Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cert is reworked to be optional, since it is not mandatory for xml signature library #58

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 11 additions & 13 deletions lib/saml11.js
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@ var utils = require('./utils'),
Parser = require('xmldom').DOMParser,
SignedXml = require('xml-crypto').SignedXml,
xmlenc = require('xml-encryption'),
moment = require('moment');
async = require('async');
moment = require('moment'),
async = require('async'),
crypto = require('crypto');

var fs = require('fs');
Expand All @@ -28,26 +28,24 @@ exports.create = function(options, callback) {
if (!options.key)
throw new Error('Expect a private key in pem format');

if (!options.cert)
throw new Error('Expect a public key cert in pem format');

options.signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256';
options.digestAlgorithm = options.digestAlgorithm || 'sha256';

var cert = utils.pemToCert(options.cert);

var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[options.signatureAlgorithm], idAttribute: 'AssertionID' });
sig.addReference("//*[local-name(.)='Assertion']",
["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"],
algorithms.digest[options.digestAlgorithm]);

sig.signingKey = options.key;

sig.keyInfoProvider = {
getKeyInfo: function () {
return "<X509Data><X509Certificate>" + cert + "</X509Certificate></X509Data>";
}
};

if (options.cert) {
var cert = utils.pemToCert(options.cert);
sig.keyInfoProvider = {
getKeyInfo: function () {
return "<X509Data><X509Certificate>" + cert + "</X509Certificate></X509Data>";
}
};
}

var doc;
try {
Expand Down
22 changes: 10 additions & 12 deletions lib/saml20.js
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,6 @@ exports.create = function(options, callback) {
if (!options.key)
throw new Error('Expect a private key in pem format');

if (!options.cert)
throw new Error('Expect a public key cert in pem format');

options.signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256';
options.digestAlgorithm = options.digestAlgorithm || 'sha256';

Expand All @@ -72,21 +69,22 @@ exports.create = function(options, callback) {
options.signatureNamespacePrefix = options.signatureNamespacePrefix || options.prefix;
options.signatureNamespacePrefix = typeof options.signatureNamespacePrefix === 'string' ? options.signatureNamespacePrefix : '' ;

var cert = utils.pemToCert(options.cert);

var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[options.signatureAlgorithm], idAttribute: 'ID' });
sig.addReference("//*[local-name(.)='Assertion']",
["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"],
algorithms.digest[options.digestAlgorithm]);

sig.signingKey = options.key;

sig.keyInfoProvider = {
getKeyInfo: function (key, prefix) {
prefix = prefix ? prefix + ':' : prefix;
return "<" + prefix + "X509Data><" + prefix + "X509Certificate>" + cert + "</" + prefix + "X509Certificate></" + prefix + "X509Data>";
}
};

if (options.cert) {
var cert = utils.pemToCert(options.cert);
sig.keyInfoProvider = {
getKeyInfo: function (key, prefix) {
prefix = prefix ? prefix + ':' : prefix;
return "<" + prefix + "X509Data><" + prefix + "X509Certificate>" + cert + "</" + prefix + "X509Certificate></" + prefix + "X509Data>";
}
};
}

var doc;
try {
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "saml",
"version": "0.13.0",
"version": "0.13.1",
"devDependencies": {
"mocha": "3.5.3",
"should": "~1.2.1"
Expand Down
10 changes: 10 additions & 0 deletions test/saml11.tests.js
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,16 @@ describe('saml 1.1', function () {
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
});

it('should ignore cert if not present', function () {
var options = {
key: fs.readFileSync(__dirname + '/test-auth0.key')
};

var signedAssertion = saml11.create(options);
var isValid = utils.isValidSignature(signedAssertion, fs.readFileSync(__dirname + '/test-auth0.pem'));
assert.equal(true, isValid);
});

it('should support specifying Issuer property', function () {
var options = {
Expand Down
21 changes: 20 additions & 1 deletion test/saml20.tests.js
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,26 @@ describe('saml 2.0', function () {
assert.equal('urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified', authnContextClassRef.textContent);
});


it('should ignore cert if not present', function () {
var options = {
key: fs.readFileSync(__dirname + '/test-auth0.key'),
issuer: 'urn:issuer',
lifetimeInSeconds: 600,
audiences: 'urn:myapp',
attributes: {
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
},
nameIdentifier: 'foo',
nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
};

var signedAssertion = saml.create(options);
var isValid = utils.isValidSignature(signedAssertion, fs.readFileSync(__dirname + '/test-auth0.pem'));
assert.equal(true, isValid);
});

it('should set attributes', function () {
var options = {
cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
Expand Down Expand Up @@ -440,7 +460,6 @@ describe('saml 2.0', function () {
assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
});


it('should not include AudienceRestriction when there are no audiences', function () {
var options = {
cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
Expand Down