialNumber,
+    subject,
+    issuer,
+    validity,
+    fingerprint,
+    isValid,
+    brazilian,
+    certPem,
+    keyPem,
+    pfxBuffer: pfx,
+    pfxPassword: password
+  };
+}
+function isCertificateValid(cert) {
+  return checkValidity(cert.validity);
+}
+function daysUntilExpiry(cert) {
+  const now = new Date;
+  const diff = cert.validity.notAfter.getTime() - now.getTime();
+  return Math.floor(diff / (1000 * 60 * 60 * 24));
+}
+function getPemPair(cert) {
+  return { cert: cert.certPem, key: cert.keyPem };
+}
+function extractPemFromPfx(pfx, password) {
+  const escapedPassword = escapeShellArg(password);
+  const certPem = opensslExtract(pfx, `-nokeys -clcerts -passin pass:${escapedPassword}`);
+  if (!certPem.includes("-----BEGIN CERTIFICATE-----")) {
+    throw new Error("Failed to extract certificate from PFX. Ensure the file is a valid PKCS#12 archive and the password is correct.");
+  }
+  const keyPem = opensslExtract(pfx, `-nocerts -passin pass:${escapedPassword} -passout pass: -nodes`);
+  if (!keyPem.includes("-----BEGIN PRIVATE KEY-----") && !keyPem.includes("-----BEGIN RSA PRIVATE KEY-----")) {
+    throw new Error("Failed to extract private key from PFX. Ensure the file is a valid PKCS#12 archive and the password is correct.");
+  }
+  return { certPem: certPem.trim(), keyPem: keyPem.trim() };
+}
+function opensslExtract(pfx, args) {
+  try {
+    return execSync(`openssl pkcs12 -in /dev/stdin ${args} -legacy`, {
+      input: pfx,
+      stdio: ["pipe", "pipe", "pipe"]
+    }).toString();
+  } catch {
+    try {
+      return execSync(`openssl pkcs12 -in /dev/stdin ${args}`, {
+        input: pfx,
+        stdio: ["pipe", "pipe", "pipe"]
+      }).toString();
+    } catch (e) {
+      const message = e instanceof Error ? e.message : String(e);
+      throw new Error(`OpenSSL PKCS12 extraction failed: ${message}`);
+    }
+  }
+}
+function escapeShellArg(arg) {
+  return arg.replace(/'/g, "'\\''");
+}
+function parseSubject(subjectStr) {
+  const fields = parseDistinguishedName(subjectStr);
+  return {
+    commonName: fields.CN ?? null,
+    organization: fields.O ?? null,
+    organizationalUnit: fields.OU ?? null,
+    country: fields.C ?? null,
+    state: fields.ST ?? null,
+    locality: fields.L ?? null,
+    raw: subjectStr
+  };
+}
+function parseIssuer(issuerStr) {
+  const fields = parseDistinguishedName(issuerStr);
+  return {
+    commonName: fields.CN ?? null,
+    organization: fields.O ?? null,
+    country: fields.C ?? null,
+    raw: issuerStr
+  };
+}
+function parseValidity(x509) {
+  return {
+    notBefore: new Date(x509.validFrom),
+    notAfter: new Date(x509.validTo)
+  };
+}
+function checkValidity(validity) {
+  const now = new Date;
+  return now >= validity.notBefore && now <= validity.notAfter;
+}
+function extractBrazilianFields(subject, subjectAltName) {
+  let cnpj = extractCnpj(subject);
+  let cpf = extractCpf(subject);
+  if (subjectAltName) {
+    if (!cnpj)
+      cnpj = extractCnpj(subjectAltName);
+    if (!cpf)
+      cpf = extractCpf(subjectAltName);
+  }
+  return { cnpj, cpf };
+}
+export {
+  signatureAlgorithmSchema,
+  signOptionsSchema,
+  pemToBase64,
+  parseDistinguishedName,
+  parseCertificate,
+  mtlsOptionsSchema,
+  isCertificateValid,
+  getPemPair,
+  extractCpf,
+  extractCnpj,
+  daysUntilExpiry,
+  XMLDSIG_NS,
+  TRANSFORM_ALGORITHMS,
+  SIGNATURE_ALGORITHMS,
+  EXC_C14N_NS,
+  DIGEST_ALGORITHMS,
+  BRAZILIAN_OIDS
+};

package/dist/mtls.d.ts

@@ -0,0 +1,100 @@
+import https from "node:https";
+import tls from "node:tls";
+/**
+* Digital Certificate Types
+*
+* Types for Brazilian A1 digital certificate handling,
+* XML-DSig signing, and mTLS configuration.
+*/
+interface CertificateSubject {
+	commonName: string | null;
+	organization: string | null;
+	organizationalUnit: string | null;
+	country: string | null;
+	state: string | null;
+	locality: string | null;
+	/** Full raw subject string */
+	raw: string;
+}
+interface CertificateIssuer {
+	commonName: string | null;
+	organization: string | null;
+	country: string | null;
+	raw: string;
+}
+interface CertificateValidity {
+	notBefore: Date;
+	notAfter: Date;
+}
+interface BrazilianFields {
+	/** CNPJ extracted from certificate (14 digits) */
+	cnpj: string | null;
+	/** CPF extracted from certificate (11 digits) */
+	cpf: string | null;
+}
+interface CertificateInfo {
+	/** Certificate serial number */
+	serialNumber: string;
+	/** Subject (who the certificate was issued to) */
+	subject: CertificateSubject;
+	/** Issuer (who issued the certificate) */
+	issuer: CertificateIssuer;
+	/** Validity period */
+	validity: CertificateValidity;
+	/** SHA-256 fingerprint of the certificate */
+	fingerprint: string;
+	/** Whether the certificate is currently valid */
+	isValid: boolean;
+	/** Brazilian-specific fields (CNPJ, CPF) */
+	brazilian: BrazilianFields;
+	/** PEM-encoded certificate */
+	certPem: string;
+	/** PEM-encoded private key */
+	keyPem: string;
+	/** Raw PFX buffer */
+	pfxBuffer: Buffer;
+	/** PFX password */
+	pfxPassword: string;
+}
+interface PemPair {
+	cert: string;
+	key: string;
+}
+interface MtlsOptions {
+	/** The parsed certificate to use */
+	certificate: CertificateInfo;
+	/** Additional CA certificates (PEM-encoded) */
+	caCerts?: string[];
+	/** Whether to reject unauthorized connections (default: true) */
+	rejectUnauthorized?: boolean;
+}
+/**
+* Create a TLS SecureContext for use with mTLS connections
+*
+* @param certificate - The parsed certificate
+* @param options - Additional mTLS options
+* @returns A tls.SecureContext configured for mTLS
+*/
+declare function createTlsContext(certificate: CertificateInfo, options?: Omit<MtlsOptions, "certificate">): tls.SecureContext;
+/**
+* Create an HTTPS Agent configured for mTLS
+*
+* Use this agent with Node.js http/https requests or compatible
+* HTTP clients (e.g., axios, node-fetch with agent option).
+*
+* @param certificate - The parsed certificate
+* @param options - Additional mTLS options
+* @returns An https.Agent configured for mTLS
+*/
+declare function createHttpsAgent(certificate: CertificateInfo, options?: Omit<MtlsOptions, "certificate">): https.Agent;
+/**
+* Get PEM pair (certificate + private key) for use with custom HTTP clients
+*
+* Useful when you need to pass cert/key as strings to HTTP libraries
+* that don't accept PFX directly (e.g., Bun.fetch with tls option).
+*
+* @param certificate - The parsed certificate
+* @returns Object with cert and key PEM strings
+*/
+declare function getMtlsPemPair(certificate: CertificateInfo): PemPair;
+export { getMtlsPemPair, createTlsContext, createHttpsAgent };

package/dist/mtls.js

@@ -0,0 +1,41 @@
+import {
+  mtlsOptionsSchema
+} from "./shared/chunk-ft0pdf3s.js";
+
+// src/mtls.ts
+import https from "node:https";
+import tls from "node:tls";
+function createTlsContext(certificate, options) {
+  const opts = mtlsOptionsSchema.parse(options ?? {});
+  const contextOptions = {
+    pfx: certificate.pfxBuffer,
+    passphrase: certificate.pfxPassword
+  };
+  if (opts.caCerts && opts.caCerts.length > 0) {
+    contextOptions.ca = opts.caCerts;
+  }
+  return tls.createSecureContext(contextOptions);
+}
+function createHttpsAgent(certificate, options) {
+  const opts = mtlsOptionsSchema.parse(options ?? {});
+  const agentOptions = {
+    pfx: certificate.pfxBuffer,
+    passphrase: certificate.pfxPassword,
+    rejectUnauthorized: opts.rejectUnauthorized
+  };
+  if (opts.caCerts && opts.caCerts.length > 0) {
+    agentOptions.ca = opts.caCerts;
+  }
+  return new https.Agent(agentOptions);
+}
+function getMtlsPemPair(certificate) {
+  return {
+    cert: certificate.certPem,
+    key: certificate.keyPem
+  };
+}
+export {
+  getMtlsPemPair,
+  createTlsContext,
+  createHttpsAgent
+};

package/dist/shared/chunk-ft0pdf3s.js

@@ -0,0 +1,15 @@
+// src/schemas.ts
+import { z } from "zod";
+var signatureAlgorithmSchema = z.enum(["sha1", "sha256"]);
+var signOptionsSchema = z.object({
+  referenceUri: z.string(),
+  algorithm: signatureAlgorithmSchema.default("sha256"),
+  signatureParent: z.string().optional(),
+  includeDeclaration: z.boolean().default(true)
+});
+var mtlsOptionsSchema = z.object({
+  caCerts: z.array(z.string()).optional(),
+  rejectUnauthorized: z.boolean().default(true)
+});
+
+export { signatureAlgorithmSchema, signOptionsSchema, mtlsOptionsSchema };

package/dist/shared/chunk-rkg27a9a.js

@@ -0,0 +1,101 @@
+// src/utils.ts
+var BRAZILIAN_OIDS = {
+  "2.16.76.1.3.1": "otherName-CPF",
+  "2.16.76.1.3.2": "otherName-ICP-Brasil-Name",
+  "2.16.76.1.3.3": "otherName-CNPJ",
+  "2.16.76.1.3.4": "otherName-ICP-Brasil-Responsible",
+  "2.16.76.1.3.5": "otherName-ICP-Brasil-Voter",
+  "2.16.76.1.3.6": "otherName-ICP-Brasil-INSS",
+  "2.16.76.1.3.7": "otherName-ICP-Brasil-CEI",
+  "2.16.76.1.3.8": "otherName-ICP-Brasil-OAB"
+};
+function parseDistinguishedName(dn) {
+  const result = {};
+  if (!dn)
+    return result;
+  let normalized = dn;
+  if (dn.startsWith("/")) {
+    normalized = dn.slice(1).split("/").join(", ");
+  } else if (dn.includes(`
+`)) {
+    normalized = dn.split(`
+`).join(", ");
+  }
+  const parts = splitDnParts(normalized);
+  for (const part of parts) {
+    const eqIdx = part.indexOf("=");
+    if (eqIdx !== -1) {
+      const key = part.slice(0, eqIdx).trim();
+      const value = part.slice(eqIdx + 1).trim();
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function splitDnParts(dn) {
+  const parts = [];
+  let current = "";
+  let inQuotes = false;
+  for (let i = 0;i < dn.length; i++) {
+    const ch = dn[i];
+    if (ch === '"') {
+      inQuotes = !inQuotes;
+      current += ch;
+    } else if (ch === "," && !inQuotes) {
+      parts.push(current.trim());
+      current = "";
+    } else {
+      current += ch;
+    }
+  }
+  if (current.trim()) {
+    parts.push(current.trim());
+  }
+  return parts;
+}
+function extractCnpj(subjectRaw) {
+  const cnpjMatch = subjectRaw.match(/CNPJ[:\s=]+(\d{14})/i);
+  if (cnpjMatch?.[1])
+    return cnpjMatch[1];
+  const ouMatch = subjectRaw.match(/OU\s*=\s*[^,]*?(\d{14})/);
+  if (ouMatch?.[1])
+    return ouMatch[1];
+  return null;
+}
+function extractCpf(subjectRaw) {
+  const cpfMatch = subjectRaw.match(/CPF[:\s=]+(\d{11})/i);
+  if (cpfMatch?.[1])
+    return cpfMatch[1];
+  return null;
+}
+function pemToBase64(pem) {
+  return pem.replace(/-----BEGIN [^-]+-----/, "").replace(/-----END [^-]+-----/, "").replace(/\s+/g, "");
+}
+var XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
+var EXC_C14N_NS = "http://www.w3.org/2001/10/xml-exc-c14n#";
+var DIGEST_ALGORITHMS = {
+  sha1: {
+    uri: "http://www.w3.org/2000/09/xmldsig#sha1",
+    nodeAlgo: "sha1"
+  },
+  sha256: {
+    uri: "http://www.w3.org/2001/04/xmlenc#sha256",
+    nodeAlgo: "sha256"
+  }
+};
+var SIGNATURE_ALGORITHMS = {
+  sha1: {
+    uri: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+    nodeAlgo: "sha1"
+  },
+  sha256: {
+    uri: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+    nodeAlgo: "sha256"
+  }
+};
+var TRANSFORM_ALGORITHMS = {
+  envelopedSignature: "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
+  excC14n: "http://www.w3.org/2001/10/xml-exc-c14n#"
+};
+
+export { BRAZILIAN_OIDS, parseDistinguishedName, extractCnpj, extractCpf, pemToBase64, XMLDSIG_NS, EXC_C14N_NS, DIGEST_ALGORITHMS, SIGNATURE_ALGORITHMS, TRANSFORM_ALGORITHMS };

package/dist/xml-signer.d.ts

@@ -0,0 +1,79 @@
+/**
+* Digital Certificate Types
+*
+* Types for Brazilian A1 digital certificate handling,
+* XML-DSig signing, and mTLS configuration.
+*/
+interface CertificateSubject {
+	commonName: string | null;
+	organization: string | null;
+	organizationalUnit: string | null;
+	country: string | null;
+	state: string | null;
+	locality: string | null;
+	/** Full raw subject string */
+	raw: string;
+}
+interface CertificateIssuer {
+	commonName: string | null;
+	organization: string | null;
+	country: string | null;
+	raw: string;
+}
+interface CertificateValidity {
+	notBefore: Date;
+	notAfter: Date;
+}
+interface BrazilianFields {
+	/** CNPJ extracted from certificate (14 digits) */
+	cnpj: string | null;
+	/** CPF extracted from certificate (11 digits) */
+	cpf: string | null;
+}
+interface CertificateInfo {
+	/** Certificate serial number */
+	serialNumber: string;
+	/** Subject (who the certificate was issued to) */
+	subject: CertificateSubject;
+	/** Issuer (who issued the certificate) */
+	issuer: CertificateIssuer;
+	/** Validity period */
+	validity: CertificateValidity;
+	/** SHA-256 fingerprint of the certificate */
+	fingerprint: string;
+	/** Whether the certificate is currently valid */
+	isValid: boolean;
+	/** Brazilian-specific fields (CNPJ, CPF) */
+	brazilian: BrazilianFields;
+	/** PEM-encoded certificate */
+	certPem: string;
+	/** PEM-encoded private key */
+	keyPem: string;
+	/** Raw PFX buffer */
+	pfxBuffer: Buffer;
+	/** PFX password */
+	pfxPassword: string;
+}
+type SignatureAlgorithm = "sha1" | "sha256";
+interface SignOptions {
+	/** The parsed certificate to use for signing */
+	certificate: CertificateInfo;
+	/** The URI of the element to sign (e.g., "#NFe123") */
+	referenceUri: string;
+	/** Hash algorithm for digest and signature (default: "sha256") */
+	algorithm?: SignatureAlgorithm;
+	/** Tag name of the element where Signature will be inserted.
+	*  If not specified, the signature is appended to the root element. */
+	signatureParent?: string;
+	/** Whether to include the XML declaration in output (default: true) */
+	includeDeclaration?: boolean;
+}
+/**
+* Sign an XML document with an enveloped XML-DSig signature
+*
+* @param xml - The XML string to sign
+* @param options - Signing options (certificate, reference URI, algorithm)
+* @returns The signed XML string
+*/
+declare function signXml(xml: string, options: SignOptions): string;
+export { signXml };

package/dist/xml-signer.js

@@ -0,0 +1,119 @@
+import {
+  DIGEST_ALGORITHMS,
+  EXC_C14N_NS,
+  SIGNATURE_ALGORITHMS,
+  TRANSFORM_ALGORITHMS,
+  XMLDSIG_NS,
+  pemToBase64
+} from "./shared/chunk-rkg27a9a.js";
+import {
+  signOptionsSchema
+} from "./shared/chunk-ft0pdf3s.js";
+
+// src/xml-signer.ts
+import crypto from "node:crypto";
+import {
+  getAttributeValue,
+  parseXml,
+  serializeXml,
+  XML_NODE_TYPES
+} from "@f-o-t/xml";
+import { canonicalize } from "@f-o-t/xml/canonicalize";
+function signXml(xml, options) {
+  const opts = signOptionsSchema.parse(options);
+  const algorithm = opts.algorithm;
+  const doc = parseXml(xml);
+  if (!doc.root) {
+    throw new Error("XML document has no root element");
+  }
+  const targetElement = findSignTarget(doc.root, opts.referenceUri);
+  if (!targetElement) {
+    throw new Error(`Could not find element with URI reference: ${opts.referenceUri}`);
+  }
+  const canonicalXml = canonicalize(targetElement, {
+    exclusive: true,
+    withComments: false
+  });
+  const digestValue = computeDigest(canonicalXml, algorithm);
+  const signedInfoXml = buildSignedInfoXml(opts.referenceUri, algorithm, digestValue);
+  const signedInfoDoc = parseXml(signedInfoXml);
+  const canonicalSignedInfo = canonicalize(signedInfoDoc.root, {
+    exclusive: true,
+    withComments: false
+  });
+  const signatureValue = computeSignature(canonicalSignedInfo, options.certificate.keyPem, algorithm);
+  const signatureXml = buildSignatureXml(signedInfoXml, signatureValue, options.certificate.certPem);
+  const signatureDoc = parseXml(signatureXml);
+  const signatureElement = signatureDoc.root;
+  const signatureParent = opts.signatureParent ? findElementByName(doc.root, opts.signatureParent) : targetElement;
+  if (!signatureParent) {
+    throw new Error(`Could not find signature parent element: ${opts.signatureParent}`);
+  }
+  signatureElement.parent = signatureParent;
+  signatureParent.children.push(signatureElement);
+  return serializeXml(doc, {
+    declaration: opts.includeDeclaration,
+    indent: "",
+    selfClose: true
+  });
+}
+function findSignTarget(root, referenceUri) {
+  if (referenceUri === "") {
+    return root;
+  }
+  const id = referenceUri.startsWith("#") ? referenceUri.slice(1) : referenceUri;
+  return findElementById(root, id);
+}
+function findElementById(element, id) {
+  const idAttrs = ["Id", "id", "ID"];
+  for (const attrName of idAttrs) {
+    const val = getAttributeValue(element, attrName);
+    if (val === id)
+      return element;
+  }
+  for (const child of element.children) {
+    if (child.type === XML_NODE_TYPES.ELEMENT) {
+      const found = findElementById(child, id);
+      if (found)
+        return found;
+    }
+  }
+  return null;
+}
+function findElementByName(element, name) {
+  if (element.name === name || element.localName === name) {
+    return element;
+  }
+  for (const child of element.children) {
+    if (child.type === XML_NODE_TYPES.ELEMENT) {
+      const found = findElementByName(child, name);
+      if (found)
+        return found;
+    }
+  }
+  return null;
+}
+function computeDigest(data, algorithm) {
+  const algo = DIGEST_ALGORITHMS[algorithm];
+  const hash = crypto.createHash(algo.nodeAlgo);
+  hash.update(data, "utf8");
+  return hash.digest("base64");
+}
+function computeSignature(data, privateKeyPem, algorithm) {
+  const algo = SIGNATURE_ALGORITHMS[algorithm];
+  const sign = crypto.createSign(`RSA-${algo.nodeAlgo.toUpperCase()}`);
+  sign.update(data, "utf8");
+  return sign.sign(privateKeyPem, "base64");
+}
+function buildSignedInfoXml(referenceUri, algorithm, digestValue) {
+  const sigAlgo = SIGNATURE_ALGORITHMS[algorithm];
+  const digAlgo = DIGEST_ALGORITHMS[algorithm];
+  return `<SignedInfo xmlns="${XMLDSIG_NS}"><CanonicalizationMethod Algorithm="${EXC_C14N_NS}"/><SignatureMethod Algorithm="${sigAlgo.uri}"/><Reference URI="${referenceUri}"><Transforms><Transform Algorithm="${TRANSFORM_ALGORITHMS.envelopedSignature}"/><Transform Algorithm="${TRANSFORM_ALGORITHMS.excC14n}"/></Transforms><DigestMethod Algorithm="${digAlgo.uri}"/><DigestValue>${digestValue}</DigestValue></Reference></SignedInfo>`;
+}
+function buildSignatureXml(signedInfoXml, signatureValue, certPem) {
+  const certBase64 = pemToBase64(certPem);
+  return `<Signature xmlns="${XMLDSIG_NS}">${signedInfoXml}<SignatureValue>${signatureValue}</SignatureValue><KeyInfo><X509Data><X509Certificate>${certBase64}</X509Certificate></X509Data></KeyInfo></Signature>`;
+}
+export {
+  signXml
+};

package/package.json

@@ -0,0 +1,80 @@
+{
+   "name": "@f-o-t/digital-certificate",
+   "version": "1.0.0",
+   "description": "Brazilian A1 digital certificate handling with .pfx/.p12 parsing, XML-DSig signing, certificate management, and mTLS support",
+   "type": "module",
+   "private": false,
+   "module": "./dist/index.js",
+   "types": "./dist/index.d.ts",
+   "exports": {
+      ".": {
+         "bun": "./src/index.ts",
+         "import": {
+            "default": "./dist/index.js",
+            "types": "./dist/index.d.ts"
+         },
+         "types": "./src/index.ts"
+      },
+      "./xml-signer": {
+         "bun": "./src/xml-signer.ts",
+         "import": {
+            "default": "./dist/xml-signer.js",
+            "types": "./dist/xml-signer.d.ts"
+         },
+         "types": "./src/xml-signer.ts"
+      },
+      "./mtls": {
+         "bun": "./src/mtls.ts",
+         "import": {
+            "default": "./dist/mtls.js",
+            "types": "./dist/mtls.d.ts"
+         },
+         "types": "./src/mtls.ts"
+      },
+      "./package.json": "./package.json"
+   },
+   "files": [
+      "dist"
+   ],
+   "scripts": {
+      "build": "bunup",
+      "check": "biome check --write .",
+      "dev": "bunup --watch",
+      "release": "bumpp --commit --push --tag",
+      "test": "bun test",
+      "test:coverage": "bun test --coverage",
+      "test:watch": "bun test --watch",
+      "typecheck": "tsc"
+   },
+   "dependencies": {
+      "@f-o-t/xml": "1.0.0",
+      "zod": "4.3.6"
+   },
+   "devDependencies": {
+      "@biomejs/biome": "2.3.12",
+      "@types/bun": "1.3.6",
+      "bumpp": "10.4.0",
+      "bunup": "0.16.20",
+      "typescript": "5.9.3"
+   },
+   "peerDependencies": {
+      "typescript": ">=4.5.0"
+   },
+   "peerDependenciesMeta": {
+      "typescript": {
+         "optional": true
+      }
+   },
+   "license": "MIT",
+   "repository": {
+      "type": "git",
+      "url": "https://github.com/F-O-T/contentta-nx.git"
+   },
+   "homepage": "https://github.com/F-O-T/contentta-nx/blob/master/libraries/digital-certificate",
+   "bugs": {
+      "url": "https://github.com/F-O-T/contentta-nx/issues"
+   },
+   "publishConfig": {
+      "access": "public"
+   }
+}