Only add references for the soap:Body and wsse:Security/Timestamp ele…

…ments in WSSecurityCert (#911)
vpulim · Jan 11, 2017 · 54d20e8 · 54d20e8
1 parent daa4fb0
commit 54d20e8
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 9 deletions.
diff --git a/lib/client.js b/lib/client.js
@@ -265,7 +265,7 @@ Client.prototype._invoke = function(method, args, location, callback, options, e
     "</" + envelopeKey + ":Envelope>";
 
   if(self.security && self.security.postProcess){
-    xml = self.security.postProcess(xml);
+    xml = self.security.postProcess(xml, envelopeKey);
   }
 
   self.lastMessage = message;

diff --git a/lib/security/WSSecurityCert.js b/lib/security/WSSecurityCert.js
@@ -47,20 +47,14 @@ function WSSecurityCert(privatePEM, publicP12PEM, password, encoding) {
   this.signer.signingKey = this.privateKey.toPrivatePem();
   this.x509Id = "x509-" + generateId();
 
-  var references = ["http://www.w3.org/2000/09/xmldsig#enveloped-signature",
-    "http://www.w3.org/2001/10/xml-exc-c14n#"];
-
-  this.signer.addReference("//*[local-name(.)='Body']", references);
-  this.signer.addReference("//*[local-name(.)='Timestamp']", references);
-
   var _this = this;
   this.signer.keyInfoProvider = {};
   this.signer.keyInfoProvider.getKeyInfo = function (key) {
     return wsseSecurityTokenTemplate({ x509Id: _this.x509Id });
   };
 }
 
-WSSecurityCert.prototype.postProcess = function (xml) {
+WSSecurityCert.prototype.postProcess = function (xml, envelopeKey) {
   this.created = generateCreated();
   this.expires = generateExpires();
 
@@ -73,6 +67,12 @@ WSSecurityCert.prototype.postProcess = function (xml) {
 
   var xmlWithSec = insertStr(secHeader, xml, xml.indexOf('</soap:Header>'));
 
+  var references = ["http://www.w3.org/2000/09/xmldsig#enveloped-signature",
+    "http://www.w3.org/2001/10/xml-exc-c14n#"];
+
+  this.signer.addReference("//*[name(.)='" + envelopeKey + ":Body']", references);
+  this.signer.addReference("//*[name(.)='wsse:Security']/*[local-name(.)='Timestamp']", references);
+
   this.signer.computeSignature(xmlWithSec);
 
   return insertStr(this.signer.getSignatureXml(), xmlWithSec, xmlWithSec.indexOf('</wsse:Security>'));

diff --git a/test/security/WSSecurityCert.js b/test/security/WSSecurityCert.js
@@ -48,7 +48,7 @@ describe('WSSecurityCert', function() {
 
   it('should insert a WSSecurity signing block when postProcess is called', function() {
     var instance = new WSSecurityCert(key, cert, '', 'utf8');
-    var xml = instance.postProcess('<soap:Header></soap:Header><soap:Body></soap:Body>');
+    var xml = instance.postProcess('<soap:Header></soap:Header><soap:Body></soap:Body>', 'soap');
 
     xml.should.containEql('<wsse:Security');
     xml.should.containEql('http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd');
@@ -69,4 +69,11 @@ describe('WSSecurityCert', function() {
     xml.should.containEql(instance.publicP12PEM);
     xml.should.containEql(instance.signer.getSignatureXml());
   });
+
+  it('should only add two Reference elements, for Soap Body and Timestamp inside wsse:Security element', function() {
+    var instance = new WSSecurityCert(key, cert, '', 'utf8');
+    var xml = instance.postProcess('<soap:Header></soap:Header><soap:Body><Body></Body><Timestamp></Timestamp></soap:Body>', 'soap');
+
+    xml.match(/<Reference URI="#/g).should.have.length(2);
+  });
 });