node-soap icon indicating copy to clipboard operation
node-soap copied to clipboard
verified publisher icon vpulim

WSSecurityCert generates duplicate IDs for Body and Timestamp elements, causing "Incorrect reference digest value" errors

Open hankthemason opened this issue 2 months ago • 2 comments

Bug Description

WSSecurityCert assigns the same ID (_1) to both Timestamp and Body elements, causing duplicate Reference URIs in the XML signature. This results in "Incorrect reference digest value" SOAP faults.

Environment

  • node-soap version: 1.1.10 (also tested with 1.6.0)
  • Node.js version: 22.5.1
  • Operating System: MacOS 15.6.1

Expected Behavior

  • Body and Timestamp elements should have unique IDs
  • Custom IDs from signerOptions.attrs.Id should be respected
  • XML signature should validate properly

Actual Behavior

<Timestamp Id="_1">
<soap:Body Id="_1">  <!-- Same ID! -->
<Reference URI="#_1">  <!-- First reference -->
<Reference URI="#_1">  <!-- Duplicate reference to same element -->

Configuration Attempted

const wsSecurityOptions = {
  hasTimeStamp: true,
  signerOptions: {
    attrs: {
      Id: `_body_${Date.now()}`, // This is ignored
    },
  },
};

Error Response

<faultstring>Incorrect reference digest value</faultstring>

Reproduction Steps

  1. Create WSSecurityCert with custom Body ID in signerOptions
  2. Make SOAP request with both timestamp and signature
  3. Observe duplicate IDs in generated XML
  4. Receive SOAP fault from service

Investigation Notes

  • Constructor accepts signerOptions but doesn't apply attrs.Id
  • Both v1.1.10 and v1.6.0 show same issue
  • Library initializes this.signerOptions = {} without copying provided options

Would appreciate guidance on proper configuration or confirmation if this is a bug that needs fixing.

hankthemason avatar Nov 04 '25 20:11 hankthemason

Hello @hankthemason might need more details on your setup, perhaps with a MWE. The test here specifically for this issue overriding Id in signedOptions passes: https://github.com/vpulim/node-soap/blob/45f82e5c39a4784f767c56b50ee6c2ab3f6faa8c/test/security/WSSecurityCert.js#L209

And the test here checks for uniqueness of generated IDs, including for Body and Timestamp, also passes: https://github.com/vpulim/node-soap/blob/45f82e5c39a4784f767c56b50ee6c2ab3f6faa8c/test/security/WSSecurityCert.js#L228

So it's unclear how you get to the behaviour you are describing in order to reproduce it.

smokhov avatar Nov 09 '25 03:11 smokhov

I agree with @smokhov, need an example that replicates the problem.

w666 avatar Nov 12 '25 08:11 w666