From 9443fb2716c520ea9edb94196a0d1acd6ad80ef5 Mon Sep 17 00:00:00 2001
From: shunkica
Date: Sun, 28 Dec 2025 11:35:04 +0100
Subject: [PATCH 1/2] Add failing test for issue #525

---
 test/signature-integration-tests.spec.ts | 33 ++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/test/signature-integration-tests.spec.ts b/test/signature-integration-tests.spec.ts
index 02da0949..7efe3073 100644
--- a/test/signature-integration-tests.spec.ts
+++ b/test/signature-integration-tests.spec.ts
@@ -223,4 +223,37 @@ describe("Signature integration tests", function () {
 " should have two child nodes : and ",
 ).to.equal(2);
 });
+
+ it("should create valid signature when signature location is nested in child element", function () {
+ const xml = "";
+
+ const sig = new SignedXml();
+ sig.privateKey = fs.readFileSync("./test/static/client.pem");
+ sig.addReference({
+ xpath: "/*",
+ transforms: [
+ "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
+ "http://www.w3.org/2001/10/xml-exc-c14n#",
+ ],
+ digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256",
+ });
+ sig.canonicalizationAlgorithm = "http://www.w3.org/2001/10/xml-exc-c14n#";
+ sig.signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+
+ sig.computeSignature(xml, {
+ location: { action: "append", reference: "//*[local-name()='child']" },
+ });
+
+ const signedXml = sig.getSignedXml();
+
+ const doc = new xmldom.DOMParser().parseFromString(signedXml);
+ const signatureNode = xpath.select1("//*[local-name(.)='Signature']", doc);
+ isDomNode.assertIsNodeLike(signatureNode);
+
+ const verifier = new SignedXml();
+ verifier.publicCert = fs.readFileSync("./test/static/client_public.pem");
+ verifier.loadSignature(signatureNode);
+
+ expect(verifier.checkSignature(signedXml)).to.be.true;
+ });
 });
From 8c1af971d5a3949a681a58554d7b26dadf8bb736 Mon Sep 17 00:00:00 2001
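Review bot: The new test's only assertion is that `checkSignature(signedXml)` is true, so it would still pass if the Signature were written somewhere other than under `child`, which is the case the title claims to cover. After `isDomNode.assertIsNodeLike(signatureNode)` I would pin the placement, e.g. `expect(signatureNode.parentNode?.nodeName).to.equal("child");` (assuming the fixture's `child` element is unprefixed; the XML literal is not readable on this page). A companion negative case, in which the signed document is altered after `getSignedXml()` and verification is expected to fail, would show that the nested signature still protects the whole `/*` reference rather than only validating.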
From: shunkica
Date: Sun, 28 Dec 2025 13:06:53 +0100
Subject: [PATCH 2/2] fix: Support nested enveloped signature location (#525)

Update XPath query to find Signature elements at any depth within the document, not just direct children. This fixes an issue where signatures nested within other elements were not properly detected and removed.
---
 src/enveloped-signature.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/enveloped-signature.ts b/src/enveloped-signature.ts
index 5c74c362..56599872 100644
--- a/src/enveloped-signature.ts
+++ b/src/enveloped-signature.ts
@@ -17,7 +17,7 @@ export class EnvelopedSignature implements CanonicalizationOrTransformationAlgor
 process(node: Node, options: CanonicalizationOrTransformationAlgorithmProcessOptions): Node {
 if (null == options.signatureNode) {
 const signature = xpath.select1(
- "./*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']",
+ ".//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']",
 node,
 );
 if (isDomNode.isNodeLike(signature) && signature.parentNode) {
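Review bot: With `.//*`, `xpath.select1` now returns the first `ds:Signature` in document order at any depth, and this branch runs only when `options.signatureNode` is null, so nothing ties the match to the signature actually being processed. The enveloped-signature transform is meant to drop only the Signature that carries it; if the referenced subtree also holds a separately signed element, that other Signature may be the one excluded from the digest input. I would state the limitation above the query, e.g. `// No signatureNode given: removes the first ds:Signature at any depth; pass options.signatureNode when the subtree can hold more than one`, and add a test whose input already contains a nested Signature. The rest of `process`, including the branch taken when `signatureNode` is set, lies outside the hunk, so how the matched node is handled afterwards is not visible here.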