IOS>> xadesjs>> 返回
项目作者: PeculiarVentures

项目描述 :
A pure Typescript/Javascript implementation of XAdES based on XMLDSIGjs. (Keywords: WebCrypto, XMLDSIG, XADES, eIDAS, Trust List, X.509, CRL, OCSP)
高级语言: TypeScript
项目地址: git://github.com/PeculiarVentures/xadesjs.git
创建时间: 2016-03-23T04:43:21Z
项目社区:https://github.com/PeculiarVentures/xadesjs
开源协议:MIT License
下载


XAdESjs

license
CircleCI
Coverage Status
npm version

NPM

XAdES is short for “XML Advanced Electronic Signatures”, it is a superset of XMLDSIG. This library aims to provide an implementation of XAdES in Typescript/Javascript that is built on XMLDSIGjs.

Since it is based on XMLDSIGjs and that library uses Web Crypto for cryptographic operations it can be used both in browsers and in Node.js (when used with a polyfill like webcrypto, node-webcrypto-ossl or node-webcrypto-p11).

There are seven different profiles of XAdES, they are:

  • Basic Electronic Signature (XAdES-BES)
  • XAdES with Timestamp (XAdES-T)
  • XAdES with Complete Validation Data (XAdES-C)
  • XAdES with Extended Validation Data (XAdES-X)
  • XAdES with Extended Long Term Validation Data (XAdES-X-L)
  • XAdES with Archiving Validation Data (XAdES-A)
  • XAdES with Explicit policy electronic signatures (XAdES-EPES)

They differ slightly based on what is included in the signature:

Provides Digital Signature Includes Cryptographic Timestamp Includes Revocation References Includes Revocation Data Allows Secure Timestamp Countersignature
XAdES-BES Yes No No No No
XAdES-EPES Yes No No No No
XAdES-T Yes Yes No No No
XAdES-C Yes Yes Yes No No
XAdES-X Yes Yes Yes No No
XAdES-X-L Yes Yes Yes Yes No
XAdES-A Yes Yes Yes Yes Yes
  • Only XAdES-BES (in BOLD) is fully supported by XAdESjs. For the other variants can be created, decoded and verified but the caller must do the construction and policy to ensure compliant messages on their own.

INSTALLING

  1. npm install xadesjs

The npm module has a dist folder with the following files:

Name Size Description
index.js 105 Kb UMD module with external modules. Has comments
xades.js 803 Kb UMD bundle module. Has comments
xades.min.js 296 Kb minified UMD bundle module

There is also a lib folder with an ES2015 JS file which you can use with rollup bundler.

COMPATABILITY

CRYPTOGRAPHIC ALGORITHM SUPPORT

Name SHA1 SHA2-256 SHA2-384 SHA2-512
RSASSA-PKCS1-v1_5 X X X X
RSA-PSS X X X X
ECDSA X X X X
HMAC X X X X

CANONICALIZATION ALGORITHM SUPPORT

  • XmlDsigC14NTransform
  • XmlDsigC14NWithCommentsTransform
  • XmlDsigExcC14NTransform
  • XmlDsigExcC14NWithCommentsTransform
  • XmlDsigEnvelopedSignatureTransform
  • XmlDsigBase64Transform

PLATFORM SUPPORT

XAdESjs works with any browser that suppports Web Crypto. Since node does not have Web Crypto you will need a polyfill on this platform, for this reason the npm package includes webcrypto; browsers do not need this dependency and in those cases though it will be installed it will be ignored.

If you need to use a Hardware Security Module we have also created a polyfill for Web Crypto that supports PKCS #11. Our polyfill for this is node-webcrypto-p11.

To use node-webcrypto-ossl you need to specify you want to use it, that looks like this:

  1. var xadesjs = require("./built/xades.js");
  2. var { Crypto } = require("@peculiar/webcrypto");
  4. xadesjs.Application.setEngine("NodeJS", new Crypto());

The node-webcrypto-p11 polyfill will work the same way. The only difference is that you have to specify the details about your PKCS #11 device when you instansiate it:

  1. var xadesjs = require("./built/xades.js");
  2. var WebCrypto = require("node-webcrypto-p11").WebCrypto;
  4. xadesjs.Application.setEngine("PKCS11", new WebCrypto({
  5.     library: "/path/to/pkcs11.so",
  6.     name: "Name of PKCS11 lib",
  7.     slot: 0,
  8.     sessionFlags: 2 | 4, // RW_SESSION | SERIAL_SESSION
  9.     pin: "token pin"
  10. }));

WARNING

Using XMLDSIG is a bit like running with scissors, that said it is needed for interoperability with a number of systems, for this reason, we have done this implementation.

Usage

Sign

  1. SignedXml.Sign(algorithm: Algorithm, key: CryptoKey, data: Document, options?: OptionsXAdES): PromiseLike<Signature>;

Parameters

Name Description
algorithm Signing Algorithm
key Signing Key
data XML document which must be signed
options Additional options

Options

  1. interface OptionsXAdES {
  2.     /**
  3.      * Public key for KeyInfo block
  4.      */
  5.     keyValue?: CryptoKey;
  6.     /**
  7.      * List of X509 Certificates
  8.      */
  9.     x509?: string[];
  10.     /**
  11.      * List of Reference
  12.      * Default is Reference with hash alg SHA-256 and exc-c14n transform  
  13.      */
  14.     references?: OptionsSignReference[];
  16.     // Signed signature properties
  18.     signingCertificate?: string;
  19.     signingTime?: OptionsSigningTime;
  20.     policy?: OptionsPolicyId;
  21.     productionPlace?: OptionsProductionPlace;
  22.     signerRole?: OptionsSignerRole;
  23. }
  25. interface OptionsSignReference {
  26.     /**
  27.      * Id of Reference
  28.      */
  29.     id?: string;
  30.     uri?: string;
  31.     /**
  32.      * Hash algorithm
  33.      */
  34.     hash: AlgorithmIdentifier;
  35.     /**
  36.      * List of transforms
  37.      */
  38.     transforms?: OptionsSignTransform[];
  39. }
  41. type OptionsSignTransform = "enveloped" | "c14n" | "exc-c14n" | "c14n-com" | "exc-c14n-com" | "base64";
  43. interface OptionsSigningTime {
  44.     value?: Date;
  45.     format?: string;
  46. }
  48. interface OptionsSignerRole {
  49.     claimed?: string[];
  50.     certified?: string[];
  51. }
  53. interface OptionsProductionPlace {
  54.     city?: string;
  55.     state?: string;
  56.     code?: string;
  57.     country?: string;
  58. }
  60. interface OptionsPolicyId {
  61. }

Verify

  1. Verify(key?: CryptoKey): PromiseLike<boolean>;

Parameters

Name Description
key Verifying Key. Optional. If key not set it looks for keys in KeyInfo element of Signature.

EXAMPLES

Create XAdES-BES Signature

In Node

  1. var xadesjs = require("xadesjs");
  2. var { Crypto } = require("@peculiar/webcrypto");
  4. xadesjs.Application.setEngine("NodeJS", new Crypto());
  6. // Generate RSA key pair
  7. var privateKey, publicKey;
  8. xadesjs.Application.crypto.subtle.generateKey(
  9.     {
  10.         name: "RSASSA-PKCS1-v1_5",
  11.         modulusLength: 1024, //can be 1024, 2048, or 4096,
  12.         publicExponent: new Uint8Array([1, 0, 1]),
  13.         hash: { name: "SHA-1" }, //can be "SHA-1", "SHA-256", "SHA-384", or "SHA-512"
  14.     },
  15.     false, //whether the key is extractable (i.e. can be used in exportKey)
  16.     ["sign", "verify"] //can be any combination of "sign" and "verify"
  17. )
  18.     .then(function (keyPair) {
  19.         // Push ganerated keys to global variable
  20.         privateKey = keyPair.privateKey;
  21.         publicKey = keyPair.publicKey;
  23.         // Call sign function
  24.         var xmlString = '<player bats="left" id="10012" throws="right">\n\t<!-- Here\'s a comment -->\n\t<name>Alfonso Soriano</name>\n\t<position>2B</position>\n\t<team>New York Yankees</team>\n</player>';
  25.         return SignXml(xmlString, keyPair, { name: "RSASSA-PKCS1-v1_5", hash: { name: "SHA-1" } });
  26.     })
  27.     .then(function (signedDocument) {
  28.         console.log("Signed document:\n\n", signedDocument);
  29.     })
  30.     .catch(function (e) {
  31.         console.error(e);
  32.     });
  35. function SignXml(xmlString, keys, algorithm) {
  36.     return Promise.resolve()
  37.         .then(() => {
  38.             var xmlDoc = xadesjs.Parse(xmlString);
  39.             var signedXml = new xadesjs.SignedXml();
  41.             return signedXml.Sign(               // Signing document
  42.                 algorithm,                              // algorithm
  43.                 keys.privateKey,                        // key
  44.                 xmlDoc,                                 // document
  45.                 {                                       // options
  46.                     keyValue: keys.publicKey,
  47.                     references: [
  48.                         { hash: "SHA-256", transforms: ["enveloped"] }
  49.                     ],
  50.                     productionPlace: {
  51.                         country: "Country",
  52.                         state: "State",
  53.                         city: "City",
  54.                         code: "Code",
  55.                     },
  56.                     signingCertificate: "MIIGgTCCBGmgAwIBAgIUeaHFHm5f58zYv20JfspVJ3hossYwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAk5MMSAwHgYDVQQKExdRdW9WYWRpcyBUcnVzdGxpbmsgQi5WLjEoMCYGA1UECxMfSXNzdWluZyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTE3MDUGA1UEAxMuUXVvVmFkaXMgRVUgSXNzdWluZyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBHMjAeFw0xMzEwMzAxMjI3MTFaFw0xNjEwMzAxMjI3MTFaMHoxCzAJBgNVBAYTAkJFMRAwDgYDVQQIEwdCcnVzc2VsMRIwEAYDVQQHEwlFdHRlcmJlZWsxHDAaBgNVBAoTE0V1cm9wZWFuIENvbW1pc3Npb24xFDASBgNVBAsTC0luZm9ybWF0aWNzMREwDwYDVQQDDAhFQ19ESUdJVDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJgkkqvJmZaknQC7c6H6LEr3dGtQ5IfOB3HAZZxOZbb8tdM1KMTO3sAifJC5HNFeIWd0727uZj+V5kBrUv36zEs+VxiN1yJBmcJznX4J2TCyPfLk2NRELGu65VwrK2Whp8cLLANc+6pQn/5wKh23ehZm21mLXcicZ8whksUGb/h8p6NDe1cElD6veNc9CwwK2QT0G0mQiEYchqjJkqyY8HEak8t+CbIC4Rrhyxh3HI1fCK0WKS9JjbPQFbvGmfpBZuLPYZYzP4UXIqfBVYctyodcSAnSfmy6tySMqpVSRhjRn4KP0EfHlq7Ec+H3nwuqxd0M4vTJlZm+XwYJBzEFzFsCAwEAAaOCAeQwggHgMFgGA1UdIARRME8wCAYGBACLMAECMEMGCisGAQQBvlgBgxAwNTAzBggrBgEFBQcCARYnaHR0cDovL3d3dy5xdW92YWRpc2dsb2JhbC5ubC9kb2N1bWVudGVuMCQGCCsGAQUFBwEDBBgwFjAKBggrBgEFBQcLAjAIBgYEAI5GAQEwdAYIKwYBBQUHAQEEaDBmMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5xdW92YWRpc2dsb2JhbC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly90cnVzdC5xdW92YWRpc2dsb2JhbC5jb20vcXZldWNhZzIuY3J0MEYGCiqGSIb3LwEBCQEEODA2AgEBhjFodHRwOi8vdHNhMDEucXVvdmFkaXNnbG9iYWwuY29tL1RTUy9IdHRwVHNwU2VydmVyMBMGCiqGSIb3LwEBCQIEBTADAgEBMA4GA1UdDwEB/wQEAwIGQDAfBgNVHSMEGDAWgBTg+A751LXyf0kjtsN5x6M1H4Z6iDA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLnF1b3ZhZGlzZ2xvYmFsLmNvbS9xdmV1Y2FnMi5jcmwwHQYDVR0OBBYEFDc3hgIFJTDamDEeQczI7Lot4uaVMA0GCSqGSIb3DQEBBQUAA4ICAQAZ8EZ48RgPimWY6s4LjZf0M2MfVJmNh06Jzmf6fzwYtDtQLKzIDk8ZtosqYpNNBoZIFICMZguGRAP3kuxWvwANmrb5HqyCzXThZVPJTmKEzZNhsDtKu1almYBszqX1UV7IgZp+jBZ7FyXzXrXyF1tzXQxHGobDV3AEE8vdzEZtwDGpZJPnEPCBzifdY+lrrL2rDBjbv0VeildgOP1SIlL7dh1O9f0T6T4ioS6uSdMt6b/OWjqHadsSpKry0A6pqfOqJWAhDiueqgVB7vus6o6sSmfG4SW9EWW+BEZ510HjlQU/JL3PPmf+Xs8s00sm77LJ/T/1hMUuGp6TtDsJe+pPBpCYvpm6xu9GL20CsArFWUeQ2MSnE1jsrb00UniCKslcM63pU7I0VcnWMJQSNY28OmnFESPK6s6zqoN0ZMLhwCVnahi6pouBwTb10M9/Anla9xOT42qxiLr14S2lHy18aLiBSQ4zJKNLqKvIrkjewSfW+00VLBYbPTmtrHpZUWiCGiRS2SviuEmPVbdWvsBUaq7OMLIfBD4nin1FlmYnaG9TVmWkwVYDsFmQepwPDqjPs4efAxzkgUFHWn0gQFbqxRocKrCsOvCDHOHORA97UWcThmgvr0Jl7ipvP4Px//tRp08blfy4GMzYls5WF8f6JaMrNGmpfPasd9NbpBNp7A=="
  57.                 })
  58.             })
  59.             .then(signature => signature.toString());
  60. }

In the browser

  1. <!DOCTYPE html>
  2. <html>
  4. <head>
  5.     <meta charset="utf-8" />
  6.     <title>XADESJS Signature Sample</title>
  7. </head>
  9. <body>
  10.     <pre id="signature"><code></code></pre>
  11.     <script src="https://cdnjs.cloudflare.com/ajax/libs/babel-polyfill/7.7.0/polyfill.min.js"></script>
  12.     <script src="https://cdnjs.cloudflare.com/ajax/libs/asmCrypto/2.3.2/asmcrypto.all.es5.min.js"></script>
  13.     <script src="https://cdn.rawgit.com/indutny/elliptic/master/dist/elliptic.min.js"></script>
  14.     <script src="https://unpkg.com/webcrypto-liner@1.1.2/build/webcrypto-liner.shim.min.js"></script>
  15.     <script src="https://unpkg.com/xadesjs@2.0.16/build/xades.js"></script>
  16.     <script type="text/javascript">
  17.         // Generate RSA key pair
  18.         var privateKey, publicKey;
  19.         window.crypto.subtle.generateKey(
  20.             {
  21.                 name: "ECDSA",
  22.                 namedCurve: "P-256"
  23.             },
  24.             false, //whether the key is extractable (i.e. can be used in exportKey)
  25.             ["sign", "verify"] //can be any combination of "sign" and "verify"
  26.         )
  27.             .then(function (keyPair) {
  28.                 // Push ganerated keys to global variable
  29.                 privateKey = keyPair.privateKey;
  30.                 publicKey = keyPair.publicKey;
  31.                 // Call sign function
  32.                 var xmlString = '<player bats="left" id="10012" throws="right">\n\t<!-- Here\'s a comment -->\n\t<name>Alfonso Soriano</name>\n\t<position>2B</position>\n\t<team>New York Yankees</team>\n</player>';
  33.                 return SignXml(xmlString, keyPair, { name: "ECDSA", hash: { name: "SHA-1" } });
  34.             })
  35.             .then(function (signedDocument) {
  36.                 document.getElementById("signature").textContent = signedDocument;
  37.                 console.log("Signed document:\n\n", signedDocument);
  38.             })
  39.             .catch(function (e) {
  40.                 console.error(e);
  41.             });
  43.         function SignXml(xmlString, keys, algorithm) {
  44.             var signedXml;
  45.             return Promise.resolve()
  46.                 .then(() => {
  47.                     var xmlDoc = XAdES.Parse(xmlString);
  48.                     signedXml = new XAdES.SignedXml();
  50.                     return signedXml.Sign(               // Signing document
  51.                         algorithm,                              // algorithm
  52.                         keys.privateKey,                        // key
  53.                         xmlDoc,                                 // document
  54.                         {                                       // options
  55.                             keyValue: keys.publicKey,
  56.                             references: [
  57.                                 { hash: "SHA-256", transforms: ["enveloped"] }
  58.                             ],
  59.                             productionPlace: {
  60.                                 country: "Country",
  61.                                 state: "State",
  62.                                 city: "City",
  63.                                 code: "Code",
  64.                             },
  65.                             signerRole: {
  66.                                 claimed: ["Some role"]
  67.                             }
  68.                         })
  69.                 })
  70.                 .then(() => signedXml.toString());
  71.         }
  72.     </script>
  73. </body>
  75. </html>

Check XAdES-BES Signature

In Node

  1. var XAdES = require("xadesjs");
  2. var { Crypto } = require("@peculiar/webcrypto");
  4. XAdES.Application.setEngine("NodeJS", new Crypto());
  6. var fs = require("fs");
  7. var xmlString = fs.readFileSync("some.xml","utf8");
  9. var signedDocument = XAdES.Parse(xmlString, "application/xml");
  10. var xmlSignature = signedDocument.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
  12. var signedXml = new xadesjs.SignedXml(signedDocument);
  13. signedXml.LoadXml(xmlSignature[0]);
  14. signedXml.Verify()
  15.     .then(res => {
  16.         console.log((res ? "Valid" : "Invalid") + " signature");
  17.     })
  18.     .catch(function (e) {
  19.         console.error(e);
  20.     });

In the browser

  1. <!DOCTYPE html>
  2. <html>
  4. <head>
  5.     <meta charset="utf-8" />
  6.     <title>XADESJS Signature Sample</title>
  7. </head>
  9. <body>
  10.     <pre id="signature"><code></code></pre>
  11.     <script src="https://cdnjs.cloudflare.com/ajax/libs/babel-polyfill/7.7.0/polyfill.min.js"></script>
  12.     <script src="https://cdnjs.cloudflare.com/ajax/libs/asmCrypto/2.3.2/asmcrypto.all.es5.min.js"></script>
  13.     <script src="https://cdn.rawgit.com/indutny/elliptic/master/dist/elliptic.min.js"></script>
  14.     <script src="https://unpkg.com/webcrypto-liner@1.1.2/build/webcrypto-liner.shim.min.js"></script>
  15.     <script src="https://unpkg.com/xadesjs@2.0.16/build/xades.js"></script>
  16.     <script type="text/javascript">
  17.         "use strict";
  18.         fetch("https://cdn.rawgit.com/PeculiarVentures/xadesjs/master/test/static/valid_signature.xml")
  19.             .then(response => response.text())
  20.             .then(body => {
  21.                 var xmlString = body;
  23.                 var signedDocument = XAdES.Parse(xmlString);
  24.                 var xmlSignature = signedDocument.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
  26.                 var signedXml = new xadesjs.SignedXml(signedDocument);
  27.                 signedXml.LoadXml(xmlSignature[0]);
  28.                 signedXml.Verify()
  29.                     .then(function (signedDocument) {
  30.                         alert((res ? "Valid" : "Invalid") + " signature");
  31.                     })
  32.                     .catch(function (e) {
  33.                         alert(e.message);
  34.                     });
  35.             })
  36.     </script>
  37. </body>
  39. </html>

XAdES-EPES signature

  1. const fs = require("fs");
  2. var { Crypto } = require("@peculiar/webcrypto");
  3. const xadesjs = require("xadesjs");
  4. const { XMLSerializer } = require("xmldom");
  7. const crypto = new Crypto();
  8. xadesjs.Application.setEngine("NodeJS", );
  10. function preparePem(pem) {
  11.     return pem
  12.         // remove BEGIN/END
  13.         .replace(/-----(BEGIN|END)[\w\d\s]+-----/g, "")
  14.         // remove \r, \n
  15.         .replace(/[\r\n]/g, "");
  16. }
  18. function pem2der(pem) {
  19.     pem = preparePem(pem);
  20.     // convert base64 to ArrayBuffer
  21.     return new Uint8Array(Buffer.from(pem, "base64")).buffer;
  22. }
  24. async function main() {
  25.     const hash = "SHA-256"
  26.     const alg = {
  27.         name: "RSASSA-PKCS1-v1_5",
  28.         hash,
  29.     }
  31.     // Read cert
  32.     const certPem = fs.readFileSync("cert.pem", { encoding: "utf8" });
  33.     const certDer = pem2der(certPem);
  35.     // Read key
  36.     const keyPem = fs.readFileSync("key.pem", { encoding: "utf8" });
  37.     const keyDer = pem2der(keyPem);
  38.     const key = await crypto.subtle.importKey("pkcs8", keyDer, alg, false, ["sign"]);
  40.     // XAdES-EPES
  41.     var xmlString = `<Test><Document attr="Hello"></Document></Test>`;
  42.     var xml = xadesjs.Parse(xmlString);
  44.     var xadesXml = new xadesjs.SignedXml();
  45.     const x509 = preparePem(certPem);
  46.     const signature = await xadesXml.Sign(   // Signing document
  47.         alg,                                    // algorithm
  48.         key,                                    // key
  49.         xml,                                    // document
  50.         {                                       // options
  51.             references: [
  52.                 { hash, transforms: ["c14n", "enveloped"] }
  53.             ],
  54.             policy: {
  55.                 hash,
  56.                 identifier: {
  57.                     qualifier: "OIDAsURI",
  58.                     value: "quilifier.uri",
  59.                 },
  60.                 qualifiers: [
  61.                     {
  62.                         noticeRef: {
  63.                             organization: "PeculiarVentures",
  64.                             noticeNumbers: [1, 2, 3, 4, 5]
  65.                         }
  66.                     }
  67.                 ]
  68.             },
  69.             productionPlace: {
  70.                 country: "Russia",
  71.                 state: "Marij El",
  72.                 city: "Yoshkar-Ola",
  73.                 code: "424000",
  74.             },
  75.             signingCertificate: x509
  76.         });
  78.     // append signature
  79.     xml.documentElement.appendChild(signature.GetXml());
  81.     // serialize XML
  82.     const oSerializer = new XMLSerializer();
  83.     const sXML = oSerializer.serializeToString(xml);
  84.     console.log(sXML.toString())
  85. }
  87. main()
  88.     .catch((err) => {
  89.         console.error(err);
  90.     });

TESTING

In NodeJS:

  1. npm test

THANKS AND ACKNOWLEDGEMENT

This project takes inspiration (style, approach, design and code) from both the Mono System.Security.Cryptography.Xml implementation as well as xml-crypto.