added x509data to AuthnRequest (#97)

* added x509data to AuthnRequest * TS fix * TS fix * workflows cleanup
boxyhq · Feb 19, 2022 · ce1a9e9 · ce1a9e9
1 parent fe80252
commit ce1a9e9
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 4 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -213,8 +213,6 @@ jobs:
         uses: actions/download-artifact@v2
         with:
           name: npm_sbom.cyclonedx
-      - name: Remove temp files & pull latest code
-        run: rm results.sarif && git pull || true
       - name: Remove older SBOMs
         run: rm -rf ./npm/sbom*.* || true
       - name: Move SPDX Report

diff --git a/npm/src/controller/oauth.ts b/npm/src/controller/oauth.ts
@@ -144,6 +144,7 @@ export class OAuthController implements IOAuthController {
       entityID: this.opts.samlAudience!,
       callbackUrl: this.opts.externalUrl + this.opts.samlPath,
       signingKey: samlConfig.certs.privateKey,
+      publicKey: samlConfig.certs.publicKey,
     });
 
     const sessionId = crypto.randomBytes(16).toString('hex');

diff --git a/npm/src/saml/saml.ts b/npm/src/saml/saml.ts
@@ -13,7 +13,36 @@ const authnXPath =
   '/*[local-name(.)="AuthnRequest" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
 const issuerXPath = '/*[local-name(.)="Issuer" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:assertion"]';
 
-const signRequest = (xml: string, signingKey: string) => {
+export const stripCertHeaderAndFooter = (cert: string): string => {
+  cert = cert.replace(/-+BEGIN CERTIFICATE-+\r?\n?/, '');
+  cert = cert.replace(/-+END CERTIFICATE-+\r?\n?/, '');
+  cert = cert.replace(/\r\n/g, '\n');
+  return cert;
+};
+
+function PubKeyInfo(this: any, pubKey: string) {
+  this.pubKey = stripCertHeaderAndFooter(pubKey);
+
+  this.getKeyInfo = function (_key, prefix) {
+    prefix = prefix || '';
+    prefix = prefix ? prefix + ':' : prefix;
+    return (
+      '<' +
+      prefix +
+      'X509Data><' +
+      prefix +
+      'X509Certificate>' +
+      this.pubKey +
+      '</' +
+      prefix +
+      'X509Certificate></' +
+      prefix +
+      'X509Data>'
+    );
+  };
+}
+
+const signRequest = (xml: string, signingKey: string, publicKey: string) => {
   if (!xml) {
     throw new Error('Please specify xml');
   }
@@ -23,6 +52,7 @@ const signRequest = (xml: string, signingKey: string) => {
 
   const sig = new xmlcrypto.SignedXml();
   sig.signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
+  sig.keyInfoProvider = new PubKeyInfo(publicKey);
   sig.signingKey = signingKey;
   sig.addReference(
     authnXPath,
@@ -45,6 +75,7 @@ const request = ({
   identifierFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
   providerName = 'BoxyHQ',
   signingKey,
+  publicKey,
 }: SAMLReq): { id: string; request: string } => {
   const id = idPrefix + crypto.randomBytes(10).toString('hex');
   const date = new Date().toISOString();
@@ -85,7 +116,7 @@ const request = ({
 
   let xml = xmlbuilder.create(samlReq).end({});
   if (signingKey) {
-    xml = signRequest(xml, signingKey);
+    xml = signRequest(xml, signingKey, publicKey);
   }
 
   return {

diff --git a/npm/src/typings.ts b/npm/src/typings.ts
@@ -118,6 +118,7 @@ export interface SAMLReq {
   identifierFormat?: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';
   providerName?: 'BoxyHQ';
   signingKey: string;
+  publicKey: string;
 }
 
 export interface SAMLProfile {