From 6d9f30ae4485b45b8c5349ee4466c41494d40707 Mon Sep 17 00:00:00 2001 From: Ming Zhang Date: Mon, 2 Dec 2019 16:58:43 +0800 Subject: [PATCH 1/2] cert is reworked to be optional, since it is not mandatory for xml signature library --- lib/saml11.js | 24 +++++++++++------------- lib/saml20.js | 22 ++++++++++------------ package.json | 2 +- test/saml11.tests.js | 10 ++++++++++ test/saml20.tests.js | 21 ++++++++++++++++++++- 5 files changed, 52 insertions(+), 27 deletions(-) diff --git a/lib/saml11.js b/lib/saml11.js index f359aa54..7156d609 100644 --- a/lib/saml11.js +++ b/lib/saml11.js @@ -3,8 +3,8 @@ var utils = require('./utils'), Parser = require('xmldom').DOMParser, SignedXml = require('xml-crypto').SignedXml, xmlenc = require('xml-encryption'), - moment = require('moment'); - async = require('async'); + moment = require('moment'), + async = require('async'), crypto = require('crypto'); var fs = require('fs'); @@ -28,26 +28,24 @@ exports.create = function(options, callback) { if (!options.key) throw new Error('Expect a private key in pem format'); - if (!options.cert) - throw new Error('Expect a public key cert in pem format'); - options.signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256'; options.digestAlgorithm = options.digestAlgorithm || 'sha256'; - var cert = utils.pemToCert(options.cert); - var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[options.signatureAlgorithm], idAttribute: 'AssertionID' }); sig.addReference("//*[local-name(.)='Assertion']", ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"], algorithms.digest[options.digestAlgorithm]); sig.signingKey = options.key; - - sig.keyInfoProvider = { - getKeyInfo: function () { - return "" + cert + ""; - } - }; + + if (options.cert) { + var cert = utils.pemToCert(options.cert); + sig.keyInfoProvider = { + getKeyInfo: function () { + return "" + cert + ""; + } + }; + } var doc; try { diff --git a/lib/saml20.js b/lib/saml20.js index 21c1f278..8cf7c968 100644 --- a/lib/saml20.js +++ b/lib/saml20.js @@ -59,9 +59,6 @@ exports.create = function(options, callback) { if (!options.key) throw new Error('Expect a private key in pem format'); - if (!options.cert) - throw new Error('Expect a public key cert in pem format'); - options.signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256'; options.digestAlgorithm = options.digestAlgorithm || 'sha256'; @@ -72,21 +69,22 @@ exports.create = function(options, callback) { options.signatureNamespacePrefix = options.signatureNamespacePrefix || options.prefix; options.signatureNamespacePrefix = typeof options.signatureNamespacePrefix === 'string' ? options.signatureNamespacePrefix : '' ; - var cert = utils.pemToCert(options.cert); - var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[options.signatureAlgorithm], idAttribute: 'ID' }); sig.addReference("//*[local-name(.)='Assertion']", ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"], algorithms.digest[options.digestAlgorithm]); sig.signingKey = options.key; - - sig.keyInfoProvider = { - getKeyInfo: function (key, prefix) { - prefix = prefix ? prefix + ':' : prefix; - return "<" + prefix + "X509Data><" + prefix + "X509Certificate>" + cert + ""; - } - }; + + if (options.cert) { + var cert = utils.pemToCert(options.cert); + sig.keyInfoProvider = { + getKeyInfo: function (key, prefix) { + prefix = prefix ? prefix + ':' : prefix; + return "<" + prefix + "X509Data><" + prefix + "X509Certificate>" + cert + ""; + } + }; + } var doc; try { diff --git a/package.json b/package.json index 2eacb838..d2a1ae21 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "saml", - "version": "0.13.0", + "version": "0.13.1", "devDependencies": { "mocha": "3.5.3", "should": "~1.2.1" diff --git a/test/saml11.tests.js b/test/saml11.tests.js index d924c278..a72337c2 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -22,6 +22,16 @@ describe('saml 1.1', function () { var isValid = utils.isValidSignature(signedAssertion, options.cert); assert.equal(true, isValid); }); + + it('should ignore cert if not present', function () { + var options = { + key: fs.readFileSync(__dirname + '/test-auth0.key') + }; + + var signedAssertion = saml11.create(options); + var isValid = utils.isValidSignature(signedAssertion, fs.readFileSync(__dirname + '/test-auth0.pem'),); + assert.equal(true, isValid); + }); it('should support specifying Issuer property', function () { var options = { diff --git a/test/saml20.tests.js b/test/saml20.tests.js index e351cfa3..0487ff8b 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -56,6 +56,26 @@ describe('saml 2.0', function () { assert.equal('urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified', authnContextClassRef.textContent); }); + + it('should ignore cert if not present', function () { + var options = { + key: fs.readFileSync(__dirname + '/test-auth0.key'), + issuer: 'urn:issuer', + lifetimeInSeconds: 600, + audiences: 'urn:myapp', + attributes: { + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'foo@bar.com', + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar' + }, + nameIdentifier: 'foo', + nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' + }; + + var signedAssertion = saml.create(options); + var isValid = utils.isValidSignature(signedAssertion, fs.readFileSync(__dirname + '/test-auth0.pem')); + assert.equal(true, isValid); + }); + it('should set attributes', function () { var options = { cert: fs.readFileSync(__dirname + '/test-auth0.pem'), @@ -440,7 +460,6 @@ describe('saml 2.0', function () { assert.equal('saml:Conditions', signature[0].previousSibling.nodeName); }); - it('should not include AudienceRestriction when there are no audiences', function () { var options = { cert: fs.readFileSync(__dirname + '/test-auth0.pem'), From b98c3ba141ac1dd84e04dedc7672dd4a43f03d9a Mon Sep 17 00:00:00 2001 From: Ming Zhang Date: Mon, 2 Dec 2019 17:58:19 +0800 Subject: [PATCH 2/2] fix syntax error in test case --- test/saml11.tests.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/saml11.tests.js b/test/saml11.tests.js index a72337c2..f4314122 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -29,7 +29,7 @@ describe('saml 1.1', function () { }; var signedAssertion = saml11.create(options); - var isValid = utils.isValidSignature(signedAssertion, fs.readFileSync(__dirname + '/test-auth0.pem'),); + var isValid = utils.isValidSignature(signedAssertion, fs.readFileSync(__dirname + '/test-auth0.pem')); assert.equal(true, isValid); });