Remove wasProcessed property

cjbarth · shunkica · commit d0a19ae5cc03 · 2025-10-23T21:22:23.000+02:00
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -6,8 +6,12 @@
     "codecov",
     "feide",
     "HMAC",
+    "posteb",
+    "preeb",
     "reserialization",
+    "stricttextualmsg",
     "wsfederation",
-    "wssecurity"
+    "wssecurity",
+    "xades"
   ]
 }
diff --git a/src/signed-xml.ts b/src/signed-xml.ts
@@ -72,7 +72,7 @@ export class SignedXml {
    * Contains the references that were signed.
    * @see {@link Reference}
    */
-  private references: (Reference & { wasProcessed: boolean })[] = [];
+  private references: Reference[] = [];
 
   /**
    * Contains the canonicalized XML of the references that were validly signed.
@@ -833,7 +833,6 @@ export class SignedXml {
       isEmptyUri,
       id,
       type,
-      wasProcessed: false,
       getValidatedNode: () => {
         throw new Error(
           "Reference has not been validated yet; Did you call `sig.checkSignature()`?",
@@ -1182,7 +1181,6 @@ export class SignedXml {
           `<${prefix}DigestValue>${digestAlgorithm.getHash(canonXml)}</${prefix}DigestValue>` +
           `</${prefix}Reference>`;
       }
-      ref.wasProcessed = true;
     }
 
     return res;
@@ -1328,9 +1326,8 @@ export class SignedXml {
    * This is called after the initial signature has been created to handle references to signature elements
    */
   private processSignatureReferences(doc: Document, signatureElem: Element, prefix?: string) {
-    // Get unprocessed references
-    const unprocessedReferences = this.references.filter((ref) => !ref.wasProcessed);
-    if (unprocessedReferences.length === 0) {
+    const pendingRefs = this.references;
+    if (!utils.isArrayHasLength(pendingRefs)) {
       return;
     }
 
@@ -1352,7 +1349,7 @@ export class SignedXml {
     const signatureDoc = signatureElem.ownerDocument;
 
     // Process each unprocessed reference
-    for (const ref of unprocessedReferences) {
+    for (const ref of pendingRefs) {
       const nodes = xpath.selectWithResolver(ref.xpath ?? "", doc, this.namespaceResolver);
 
       if (!utils.isArrayHasLength(nodes)) {
@@ -1374,19 +1371,28 @@ export class SignedXml {
           );
         }
 
-        // Create the reference element directly using DOM methods to avoid namespace issues
-        const referenceElem = signatureDoc.createElementNS(
-          signatureNamespace,
-          `${prefix}Reference`,
-        );
+        // Compute the target URI we intend to add
+        let targetUri: string;
         if (ref.isEmptyUri) {
-          referenceElem.setAttribute("URI", "");
+          targetUri = "";
         } else {
           const id = this.ensureHasId(node);
           ref.uri = id;
-          referenceElem.setAttribute("URI", `#${id}`);
+          targetUri = `#${id}`;
+        }
+
+        // Skip if a Reference with this URI already exists
+        if (utils.hasReferenceWithUri(signedInfoNode, targetUri, signatureNamespace)) {
+          continue;
         }
 
+        // Create the reference element directly using DOM methods to avoid namespace issues
+        const referenceElem = signatureDoc.createElementNS(
+          signatureNamespace,
+          `${prefix}Reference`,
+        );
+        referenceElem.setAttribute("URI", targetUri);
+
         if (ref.id) {
           referenceElem.setAttribute("Id", ref.id);
         }
@@ -1448,7 +1454,6 @@ export class SignedXml {
         // Append the reference element to SignedInfo
         signedInfoNode.appendChild(referenceElem);
       }
-      ref.wasProcessed = true;
     }
   }
 
diff --git a/src/types.ts b/src/types.ts
@@ -45,7 +45,7 @@ export interface GetKeyInfoContentArgs {
 }
 
 /**
- * Object attributes as defined in XMLDSig spec
+ * Object attributes as defined in XMLDSig spec and are emitted verbatim
  * @see https://www.w3.org/TR/xmldsig-core/#sec-Object
  */
 export interface ObjectAttributes {
diff --git a/src/utils.ts b/src/utils.ts
@@ -331,3 +331,18 @@ export function isDescendantOf(node: Node, parent: Node): boolean {
 
   return false;
 }
+
+export function hasReferenceWithUri(
+  signedInfoNode: Element,
+  uri: string,
+  signatureNamespace: string,
+): boolean {
+  const refs = findChildren(signedInfoNode, "Reference", signatureNamespace);
+  for (const el of refs) {
+    const uriAttr = findAttr(el, "URI"); // attribute is un-namespaced in xmldsig
+    if (uriAttr && uriAttr.value === uri) {
+      return true;
+    }
+  }
+  return false;
+}
diff --git a/test/signature-object-tests.spec.ts b/test/signature-object-tests.spec.ts
@@ -203,7 +203,7 @@ describe("ds:Object support in XML signatures", function () {
     expect(objectNodesWithEmpty.length).to.equal(0);
   });
 
-  it("should handle Rerefence to Object", function () {
+  it("should handle Reference to Object", function () {
     const xml = "<root></root>";
 
     const sig = new SignedXml({

Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,12 @@`
`6`	`6`	`"codecov",`
`7`	`7`	`"feide",`
`8`	`8`	`"HMAC",`
	`9`	`+ "posteb",`
	`10`	`+ "preeb",`
`9`	`11`	`"reserialization",`
	`12`	`+ "stricttextualmsg",`
`10`	`13`	`"wsfederation",`
`11`		`- "wssecurity"`
	`14`	`+ "wssecurity",`
	`15`	`+ "xades"`
`12`	`16`	`]`
`13`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ export interface GetKeyInfoContentArgs {`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`/**`
`48`		`- * Object attributes as defined in XMLDSig spec`
	`48`	`+ * Object attributes as defined in XMLDSig spec and are emitted verbatim`
`49`	`49`	`* @see https://www.w3.org/TR/xmldsig-core/#sec-Object`
`50`	`50`	`*/`
`51`	`51`	`export interface ObjectAttributes {`