From ec53c51c35dc9b76d9128578e84d3edf517bec20 Mon Sep 17 00:00:00 2001
From: Boris
Date: Tue, 13 Oct 2020 22:36:52 +0300
Subject: [PATCH] Fixing bug: if options.signatureAlgorithm = ..sha256 => will be generated two Reference to Body. (#1128)
- added test to reproduce problem
- replace usage of constant as bodyXpath for predefined reference with placeholder, resolved later for correct xpath
Co-authored-by: boris.vnukov
---
 src/security/WSSecurityCert.ts | 13 ++++++++++++-
 test/security/WSSecurityCert.js | 7 +++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/security/WSSecurityCert.ts b/src/security/WSSecurityCert.ts
index f79c57d92..e27ccd810 100644
--- a/src/security/WSSecurityCert.ts
+++ b/src/security/WSSecurityCert.ts
@@ -28,7 +28,16 @@ function generateId(): string {
 return uuidv4().replace(/-/gm, '');
 }
+function resolvePlaceholderInReferences(references: any[], bodyXpath: string) {
+ for (const ref of references) {
+ if (ref.xpath === bodyXpathPlaceholder) {
+ ref.xpath = bodyXpath;
+ }
+ }
+}
+
 const oasisBaseUri = 'http://docs.oasis-open.org/wss/2004/01';
+const bodyXpathPlaceholder = '[[bodyXpath]]';
 export interface IWSSecurityCertOptions {
 hasTimeStamp?: boolean;
@@ -65,7 +74,7 @@ export class WSSecurityCert implements ISecurity {
 if (options.signatureAlgorithm === 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256') {
 this.signer.signatureAlgorithm = options.signatureAlgorithm;
 this.signer.addReference(
- '//*[name(.)="soap:Body"]',
+ bodyXpathPlaceholder,
 [ 'http://www.w3.org/2001/10/xml-exc-c14n#' ],
 'http://www.w3.org/2001/04/xmlenc#sha256',
 );
@@ -134,6 +143,8 @@ export class WSSecurityCert implements ISecurity {
 const references = this.signatureTransformations;
 const bodyXpath = `//*[name(.)='${envelopeKey}:Body']`;
+ resolvePlaceholderInReferences(this.signer.references, bodyXpath);
+
 if (!(this.signer.references.filter((ref) => (ref.xpath === bodyXpath)).length > 0)) {
 this.signer.addReference(bodyXpath, references);
 }
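Review bot: In the `@@ -28,7 +28,16 @@` hunk, `resolvePlaceholderInReferences` takes `references: any[]` and declares no return type, so a misspelt `xpath` or a change in the reference shape would pass the compiler unnoticed. The helper only reads and writes `xpath`, so a narrow signature is enough: `function resolvePlaceholderInReferences(references: Array<{ xpath?: string }>, bodyXpath: string): void`. A short comment such as `// Rewrites, in place, every reference still carrying bodyXpathPlaceholder to the real Body xpath` would make it explicit that the signer's own list is mutated.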
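Review bot: In the `@@ -65,7 +74,7 @@` hunk, `'[[bodyXpath]]'` is not a valid XPath, so the signer holds an unusable Body reference until something rewrites it; within this patch only the call added in the `@@ -134,6 +143,8 @@` hunk does that. A comment at the `addReference` call would make the coupling visible, e.g. `// placeholder xpath: replaced with the real Body xpath at signing time, once the envelope prefix is known`. This reference also keeps the hard-coded exc-c14n transform and sha256 digest, and since the later existence check will now find it, `this.signatureTransformations` appears not to be applied to Body in the rsa-sha256 branch; if that is intended, the comment should say so. The enclosing method starts and ends outside the hunk.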
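Review bot: In the `@@ -134,6 +143,8 @@` hunk, the placeholder is resolved by overwriting `ref.xpath` on the signer's own reference list, so it stays bound to whatever `envelopeKey` the first call used. If the same instance is ever called with a different `envelopeKey` (the hunk does not show whether that can happen), the stale xpath remains, the existence check below misses it, and a second Body reference is added, which is the duplication this commit sets out to remove. Either document the assumption next to the call, `// resolved once: assumes envelopeKey is identical on every call for this instance`, or keep a handle to the Body reference object and re-point its xpath on each call. The enclosing method begins and ends outside the hunk.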
diff --git a/test/security/WSSecurityCert.js b/test/security/WSSecurityCert.js index 3446aecae..07efeaf9e 100644 --- a/test/security/WSSecurityCert.js +++ b/test/security/WSSecurityCert.js @@ -95,6 +95,13 @@ describe('WSSecurityCert', function () { xml.match(/', 'soap'); + xml.match(/