xml-crypto-next 7.0.3 → 8.0.0

package/{lib → build}/signed-xml.js

@@ -1,101 +1,141 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SignedXml = void 0;
-const isDomNode = require("@xmldom/is-dom-node");
-const xmldom = require("@xmldom/xmldom");
-const util_1 = require("util");
-const xpath = require("xpath");
-const c14n = require("./c14n-canonicalization");
-const envelopedSignatures = require("./enveloped-signature");
-const execC14n = require("./exclusive-canonicalization");
-const hashAlgorithms = require("./hash-algorithms");
-const signatureAlgorithms = require("./signature-algorithms");
-const utils = require("./utils");
-class SignedXml {
+import * as isDomNode from "@xmldom/is-dom-node";
+import * as xmldom from "@xmldom/xmldom";
+import { deprecate } from "util";
+import * as xpath from "xpath";
+import * as c14n from "./c14n-canonicalization.js";
+import * as c14n2 from "./c14n-canonicalization-2.js";
+import * as envelopedSignatures from "./enveloped-signature.js";
+import * as execC14n from "./exclusive-canonicalization.js";
+import * as xmldsig2 from "./xmldsig2-transform.js";
+import * as hashAlgorithms from "./hash-algorithms.js";
+import * as signatureAlgorithms from "./signature-algorithms.js";
+import * as utils from "./utils.js";
+export class SignedXml {
+    idMode;
+    idAttributes;
+    /**
+     * A {@link Buffer} or pem encoded {@link String} containing your private key
+     */
+    privateKey;
+    publicCert;
+    /**
+     * One of the supported signature algorithms.
+     * @see {@link SignatureAlgorithmType}
+     */
+    signatureAlgorithm = undefined;
+    /**
+     * Rules used to convert an XML document into its canonical form.
+     */
+    canonicalizationAlgorithm = undefined;
+    /**
+     * It specifies a list of namespace prefixes that should be considered "inclusive" during the canonicalization process.
+     */
+    inclusiveNamespacesPrefixList = [];
+    namespaceResolver = {
+        lookupNamespaceURI: function ( /* prefix */) {
+            throw new Error("Not implemented");
+        },
+    };
+    implicitTransforms = [];
+    keyInfoAttributes = {};
+    getKeyInfoContent = SignedXml.getKeyInfoContent;
+    getCertFromKeyInfo = SignedXml.getCertFromKeyInfo;
+    objects;
+    // Internal state
+    id = 0;
+    signedXml = "";
+    signatureXml = "";
+    signatureNode = null;
+    signatureValue = "";
+    originalXmlWithIds = "";
+    keyInfo = null;
+    /**
+     * Contains the references that were signed.
+     * @see {@link Reference}
+     */
+    references = [];
+    /**
+     * Contains the canonicalized XML of the references that were validly signed.
+     *
+     * This populates with the canonical XML of the reference only after
+     * verifying the signature is cryptographically authentic.
+     */
+    signedReferences = [];
+    /**
+     *  To add a new transformation algorithm create a new class that implements the {@link TransformationAlgorithm} interface, and register it here. More info: {@link https://github.com/node-saml/xml-crypto#customizing-algorithms|Customizing Algorithms}
+     */
+    CanonicalizationAlgorithms = {
+        // XMLDSig 1.0/1.1 - Compatibility Mode
+        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315": c14n.C14nCanonicalization,
+        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments": c14n.C14nCanonicalizationWithComments,
+        "http://www.w3.org/2001/10/xml-exc-c14n#": execC14n.ExclusiveCanonicalization,
+        "http://www.w3.org/2001/10/xml-exc-c14n#WithComments": execC14n.ExclusiveCanonicalizationWithComments,
+        "http://www.w3.org/2000/09/xmldsig#enveloped-signature": envelopedSignatures.EnvelopedSignature,
+        // XMLDSig 2.0
+        "http://www.w3.org/2010/xml-c14n2": c14n2.C14nCanonicalization2,
+        "http://www.w3.org/2010/xml-c14n2#WithComments": c14n2.C14nCanonicalization2WithComments,
+        "http://www.w3.org/2010/xmldsig2#transform": xmldsig2.XmlDsig2Transform,
+    };
+    // TODO: In v7.x we may consider deprecating sha1
+    /**
+     * To add a new hash algorithm create a new class that implements the {@link HashAlgorithm} interface, and register it here. More info: {@link https://github.com/node-saml/xml-crypto#customizing-algorithms|Customizing Algorithms}
+     */
+    HashAlgorithms = {
+        // XMLDSig 1.0/1.1
+        "http://www.w3.org/2000/09/xmldsig#sha1": hashAlgorithms.Sha1,
+        "http://www.w3.org/2001/04/xmlenc#sha256": hashAlgorithms.Sha256,
+        "http://www.w3.org/2001/04/xmlenc#sha384": hashAlgorithms.Sha384,
+        "http://www.w3.org/2001/04/xmlenc#sha512": hashAlgorithms.Sha512,
+        // XMLDSig 2.0 - Required
+        "http://www.w3.org/2001/04/xmldsig-more#sha224": hashAlgorithms.Sha224,
+        // XMLDSig 2.0 - Optional
+        "http://www.w3.org/2001/04/xmldsig-more#shake256": hashAlgorithms.Shake256,
+    };
+    // TODO: In v7.x we may consider deprecating sha1
+    /**
+     * To add a new signature algorithm create a new class that implements the {@link SignatureAlgorithm} interface, and register it here. More info: {@link https://github.com/node-saml/xml-crypto#customizing-algorithms|Customizing Algorithms}
+     */
+    SignatureAlgorithms = {
+        // XMLDSig 1.0/1.1 - RSA
+        "http://www.w3.org/2000/09/xmldsig#rsa-sha1": signatureAlgorithms.RsaSha1,
+        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": signatureAlgorithms.RsaSha256,
+        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224": signatureAlgorithms.RsaSha224,
+        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": signatureAlgorithms.RsaSha384,
+        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": signatureAlgorithms.RsaSha512,
+        // XMLDSig 1.0/1.1 - RSA-PSS
+        "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1": signatureAlgorithms.RsaSha256Mgf1,
+        "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1": signatureAlgorithms.RsaSha384Mgf1,
+        "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1": signatureAlgorithms.RsaSha512Mgf1,
+        // XMLDSig 1.0/1.1 - ECDSA
+        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1": signatureAlgorithms.EcdsaSha1,
+        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224": signatureAlgorithms.EcdsaSha224,
+        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256": signatureAlgorithms.EcdsaSha256,
+        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384": signatureAlgorithms.EcdsaSha384,
+        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512": signatureAlgorithms.EcdsaSha512,
+        // XMLDSig 1.0/1.1 - DSA
+        "http://www.w3.org/2000/09/xmldsig#dsa-sha1": signatureAlgorithms.DsaSha1,
+        "http://www.w3.org/2009/xmldsig11#dsa-sha256": signatureAlgorithms.DsaSha256,
+        // XMLDSig 1.0/1.1 - EdDSA
+        "http://www.w3.org/2007/05/xmldsig-more#eddsa-ed25519": signatureAlgorithms.Ed25519,
+        "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448": signatureAlgorithms.Ed448,
+        // XMLDSig 1.0/1.1 - HMAC
+        "http://www.w3.org/2000/09/xmldsig#hmac-sha1": signatureAlgorithms.HmacSha1,
+        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha224": signatureAlgorithms.HmacSha224,
+        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": signatureAlgorithms.HmacSha256,
+        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384": signatureAlgorithms.HmacSha384,
+        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512": signatureAlgorithms.HmacSha512,
+        // Disabled by default due to key confusion concerns.
+        // 'http://www.w3.org/2000/09/xmldsig#hmac-sha1': SignatureAlgorithms.HmacSha1
+    };
+    static defaultNsForPrefix = {
+        ds: "http://www.w3.org/2000/09/xmldsig#",
+    };
+    static noop = () => null;
     /**
      * The SignedXml constructor provides an abstraction for sign and verify xml documents. The object is constructed using
      * @param options {@link SignedXmlOptions}
      */
     constructor(options = {}) {
-        /**
-         * One of the supported signature algorithms.
-         * @see {@link SignatureAlgorithmType}
-         */
-        this.signatureAlgorithm = undefined;
-        /**
-         * Rules used to convert an XML document into its canonical form.
-         */
-        this.canonicalizationAlgorithm = undefined;
-        /**
-         * It specifies a list of namespace prefixes that should be considered "inclusive" during the canonicalization process.
-         */
-        this.inclusiveNamespacesPrefixList = [];
-        this.namespaceResolver = {
-            lookupNamespaceURI: function ( /* prefix */) {
-                throw new Error("Not implemented");
-            },
-        };
-        this.implicitTransforms = [];
-        this.keyInfoAttributes = {};
-        this.getKeyInfoContent = SignedXml.getKeyInfoContent;
-        this.getCertFromKeyInfo = SignedXml.getCertFromKeyInfo;
-        // Internal state
-        this.id = 0;
-        this.signedXml = "";
-        this.signatureXml = "";
-        this.signatureNode = null;
-        this.signatureValue = "";
-        this.originalXmlWithIds = "";
-        this.keyInfo = null;
-        /**
-         * Contains the references that were signed.
-         * @see {@link Reference}
-         */
-        this.references = [];
-        /**
-         * Contains the canonicalized XML of the references that were validly signed.
-         *
-         * This populates with the canonical XML of the reference only after
-         * verifying the signature is cryptographically authentic.
-         */
-        this.signedReferences = [];
-        /**
-         *  To add a new transformation algorithm create a new class that implements the {@link TransformationAlgorithm} interface, and register it here. More info: {@link https://github.com/node-saml/xml-crypto#customizing-algorithms|Customizing Algorithms}
-         */
-        this.CanonicalizationAlgorithms = {
-            "http://www.w3.org/TR/2001/REC-xml-c14n-20010315": c14n.C14nCanonicalization,
-            "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments": c14n.C14nCanonicalizationWithComments,
-            "http://www.w3.org/2001/10/xml-exc-c14n#": execC14n.ExclusiveCanonicalization,
-            "http://www.w3.org/2001/10/xml-exc-c14n#WithComments": execC14n.ExclusiveCanonicalizationWithComments,
-            "http://www.w3.org/2000/09/xmldsig#enveloped-signature": envelopedSignatures.EnvelopedSignature,
-        };
-        // TODO: In v7.x we may consider deprecating sha1
-        /**
-         * To add a new hash algorithm create a new class that implements the {@link HashAlgorithm} interface, and register it here. More info: {@link https://github.com/node-saml/xml-crypto#customizing-algorithms|Customizing Algorithms}
-         */
-        this.HashAlgorithms = {
-            "http://www.w3.org/2000/09/xmldsig#sha1": hashAlgorithms.Sha1,
-            "http://www.w3.org/2001/04/xmlenc#sha256": hashAlgorithms.Sha256,
-            "http://www.w3.org/2001/04/xmlenc#sha384": hashAlgorithms.Sha384,
-            "http://www.w3.org/2001/04/xmlenc#sha512": hashAlgorithms.Sha512,
-        };
-        // TODO: In v7.x we may consider deprecating sha1
-        /**
-         * To add a new signature algorithm create a new class that implements the {@link SignatureAlgorithm} interface, and register it here. More info: {@link https://github.com/node-saml/xml-crypto#customizing-algorithms|Customizing Algorithms}
-         */
-        this.SignatureAlgorithms = {
-            "http://www.w3.org/2000/09/xmldsig#rsa-sha1": signatureAlgorithms.RsaSha1,
-            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": signatureAlgorithms.RsaSha256,
-            "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1": signatureAlgorithms.RsaSha256Mgf1,
-            "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1": signatureAlgorithms.RsaSha384Mgf1,
-            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": signatureAlgorithms.RsaSha384,
-            "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1": signatureAlgorithms.RsaSha512Mgf1,
-            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": signatureAlgorithms.RsaSha512,
-            "http://www.w3.org/2007/05/xmldsig-more#eddsa-ed25519": signatureAlgorithms.Ed25519,
-            "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448": signatureAlgorithms.Ed488,
-            // Disabled by default due to key confusion concerns.
-            // 'http://www.w3.org/2000/09/xmldsig#hmac-sha1': SignatureAlgorithms.HmacSha1
-        };
         const { idMode, idAttribute, privateKey, publicCert, signatureAlgorithm, canonicalizationAlgorithm, inclusiveNamespacesPrefixList, implicitTransforms, keyInfoAttributes, getKeyInfoContent, getCertFromKeyInfo, objects, } = options;
         // Options
         this.idMode = idMode;
@@ -369,7 +409,9 @@ class SignedXml {
         let elem;
         if (typeof elemOrXpath === "string") {
             const firstElem = xpath.select1(elemOrXpath, doc);
+            // @ts-expect-error misssing Node properties are not needed
             isDomNode.assertIsElementNode(firstElem);
+            // @ts-expect-error misssing Node properties are not needed
             elem = firstElem;
         }
         else {
@@ -388,7 +430,7 @@ class SignedXml {
             const canonXml = this.getCanonReferenceXml(doc, ref, elem);
             const hash = this.findHashAlgorithm(ref.digestAlgorithm);
             const digest = hash.getHash(canonXml);
-            if (utils.validateDigestValue(digest, ref.digestValue)) {
+            if (ref.digestValue != null && typeof ref.digestValue === "string" && utils.validateDigestValue(digest, ref.digestValue)) {
                 return ref;
             }
         }
@@ -421,7 +463,7 @@ class SignedXml {
                 }
             }
         }
-        ref.getValidatedNode = (0, util_1.deprecate)((xpathSelector) => {
+        ref.getValidatedNode = deprecate((xpathSelector) => {
             xpathSelector = xpathSelector || ref.xpath;
             if (typeof xpathSelector !== "string" || ref.validationError != null) {
                 return null;
@@ -437,7 +479,7 @@ class SignedXml {
         const canonXml = this.getCanonReferenceXml(doc, ref, elem);
         const hash = this.findHashAlgorithm(ref.digestAlgorithm);
         const digest = hash.getHash(canonXml);
-        if (!utils.validateDigestValue(digest, ref.digestValue)) {
+        if (ref.digestValue == null || typeof ref.digestValue !== "string" || !utils.validateDigestValue(digest, ref.digestValue)) {
             const validationError = new Error(`invalid signature: for uri ${ref.uri} calculated digest is ${digest} but the xml to validate supplies digest ${ref.digestValue}`);
             ref.validationError = validationError;
             return false;
@@ -689,6 +731,7 @@ class SignedXml {
             } // No specific nodes to ID for empty URI
             const nodes = xpath.selectWithResolver(ref.xpath ?? "", doc, this.namespaceResolver);
             for (const node of nodes) {
+                // @ts-expect-error misssing Node properties are not needed
                 isDomNode.assertIsElementNode(node);
                 this.ensureHasId(node);
             }
@@ -805,6 +848,7 @@ class SignedXml {
         const signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
         // Find the SignedInfo element to append to
         const signedInfoNode = xpath.select1(`./*[local-name(.)='SignedInfo']`, signatureElem);
+        // @ts-expect-error misssing Node properties are not needed
         isDomNode.assertIsElementNode(signedInfoNode); // Type-safe assertion
         // Signature document is technically the same document as the one we are signing,
         // but we will extract it here for clarity (and also make it support detached signatures in the future)
@@ -817,10 +861,12 @@ class SignedXml {
             }
             // Process the reference
             for (const node of nodes) {
+                // @ts-expect-error misssing Node properties are not needed
                 isDomNode.assertIsElementNode(node);
                 // Must not be a reference to Signature, SignedInfo, or a child of SignedInfo
                 if (node === signatureElem ||
                     node === signedInfoNode ||
+                    // @ts-expect-error misssing Node properties are not needed
                     utils.isDescendantOf(node, signedInfoNode)) {
                     throw new Error(`Cannot sign a reference to the Signature or SignedInfo element itself: ${ref.xpath}`);
                 }
@@ -867,6 +913,7 @@ class SignedXml {
                 referenceElem.appendChild(digestMethodElem);
                 referenceElem.appendChild(digestValueElem);
                 // Append the reference element to SignedInfo
+                // @ts-expect-error misssing Node properties are not needed
                 signedInfoNode.appendChild(referenceElem);
             }
         }
@@ -1034,9 +1081,3 @@ class SignedXml {
         return this.signedXml;
     }
 }
-exports.SignedXml = SignedXml;
-SignedXml.defaultNsForPrefix = {
-    ds: "http://www.w3.org/2000/09/xmldsig#",
-};
-SignedXml.noop = () => null;
-//# sourceMappingURL=signed-xml.js.map

package/{lib → build}/types.d.ts

@@ -1,9 +1,22 @@
 import * as crypto from "crypto";
 export type ErrorFirstCallback<T> = (err: Error | null, result?: T) => void;
-export type CanonicalizationAlgorithmType = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" | "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" | "http://www.w3.org/2001/10/xml-exc-c14n#" | "http://www.w3.org/2001/10/xml-exc-c14n#WithComments" | string;
-export type CanonicalizationOrTransformAlgorithmType = CanonicalizationAlgorithmType | "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
-export type HashAlgorithmType = "http://www.w3.org/2000/09/xmldsig#sha1" | "http://www.w3.org/2001/04/xmlenc#sha256" | "http://www.w3.org/2001/04/xmlenc#sha384" | "http://www.w3.org/2001/04/xmlenc#sha512" | "http://www.w3.org/2001/04/xmlenc#sha3-512" | string;
-export type SignatureAlgorithmType = "http://www.w3.org/2000/09/xmldsig#rsa-sha1" | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" | "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1" | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" | "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1" | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" | "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1" | "http://www.w3.org/2007/05/xmldsig-more#eddsa-ed25519" | "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448" | "http://www.w3.org/2000/09/xmldsig#hmac-sha1" | string;
+/**
+ * XML Version support
+ * XML 1.0: https://www.w3.org/TR/xml/
+ * XML 1.1: https://www.w3.org/TR/xml11/
+ */
+export type XmlVersion = "1.0" | "1.1";
+/**
+ * XML Signature Version
+ * XMLDSig 1.0: https://www.w3.org/TR/xmldsig-core/
+ * XMLDSig 1.1: https://www.w3.org/TR/xmldsig-core1/
+ * XMLDSig 2.0: https://www.w3.org/TR/xmldsig-core2/
+ */
+export type XmlSignatureVersion = "1.0" | "1.1" | "2.0";
+export type CanonicalizationAlgorithmType = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" | "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" | "http://www.w3.org/2006/12/xml-c14n11" | "http://www.w3.org/2006/12/xml-c14n11#WithComments" | "http://www.w3.org/2001/10/xml-exc-c14n#" | "http://www.w3.org/2001/10/xml-exc-c14n#WithComments" | "http://www.w3.org/2010/xml-c14n2" | "http://www.w3.org/2010/xml-c14n2#WithComments" | string;
+export type CanonicalizationOrTransformAlgorithmType = CanonicalizationAlgorithmType | "http://www.w3.org/2000/09/xmldsig#enveloped-signature" | "http://www.w3.org/2010/xmldsig2#transform";
+export type HashAlgorithmType = "http://www.w3.org/2000/09/xmldsig#sha1" | "http://www.w3.org/2001/04/xmlenc#sha256" | "http://www.w3.org/2001/04/xmlenc#sha384" | "http://www.w3.org/2001/04/xmlenc#sha512" | "http://www.w3.org/2001/04/xmldsig-more#sha224" | "http://www.w3.org/2001/04/xmldsig-more#shake256" | string;
+export type SignatureAlgorithmType = "http://www.w3.org/2000/09/xmldsig#rsa-sha1" | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224" | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" | "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1" | "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1" | "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1" | "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1" | "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224" | "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256" | "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384" | "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512" | "http://www.w3.org/2000/09/xmldsig#dsa-sha1" | "http://www.w3.org/2009/xmldsig11#dsa-sha256" | "http://www.w3.org/2007/05/xmldsig-more#eddsa-ed25519" | "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448" | "http://www.w3.org/2000/09/xmldsig#hmac-sha1" | "http://www.w3.org/2001/04/xmldsig-more#hmac-sha224" | "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256" | "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384" | "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512" | string;
 /**
  * @param cert the certificate as a string or array of strings (@see https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-X509Data)
  * @param prefix an optional namespace alias to be used for the generated XML
@@ -85,22 +98,46 @@ export interface ComputeSignatureOptions {
 }
 /**
  * Represents a reference node for XML digital signature.
+ *
+ * For XMLDSig 2.0 mode:
+ * - URI attribute MUST NOT be present
+ * - Must contain exactly one Transform with algorithm "http://www.w3.org/2010/xmldsig2#transform"
+ * - Selection is specified via dsig2:Selection element
  */
 export interface Reference {
     xpath?: string;
     transforms: ReadonlyArray<CanonicalizationOrTransformAlgorithmType>;
     digestAlgorithm: HashAlgorithmType;
-    uri: string;
+    uri?: string;
     digestValue?: unknown;
     inclusiveNamespacesPrefixList: string[];
-    isEmptyUri: boolean;
+    isEmptyUri?: boolean;
     id?: string;
     type?: string;
     ancestorNamespaces?: NamespacePrefix[];
+    selectionMethod?: "xpath" | "xpointer" | "stream" | "xpath-filter";
+    selectionExpression?: string;
     validationError?: Error;
     getValidatedNode(xpathSelector?: string): Node | null;
     signedReference?: string;
 }
+/**
+ * XMLDSig 2.0 Reference with Selection element
+ */
+export interface Reference2 extends Reference {
+    uri?: never;
+    selectionMethod: "xpath" | "xpointer" | "stream" | "xpath-filter";
+    selectionExpression: string;
+}
+/**
+ * KeyInfoReference for XMLDSig 2.0
+ * Provides a secure way to reference KeyInfo elements
+ * @see https://www.w3.org/TR/xmldsig-core2/#sec-KeyInfoReference
+ */
+export interface KeyInfoReference {
+    uri: string;
+    inclusiveNamespacesPrefixList?: string[];
+}
 /** Implement this to create a new CanonicalizationOrTransformationAlgorithm */
 export interface CanonicalizationOrTransformationAlgorithm {
     process(node: Node, options: CanonicalizationOrTransformationAlgorithmProcessOptions): Node | string;

package/build/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAEjC,MAAM,MAAM,kBAAkB,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,GAAG,IAAI,EAAE,MAAM,CAAC,EAAE,CAAC,KAAK,IAAI,CAAC;AAE5E;;;;GAIG;AACH,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,KAAK,CAAC;AAEvC;;;;;GAKG;AACH,MAAM,MAAM,mBAAmB,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC;AAExD,MAAM,MAAM,6BAA6B,GAErC,iDAAiD,GACjD,8DAA8D,GAC9D,sCAAsC,GACtC,mDAAmD,GACnD,yCAAyC,GACzC,qDAAqD,GAErD,kCAAkC,GAClC,+CAA+C,GAC/C,MAAM,CAAC;AAEX,MAAM,MAAM,wCAAwC,GAChD,6BAA6B,GAC7B,uDAAuD,GAEvD,2CAA2C,CAAC;AAEhD,MAAM,MAAM,iBAAiB,GAEzB,wCAAwC,GACxC,yCAAyC,GACzC,yCAAyC,GACzC,yCAAyC,GAEzC,+CAA+C,GAE/C,iDAAiD,GACjD,MAAM,CAAC;AAEX,MAAM,MAAM,sBAAsB,GAE9B,4CAA4C,GAC5C,mDAAmD,GACnD,mDAAmD,GACnD,mDAAmD,GACnD,mDAAmD,GACnD,wDAAwD,GACxD,wDAAwD,GACxD,wDAAwD,GAExD,mDAAmD,GACnD,qDAAqD,GACrD,qDAAqD,GACrD,qDAAqD,GACrD,qDAAqD,GAErD,4CAA4C,GAC5C,6CAA6C,GAE7C,sDAAsD,GACtD,oDAAoD,GAEpD,6CAA6C,GAC7C,oDAAoD,GACpD,oDAAoD,GACpD,oDAAoD,GACpD,oDAAoD,GACpD,MAAM,CAAC;AAEX;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,4BAA4B;IAC5B,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,uCAAuC;IACvC,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC;IAC5B,kBAAkB,CAAC,EAAE,sBAAsB,CAAC;IAC5C,yBAAyB,CAAC,EAAE,6BAA6B,CAAC;IAC1D,6BAA6B,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClD,kBAAkB,CAAC,EAAE,aAAa,CAAC,wCAAwC,CAAC,CAAC;IAC7E,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE3C,iBAAiB,CAAC,CAAC,IAAI,CAAC,EAAE,qBAAqB,GAAG,MAAM,GAAG,IAAI,CAAC;IAEhE,kBAAkB,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAAC;IAE1D,OAAO,CAAC,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,gBAAgB,CAAA;KAAE,CAAC,CAAC;CACrE;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,uDAAuD;IACtE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5C,kBAAkB,CAAC,EAAE,eAAe,EAAE,CAAC;IACvC,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC5B,6BAA6B,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1C;AAED,MAAM,WAAW,+BAA+B;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,QAAQ,GAAG,OAAO,CAAC;CACpD;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,uBAAuB;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,QAAQ,CAAC,EAAE,+BAA+B,CAAC;IAC3C,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,SAAS;IAExB,KAAK,CAAC,EAAE,MAAM,CAAC;IAGf,UAAU,EAAE,aAAa,CAAC,wCAAwC,CAAC,CAAC;IAGpE,eAAe,EAAE,iBAAiB,CAAC;IAInC,GAAG,CAAC,EAAE,MAAM,CAAC;IAGb,WAAW,CAAC,EAAE,OAAO,CAAC;IAGtB,6BAA6B,EAAE,MAAM,EAAE,CAAC;IAGxC,UAAU,CAAC,EAAE,OAAO,CAAC;IAGrB,EAAE,CAAC,EAAE,MAAM,CAAC;IAGZ,IAAI,CAAC,EAAE,MAAM,CAAC;IAGd,kBAAkB,CAAC,EAAE,eAAe,EAAE,CAAC;IAGvC,eAAe,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,QAAQ,GAAG,cAAc,CAAC;IAGnE,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAE7B,eAAe,CAAC,EAAE,KAAK,CAAC;IAExB,gBAAgB,CAAC,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC;IAEtD,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,UAAW,SAAQ,SAAS;IAE3C,GAAG,CAAC,EAAE,KAAK,CAAC;IAEZ,eAAe,EAAE,OAAO,GAAG,UAAU,GAAG,QAAQ,GAAG,cAAc,CAAC;IAElE,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAE/B,GAAG,EAAE,MAAM,CAAC;IAGZ,6BAA6B,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1C;AAED,+EAA+E;AAC/E,MAAM,WAAW,yCAAyC;IACxD,OAAO,CACL,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,uDAAuD,GAC/D,IAAI,GAAG,MAAM,CAAC;IAEjB,gBAAgB,IAAI,wCAAwC,CAAC;CAC9D;AAED,mDAAmD;AACnD,MAAM,WAAW,aAAa;IAC5B,gBAAgB,IAAI,iBAAiB,CAAC;IAEtC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;CAC9B;AAED,qDAAqD;AACrD,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC;IAEhF,YAAY,CACV,UAAU,EAAE,MAAM,CAAC,UAAU,EAC7B,UAAU,EAAE,MAAM,CAAC,OAAO,EAC1B,QAAQ,CAAC,EAAE,kBAAkB,CAAC,MAAM,CAAC,GACpC,IAAI,CAAC;IAER;;;;OAIG;IACH,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC;IAExF,eAAe,CACb,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,CAAC,OAAO,EACnB,cAAc,EAAE,MAAM,EACtB,QAAQ,CAAC,EAAE,kBAAkB,CAAC,OAAO,CAAC,GACrC,IAAI,CAAC;IAER,gBAAgB,IAAI,sBAAsB,CAAC;CAC5C;AAED,wDAAwD;AACxD,MAAM,WAAW,kBAAkB;IACjC,gBAAgB,IAAI,wCAAwC,CAAC;IAE7D,OAAO,CAAC,IAAI,EAAE,IAAI,GAAG,MAAM,CAAC;CAC7B;AA8BD;;;;;GAKG;AACH,wBAAgB,8BAA8B,CAAC,CAAC,EAAE,CAAC,SAAS,OAAO,EAAE,EACnE,WAAW,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,CAAC,GAC7B;IACD,CAAC,GAAG,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC;IAChB,CAAC,GAAG,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;CAChD,CAiBA"}

package/{lib → build}/types.js

@@ -1,11 +1,8 @@
-"use strict";
 /* eslint-disable no-unused-vars */
 // Type definitions for @node-saml/xml-crypto
 // Project: https://github.com/node-saml/xml-crypto#readme
 // Original definitions by: Eric Heikes <https://github.com/eheikes>
 //                          Max Chehab <https://github.com/maxchehab>
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createOptionalCallbackFunction = createOptionalCallbackFunction;
 /**
  * ### Sign
  * #### Properties
@@ -36,7 +33,7 @@ function isErrorFirstCallback(possibleCallback) {
  * This follows the factory pattern.
  * Just call this function, passing the function that you'd like to add a callback version of.
  */
-function createOptionalCallbackFunction(syncVersion) {
+export function createOptionalCallbackFunction(syncVersion) {
     return ((...args) => {
         const possibleCallback = args[args.length - 1];
         if (isErrorFirstCallback(possibleCallback)) {
@@ -53,4 +50,3 @@ function createOptionalCallbackFunction(syncVersion) {
         }
     });
 }
-//# sourceMappingURL=types.js.map

package/{lib → build}/utils.d.ts

@@ -1,11 +1,29 @@
-import type { NamespacePrefix } from "./types";
+import type { NamespacePrefix } from "./types.js";
 export declare function isArrayHasLength(array: unknown): array is unknown[];
-export declare function findAttr(element: Element, localName: string, namespace?: string): Attr | null;
+export declare function findAttr(element: Element, localName: string, namespace?: string): Attr;
 export declare function findChildren(node: Node | Document, localName: string, namespace?: string): Element[];
 /** @deprecated */
 export declare function findChilds(node: Node | Document, localName: string, namespace?: string): Element[];
-export declare function encodeSpecialCharactersInAttribute(attributeValue: any): any;
+/**
+ * Encode special characters in attribute values for XML 1.0
+ */
+export declare function encodeSpecialCharactersInAttribute(attributeValue: string): string;
+/**
+ * Encode special characters in text content for XML 1.0
+ */
 export declare function encodeSpecialCharactersInText(text: string): string;
+/**
+ * Encode special characters in attribute values for XML 1.1
+ * XML 1.1 requires escaping additional control characters
+ * @see https://www.w3.org/TR/xml11/#charsets
+ */
+export declare function encodeSpecialCharactersInAttributeXml11(attributeValue: string): string;
+/**
+ * Encode special characters in text content for XML 1.1
+ * XML 1.1 requires escaping additional control characters
+ * @see https://www.w3.org/TR/xml11/#charsets
+ */
+export declare function encodeSpecialCharactersInTextXml11(text: string): string;
 /**
  * PEM format has wide range of usages, but this library
  * is enforcing RFC7468 which focuses on PKIX, PKCS and CMS.
@@ -61,5 +79,17 @@ export declare function derToPem(der: string | Buffer, pemLabel?: "CERTIFICATE"
  * @returns i.e. [{prefix: "saml", namespaceURI: "urn:oasis:names:tc:SAML:2.0:assertion"}]
  */
 export declare function findAncestorNs(doc: Document, docSubsetXpath?: string, namespaceResolver?: XPathNSResolver): NamespacePrefix[];
-export declare function validateDigestValue(digest: any, expectedDigest: any): boolean;
+/**
+ * Validate digest value with timing-safe comparison
+ */
+export declare function validateDigestValue(digest: string, expectedDigest: string): boolean;
 export declare function isDescendantOf(node: Node, parent: Node): boolean;
+/**
+ * Check if a character is valid in XML 1.1
+ * @see https://www.w3.org/TR/xml11/#charsets
+ */
+export declare function isValidXml11Char(char: string): boolean;
+/**
+ * Validate if a string is valid XML 1.1
+ */
+export declare function isValidXml11String(str: string): boolean;

package/build/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAUlD,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,OAAO,EAAE,CAEnE;AAaD,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,QAY/E;AAED,wBAAgB,YAAY,CAAC,IAAI,EAAE,IAAI,GAAG,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,aAcxF;AAED,kBAAkB;AAClB,wBAAgB,UAAU,CAAC,IAAI,EAAE,IAAI,GAAG,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,aAEtF;AAyFD;;GAEG;AACH,wBAAgB,kCAAkC,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CASjF;AAED;;GAEG;AACH,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CASlE;AAED;;;;GAIG;AACH,wBAAgB,uCAAuC,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKtF;AAED;;;;GAIG;AACH,wBAAgB,kCAAkC,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAIvE;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gBAAgB,QAG5B,CAAC;AACF,eAAO,MAAM,kBAAkB,QAG9B,CAAC;AACF,eAAO,MAAM,YAAY,QAGxB,CAAC;AAEF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAOhD;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAY5C;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CACtB,GAAG,EAAE,MAAM,GAAG,MAAM,EACpB,QAAQ,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,gBAAgB,GAC1D,MAAM,CAsBR;AA6CD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAC5B,GAAG,EAAE,QAAQ,EACb,cAAc,CAAC,EAAE,MAAM,EACvB,iBAAiB,CAAC,EAAE,eAAe,GAClC,eAAe,EAAE,CA0CnB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAkBnF;AAkBD,wBAAgB,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,OAAO,CAehE;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAQtD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAOvD"}