From 54d20e80c62762870d4480325c5f272c6894e4f0 Mon Sep 17 00:00:00 2001 From: Reko Tiira Date: Wed, 11 Jan 2017 08:52:36 +0200 Subject: [PATCH] Only add references for the soap:Body and wsse:Security/Timestamp elements in WSSecurityCert (#911) --- lib/client.js | 2 +- lib/security/WSSecurityCert.js | 14 +++++++------- test/security/WSSecurityCert.js | 9 ++++++++- 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/lib/client.js b/lib/client.js index 2c61d7114..58c456f21 100644 --- a/lib/client.js +++ b/lib/client.js @@ -265,7 +265,7 @@ Client.prototype._invoke = function(method, args, location, callback, options, e ""; if(self.security && self.security.postProcess){ - xml = self.security.postProcess(xml); + xml = self.security.postProcess(xml, envelopeKey); } self.lastMessage = message; diff --git a/lib/security/WSSecurityCert.js b/lib/security/WSSecurityCert.js index bbbc20263..cd6e8cf97 100644 --- a/lib/security/WSSecurityCert.js +++ b/lib/security/WSSecurityCert.js @@ -47,12 +47,6 @@ function WSSecurityCert(privatePEM, publicP12PEM, password, encoding) { this.signer.signingKey = this.privateKey.toPrivatePem(); this.x509Id = "x509-" + generateId(); - var references = ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", - "http://www.w3.org/2001/10/xml-exc-c14n#"]; - - this.signer.addReference("//*[local-name(.)='Body']", references); - this.signer.addReference("//*[local-name(.)='Timestamp']", references); - var _this = this; this.signer.keyInfoProvider = {}; this.signer.keyInfoProvider.getKeyInfo = function (key) { @@ -60,7 +54,7 @@ function WSSecurityCert(privatePEM, publicP12PEM, password, encoding) { }; } -WSSecurityCert.prototype.postProcess = function (xml) { +WSSecurityCert.prototype.postProcess = function (xml, envelopeKey) { this.created = generateCreated(); this.expires = generateExpires(); 
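Review bot: `postProcess` now depends on a second argument, but the new signature `function (xml, envelopeKey)` neither defaults nor checks it, so a caller that still passes only `xml` will have the Body XPath in the following hunk built as `undefined:Body`. That expression would match no element, so the Body would presumably be left unsigned or signing would fail, depending on how the signer treats an empty match. Consider `envelopeKey = envelopeKey || 'soap';` at the top of the function (if `soap` is the intended default, as the test suggests), and rejecting values that are not a plain XML prefix, since the value is concatenated into a quoted XPath literal. The function body continues outside this hunk.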
@@ -73,6 +67,12 @@ WSSecurityCert.prototype.postProcess = function (xml) { var xmlWithSec = insertStr(secHeader, xml, xml.indexOf('')); + var references = ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", + "http://www.w3.org/2001/10/xml-exc-c14n#"]; + + this.signer.addReference("//*[name(.)='" + envelopeKey + ":Body']", references); + this.signer.addReference("//*[name(.)='wsse:Security']/*[local-name(.)='Timestamp']", references); + this.signer.computeSignature(xmlWithSec); return insertStr(this.signer.getSignatureXml(), xmlWithSec, xmlWithSec.indexOf('')); diff --git a/test/security/WSSecurityCert.js b/test/security/WSSecurityCert.js index dfe3c0cbb..ed63c8f2d 100644 --- a/test/security/WSSecurityCert.js +++ b/test/security/WSSecurityCert.js @@ -48,7 +48,7 @@ describe('WSSecurityCert', function() { it('should insert a WSSecurity signing block when postProcess is called', function() { var instance = new WSSecurityCert(key, cert, '', 'utf8'); - var xml = instance.postProcess(''); + var xml = instance.postProcess('', 'soap'); xml.should.containEql('', 'soap'); + + xml.match(/
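Review bot: The two `addReference` calls added here run on every `postProcess` call, yet they target the single `this.signer` that the constructor sets up, so an instance used for more than one request would presumably gain two more references per call (assuming `addReference` appends, as it does in xml-crypto). Later messages would then carry duplicate `Reference` entries, which is easy to miss because the visible test calls `postProcess` once per instance. Register each XPath only once, e.g. `if (!this.signer.references.some(function (r) { return r.xpath === bodyXpath; })) this.signer.addReference(bodyXpath, references);`, with the same guard for the Timestamp XPath, and add a test that calls `postProcess` twice on one instance. `postProcess` starts before this hunk.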