How to sign KeyInfo?

[calvarezm70]

How to sign the KeyInfo (#KeyInfo001), which is part of the signature element itself?

<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#' Id='Signature001'>
   <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315' />
     <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
     <ds:Reference URI=''>
       <ds:Transforms>
         <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature' />
       </ds:Transforms>
       <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
       <ds:DigestValue>sXe2PnaG...</ds:DigestValue>
     </ds:Reference>
     **<ds:Reference URI='#KeyInfo001'>**
       <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
       <ds:DigestValue>ZOS23PQ9TcDu+G...</ds:DigestValue>
     </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>jTLX0/8XkY2aCte7...</ds:SignatureValue>
     **<ds:KeyInfo Id='KeyInfo001'>**
       <ds:X509Data>
         <ds:X509Certificate>E3wdSY4n7MgUmJzMIGfMA0...</ds:X509Certificate>
     </ds:X509Data>
   </ds:KeyInfo>
</ds:Signature>

[microshine]

You can do it programmatically before Sign method calling.

const xmlsig = new XmlDSigJs.SignedXml();

// Set Id for KeyInfo
xmlsig.XmlSignature.KeyInfo.Id = "KeyInfo001";

// Create Reference for KeyInfo
const keyInfoRef = new XmlDSigJs.Reference("#KeyInfo001");
keyInfoRef.DigestMethod.Algorithm = XmlDSigJs.SHA1_NAMESPACE;

// Add Reference to SignedInfo
xmlsig.XmlSignature.SignedInfo.References.Add(keyInfoRef);

[microshine]

This is source code for Reference creation from options

[calvarezm70]

@microshine, thanks for your reply. Now I get the following error when 'npm run build' src/index.ts → dist/xades.js... (!) Missing exports https://github.com/rollup/rollup/wiki/Troubleshooting#name-is-not-exported-by-module src/signed_xml.ts SHA1_NAMESPACE is not exported by node_modules/xmldsigjs/lib/index.js 2018-05-25 0:49 GMT-06:00 Miroshin Stepan <notifications@github.com>:

…

You can do it programmatically before Sign method calling. // Set Id for KeyInfothis.XmlSignature.KeyInfo.Id = "KeyInfo001"; // Create Reference for KeyInfoconst keyInfoRef = new XmlDSigJs.Reference("#KeyInfo001");keyInfoRef.DigestMethod.Algorithm = XmlDSigJs.SHA1_NAMESPACE; // Add Reference to SignedInfothis.XmlSignature.SignedInfo.References.Add(keyInfoRef); — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#69 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AQpy2vIohFzrSlaOJw5kezU-bbmGhKC6ks5t16ljgaJpZM4UNGlc> .

[microshine]

This is my error. You can use http://www.w3.org/2000/09/xmldsig#sha1 instead of SHA1_NAMESPACE

[calvarezm70]

When trying to sign the document the following error occurs.

XmlError {
prefix: 'XMLJS',
code: 13,
name: 'XmlError',
message: 'XMLJS0013: Cryptographic error: Cannot get object by reference: KeyInfoId-Signature-f56f20fc-325a-4d4d-bda1-645fc1240adf',
stack: 'Error: XMLJS0013: Cryptographic error: Cannot get object by reference: KeyInfoId-Signature-f56f20fc-325a-4d4d-bda1-645fc1240adf\n at new XmlError (../xadesjs/dist/xades.js:395:16)\n at ../xadesjs/dist/xades.js:17344:15\n at ' }

[microshine]

xmldsigjs doesn't look through Signature items.
https://github.com/PeculiarVentures/xmldsigjs/blob/master/src/signed_xml.ts#L310

Can you fix it and make PR? I don't have enough time to fix it right now. I have to finish some tasks in another project

[nayrban]

Hi all,
did someone has a chance to solve this?, I still have the same issue!! :(

[microshine]

I published new version of xmldsigjs@2.0.21 which fixes this problem

Here is example for Id adding to KeyInfo and Signature nodes

const XmlDSigJs = require("xmldsigjs");
const CryptoOssl = require("node-webcrypto-ossl");

const crypto = new CryptoOssl();
XmlDSigJs.Application.setEngine("OpenSSL", crypto);

async function main() {
  const xml = `<root><child/></root>`;
  const xmlsig = new XmlDSigJs.SignedXml();
  const alg = {
    name: "RSASSA-PKCS1-v1_5",
    hash: "SHA-256",
    publicExponent: new Uint8Array([1, 0, 1]),
    modulusLength: 2048,
  };

  const keys = await crypto.subtle.generateKey(alg, false, ["sign", "verify"]);

  // Set Id for <Signature>
  xmlsig.XmlSignature.Id = "Signature001";
  // Set Id for <KeyInfo>
  xmlsig.XmlSignature.KeyInfo.Id = "KeyInfo001";

  // Create <Reference> for <KeyInfo>
  const keyInfoRef = new XmlDSigJs.Reference("#KeyInfo001");
  keyInfoRef.DigestMethod.Algorithm = XmlDSigJs.SHA256_NAMESPACE;
  
  // Create <Reference> for #Document
  const docRef = new XmlDSigJs.Reference("");
  keyInfoRef.DigestMethod.Algorithm = XmlDSigJs.SHA256_NAMESPACE;

  // Add <Reference>s to <SignedInfo>
  xmlsig.XmlSignature.SignedInfo.References.Add(keyInfoRef);
  xmlsig.XmlSignature.SignedInfo.References.Add(docRef);

  // Add <KeyValue>
  const keyValue = new XmlDSigJs.KeyValue();
  await keyValue.importKey(keys.publicKey);
  xmlsig.XmlSignature.KeyInfo.Add(keyValue)

  await xmlsig.Sign(                                  // Signing document
    alg,                                                  // algorithm 
    keys.privateKey,                                      // key 
    XmlDSigJs.Parse(xml),                                 // document)
  );
  console.log(xmlsig.toString());       // <xml> document with signature
}

main().catch((err) => console.log(err));

Output XML

<ds:Signature Id="Signature001" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#KeyInfo001"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>xbYj0PRnLx7qwiHhEsPei8+hgdCoBrUHy4b+aER/e3s=</ds:DigestValue></ds:Reference><ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>4wQQXfn5Is9mlAMiJ5RaZ0vgHBcI7SjV626tOAWVpnM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PHCEGvH8nWAXERbwhKxmdcN5DHC9iu1coccKQDUIPvTdfQRlWgVMBM39I4nEo/PxMrQaz/Tv/QvklyZ7AniGd68gE7uxPy8UXwU0OTbZ2hlR5M9mtDKo8qXXCmjSISxbG4MkMbt3Hc3Dnv/vxX3ObDGsoy2DwnbklvwE+s6HoTCaXJatxpo4JomK+1Ckp34dJ1tAiQoo0Ucj0k8sh7yJd+wn+Xg2vvVjXacORabb5GnJua+j+1MK8yQqVvWrMsfLioNJekh4YQZ3UwEwPNQr8H2je7vNg7voYcewZs2DFzLNejOFbekbCvFITh3aUq3QrxSQRo8capbcPhz2Nigaog==</ds:SignatureValue><ds:KeyInfo Id="KeyInfo001"><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>2jQpT1nTi4OGv6XO+3KNVqpt86fPzGyYGQm9Orz/Dh8dpZp7vrlY/Y3K2OseocVcAg/Uaa76poCqGjh/Bq1E6dM/dV+JVus8lcLPxiPBC4fcxiZng+SKzoIQCY366qe055Jc4zcdXeKjEbv1VqkCsyHkK6cwo93V0CzPGT8uQaFza/vsXBM7HZJz9FPIoxZl8uDfbgzV0FxMvQ05ms9RM9iTTXBrqfYQwd9ViPvC4+uuFG8KTU5Qc5M5yi0jdCFBYW0Lcqu4oj+vblJoLCvwx6QsB0aW/kYDGvtSQliF+L97i9+rjppk+5GAsz36x+Dg3HHS9HrO5lCgH+TTQ4IOFQ==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature>

[calvarezm70]

Many thanks for the excellent help. Now even KeyInfo is being signed.

I just need to be able to set the Id of the SignatureValue, as in the following example:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature001">
    ...
    <ds:SignatureValue Id="SignatureValue001">
        ...
    </ds:SignatureValue>
    ...    
</ds:Signature>