Skip to content

SAML 1.1: Added support for 'sender-vouches' in subject confirmation method #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

SAML 1.1: Added support for 'sender-vouches' in subject confirmation method #21

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 21 additions & 16 deletions lib/saml11.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ exports.create = function(options, callback) {
algorithms.digest[options.digestAlgorithm]);

sig.signingKey = options.key;

sig.keyInfoProvider = {
getKeyInfo: function () {
return "<X509Data><X509Certificate>" + cert + "</X509Certificate></X509Data>";
Expand All @@ -68,7 +68,7 @@ exports.create = function(options, callback) {
conditions[0].setAttribute('NotBefore', now.format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
conditions[0].setAttribute('NotOnOrAfter', now.add(options.lifetimeInSeconds, 'seconds').format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
}

if (options.audiences) {
var audiences = options.audiences instanceof Array ? options.audiences : [options.audiences];
audiences.forEach(function (audience) {
Expand All @@ -83,7 +83,7 @@ exports.create = function(options, callback) {
var statement = doc.documentElement.getElementsByTagNameNS(NAMESPACE, 'AttributeStatement')[0];
Object.keys(options.attributes).forEach(function(prop) {
if(typeof options.attributes[prop] === 'undefined') return;

// <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/claims/identity">
// <saml:AttributeValue>Foo Bar</saml:AttributeValue>
// </saml:Attribute>
Expand All @@ -110,15 +110,15 @@ exports.create = function(options, callback) {
.setAttribute('AuthenticationInstant', now.format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));

var nameID = doc.documentElement.getElementsByTagNameNS(NAMESPACE, 'NameIdentifier')[0];

if (options.nameIdentifier) {
nameID.textContent = options.nameIdentifier;

doc.getElementsByTagName('saml:AuthenticationStatement')[0]
.getElementsByTagName('saml:NameIdentifier')[0]
.textContent = options.nameIdentifier;
}

if (options.nameIdentifierFormat) {
var nameIDs = doc.documentElement.getElementsByTagNameNS(NAMESPACE, 'NameIdentifier');
nameIDs[0].setAttribute('Format', options.nameIdentifierFormat);
Expand All @@ -127,18 +127,18 @@ exports.create = function(options, callback) {

if (!options.encryptionCert) return sign(options, sig, doc, callback);

// encryption is turned on,
// encryption is turned on,
var proofSecret;
async.waterfall([
function(cb) {
if (!options.subjectConfirmationMethod && options.subjectConfirmationMethod !== 'holder-of-key')
if (!options.subjectConfirmationMethod && (options.subjectConfirmationMethod !== 'holder-of-key' || options.subjectConfirmationMethod !== 'sender-vouches'))
return cb();

crypto.randomBytes(32, function(err, randomBytes) {
proofSecret = randomBytes;
addSubjectConfirmation(options, doc, options.holderOfKeyProofSecret || randomBytes, cb);
});

},
function(cb) {
sign(options, sig, doc, function(err, signed) {
Expand All @@ -150,7 +150,7 @@ exports.create = function(options, callback) {
if (err) return callback(err);
callback(null, result, proofSecret);
});
};
};

function addSubjectConfirmation(options, doc, randomBytes, callback) {
var encryptOptions = {
Expand All @@ -159,7 +159,7 @@ function addSubjectConfirmation(options, doc, randomBytes, callback) {
keyEncryptionAlgorighm: options.keyEncryptionAlgorighm || 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'
};

xmlenc.encryptKeyInfo(randomBytes, encryptOptions, function(err, keyinfo) {
xmlenc.encryptKeyInfo(randomBytes, encryptOptions, function(err, keyinfo) {
if (err) return cb(err);
var subjectConfirmationNodes = doc.documentElement.getElementsByTagNameNS(NAMESPACE, 'SubjectConfirmation');

Expand All @@ -172,7 +172,12 @@ function addSubjectConfirmation(options, doc, randomBytes, callback) {
}

var method = subjectConfirmationNodes[i].getElementsByTagNameNS(NAMESPACE, 'ConfirmationMethod')[0];
method.textContent = 'urn:oasis:names:tc:SAML:1.0:cm:holder-of-key';
if (options.subjectConfirmationMethod == 'holder-of-key') {
method.textContent = 'urn:oasis:names:tc:SAML:1.0:cm:holder-of-key';

} else if (options.subjectConfirmationMethod == 'sender-vouches') {
method.textContent = 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches';
}
subjectConfirmationNodes[i].appendChild(keyinfoDom.documentElement);
}

Expand All @@ -185,9 +190,9 @@ function sign(options, sig, doc, callback) {
var signed;

try {
var opts = options.xpathToNodeBeforeSignature ? {
location: {
reference: options.xpathToNodeBeforeSignature,
var opts = options.xpathToNodeBeforeSignature ? {
location: {
reference: options.xpathToNodeBeforeSignature,
action: 'after'
}
} : {};
Expand Down
49 changes: 40 additions & 9 deletions test/saml11.tests.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ describe('saml 1.1', function () {

var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);

var attributes = utils.getAttributes(signedAssertion);
assert.equal(3, attributes.length);
assert.equal('emailaddress', attributes[0].getAttribute('AttributeName'));
Expand Down Expand Up @@ -253,7 +253,7 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
var doc = new xmldom.DOMParser().parseFromString(signedAssertion);

var signature = doc.documentElement.getElementsByTagName('Signature');

assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
Expand Down Expand Up @@ -317,7 +317,7 @@ describe('saml 1.1', function () {

saml11.create(options, function(err, encrypted) {
if (err) return done(err);

xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);
var isValid = utils.isValidSignature(decrypted, options.cert);
Expand All @@ -327,7 +327,7 @@ describe('saml 1.1', function () {
});
});

it('should support holder-of-key suject confirmationmethod', function (done) {
it('should support holder-of-key subject confirmationmethod', function (done) {
var options = {
cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
key: fs.readFileSync(__dirname + '/test-auth0.key'),
Expand All @@ -338,10 +338,10 @@ describe('saml 1.1', function () {

saml11.create(options, function(err, encrypted, proofSecret) {
if (err) return done(err);

xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);

var doc = new xmldom.DOMParser().parseFromString(decrypted);
var subjectConfirmationNodes = doc.documentElement.getElementsByTagName('saml:SubjectConfirmation');
assert.equal(2, subjectConfirmationNodes.length);
Expand All @@ -358,6 +358,37 @@ describe('saml 1.1', function () {
});
});

it('should support sender-vouches subject confirmationmethod', function (done) {
var options = {
cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
key: fs.readFileSync(__dirname + '/test-auth0.key'),
encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem'),
subjectConfirmationMethod: 'sender-vouches'
};

saml11.create(options, function(err, encrypted, proofSecret) {
if (err) return done(err);

xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);

var doc = new xmldom.DOMParser().parseFromString(decrypted);
var subjectConfirmationNodes = doc.documentElement.getElementsByTagName('saml:SubjectConfirmation');
assert.equal(2, subjectConfirmationNodes.length);
for (var i=0;i<subjectConfirmationNodes.length;i++) {
var method = subjectConfirmationNodes[i].getElementsByTagName('saml:ConfirmationMethod')[0];
assert.equal(method.textContent, 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches');

var decryptedProofSecret = xmlenc.decryptKeyInfo(subjectConfirmationNodes[i], options);
assert.equal(proofSecret.toString('base64'), decryptedProofSecret.toString('base64'));
}

done();
});
});
});

it('should set attributes', function (done) {
var options = {
cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
Expand All @@ -374,13 +405,13 @@ describe('saml 1.1', function () {

saml11.create(options, function(err, encrypted) {
if (err) return done(err);

xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);

var isValid = utils.isValidSignature(decrypted, options.cert);
assert.equal(true, isValid);

var attributes = utils.getAttributes(decrypted);
assert.equal(3, attributes.length);
assert.equal('emailaddress', attributes[0].getAttribute('AttributeName'));
Expand All @@ -392,7 +423,7 @@ describe('saml 1.1', function () {
assert.equal('testaccent', attributes[2].getAttribute('AttributeName'));
assert.equal('http://example.org/claims', attributes[2].getAttribute('AttributeNamespace'));
assert.equal('fóo', attributes[2].firstChild.textContent);

done();
});
});
Expand Down