feat: add id and type attributes to Reference elements in XML signature

Author: shunkica

README.md

@@ -269,11 +269,13 @@ A `SignedXml` object provides the following methods:
 
 To sign xml documents:
 
-- `addReference(xpath, transforms, digestAlgorithm)` - adds a reference to a xml element where:
+- `addReference({ xpath, transforms, digestAlgorithm, isSignatureReference, id, type })` - adds a reference to a xml element where:
   - `xpath` - a string containing a XPath expression referencing a xml element
   - `transforms` - an array of [transform algorithms](#canonicalization-and-transformation-algorithms), the referenced element will be transformed for each value in the array
   - `digestAlgorithm` - one of the supported [hashing algorithms](#hashing-algorithms)
   - `isSignatureReference` - boolean - default `false` - indicates whether the target of this reference is located inside the `<Signature>` element (e.g. an `<Object>`)
+  - `id` - an optional `Id` attribute to add to the reference element
+  - `type` - the optional `Type` attribute to add to the reference element (represented as a URI)
 - `computeSignature(xml, [options])` - compute the signature of the given xml where:
   - `xml` - a string containing a xml document
   - `options` - an object with the following properties:

src/signed-xml.ts

@@ -810,6 +810,8 @@ export class SignedXml {
    * @param inclusiveNamespacesPrefixList The prefix list for inclusive namespace canonicalization.
    * @param isEmptyUri Indicates whether the URI is empty. Defaults to `false`.
    * @param isSignatureReference Indicates whether this reference points to an element in the signature itself (like an Object element).
+   * @param id An optional `Id` attribute for the reference.
+   * @param type An optional `Type` attribute for the reference.
    */
   addReference({
     xpath,
@@ -820,6 +822,8 @@ export class SignedXml {
     inclusiveNamespacesPrefixList = [],
     isEmptyUri = false,
     isSignatureReference = false,
+    id = undefined,
+    type = undefined,
   }: Partial<Reference> & Pick<Reference, "xpath">): void {
     if (digestAlgorithm == null) {
       throw new Error("digestAlgorithm is required");
@@ -838,6 +842,8 @@ export class SignedXml {
       inclusiveNamespacesPrefixList,
       isEmptyUri,
       isSignatureReference,
+      id,
+      type,
       getValidatedNode: () => {
         throw new Error(
           "Reference has not been validated yet; Did you call `sig.checkSignature()`?",
@@ -1148,13 +1154,25 @@ export class SignedXml {
       }
 
       for (const node of nodes) {
+        let referenceAttrs = "";
+
         if (ref.isEmptyUri) {
-          res += `<${prefix}Reference URI="">`;
+          referenceAttrs = 'URI=""';
         } else {
           const id = this.ensureHasId(node);
           ref.uri = id;
-          res += `<${prefix}Reference URI="#${id}">`;
+          referenceAttrs = `URI="#${id}"`;
+        }
+
+        if (ref.id) {
+          referenceAttrs += ` Id="${ref.id}"`;
+        }
+
+        if (ref.type) {
+          referenceAttrs += ` Type="${ref.type}"`;
         }
+
+        res += `<${prefix}Reference ${referenceAttrs}>`;
         res += `<${prefix}Transforms>`;
         for (const trans of ref.transforms || []) {
           const transform = this.findCanonicalizationAlgorithm(trans);
@@ -1368,6 +1386,14 @@ export class SignedXml {
           referenceElem.setAttribute("URI", `#${id}`);
         }
 
+        if (ref.id) {
+          referenceElem.setAttribute("Id", ref.id);
+        }
+
+        if (ref.type) {
+          referenceElem.setAttribute("Type", ref.type);
+        }
+
         const transformsElem = signatureDoc.createElementNS(
           signatureNamespace,
           `${prefix}Transforms`,

src/types.ts

@@ -146,6 +146,12 @@ export interface Reference {
   // Optional. Indicates if this reference points to an element within the Signature
   isSignatureReference?: boolean;
 
+  // Optional. The `Id` attribute of the reference node.
+  id?: string;
+
+  // Optional. The `Type` attribute of the reference node.
+  type?: string;
+
   // Optional. The type of the reference node.
   ancestorNamespaces?: NamespacePrefix[];
 

test/signature-object-tests.spec.ts

@@ -683,15 +683,14 @@ describe("Object support in XML signatures", function () {
 
 describe("XAdES Object support in XML signatures", function () {
   it("should be able to add and sign XAdES objects", function () {
-    const rootId = "root_0";
     const signatureId = "signature_0";
     const signedPropertiesId = "signedProperties_0";
 
     const privateKey = fs.readFileSync("./test/static/client.pem");
     const publicCert = fs.readFileSync("./test/static/client_public.pem");
     const publicCertDer = fs.readFileSync("./test/static/client_public.der");
     const publicCertDigest = new Sha256().getHash(publicCertDer);
-    const xml = `<root Id="${rootId}"><content>text</content></root>`;
+    const xml = `<root><content>text</content></root>`;
 
     const sig = new SignedXml({
       publicCert: publicCert,
@@ -701,7 +700,7 @@ describe("XAdES Object support in XML signatures", function () {
       getObjectContent: () => [
         {
           content:
-            `<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#${rootId}">` +
+            `<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#${signatureId}">` +
             `<xades:SignedProperties Id="${signedPropertiesId}">` +
             `<xades:SignedSignatureProperties>` +
             `<xades:SigningTime>2025-06-21T12:00:00Z</xades:SigningTime>` +
@@ -717,7 +716,8 @@ describe("XAdES Object support in XML signatures", function () {
     });
 
     sig.addReference({
-      xpath: `//*[@Id='${rootId}']`,
+      xpath: `/*`,
+      isEmptyUri: true,
       digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256",
       transforms: [
         "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
@@ -727,6 +727,7 @@ describe("XAdES Object support in XML signatures", function () {
 
     sig.addReference({
       xpath: `//*[@Id='${signedPropertiesId}']`,
+      type: "http://uri.etsi.org/01903#SignedProperties",
       digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256",
       transforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"],
       isSignatureReference: true,

test/signature-unit-tests.spec.ts

@@ -1279,4 +1279,42 @@ describe("Signature unit tests", function () {
       "MIIDZ",
     );
   });
+
+  it("adds id and type attributes to Reference elements when provided", function () {
+    const xml = "<root><x /></root>";
+    const sig = new SignedXml();
+    sig.privateKey = fs.readFileSync("./test/static/client.pem");
+
+    sig.addReference({
+      xpath: "//*[local-name(.)='x']",
+      digestAlgorithm: "http://www.w3.org/2000/09/xmldsig#sha1",
+      transforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"],
+      id: "ref-1",
+      type: "http://www.w3.org/2000/09/xmldsig#Object",
+    });
+
+    sig.canonicalizationAlgorithm = "http://www.w3.org/2001/10/xml-exc-c14n#";
+    sig.signatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+    sig.computeSignature(xml);
+    const signedXml = sig.getSignedXml();
+
+    const doc = new xmldom.DOMParser().parseFromString(signedXml);
+    const referenceElements = xpath.select("//*[local-name(.)='Reference']", doc);
+    isDomNode.assertIsArrayOfNodes(referenceElements);
+    expect(referenceElements.length, "Reference element should exist").to.equal(1);
+
+    const referenceElement = referenceElements[0];
+    isDomNode.assertIsElementNode(referenceElement);
+
+    const idAttribute = referenceElement.getAttribute("Id");
+    expect(idAttribute, "Reference element should have the correct Id attribute value").to.equal(
+      "ref-1",
+    );
+
+    const typeAttribute = referenceElement.getAttribute("Type");
+    expect(
+      typeAttribute,
+      "Reference element should have the correct Type attribute value",
+    ).to.equal("http://www.w3.org/2000/09/xmldsig#Object");
+  });
 });