fix: support unencrypted PKCS#8 keys again #503

Merged
merged 2 commits into from
Jan 29, 2023
2 changes: 1 addition & 1 deletion src/libsaml.ts
Expand Up @@ -545,7 +545,7 @@ const libSaml = () => {
// Embed with node-rsa module
const decryptedKey = new nrsa(
utility.readPrivateKey(key, passphrase),
'private',
undefined,
{
signingScheme: getSigningScheme(signingAlgorithm),
}
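Review bot: The second argument to `new nrsa(...)` is now a bare `undefined` with nothing saying why, and the comment above it (`// Embed with node-rsa module`) does not explain the choice, so the next reader cannot tell this is the PKCS#8 fix rather than a leftover. Presumably omitting the format lets node-rsa derive the container type from the PEM header, whereas `'private'` pinned it to PKCS#1 and rejected `BEGIN PRIVATE KEY` input; if that is the intent, replace the comment with `// format deliberately left undefined so node-rsa detects PKCS#1 vs PKCS#8 from the PEM header (see #503)`. The enclosing libSaml arrow function starts and ends outside the hunk.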
36 changes: 35 additions & 1 deletion test/flow.ts
Expand Up @@ -77,7 +77,7 @@ const createTemplateCallback = (_idp, _sp, _binding, user) => template => {

// Parse Redirect Url context

const parseRedirectUrlContextCallBack = (_context) => {
const parseRedirectUrlContextCallBack = (_context: string) => {
const originalURL = url.parse(_context, true);
const _SAMLResponse = originalURL.query.SAMLResponse;
const _Signature = originalURL.query.Signature;
Expand Down Expand Up @@ -252,6 +252,40 @@ test('create login request with redirect binding using [custom template]', t =>
(id === 'exposed_testing_id' && isString(context)) ? t.pass() : t.fail();
});

test('create login request with redirect binding signing with unencrypted PKCS#8', t => {
const _sp = serviceProvider({
authnRequestsSigned: true,
signingCert: readFileSync('./test/key/sp/cert.unencrypted.pkcs8.cer'),
privateKey: readFileSync('./test/key/sp/privkey.unencrypted.pkcs8.pem'),
privateKeyPass: undefined,
});

const { context } = _sp.createLoginRequest(idp, 'redirect');

const parsed = parseRedirectUrlContextCallBack(context)
const signature = Buffer.from(parsed.query.Signature as string, 'base64');

const valid = libsaml.verifyMessageSignature(_sp.entityMeta, parsed.octetString, signature, parsed.query.SigAlg as string);
t.true(valid, 'signature did not validate');
});

test('create login request with redirect binding signing with encrypted PKCS#8', t => {
const _sp = serviceProvider({
authnRequestsSigned: true,
signingCert: readFileSync('./test/key/sp/cert.encrypted.pkcs8.cer'),
privateKey: readFileSync('./test/key/sp/privkey.encrypted.pkcs8.pem'),
privateKeyPass: 'VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px',
});

const { context } = _sp.createLoginRequest(idp, 'redirect');

const parsed = parseRedirectUrlContextCallBack(context)
const signature = Buffer.from(parsed.query.Signature as string, 'base64');

const valid = libsaml.verifyMessageSignature(_sp.entityMeta, parsed.octetString, signature, parsed.query.SigAlg as string);
t.true(valid, 'signature did not validate');
});

test('create login request with post binding using [custom template]', t => {
const _sp = serviceProvider({
...defaultSpConfig, loginRequestTemplate: {
10 changes: 7 additions & 3 deletions test/index.ts
Expand Up @@ -334,13 +334,17 @@ test('getAssertionConsumerService with two bindings', t => {
test('idp with multiple signing and encryption certificates', t => {
const localIdp = identityProvider({
signingCert: [
readFileSync('./test/key/sp/cert.cer'),
readFileSync('./test/key/sp/cert2.cer').toString(),
readFileSync('./test/key/idp/cert.cer'),
readFileSync('./test/key/idp/cert2.cer').toString(),
],
encryptCert: [
readFileSync('./test/key/idp/encryptionCert.cer'),
readFileSync('./test/key/idp/encryptionCert.cer').toString(),
]
],
singleSignOnService: [{
Binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
Location: 'idp.example.com/sso',
}]
})

const signingCertificate = localIdp.entityMeta.getX509Certificate('signing');
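Review bot: The `singleSignOnService` entry added with `Location: 'idp.example.com/sso'` is not an absolute URL (no scheme), so if the entity metadata or anything that later resolves the SSO location treats it as a URL, this fixture behaves differently from a real deployment; `Location: 'https://idp.example.com/sso'` keeps the test representative without changing what it asserts. Separately, the `encryptCert` list this test keeps reads `encryptionCert.cer` twice, so the "multiple encryption certificates" half of the test name is only nominally exercised; that is pre-existing and not something this change touches, but worth a follow-up. The test function's closing lines are outside the hunk.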
23 changes: 23 additions & 0 deletions test/key/sp/cert.encrypted.pkcs8.cer
@@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
23 changes: 23 additions & 0 deletions test/key/sp/cert.unencrypted.pkcs8.cer
@@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
30 changes: 30 additions & 0 deletions test/key/sp/privkey.encrypted.pkcs8.pem
@@ -0,0 +1,30 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
28 changes: 28 additions & 0 deletions test/key/sp/privkey.unencrypted.pkcs8.pem
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----