New XML Signing Options, extra tags to sign and small bug fix

Readme.md

@@ -864,6 +864,20 @@ WS-Security X509 Certificate support.
   var privateKey = fs.readFileSync(privateKeyPath);
   var publicKey = fs.readFileSync(publicKeyPath);
   var password = ''; // optional password
+  var options = {
+    hasTimeStamp: true,
+    additionalReferences: [
+        'wsa:Action',
+        'wsa:ReplyTo',
+        'wsa:To',
+    ],
+    signerOptions: {
+        prefix: 'ds',
+        attrs: { Id: 'Signature' },
+        existingPrefixes: {
+            wsse: 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd',
+        }
+  }
   var wsSecurity = new soap.WSSecurityCert(privateKey, publicKey, password, options);
   client.setSecurity(wsSecurity);
 ```
@@ -872,8 +886,12 @@ the `options` object is optional and can contain the following properties:
 * `hasTimeStamp`: adds Timestamp element (default: `true`)
 * `signatureTransformations`: sets the Reference Transforms Algorithm (default ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#']). Type is a string array
 * `signatureAlgorithm`: set to `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` to use sha256
-* `signerOptions`: passed options to the XML Signer package - from (https://github.com/yaronn/xml-crypto) 
+* `additionalReferences` : Array of Soap headers that need to be signed.  This need to be added using `client.addSoapHeader('header')`
+* `signerOptions`: passes options to the XML Signer package - from (https://github.com/yaronn/xml-crypto) 
   * `existingPrefixes`: A hash of prefixes and namespaces prefix: namespace that shouldn't be in the signature because they already exist in the xml (default: `{ 'wsse': 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' }`)
+  * `prefix`: Adds this value as a prefix for the generated signature tags.
+  * `attrs`: A hash of attributes and values attrName: value to add to the signature root node 
+
 
 ### NTLMSecurity
 

src/client.ts

@@ -398,7 +398,7 @@ export class Client extends EventEmitter {
         } else {
           return header;
         }
-      }).join('\n');
+      }).join(' ');
     }
 
     xml = '<?xml version="1.0" encoding="utf-8"?>' +

src/security/WSSecurityCert.ts

@@ -1,4 +1,3 @@
-
 import { v4 as uuid4 } from 'uuid';
 import { SignedXml } from 'xml-crypto';
 import { ISecurity } from '../types';
@@ -22,7 +21,7 @@ function generateExpires(): string {
 }
 
 function insertStr(src: string, dst: string, pos: number): string {
-  return [dst.slice(0, pos), src, dst.slice(pos)].join('');
+  return [ dst.slice(0, pos), src, dst.slice(pos) ].join('');
 }
 
 function generateId(): string {
@@ -35,10 +34,13 @@ export interface IWSSecurityCertOptions {
   hasTimeStamp?: boolean;
   signatureTransformations?: string[];
   signatureAlgorithm?: string;
+  additionalReferences?: string[];
   signerOptions?: IXmlSignerOptions;
 }
 
 export interface IXmlSignerOptions {
+  prefix?: string;
+  attrs?: { [key: string]: string };
   existingPrefixes?: { [key: string]: string };
 }
 
@@ -51,6 +53,7 @@ export class WSSecurityCert implements ISecurity {
   private signatureTransformations: string[];
   private created: string;
   private expires: string;
+  private additionalReferences: string[] = [];
 
   constructor(privatePEM: any, publicP12PEM: any, password: any, options: IWSSecurityCertOptions = {}) {
     this.publicP12PEM = publicP12PEM.toString()
@@ -63,13 +66,27 @@ export class WSSecurityCert implements ISecurity {
       this.signer.signatureAlgorithm = options.signatureAlgorithm;
       this.signer.addReference(
         '//*[name(.)="soap:Body"]',
-        ['http://www.w3.org/2001/10/xml-exc-c14n#'],
+        [ 'http://www.w3.org/2001/10/xml-exc-c14n#' ],
         'http://www.w3.org/2001/04/xmlenc#sha256',
       );
     }
 
-    this.signerOptions = (options.signerOptions) ? this.signerOptions = options.signerOptions
-      : this.signerOptions = { existingPrefixes: { wsse: `${oasisBaseUri}/oasis-200401-wss-wssecurity-secext-1.0.xsd` } };
+    if (options.additionalReferences && options.additionalReferences.length > 0) {
+      this.additionalReferences = options.additionalReferences;
+    }
+
+    if (options.signerOptions) {
+      const { signerOptions } = options;
+      this.signerOptions = signerOptions;
+      if (!this.signerOptions.existingPrefixes) {
+        this.signerOptions.existingPrefixes = {};
+      }
+      if (this.signerOptions.existingPrefixes && !this.signerOptions.existingPrefixes.wsse) {
+        this.signerOptions.existingPrefixes.wsse = `${oasisBaseUri}/oasis-200401-wss-wssecurity-secext-1.0.xsd`;
+      }
+    } else {
+      this.signerOptions = { existingPrefixes: { wsse: `${oasisBaseUri}/oasis-200401-wss-wssecurity-secext-1.0.xsd` } };
+    }
 
     this.signer.signingKey = {
       key: privatePEM,
@@ -78,7 +95,7 @@ export class WSSecurityCert implements ISecurity {
     this.x509Id = `x509-${generateId()}`;
     this.hasTimeStamp = typeof options.hasTimeStamp === 'undefined' ? true : !!options.hasTimeStamp;
     this.signatureTransformations = Array.isArray(options.signatureTransformations) ? options.signatureTransformations
-      : ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#'];
+      : [ 'http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#' ];
 
     this.signer.keyInfoProvider = {};
     this.signer.keyInfoProvider.getKeyInfo = (key) => {
@@ -96,19 +113,19 @@ export class WSSecurityCert implements ISecurity {
     if (this.hasTimeStamp) {
       timestampStr =
         `<Timestamp xmlns="${oasisBaseUri}/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="_1">` +
-          `<Created>${this.created}</Created>` +
-          `<Expires>${this.expires}</Expires>` +
+        `<Created>${this.created}</Created>` +
+        `<Expires>${this.expires}</Expires>` +
         `</Timestamp>`;
     }
 
     const secHeader =
       `<wsse:Security xmlns:wsse="${oasisBaseUri}/oasis-200401-wss-wssecurity-secext-1.0.xsd" ` +
-          `xmlns:wsu="${oasisBaseUri}/oasis-200401-wss-wssecurity-utility-1.0.xsd" ` +
-          `soap:mustUnderstand="1">` +
+      `xmlns:wsu="${oasisBaseUri}/oasis-200401-wss-wssecurity-utility-1.0.xsd" ` +
+      `soap:mustUnderstand="1">` +
       `<wsse:BinarySecurityToken ` +
-          `EncodingType="${oasisBaseUri}/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ` +
-          `ValueType="${oasisBaseUri}/oasis-200401-wss-x509-token-profile-1.0#X509v3" ` +
-          `wsu:Id="${this.x509Id}">${this.publicP12PEM}</wsse:BinarySecurityToken>` +
+      `EncodingType="${oasisBaseUri}/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ` +
+      `ValueType="${oasisBaseUri}/oasis-200401-wss-x509-token-profile-1.0#X509v3" ` +
+      `wsu:Id="${this.x509Id}">${this.publicP12PEM}</wsse:BinarySecurityToken>` +
       timestampStr +
       `</wsse:Security>`;
 
@@ -121,6 +138,13 @@ export class WSSecurityCert implements ISecurity {
       this.signer.addReference(bodyXpath, references);
     }
 
+    for (const name of this.additionalReferences) {
+      const xpath = `//*[name(.)='${name}']`;
+      if (!(this.signer.references.filter((ref) => (ref.xpath === xpath)).length > 0)) {
+        this.signer.addReference(xpath, references);
+      }
+    }
+
     const timestampXpath = `//*[name(.)='wsse:Security']/*[local-name(.)='Timestamp']`;
     if (this.hasTimeStamp && !(this.signer.references.filter((ref) => (ref.xpath === timestampXpath)).length > 0)) {
       this.signer.addReference(timestampXpath, references);

test/security/WSSecurityCert.js

@@ -111,7 +111,10 @@ describe('WSSecurityCert', function () {
   });
 
   it('should use rsa-sha256 signature method when the signatureAlgorithm option is set to WSSecurityCert', function () {
-    var instance = new WSSecurityCert(key, cert, '', { hasTimeStamp: false, signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' });
+    var instance = new WSSecurityCert(key, cert, '', {
+      hasTimeStamp: false,
+      signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+    });
     var xml = instance.postProcess('<soap:Header></soap:Header><soap:Body><Body></Body></soap:Body>', 'soap');
     xml.should.containEql('SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"');
   });
@@ -120,7 +123,13 @@ describe('WSSecurityCert', function () {
     var instance = new WSSecurityCert(key, cert, '');
     var xml = instance.postProcess('<soap:Header></soap:Header><soap:Body><Body></Body><Timestamp></Timestamp></soap:Body>', 'soap')
     xml.should.containEql('xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"');
-  })
+  });
+  it('should still add wsse if another signerOption attribute is passed through ', function(){
+    var instance = new WSSecurityCert(key, cert, '', { signerOptions: { prefix: 'ds'} });
+    var xml = instance.postProcess('<soap:Header></soap:Header><soap:Body><Body></Body><Timestamp></Timestamp></soap:Body>', 'soap')
+    xml.should.containEql('xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"');
+    xml.should.containEql('<ds:SignedInfo>');
+  });
   it('should contain a provided prefix when signerOptions.existingPrefixes is provided', function () {
     var instance = new WSSecurityCert(key, cert, '', {
       signerOptions: {
@@ -130,6 +139,43 @@ describe('WSSecurityCert', function () {
     });
     var xml = instance.postProcess('<soap:Header></soap:Header><soap:Body><Body></Body><Timestamp></Timestamp></soap:Body>', 'soap')
     xml.should.containEql('<wsse:SecurityTokenReference xmlns:wsse="https://localhost/node-soap.xsd">');
-  })
-
+  });
+  it('should contain the prefix to the generated Signature tags', function () {
+    var instance = new WSSecurityCert(key, cert, '', {
+      signerOptions: {
+        prefix: 'ds',
+      }
+    });
+    var xml = instance.postProcess('<soap:Header></soap:Header><soap:Body><Body></Body><Timestamp></Timestamp></soap:Body>', 'soap');
+    xml.should.containEql('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">');
+    xml.should.containEql('<ds:SignedInfo>');
+    xml.should.containEql('<ds:CanonicalizationMethod');
+    xml.should.containEql('<ds:SignatureMethod ');
+    xml.should.containEql('<ds:Reference URI="#_1">');
+    xml.should.containEql('<ds:Transforms>');
+    xml.should.containEql('<ds:Transform');
+    xml.should.containEql('<ds:DigestMethod');
+    xml.should.containEql('<ds:DigestValue>');
+    xml.should.containEql('</ds:DigestValue>');
+  });
+  it('should add attributes to the security tag', function () {
+    var instance = new WSSecurityCert(key, cert, '', {
+      signerOptions: {
+        attrs: { Id: 'security_123' },
+      }
+    });
+    var xml = instance.postProcess('<soap:Header></soap:Header><soap:Body><Body></Body><Timestamp></Timestamp></soap:Body>', 'soap');
+    xml.should.containEql('<Signature Id="security_123" xmlns="http://www.w3.org/2000/09/xmldsig#">');
+  });
+  it('should sign additional headers that are added via additionalReferences', function () {
+    var instance = new WSSecurityCert(key, cert, '', {
+      additionalReferences: [
+        'To',
+        'Action'
+      ],
+    });
+    var xml = instance.postProcess('<soap:Header><To Id="To">localhost.com</To><Action Id="action-1234">testing</Action></soap:Header><soap:Body><Body></Body><Timestamp></Timestamp></soap:Body>', 'soap');
+    xml.should.containEql('<Reference URI="#To">');
+    xml.should.containEql('<Reference URI="#action-1234">');
+  });
 });