From ef49b7e07e6134326625c50cd41f06bfe2b51594 Mon Sep 17 00:00:00 2001 From: cornzz <39997278+cornzz@users.noreply.github.com> Date: Thu, 13 Feb 2025 16:46:30 +0100 Subject: [PATCH 1/2] Add support for sha256-rsa-MGF1 signing algorithm (#328) --- src/signature-algorithms.ts | 47 +++++++++++++++++++++++++++++++++++++ src/signed-xml.ts | 1 + src/types.ts | 1 + 3 files changed, 49 insertions(+) diff --git a/src/signature-algorithms.ts b/src/signature-algorithms.ts index ab1e919f..c5a96a0d 100644 --- a/src/signature-algorithms.ts +++ b/src/signature-algorithms.ts @@ -53,6 +53,53 @@ export class RsaSha256 implements SignatureAlgorithm { }; } +export class RsaSha256Mgf1 implements SignatureAlgorithm { + getSignature = createOptionalCallbackFunction( + (signedInfo: crypto.BinaryLike, privateKey: crypto.KeyLike): string => { + if (!(typeof privateKey === "string" || Buffer.isBuffer(privateKey))) { + throw new Error("keys must be strings or buffers"); + } + const signer = crypto.createSign("RSA-SHA256"); + signer.update(signedInfo); + const res = signer.sign( + { + key: privateKey, + padding: crypto.constants.RSA_PKCS1_PSS_PADDING, + saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST, + }, + "base64", + ); + + return res; + }, + ); + + verifySignature = createOptionalCallbackFunction( + (material: string, key: crypto.KeyLike, signatureValue: string): boolean => { + if (!(typeof key === "string" || Buffer.isBuffer(key))) { + throw new Error("keys must be strings or buffers"); + } + const verifier = crypto.createVerify("RSA-SHA256"); + verifier.update(material); + const res = verifier.verify( + { + key: key, + padding: crypto.constants.RSA_PKCS1_PSS_PADDING, + saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST, + }, + signatureValue, + "base64", + ); + + return res; + }, + ); + + getAlgorithmName = () => { + return "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"; + }; +} + export class RsaSha512 implements SignatureAlgorithm { getSignature = createOptionalCallbackFunction( (signedInfo: crypto.BinaryLike, privateKey: crypto.KeyLike): string => { diff --git a/src/signed-xml.ts b/src/signed-xml.ts index e5d80af7..8e918a2a 100644 --- a/src/signed-xml.ts +++ b/src/signed-xml.ts @@ -102,6 +102,7 @@ export class SignedXml { SignatureAlgorithms: Record SignatureAlgorithm> = { "http://www.w3.org/2000/09/xmldsig#rsa-sha1": signatureAlgorithms.RsaSha1, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": signatureAlgorithms.RsaSha256, + "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1": signatureAlgorithms.RsaSha256Mgf1, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": signatureAlgorithms.RsaSha512, // Disabled by default due to key confusion concerns. // 'http://www.w3.org/2000/09/xmldsig#hmac-sha1': SignatureAlgorithms.HmacSha1 diff --git a/src/types.ts b/src/types.ts index 090c944e..9591aff1 100644 --- a/src/types.ts +++ b/src/types.ts @@ -30,6 +30,7 @@ export type HashAlgorithmType = export type SignatureAlgorithmType = | "http://www.w3.org/2000/09/xmldsig#rsa-sha1" | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" + | "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1" | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" | "http://www.w3.org/2000/09/xmldsig#hmac-sha1" | string; From d4908f40af7a294aa7ac694cab1b7b5512d4cd30 Mon Sep 17 00:00:00 2001 From: cornzz <39997278+cornzz@users.noreply.github.com> Date: Fri, 14 Feb 2025 14:57:11 +0100 Subject: [PATCH 2/2] Update README.md with new signature algorithm --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2d8d82bc..bfc826ba 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@ A pre requisite it to have [openssl](http://www.openssl.org/) installed and its - RSA-SHA1 - RSA-SHA256 +- RSA-SHA256 with MGF1 - RSA-SHA512 HMAC-SHA1 is also available but it is disabled by default