Rename signingCert -> publicCert and signingKey -> privateKey (#315)

cjbarth · web-flow · commit 78329fbae34c · 2023-06-18T07:33:41.000-04:00
diff --git a/README.md b/README.md
@@ -67,7 +67,7 @@ _Signature Algorithm:_ RSA-SHA1 http://www.w3.org/2000/09/xmldsig#rsa-sha1
 
 When signing a xml document you can specify the following properties on a `SignedXml` instance to customize the signature process:
 
-- `sign.signingKey` - **[required]** a `Buffer` or pem encoded `String` containing your private key
+- `sign.privateKey` - **[required]** a `Buffer` or pem encoded `String` containing your private key
 - `sign.signatureAlgorithm` - **[optional]** one of the supported [signature algorithms](#signature-algorithms). Ex: `sign.signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"`
 - `sign.canonicalizationAlgorithm` - **[optional]** one of the supported [canonicalization algorithms](#canonicalization-and-transformation-algorithms). Ex: `sign.canonicalizationAlgorithm = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"`
 
@@ -81,7 +81,7 @@ var xml = "<library>" + "<book>" + "<name>Harry Potter</name>" + "</book>" + "</
 
 var sig = new SignedXml();
 sig.addReference("//*[local-name(.)='book']");
-sig.signingKey = fs.readFileSync("client.pem");
+sig.privateKey = fs.readFileSync("client.pem");
 sig.computeSignature(xml);
 fs.writeFileSync("signed.xml", sig.getSignedXml());
 ```
@@ -118,9 +118,9 @@ To generate a `<X509Data></X509Data>` element in the signature you must provide
 
 When verifying a xml document you must specify the following properties on a ``SignedXml` instance:
 
-- `sign.signingCert` - **[optional]** your certificate as a string, a string of multiple certs in PEM format, or a Buffer, see [customizing algorithms](#customizing-algorithms) for an implementation example
+- `sign.publicCert` - **[optional]** your certificate as a string, a string of multiple certs in PEM format, or a Buffer, see [customizing algorithms](#customizing-algorithms) for an implementation example
 
-The certificate that will be used to check the signature will first be determined by calling `.getCertFromKeyInfo()`, which function you can customize as you see fit. If that returns `null`, then `.signingCert` is used. If that is `null`, then `.signingKey` is used (for symmetrical signing applications).
+The certificate that will be used to check the signature will first be determined by calling `.getCertFromKeyInfo()`, which function you can customize as you see fit. If that returns `null`, then `.publicCert` is used. If that is `null`, then `.privateKey` is used (for symmetrical signing applications).
 
 You can use any dom parser you want in your code (or none, depending on your usage). This sample uses [xmldom](https://github.com/jindw/xmldom) so you should install it first:
 
@@ -144,7 +144,7 @@ var signature = select(
   "//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"
 )[0];
 var sig = new SignedXml();
-sig.signingCert = new FileKeyInfo("client_public.pem");
+sig.publicCert = new FileKeyInfo("client_public.pem");
 sig.loadSignature(signature);
 var res = sig.checkSignature(xml);
 if (!res) console.log(sig.validationErrors);
@@ -179,7 +179,7 @@ If you keep failing verification, it is worth trying to guess such a hidden tran
 ```javascript
 var option = { implicitTransforms: ["http://www.w3.org/TR/2001/REC-xml-c14n-20010315"] };
 var sig = new SignedXml(null, option);
-sig.signingCert = new FileKeyInfo("client_public.pem");
+sig.publicCert = new FileKeyInfo("client_public.pem");
 sig.loadSignature(signature);
 var res = sig.checkSignature(xml);
 ```
@@ -272,7 +272,7 @@ A custom signing algorithm. The default is RSA-SHA1.
 ```javascript
 function MySignatureAlgorithm() {
   /*sign the given SignedInfo using the key. return base64 signature value*/
-  this.getSignature = function (signedInfo, signingKey) {
+  this.getSignature = function (signedInfo, privateKey) {
     return "signature of signedInfo as base64...";
   };
 
@@ -333,15 +333,15 @@ function signXml(xml, xpath, key, dest) {
 
   /*configure the signature object to use the custom algorithms*/
   sig.signatureAlgorithm = "http://mySignatureAlgorithm";
-  sig.signingCert = fs.readFileSync("my_public_cert.pem", "latin1");
+  sig.publicCert = fs.readFileSync("my_public_cert.pem", "latin1");
   sig.canonicalizationAlgorithm = "http://MyCanonicalization";
   sig.addReference(
     "//*[local-name(.)='x']",
     ["http://MyTransformation"],
     "http://myDigestAlgorithm"
   );
 
-  sig.signingKey = fs.readFileSync(key);
+  sig.privateKey = fs.readFileSync(key);
   sig.addReference(xpath);
   sig.computeSignature(xml);
   fs.writeFileSync(dest, sig.getSignedXml());
@@ -361,10 +361,10 @@ If the private key is not stored locally and you wish to use a signing server or
 
 ```javascript
 function AsyncSignatureAlgorithm() {
-  this.getSignature = function (signedInfo, signingKey, callback) {
+  this.getSignature = function (signedInfo, privateKey, callback) {
     var signer = crypto.createSign("RSA-SHA1");
     signer.update(signedInfo);
-    var res = signer.sign(signingKey, "base64");
+    var res = signer.sign(privateKey, "base64");
     //Do some asynchronous things here
     callback(null, res);
   };
@@ -427,7 +427,7 @@ var xml = "<library>" + "<book>" + "<name>Harry Potter</name>" + "</book>" + "</
 
 var sig = new SignedXml();
 sig.addReference("//*[local-name(.)='book']");
-sig.signingKey = fs.readFileSync("client.pem");
+sig.privateKey = fs.readFileSync("client.pem");
 sig.computeSignature(xml, {
   prefix: "ds",
 });
@@ -451,7 +451,7 @@ var xml = "<library>" + "<book>" + "<name>Harry Potter</name>" + "</book>" + "</
 
 var sig = new SignedXml();
 sig.addReference("//*[local-name(.)='book']");
-sig.signingKey = fs.readFileSync("client.pem");
+sig.privateKey = fs.readFileSync("client.pem");
 sig.computeSignature(xml, {
   location: { reference: "//*[local-name(.)='book']", action: "after" }, //This will place the signature after the book element
 });
diff --git a/example/example.js b/example/example.js
@@ -7,7 +7,7 @@ const fs = require("fs");
 
 function signXml(xml, xpath, key, dest) {
   const sig = new SignedXml();
-  sig.signingKey = fs.readFileSync(key);
+  sig.privateKey = fs.readFileSync(key);
   sig.addReference(xpath);
   sig.computeSignature(xml);
   fs.writeFileSync(dest, sig.getSignedXml());
@@ -20,7 +20,7 @@ function validateXml(xml, key) {
     doc
   )[0];
   const sig = new SignedXml();
-  sig.signingCert = key;
+  sig.publicCert = key;
   sig.loadSignature(signature.toString());
   const res = sig.checkSignature(xml);
   if (!res) {
diff --git a/index.d.ts b/index.d.ts
@@ -97,7 +97,7 @@ export interface HashAlgorithm {
 export interface SignatureAlgorithm {
   getAlgorithmName(): SignatureAlgorithmType;
 
-  getSignature(signedInfo: Node, signingKey: Buffer): string;
+  getSignature(signedInfo: Node, privateKey: Buffer): string;
 }
 
 /** Implement this to create a new TransformAlgorithm */
@@ -110,8 +110,8 @@ export interface TransformAlgorithm {
 /**
  * ### Sign
  * #### Properties
- * - {@link SignedXml#signingKey} [required]
- * - {@link SignedXml#keyInfoProvider} [optional]
+ * - {@link SignedXml#privateKey} [required]
+ * - {@link SignedXml#publicCert} [optional]
  * - {@link SignedXml#signatureAlgorithm} [optional]
  * - {@link SignedXml#canonicalizationAlgorithm} [optional]
  * #### Api
@@ -123,7 +123,7 @@ export interface TransformAlgorithm {
  *
  * ### Verify
  * #### Properties
- * -  {@link SignedXml#keyInfoProvider} [required]
+ * -  {@link SignedXml#publicCert} [optional]
  * #### Api
  *  - {@link SignedXml#loadSignature}
  *  - {@link SignedXml#checkSignature}
diff --git a/lib/signed-xml.js b/lib/signed-xml.js
@@ -58,10 +58,10 @@ function RSASHA1() {
    * Sign the given string using the given key
    *
    */
-  this.getSignature = function (signedInfo, signingKey, callback) {
+  this.getSignature = function (signedInfo, privateKey, callback) {
     const signer = crypto.createSign("RSA-SHA1");
     signer.update(signedInfo);
-    const res = signer.sign(signingKey, "base64");
+    const res = signer.sign(privateKey, "base64");
     if (callback) {
       callback(null, res);
     }
@@ -96,10 +96,10 @@ function RSASHA256() {
    * Sign the given string using the given key
    *
    */
-  this.getSignature = function (signedInfo, signingKey, callback) {
+  this.getSignature = function (signedInfo, privateKey, callback) {
     const signer = crypto.createSign("RSA-SHA256");
     signer.update(signedInfo);
-    const res = signer.sign(signingKey, "base64");
+    const res = signer.sign(privateKey, "base64");
     if (callback) {
       callback(null, res);
     }
@@ -134,10 +134,10 @@ function RSASHA512() {
    * Sign the given string using the given key
    *
    */
-  this.getSignature = function (signedInfo, signingKey, callback) {
+  this.getSignature = function (signedInfo, privateKey, callback) {
     const signer = crypto.createSign("RSA-SHA512");
     signer.update(signedInfo);
-    const res = signer.sign(signingKey, "base64");
+    const res = signer.sign(privateKey, "base64");
     if (callback) {
       callback(null, res);
     }
@@ -175,8 +175,8 @@ function HMACSHA1() {
     return "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
   };
 
-  this.getSignature = function (signedInfo, signingKey) {
-    const verifier = crypto.createHmac("SHA1", signingKey);
+  this.getSignature = function (signedInfo, privateKey) {
+    const verifier = crypto.createHmac("SHA1", privateKey);
     verifier.update(signedInfo);
     const res = verifier.digest("base64");
     return res;
@@ -311,8 +311,8 @@ function SignedXml(idMode, options) {
   this.idMode = idMode;
   this.references = [];
   this.id = 0;
-  this.signingKey = null;
-  this.signingCert = null;
+  this.privateKey = null;
+  this.publicCert = null;
   this.signatureAlgorithm =
     this.options.signatureAlgorithm || "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
   this.canonicalizationAlgorithm =
@@ -504,7 +504,7 @@ SignedXml.prototype.validateSignatureValue = function (doc, callback) {
   const signer = this.findSignatureAlgorithm(this.signatureAlgorithm);
   const res = signer.verifySignature(
     signedInfoCanon,
-    this.getCertFromKeyInfo(this.keyInfo) || this.signingCert || this.signingKey,
+    this.getCertFromKeyInfo(this.keyInfo) || this.publicCert || this.privateKey,
     this.signatureValue,
     callback
   );
@@ -519,7 +519,7 @@ SignedXml.prototype.validateSignatureValue = function (doc, callback) {
 SignedXml.prototype.calculateSignatureValue = function (doc, callback) {
   const signedInfoCanon = this.getCanonSignedInfoXml(doc);
   const signer = this.findSignatureAlgorithm(this.signatureAlgorithm);
-  this.signatureValue = signer.getSignature(signedInfoCanon, this.signingKey, callback);
+  this.signatureValue = signer.getSignature(signedInfoCanon, this.privateKey, callback);
 };
 
 SignedXml.prototype.findSignatureAlgorithm = function (name) {
@@ -954,7 +954,7 @@ SignedXml.prototype.getKeyInfo = function (prefix) {
       keyInfoAttrs += " " + name + '="' + this.keyInfoAttributes[name] + '"';
     });
   }
-  const keyInfoContent = this.getKeyInfoContent({ publicCert: this.signingCert, prefix });
+  const keyInfoContent = this.getKeyInfoContent({ publicCert: this.publicCert, prefix });
   if (keyInfoAttrs !== "" || keyInfoContent != null) {
     res += "<" + currentPrefix + "KeyInfo" + keyInfoAttrs + ">";
     res += keyInfoContent;
diff --git a/test/document-test.js b/test/document-test.js
@@ -17,7 +17,7 @@ describe("Document tests", function () {
         .toString()
     );
     const sig = new crypto.SignedXml();
-    sig.signingCert = fs.readFileSync("./test/static/feide_public.pem");
+    sig.publicCert = fs.readFileSync("./test/static/feide_public.pem");
     sig.loadSignature(signature);
     const result = sig.checkSignature(xml);
 
@@ -37,7 +37,7 @@ describe("Document tests", function () {
     );
     const sig = new crypto.SignedXml();
     const feidePublicCert = fs.readFileSync("./test/static/feide_public.pem");
-    sig.signingCert = feidePublicCert;
+    sig.publicCert = feidePublicCert;
     sig.loadSignature(signature);
     const result = sig.checkSignature(xml);
 
diff --git a/test/hmac-tests.js b/test/hmac-tests.js
@@ -15,7 +15,7 @@ describe("HMAC tests", function () {
     )[0];
     const sig = new crypto.SignedXml();
     sig.enableHMAC();
-    sig.signingCert = fs.readFileSync("./test/static/hmac.key");
+    sig.publicCert = fs.readFileSync("./test/static/hmac.key");
     sig.loadSignature(signature);
     const result = sig.checkSignature(xml);
 
@@ -31,7 +31,7 @@ describe("HMAC tests", function () {
     )[0];
     const sig = new crypto.SignedXml();
     sig.enableHMAC();
-    sig.signingCert = fs.readFileSync("./test/static/hmac-foobar.key");
+    sig.publicCert = fs.readFileSync("./test/static/hmac-foobar.key");
     sig.loadSignature(signature);
     const result = sig.checkSignature(xml);
 
@@ -42,7 +42,7 @@ describe("HMAC tests", function () {
     const xml = "<library>" + "<book>" + "<name>Harry Potter</name>" + "</book>" + "</library>";
     const sig = new crypto.SignedXml();
     sig.enableHMAC();
-    sig.signingKey = fs.readFileSync("./test/static/hmac.key");
+    sig.privateKey = fs.readFileSync("./test/static/hmac.key");
     sig.signatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
     sig.addReference("//*[local-name(.)='book']");
     sig.computeSignature(xml);
@@ -54,7 +54,7 @@ describe("HMAC tests", function () {
     )[0];
     const verify = new crypto.SignedXml();
     verify.enableHMAC();
-    verify.signingCert = fs.readFileSync("./test/static/hmac.key");
+    verify.publicCert = fs.readFileSync("./test/static/hmac.key");
     verify.loadSignature(signature);
     const result = verify.checkSignature(sig.getSignedXml());
 
diff --git a/test/key-info-tests.js b/test/key-info-tests.js
@@ -10,8 +10,8 @@ describe("KeyInfo tests", function () {
   it("adds X509Certificate element during signature", function () {
     const xml = "<root><x /></root>";
     const sig = new SignedXml();
-    sig.signingKey = fs.readFileSync("./test/static/client.pem");
-    sig.signingCert = fs.readFileSync("./test/static/client_public.pem");
+    sig.privateKey = fs.readFileSync("./test/static/client.pem");
+    sig.publicCert = fs.readFileSync("./test/static/client_public.pem");
     sig.computeSignature(xml);
     const signedXml = sig.getSignedXml();
     const doc = new xmldom.DOMParser().parseFromString(signedXml);
@@ -22,8 +22,8 @@ describe("KeyInfo tests", function () {
   it("make sure private hmac key is not leaked due to key confusion", function () {
     const xml = "<library>" + "<book>" + "<name>Harry Potter</name>" + "</book>" + "</library>";
     const sig = new crypto.SignedXml();
-    sig.signingKey = fs.readFileSync("./test/static/hmac.key");
-    sig.signingCert = fs.readFileSync("./test/static/hmac.key");
+    sig.privateKey = fs.readFileSync("./test/static/hmac.key");
+    sig.publicCert = fs.readFileSync("./test/static/hmac.key");
     sig.signatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
     sig.enableHMAC();
     sig.addReference("//*[local-name(.)='book']");
diff --git a/test/saml-response-test.js b/test/saml-response-test.js
@@ -13,7 +13,7 @@ describe("SAML response tests", function () {
       doc
     )[0];
     const sig = new crypto.SignedXml();
-    sig.signingCert = fs.readFileSync("./test/static/feide_public.pem");
+    sig.publicCert = fs.readFileSync("./test/static/feide_public.pem");
     sig.loadSignature(signature);
     const result = sig.checkSignature(xml);
 
@@ -29,7 +29,7 @@ describe("SAML response tests", function () {
       assertion
     )[0];
     const sig = new crypto.SignedXml();
-    sig.signingCert = fs.readFileSync("./test/static/feide_public.pem");
+    sig.publicCert = fs.readFileSync("./test/static/feide_public.pem");
     sig.loadSignature(signature);
     expect(function () {
       sig.checkSignature(xml);
@@ -46,7 +46,7 @@ describe("SAML response tests", function () {
       doc
     )[0];
     const sig = new crypto.SignedXml();
-    sig.signingCert = fs.readFileSync("./test/static/saml_external_ns.pem");
+    sig.publicCert = fs.readFileSync("./test/static/saml_external_ns.pem");
     sig.loadSignature(signature);
     const result = sig.checkSignature(xml);
     expect(result).to.be.true;
@@ -61,7 +61,7 @@ describe("SAML response tests", function () {
       assertion
     )[0];
     const sig = new crypto.SignedXml();
-    sig.signingCert = fs.readFileSync("./test/static/feide_public.pem");
+    sig.publicCert = fs.readFileSync("./test/static/feide_public.pem");
     sig.loadSignature(signature);
     expect(function () {
       sig.checkSignature(xml);
@@ -76,7 +76,7 @@ describe("SAML response tests", function () {
       doc
     )[0];
     const sig = new crypto.SignedXml();
-    sig.signingCert = fs.readFileSync("./test/static/feide_public.pem");
+    sig.publicCert = fs.readFileSync("./test/static/feide_public.pem");
     sig.loadSignature(signature);
     const result = sig.checkSignature(xml);
     // This doesn't matter, just want to make sure that we don't fail due to unknown algorithm
diff --git a/test/signature-integration-tests.js b/test/signature-integration-tests.js
diff --git a/test/signature-unit-tests.js b/test/signature-unit-tests.js
diff --git a/test/wsfed-metadata-test.js b/test/wsfed-metadata-test.js
