Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
decryptAssertion: function decryptAssertion(type, here, from, entireXML, callback) {
// Implement decryption first then check the signature
if(entireXML) {
// Perform encryption depends on the setting of where the message is sent, default is false
if(type === 'SAMLResponse' && from.entitySetting.isAssertionEncrypted) {
var hereSetting = here.entitySetting;
// callback should be function (res) { ... }
var parseEntireXML = new dom().parseFromString(entireXML);
var encryptedDataNode = getEntireBody(parseEntireXML, 'EncryptedData');
var encryptedData = encryptedDataNode !== undefined ? Utility.parseString(encryptedDataNode.toString()) : '';
if(encryptedData === '') throw new Error('Undefined assertion or invalid syntax');
xmlenc.decrypt(encryptedData, {
key: Utility.readPrivateKeyFromFile(hereSetting.privateKeyFile, hereSetting.privateKeyFilePass), // use this entity's private to decrypt
}, function(err, res) {
if(err) throw new Error('Exception in decryptAssertion ' + err);
if (res) {
callback(parseEntireXML.toString().replace('', '').replace('', '').replace(encryptedData, res));
} else {
throw new Error('Undefined encrypted assertion');
}
});
} else {
callback(entireXML); // No need to do encrpytion
}
} else {
throw new Error('Empty or undefined xml string');
}
}
const certificate = pemFormatting.addPEMHeaders("CERTIFICATE", credential.certificate);
// resolve public key
let publicKey = credential.publicKey;
if (!publicKey) { // only invoke if publicKey attribute is not present for performance
publicKey = credentials.getPublicKeyFromCertificate(certificate);
}
const encryptOptions = {
encryptionAlgorithm: algs.encryption || defaultAlgorithms.encryption,
// xmlenc's API spells this this way :(
keyEncryptionAlgorighm: algs.keyEncryption || defaultAlgorithms.keyEncryption,
pem: certificate,
rsa_pub: publicKey
};
xmlenc.encrypt(data, encryptOptions, function(err, result) {
if (err) {
reject(err);
}
resolve(result);
});
});
}
encryptAssertion: function encryptAssertion(sourceEntity, targetEntity, entireXML, callback) {
// Implement encryption after signature if it has
if(entireXML) {
var sourceEntitySetting = sourceEntity.entitySetting;
var targetEntitySetting = targetEntity.entitySetting;
var sourceEntityMetadata = sourceEntity.entityMeta;
var targetEntityMetadata = targetEntity.entityMeta;
var assertionNode = getEntireBody(new dom().parseFromString(entireXML), 'Assertion');
var assertion = assertionNode !== undefined ? Utility.parseString(assertionNode.toString()) : '';
if(assertion === '') throw new Error('Undefined assertion or invalid syntax');
// Perform encryption depends on the setting, default is false
if(sourceEntitySetting.isAssertionEncrypted) {
// callback should be function (res) { ... }
xmlenc.encrypt(assertion, {
// use xml-encryption module
rsa_pub: new Buffer(Utility.getPublicKeyPemFromCertificate(targetEntityMetadata.getX509Certificate(certUsage.ENCRYPT), true).replace(/\r?\n|\r/g, '')), // public key from certificate
pem: new Buffer('-----BEGIN CERTIFICATE-----' + targetEntityMetadata.getX509Certificate(certUsage.ENCRYPT) + '-----END CERTIFICATE-----'),
encryptionAlgorithm: sourceEntitySetting.dataEncryptionAlgorithm,
keyEncryptionAlgorighm: sourceEntitySetting.keyEncryptionAlgorithm // typo in xml-encryption
}, function(err, res) {
if(err) throw new Error('Exception in encrpytedAssertion ' + err);
if (res) {
callback(Utility.base64Encode(entireXML.replace(assertion, '' + res + '')));
} else {
throw new Error('Undefined encrypted assertion');
}
});
} else {
callback(Utility.base64Encode(entireXML)); // No need to do encrpytion
}
saml.create(options, function(err, encrypted) {
if (err) return done(err);
var encryptedData = utils.getEncryptedData(encrypted);
xmlenc.decrypt(encryptedData.toString(), { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);
var isValid = utils.isValidSignature(decrypted, options.cert);
assert.equal(true, isValid);
var attributes = utils.getAttributes(decrypted);
assert.equal(3, attributes.length);
assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
assert.equal('foo@bar.com', attributes[0].textContent);
assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
assert.equal('Foo Bar', attributes[1].textContent);
assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
assert.equal('fóo', attributes[2].textContent);
done();
});
saml11.create(options, function(err, encrypted) {
if (err) return done(err);
xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);
var isValid = utils.isValidSignature(decrypted, options.cert);
assert.equal(true, isValid);
done();
});
});
});
xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);
var doc = new xmldom.DOMParser().parseFromString(decrypted);
var subjectConfirmationNodes = doc.documentElement.getElementsByTagName('saml:SubjectConfirmation');
assert.equal(2, subjectConfirmationNodes.length);
for (var i=0;i
return new Promise(function (resolve, reject) {
const decryptOptions = { key: credential.privateKey };
xmlenc.decrypt(
encryptedData,
decryptOptions,
function (err, result) {
if (err) {
reject(err);
}
else {
resolve(result);
}
}
);
});
});
return callback(new Error('Invalid signature'), null, false);
}
debugLog('Signature OK');
const response = doc.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:protocol', 'Response')[0];
if (response) {
debugLog('Got response');
let assertion = response.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'Assertion')[0];
const encAssertion = response.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'EncryptedAssertion')[0];
const xmlenc = require('xml-encryption');
const options = { key: this.options.privateKey };
if (typeof encAssertion !== 'undefined') {
xmlenc.decrypt(encAssertion.getElementsByTagNameNS('*', 'EncryptedData')[0], options, function(err, result) {
assertion = new xmldom.DOMParser().parseFromString(result, 'text/xml');
});
}
if (!assertion) {
return callback(new Error('Missing SAML assertion'), null, false);
}
const profile = {};
if (response.hasAttribute('InResponseTo')) {
profile.inResponseToId = response.getAttribute('InResponseTo');
}
const issuer = assertion.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'Issuer')[0];
if (issuer) {
function encrypt(options, signed, callback) {
var encryptOptions = {
rsa_pub: options.encryptionPublicKey,
pem: options.encryptionCert,
encryptionAlgorithm: options.encryptionAlgorithm || 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
keyEncryptionAlgorighm: options.keyEncryptionAlgorighm || 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'
};
xmlenc.encrypt(signed, encryptOptions, function(err, encrypted) {
if (err) return callback(err);
callback(null, utils.removeWhitespace(encrypted));
});
}
if (!options.encryptionCert) {
if (callback)
return callback(null, signed);
else
return signed;
}
var encryptOptions = {
rsa_pub: options.encryptionPublicKey,
pem: options.encryptionCert,
encryptionAlgorithm: options.encryptionAlgorithm || 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
keyEncryptionAlgorighm: options.keyEncryptionAlgorighm || 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'
};
xmlenc.encrypt(signed, encryptOptions, function(err, encrypted) {
if (err) return callback(err);
encrypted = '' + encrypted + '';
callback(null, utils.removeWhitespace(encrypted));
});
};