diff --git a/src/libsaml.ts b/src/libsaml.ts
index a0e62232..2b97f3e3 100644
--- a/src/libsaml.ts
+++ b/src/libsaml.ts
@@ -545,7 +545,7 @@ const libSaml = () => {
 // Embed with node-rsa module
 const decryptedKey = new nrsa(
 utility.readPrivateKey(key, passphrase),
- 'private',
+ undefined,
 {
 signingScheme: getSigningScheme(signingAlgorithm),
 }
diff --git a/test/flow.ts b/test/flow.ts
index 702b389f..8cfcc61a 100644
--- a/test/flow.ts
+++ b/test/flow.ts
@@ -77,7 +77,7 @@ const createTemplateCallback = (_idp, _sp, _binding, user) => template => {
 // Parse Redirect Url context
-const parseRedirectUrlContextCallBack = (_context) => {
+const parseRedirectUrlContextCallBack = (_context: string) => {
 const originalURL = url.parse(_context, true);
 const _SAMLResponse = originalURL.query.SAMLResponse;
 const _Signature = originalURL.query.Signature;
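Review bot: The `undefined` passed as the second nrsa argument on the changed line needs a comment, because a reader who sees `'private'` replaced by `undefined` cannot tell whether the format was dropped by accident: node-rsa's `'private'` format means PKCS#1 PEM only, whereas an undefined format makes node-rsa detect the PEM type from its header, which is what lets the new PKCS#8 fixtures in test/flow.ts load. Suggested: `undefined, // let node-rsa auto-detect PKCS#1 vs PKCS#8 PEM ('private' would force PKCS#1)`. With auto-detection a key in neither format now fails inside node-rsa's import rather than against a declared format, so whatever error handling surrounds this call (outside the hunk) should be checked for the message it surfaces to callers. The enclosing libSaml function continues outside the hunk.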
@@ -252,6 +252,40 @@ test('create login request with redirect binding using [custom template]', t =>
 (id === 'exposed_testing_id' && isString(context)) ? t.pass() : t.fail();
 });
+test('create login request with redirect binding signing with unencrypted PKCS#8', t => {
+ const _sp = serviceProvider({
+ authnRequestsSigned: true,
+ signingCert: readFileSync('./test/key/sp/cert.unencrypted.pkcs8.cer'),
+ privateKey: readFileSync('./test/key/sp/privkey.unencrypted.pkcs8.pem'),
+ privateKeyPass: undefined,
+ });
+
+ const { context } = _sp.createLoginRequest(idp, 'redirect');
+
+ const parsed = parseRedirectUrlContextCallBack(context)
+ const signature = Buffer.from(parsed.query.Signature as string, 'base64');
+
+ const valid = libsaml.verifyMessageSignature(_sp.entityMeta, parsed.octetString, signature, parsed.query.SigAlg as string);
+ t.true(valid, 'signature did not validate');
+});
+
+test('create login request with redirect binding signing with encrypted PKCS#8', t => {
+ const _sp = serviceProvider({
+ authnRequestsSigned: true,
+ signingCert: readFileSync('./test/key/sp/cert.encrypted.pkcs8.cer'),
+ privateKey: readFileSync('./test/key/sp/privkey.encrypted.pkcs8.pem'),
+ privateKeyPass: 'VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px',
+ });
+
+ const { context } = _sp.createLoginRequest(idp, 'redirect');
+
+ const parsed = parseRedirectUrlContextCallBack(context)
+ const signature = Buffer.from(parsed.query.Signature as string, 'base64');
+
+ const valid = libsaml.verifyMessageSignature(_sp.entityMeta, parsed.octetString, signature, parsed.query.SigAlg as string);
+ t.true(valid, 'signature did not validate');
+});
+
 test('create login request with post binding using [custom template]', t => {
 const _sp = serviceProvider({
 ...defaultSpConfig,
 loginRequestTemplate: {
diff --git a/test/index.ts b/test/index.ts
index 1de0660e..e10e0f4b 100644
--- a/test/index.ts
+++ b/test/index.ts
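Review bot: Both new tests assert only the positive path, so a regression that made verifyMessageSignature accept any signature would still pass; each should also check that a corrupted signature is rejected. The two bodies are identical apart from the fixture paths and passphrase, so they are better expressed through one helper that takes the cert, key and passphrase and performs both checks, as sketched below (the `t` parameter is typed with ava's `ExecutionContext`, inferred from `t.true`/`t.pass` being the runner in use). The two `const parsed = …` lines are also missing their semicolons, unlike the surrounding code. If verifyMessageSignature throws rather than returning false on a malformed signature — I cannot tell from the hunk — the negative check should use `t.throws` instead.
```typescript
// Signs a redirect-binding login request with the given key pair and checks the detached signature,
// then checks that a corrupted signature is rejected.
const assertRedirectSignatureVerifies = (t: ExecutionContext, certFile: string, keyFile: string, privateKeyPass?: string) => {
  const _sp = serviceProvider({
    authnRequestsSigned: true,
    signingCert: readFileSync(certFile),
    privateKey: readFileSync(keyFile),
    privateKeyPass,
  });
  const { context } = _sp.createLoginRequest(idp, 'redirect');
  const parsed = parseRedirectUrlContextCallBack(context);
  const signature = Buffer.from(parsed.query.Signature as string, 'base64');
  const sigAlg = parsed.query.SigAlg as string;
  t.true(libsaml.verifyMessageSignature(_sp.entityMeta, parsed.octetString, signature, sigAlg), 'signature did not validate');
  // a tampered signature must fail, otherwise the positive check proves nothing
  const tampered = Buffer.from(signature);
  tampered[0] ^= 0xff;
  t.false(libsaml.verifyMessageSignature(_sp.entityMeta, parsed.octetString, tampered, sigAlg), 'tampered signature validated');
};

test('create login request with redirect binding signing with unencrypted PKCS#8', t => {
  assertRedirectSignatureVerifies(t, './test/key/sp/cert.unencrypted.pkcs8.cer', './test/key/sp/privkey.unencrypted.pkcs8.pem');
});
// … unchanged: encrypted PKCS#8 test, same call with the encrypted fixtures and their passphrase …
```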
@@ -334,13 +334,17 @@ test('getAssertionConsumerService with two bindings', t => {
 test('idp with multiple signing and encryption certificates', t => {
 const localIdp = identityProvider({
 signingCert: [
- readFileSync('./test/key/sp/cert.cer'),
- readFileSync('./test/key/sp/cert2.cer').toString(),
+ readFileSync('./test/key/idp/cert.cer'),
+ readFileSync('./test/key/idp/cert2.cer').toString(),
 ],
 encryptCert: [
 readFileSync('./test/key/idp/encryptionCert.cer'),
 readFileSync('./test/key/idp/encryptionCert.cer').toString(),
- ]
+ ],
+ singleSignOnService: [{
+ Binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ Location: 'idp.example.com/sso',
+ }]
 })
 const signingCertificate = localIdp.entityMeta.getX509Certificate('signing');
diff --git a/test/key/sp/cert.encrypted.pkcs8.cer b/test/key/sp/cert.encrypted.pkcs8.cer
new file mode 100644
index 00000000..2cd28299
--- /dev/null
+++ b/test/key/sp/cert.encrypted.pkcs8.cer
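Review bot: The added `Location: 'idp.example.com/sso'` is not an absolute URL, yet a SingleSignOnService Location is the endpoint an SP redirects or POSTs to and a metadata consumer would normally expect a scheme; `Location: 'https://idp.example.com/sso'` keeps the fixture realistic and stops the test from quietly depending on lenient parsing of that value. Nothing in the hunk says why singleSignOnService became necessary here — presumably identityProvider() now requires it — so a short comment such as `// singleSignOnService is required by identityProvider(); not exercised by this test` would spare the next reader the same question. The test function continues outside the hunk.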
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0TCCArigAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCaGsx +EjAQBgNVBAgMCUhvbmcgS29uZzETMBEGA1UECgwKbm9kZS1zYW1sMjEXMBUGA1UE +AwwOc2FtbGlmeS5qcy5vcmcxCzAJBgNVBAcMAkhLMSMwIQYJKoZIhvcNAQkBFhRu +b2RlLnNhbWwyQGdtYWlsLmNvbTAeFw0yMzAxMDYxNTQ2NTdaFw0zMzAxMDMxNTQ2 +NTdaMIGBMQswCQYDVQQGEwJoazESMBAGA1UECAwJSG9uZyBLb25nMRMwEQYDVQQK +DApub2RlLXNhbWwyMRcwFQYDVQQDDA5zYW1saWZ5LmpzLm9yZzELMAkGA1UEBwwC +SEsxIzAhBgkqhkiG9w0BCQEWFG5vZGUuc2FtbDJAZ21haWwuY29tMIIBIzANBgkq +hkiG9w0BAQEFAAOCARAAMIIBCwKCAQIA0rKjNPl2dwu+4jE128CvOTC3nHbJmjyx +5RaLuPEt65koViXqg/klpvzUUu8V+FeIiiOJx0NB5BXCm4QDcSay9K4A2daeTNLm +vNM340TWMIZbz32wx4lnwD7Nc//UmbFzBgU+AB5tLEkzXc+21YY6GhWIsjuz4/ta +WfhvdQatMJOCm2C8G5n5X/HfxLxHNBOpPytuxTZKHYWWszMFNf7K+08n58O3z/Ha +Z/wH//KWPZ4GF4B+NrSd6j0JFwHXXwHdomlYJ0QH/jaW8jvegM+u56xHsWl/p1Ae +eB/Fm90jFcAbf4lK5BsD3RSaV2IlTz2i8pLkKYZumMjFIZ+stSZ3LBECAwEAAaNQ +ME4wHQYDVR0OBBYEFHBW91GXY9QE3eS26e7xap4JPwjpMB8GA1UdIwQYMBaAFHBW +91GXY9QE3eS26e7xap4JPwjpMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD +ggECAE39udf8tOHRSIghwFYi4TQQeLxFZq3fhfX2z9Jy5Anz18930nx343dolL7B +MCG93AHkimCZSOpc2T0/bYi4SaTTvA9EQ0wbF3QDlItjxaIjuEf9C0uFSIGZKUV3 +HgdDcK+eEFe50fO37mepsGoFesNMEfYIO2qacIFdowTNi+yrA3lOgmEETBFx/bEM +dXTCAjRGchPM6IiAHNQ1OzM8qEzH/ALUgGGY3FXxi4cZk/mIVvLtj8S41IphZfBZ +Zc+GIiB7I8YPy1OuMcHVfEU9Kyqc3L4nCkQ1HbL9Z6E646w3yWIv116beFe9QEFQ +y7MQIO27pdvoQAQKoYysA87o7UEv +-----END CERTIFICATE----- diff --git a/test/key/sp/cert.unencrypted.pkcs8.cer b/test/key/sp/cert.unencrypted.pkcs8.cer new file mode 100644 index 00000000..ee478e5f --- /dev/null +++ b/test/key/sp/cert.unencrypted.pkcs8.cer 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0TCCArigAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCaGsx +EjAQBgNVBAgMCUhvbmcgS29uZzETMBEGA1UECgwKbm9kZS1zYW1sMjEXMBUGA1UE +AwwOc2FtbGlmeS5qcy5vcmcxCzAJBgNVBAcMAkhLMSMwIQYJKoZIhvcNAQkBFhRu +b2RlLnNhbWwyQGdtYWlsLmNvbTAeFw0yMzAxMDUyMjQ3NTBaFw0zMzAxMDIyMjQ3 +NTBaMIGBMQswCQYDVQQGEwJoazESMBAGA1UECAwJSG9uZyBLb25nMRMwEQYDVQQK +DApub2RlLXNhbWwyMRcwFQYDVQQDDA5zYW1saWZ5LmpzLm9yZzELMAkGA1UEBwwC +SEsxIzAhBgkqhkiG9w0BCQEWFG5vZGUuc2FtbDJAZ21haWwuY29tMIIBIzANBgkq +hkiG9w0BAQEFAAOCARAAMIIBCwKCAQIAuiZeojwEcgdd8yRCddkhLhoKScITJl1V +cUrbMFa76yg/9KFjOgiY27Y4czL71XKy3L52GQXcryXhOXrt+td8ArsDV+ATVmLt +/Ew1VTmG5jKbsJQe3tYgulvdl6rME7ytC1vk40LGAtB08fP4HbVULOS6HEsFWtwt +KxI2woVgfCU37nJOCz9SVWsMxRwjmNn1lyOnLdzHZ87yU6IyIGRCzwLhN09jVoYK +36XKPl+XF2mTeODAXJ5bGHzBfS1PLhi9zG7c8t0wLMVbS76Cz6TpK/oTJnTBMmzw +Z6sLlrbK3Xy7geRV7rhWfEmY97WXkGLUa3jKfq5LTAf63rz5ZjzgeZ8CAwEAAaNQ +ME4wHQYDVR0OBBYEFIW8z2CmYsUvTbX8IFHE+IdbkcsHMB8GA1UdIwQYMBaAFIW8 +z2CmYsUvTbX8IFHE+IdbkcsHMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD +ggECAAvSnm6IQYmPPVpoUvwC3K3jh28HQ/8S5QMgRGw+RcqgJbo5wIAn0OOUJLfR +rLtcx2UfaFPn3QKvGOrX71ekb6FF0hzEq+U3Mbv2KEWBEwbu5D+N93uvf3ryeM7o +X4t6Qi5gKe486PrOBu2CyUtveFBqECWCGRG5yN+/4bd2zh/hug3lD28hicA7rsnA +FOrEmnhnDhzWzoG+ih1uCzjui21gFGeKRspWkXf+4Vgc7lL+tYCI0sVfe1huRwFh +SkTC5yT/7mYw4aLlRAKOxAEMHQjj5bFyr8NZa296YIcdBbdRm8oqGDqWcK4wcu/I +yFtbTMIWwNL9n/lLh695eNwDmg28 +-----END CERTIFICATE----- diff --git a/test/key/sp/privkey.encrypted.pkcs8.pem b/test/key/sp/privkey.encrypted.pkcs8.pem new file mode 100644 index 00000000..76ab8bd1 --- /dev/null +++ b/test/key/sp/privkey.encrypted.pkcs8.pem 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIuQ2unbu0tjICAggA +MBQGCCqGSIb3DQMHBAjKZQizh2v/CgSCBMjMV4AX1EmUgV2PjSYYehbnIEOZdiOU +xiH2hEWZBvj6Lc+OtG01w/DubW7drMdbeQPY8ZWd0mFuhPKWbrU7C+u98vy9+dly +hm22DfEda5BWD4YINKj7qdK+RtM0Im3gHtmppfNP6ZTIGB6TC6gy0pSbOsT2BaAO +Ly/4wp/KSxgaCyTIyFlmUP34AGZoLz21FjQn6nD9TNGO6V+/0CUin5aezuoEbz6r +aWhw+eaw/KtzIDfuj6mShbqBHWP74DfB16M5pU3MCOsfalzouoh+y4FbImRD+ILU +CYibmXQXxbXFHtp30eYsJHVMg56HvkO1EZI6nHdOLUxJ6N/0Gs1FdsijMuqdjX9P +OWPVMrXvCoWSSWcSQDIGKqxA7QJOubH3Q0F2cEWkgSht00EO3tm7LZqCVWv0lPh/ +S61WvUSu6YeGXgeZ7FMWBM3MEJIGAP6Uk0jJ//NGkdPEHe4K488UM8KswLMfUPdv +PCI9vtqgDuWlMytQKbtUPgY9LHKa2aGF3FJq6XIDgyGAbPkSjdtMJS3cIzbB9vPD +Pxpj6PLe2HRuE9fQsxQia3SFHhXlHo2MjUJZsyZbts70BeI1J8dJJSCfRtvxjCeL +fet8LN/5wv7aIteJOiM6ffvexzwUUiBMSo+HtgZ49992MRf/bx5i87uAgxlshc2k +tLJEW/UQXwpA2QaP3CJS8I2P3PwvmCKT77+s21vFeheNUOsfdwN2dQeEJU/9DDCN +fGrCW2p9HAvh9TEAqJGToMU11OZjMhWEh/d1Xzo9VxuO5LDSNnv3w/MHXKUuZyNI +mIBSTvwz/qs7bdDxZfTzhy6IxIYIT2jILg+sOR5jyej/bq3F3MxvKonX58X3U5NE +HqKcFuqtsZfFINUrke2GjyQaHKvnUpwTx8H5SkCzpH6MuSrm78afX1Pkg8LvDO6c +4YWSs6hX7xUZxuiACvF6oDAesk5KqlbH7DoEbgX003i+0RoRPGbm8a1ksrbxw+Vl +Nsab4Wq6pXM0z5ZcDLrgI2PRc7yJLnoLiMDFIbKWWC3TTmLsNuQqyICRSsJtE9SH +CQNq+hD82GElrnERllxCyGeues6Wx6ST2ruxil1oKTXygU8dg3Hw6tae3t5Gfnwv +FZaTsU1rQF8fnRaWHID65e4XuXdvqx9ml7KHfDool6Kgjjz+AgSM0ns6R5WIDsZR +2sBdorICollrE6zvCrpZiPxbr96M835lW0Zblj2a7rKWqDUd2t1+W4TbFgwGS7jM +T8n5Fbje4f1BSpJCWZlo28aDzlfum003tdKrHizzWEjIoEsO+fad55qPMc94/4oW +TXg7kn5jo2RMYniKV18cDIJhziGp5sA/fJX5w2z2mL1cyKLZpV6YcIrErxdJ/gQD +Tx1Q9ayCenIAgnwn/PtRf0AI1n/yPYxHfln3Y9kvajgYe7lA4lFFMKpUMZ8xmZ8T +KTWIK+tVSm+uYCrMPb+EwKxkoD+unvPjHFUfRjquCahx07HVd7+TMBA3LHwSWdtX +DIdLBDUrvmhrdcUf8EyHBD4TGr/ZYiKPVCcT1E1op4mqBucfQGBfja02sDXL6Vu+ +vqKMK662XrRNUXUIRPF901f070QVmou7UW1tG9Dzi6Y7bcUfDjZwR7Y3LPrMEYfi +mOk= +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/key/sp/privkey.unencrypted.pkcs8.pem b/test/key/sp/privkey.unencrypted.pkcs8.pem new file mode 100644 index 00000000..89c857e8 --- /dev/null +++ b/test/key/sp/privkey.unencrypted.pkcs8.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwgIBADANBgkqhkiG9w0BAQEFAASCBKwwggSoAgEAAoIBAgC6Jl6iPARyB13z +JEJ12SEuGgpJwhMmXVVxStswVrvrKD/0oWM6CJjbtjhzMvvVcrLcvnYZBdyvJeE5 +eu3613wCuwNX4BNWYu38TDVVOYbmMpuwlB7e1iC6W92XqswTvK0LW+TjQsYC0HTx +8/gdtVQs5LocSwVa3C0rEjbChWB8JTfuck4LP1JVawzFHCOY2fWXI6ct3MdnzvJT +ojIgZELPAuE3T2NWhgrfpco+X5cXaZN44MBcnlsYfMF9LU8uGL3Mbtzy3TAsxVtL +voLPpOkr+hMmdMEybPBnqwuWtsrdfLuB5FXuuFZ8SZj3tZeQYtRreMp+rktMB/re +vPlmPOB5nwIDAQABAoIBAgCwsQD8n1lc3y9HPjCzafE7sE35qvTAYrFag0JAxONE +mAT08Eeea1CkpHc6qbcu6Ntr+oFgyRarTZpWFCBWDDnS4a6Pt8rDIc5hv/iTt7Ib +SQhM+JvAyqFwIwjYEK/7QAlFEenV6ajIPRP0Ia5ujJKktksN1gv0La/WBUjjJPTr +gdKDgP4SgEHwhDF3rgzk/284Dbmr4pOxvi290AnHrVER+oPlxy/WS4mOEBYVU2Rq +TbP07ej+ifYO/w9ZjJAc5l9UK2NDsv3JCUgui0PBgZ27z3dZ2TD2VbZXqSS4jahG +UUhwCT0sOzIWVsZypv4PvTHJl/uvgS1Be01n/FAtcJGAKQKBgQ49glSkdtfJtjQm +blqbacabkox+EM8EGkc9iveveD81E0gUYTL7AjVawowVYKQnYSZfsCdU7feLPQH2 +bwjzAgbiY+QbbFcTT9FJu5D31qM4jqk24Bu2vjecHpEy8sJKkvoqv0CdWTUKhk98 +7enh63LWo4Hjs6FVMAh8QKwsHjeMfQKBgQ0Sc4eO4ZSFuwCx8L4gG7MlvIeqVbHC +8kwDzJY3qECxDaDD1ogbGuDVa9p8bnZNmhHE6+nyep7AGvXKzWUzWqYYz2nqxwuC +/MAQHN6ruKFDaWzrDCfBMfwLsif4SgpcKkJj+1Y+LjPe1tgBw45cco9cWxZLPvVL +yxEAVTbFWXFlSwKBgQu7F/ZqVYyGGpbzYc06YfS+jAc4gthG5O7y/9vyrPhE3NFw +GHJK3RLe5Y1Ivwf7eMiH4zFDgZV/Go7XV7jjlzPco7Vx8dn5irM6Lk3KHQLwwHUd +Q5kQ/boJ3hR3CAyOKm3zcQHlnWtYdDRfEg6tkaxUrPV/gqbQ6nTTBuPOpEXWcQKB +gQnqSvMxr21mmleGoOK1nA0gvIXy75ksE3kREKeIg/i902Zz5U/Lr3GGsI5C/86A +QjLkOUV0hQnRESIKuAzhDQsbmofuaxgSPQC5uAw2GI9JgLf6+XdWFUHm5TVoIVEG +Y4+EIuphs83oYvHpNJnRCZwwI28fmBubZ+X3aKtoudVHTQKBgQCKN34ZGQUgs3OY +0VNlrlM5BMqO4uJD/kv5BgepqfbVEud2Mwmu+W1nPKv0rdWyIZunL2xVGD/9yRk0 +ruC2q4dCQvFV2TsxN7Pkf+bvm9Ep9XokQE79g7EVty3mf8vYVv5KXDXEH808YxqU +gFQYnB76DUsI08o13SQtjDCm/oLxSA== +-----END PRIVATE KEY-----