saml 1.0.1 → 3.0.0

package/.github/workflows/semgrep.yml

@@ -0,0 +1,15 @@
+name: Semgrep
+on:
+  pull_request: {}
+  push:
+     branches: ["master"] 
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    if: (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot')
+    steps:
+      - uses: actions/checkout@v2
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}

package/.idea/aws.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="accountSettings">
+    <option name="activeRegion" value="us-east-1" />
+    <option name="recentlyUsedRegions">
+      <list>
+        <option value="us-east-1" />
+      </list>
+    </option>
+  </component>
+</project>

package/.idea/inspectionProfiles/Project_Default.xml

@@ -0,0 +1,6 @@
+<component name="InspectionProjectProfileManager">
+  <profile version="1.0">
+    <option name="myName" value="Project Default" />
+    <inspection_tool class="Eslint" enabled="true" level="WARNING" enabled_by_default="true" />
+  </profile>
+</component>

package/.idea/jsLibraryMappings.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="JavaScriptLibraryMappings">
+    <includedPredefinedLibrary name="Node.js Core" />
+  </component>
+</project>

package/.idea/modules.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/node-saml.iml" filepath="$PROJECT_DIR$/.idea/node-saml.iml" />
+    </modules>
+  </component>
+</project>

package/.idea/node-saml.iml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="WEB_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$">
+      <excludeFolder url="file://$MODULE_DIR$/temp" />
+      <excludeFolder url="file://$MODULE_DIR$/.tmp" />
+      <excludeFolder url="file://$MODULE_DIR$/tmp" />
+      <excludeFolder url="file://$MODULE_DIR$/.idea" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>

package/.idea/prettier.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="PrettierConfiguration">
+    <option name="myRunOnSave" value="true" />
+    <option name="myRunOnReformat" value="true" />
+  </component>
+</project>

package/.idea/sonarlint/issuestore/9/7/97145ab6a3556e0c76c6cdf36c0a30bb088f382f

@@ -0,0 +1,2 @@
+
+�
javascript:S1488"bImmediately return this expression instead of assigning it to the temporary variable "signatures".(����8�����/

package/.idea/sonarlint/issuestore/index.pb

@@ -0,0 +1,15 @@
+
+<
+CHANGELOG.md,a/b/ab09011fa121d0a2bb9fa4ca76094f2482b902b7
+G
+test/test-auth0_rsa.pub,1/6/16c55078736dc7b024c5f6aee3724b578a6f762e
+<
+package.json,7/0/7030d0b2f71b999ff89a343de08c414af32fc93a
+C
+test/test-auth0.pem,9/8/988145bf095565ed2790e577ca6610aae3f148eb
+C
+test/test-auth0.key,b/f/bf580f9fe6b7aafd1864a1b474928848f50d9486
+=
+
+I
+test/test-auth0-chain.pem,1/5/152d3f39906314d7648bee688e6cf0e074eac700

package/.idea/vcs.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$" vcs="Git" />
+  </component>
+</project>

package/CHANGELOG.md

@@ -2,6 +2,38 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [3.0.0](https://github.com/auth0/node-saml/compare/v2.0.1...v3.0.0) (2022-05-12)
+
+
+### ⚠ BREAKING CHANGES
+
+* handle poorly formatted PEM files (#85)
+
+### Bug Fixes
+
+* handle poorly formatted PEM files ([#85](https://github.com/auth0/node-saml/issues/85)) ([8830a23](https://github.com/auth0/node-saml/commit/8830a238d33e2e198acd81fb6d972583848bfe26))
+
+### [2.0.1](https://github.com/auth0/node-saml/compare/v2.0.0...v2.0.1) (2022-02-09)
+
+
+### Bug Fixes
+
+* **saml11:** do not mutate moment() when options.lifetimeInSeconds is provided ([0a5afd1](https://github.com/auth0/node-saml/commit/0a5afd1977dc832f1cc51de6af7c801cc95f78b5))
+
+## [2.0.0](https://github.com/auth0/node-saml/compare/v1.0.1...v2.0.0) (2022-02-04)
+
+
+### ⚠ BREAKING CHANGES
+
+* Requires NodeJS >= 12
+
+Upgraded the xml-encryption package which removes the vulnerable node-forge dependency
+See https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
+
+### Bug Fixes
+
+* remove vulnerable node-forge dependency ([0106c61](https://github.com/auth0/node-saml/commit/0106c611a1263150e42692411aeeea0c95ec0755))
+
 ### [1.0.1](https://github.com/auth0/node-saml/compare/v1.0.0...v1.0.1) (2021-09-17)
 
 

package/README.md

@@ -4,6 +4,10 @@ Create SAML assertions. Supports SAML 1.1 and SAML 2.0 tokens.
 
 [![Build Status](https://travis-ci.org/auth0/node-saml.png)](https://travis-ci.org/auth0/node-saml)
 
+### Supported Node Versions
+
+node >= 12
+
 ### Usage
 
 ```js

package/lib/saml11.js

@@ -118,7 +118,7 @@ function createAssertion(options, strategies, callback) {
 
   if (options.lifetimeInSeconds) {
     conditions[0].setAttribute('NotBefore', now.format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
-    conditions[0].setAttribute('NotOnOrAfter', now.add(options.lifetimeInSeconds, 'seconds').format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
+    conditions[0].setAttribute('NotOnOrAfter', moment(now).add(options.lifetimeInSeconds, 'seconds').format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
   }
 
   if (options.audiences) {

package/lib/utils.js

@@ -1,8 +1,8 @@
-var fs = require('fs');
-var Parser = require('@xmldom/xmldom').DOMParser;
+const fs = require('fs');
+const Parser = require('@xmldom/xmldom').DOMParser;
 
 exports.pemToCert = function(pem) {
-  var cert = /-----BEGIN CERTIFICATE-----([^-]*)-----END CERTIFICATE-----/g.exec(pem.toString());
+  const cert = /-----BEGIN CERTIFICATE-----([^-]*)-----END CERTIFICATE-----/g.exec(pem.toString());
   if (cert && cert.length > 0) {
     return cert[1].replace(/[\n|\r\n]/g, '');
   }
@@ -29,11 +29,11 @@ exports.reportError = function(err, callback){
  * @api private
  */
 exports.uid = function(len) {
-  var buf = []
-    , chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
-    , charlen = chars.length;
+  const buf = []
+      , chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+      , charlen = chars.length;
 
-  for (var i = 0; i < len; ++i) {
+  for (let i = 0; i < len; ++i) {
     buf.push(chars[getRandomInt(0, charlen - 1)]);
   }
 
@@ -41,16 +41,15 @@ exports.uid = function(len) {
 };
 
 exports.removeWhitespace = function(xml) {
-  var trimmed = xml
-                .replace(/\r\n/g, '')
-                .replace(/\n/g,'')
-                .replace(/>(\s*)</g, '><') //unindent
-                .trim();
-  return trimmed;
+  return xml
+      .replace(/\r\n/g, '')
+      .replace(/\n/g, '')
+      .replace(/>(\s*)</g, '><') //unindent
+      .trim();
 };
 
 /**
- * Retrun a random int, used by `utils.uid()`
+ * Return a random int, used by `utils.uid()`
  *
  * @param {Number} min
  * @param {Number} max
@@ -69,10 +68,29 @@ function getRandomInt(min, max) {
  * @return {function(): Node}
  */
 exports.factoryForNode = function factoryForNode(pathToTemplate) {
-  var template = fs.readFileSync(pathToTemplate)
-  var prototypeDoc = new Parser().parseFromString(template.toString())
+  const template = fs.readFileSync(pathToTemplate);
+  const prototypeDoc = new Parser().parseFromString(template.toString());
 
   return function () {
     return prototypeDoc.cloneNode(true);
   };
 };
+
+/**
+ * Standardizes PEM content to match the spec (best effort)
+ *
+ * @param pem {Buffer} The PEM content to standardize
+ * @returns {Buffer} The standardized PEM. Original will be returned unmodified if the content is not PEM.
+ */
+exports.fixPemFormatting = function (pem) {
+  let pemEntries = pem.toString().matchAll(/([-]{5}[^-\r\n]+[-]{5})([^-]*)([-]{5}[^-\r\n]+[-]{5})/g);
+  let fixedPem = ''
+  for (const pemParts of pemEntries) {
+    fixedPem = fixedPem.concat(`${pemParts[1]}\n${pemParts[2].replaceAll(/[\r\n]/g, '')}\n${pemParts[3]}\n`)
+  }
+  if (fixedPem.length === 0) {
+    return pem;
+  }
+
+  return Buffer.from(fixedPem)
+}

package/lib/xml/encrypt.js

@@ -1,12 +1,12 @@
-var xmlenc = require('xml-encryption');
+const xmlenc = require('xml-encryption');
 
-var utils = require('../utils');
+const utils = require('../utils');
 
 exports.fromEncryptXmlOptions = function (options) {
   if (!options.encryptionCert) {
     return this.unencrypted;
   } else {
-    var encryptOptions = {
+    const encryptOptions = {
       rsa_pub: options.encryptionPublicKey,
       pem: options.encryptionCert,
       encryptionAlgorithm: options.encryptionAlgorithm || 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
@@ -29,8 +29,26 @@ exports.unencrypted = function (xml, callback) {
 exports.encrypted = function (encryptOptions) {
   return function encrypt(xml, callback) {
     xmlenc.encrypt(xml, encryptOptions, function (err, encrypted) {
-      if (err) return callback(err);
-      callback(null, utils.removeWhitespace(encrypted));
+      if (err) {
+        // Attempt to fix errors and retry
+        xmlenc.encrypt(
+            xml,
+            {
+              ...encryptOptions,
+              rsa_pub: utils.fixPemFormatting(encryptOptions.rsa_pub),
+              pem: utils.fixPemFormatting(encryptOptions.pem),
+            },
+            function (retryErr, retryEncrypted) {
+              if (retryErr) {
+                return callback(retryErr);
+              }
+
+              callback(null, utils.removeWhitespace(retryEncrypted));
+            }
+        );
+      } else {
+        callback(null, utils.removeWhitespace(encrypted));
+      }
     });
   };
 };

package/lib/xml/sign.js

@@ -1,10 +1,10 @@
-var utils = require('../utils');
-var SignedXml = require('xml-crypto').SignedXml;
+const utils = require('../utils');
+const SignedXml = require('xml-crypto').SignedXml;
 
-var algorithms = {
+const algorithms = {
   signature: {
     'rsa-sha256': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
-    'rsa-sha1':  'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+    'rsa-sha1': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
   },
   digest: {
     'sha256': 'http://www.w3.org/2001/04/xmlenc#sha256',
@@ -22,16 +22,16 @@ exports.fromSignXmlOptions = function (options) {
   if (!options.xpathToNodeBeforeSignature)
     throw new Error('xpathToNodeBeforeSignature is required')
 
-  var key = options.key;
-  var pem = options.cert;
-  var signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256';
-  var digestAlgorithm = options.digestAlgorithm || 'sha256';
-  var signatureNamespacePrefix = (function (prefix) {
+  const key = options.key;
+  const pem = options.cert;
+  const signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256';
+  const digestAlgorithm = options.digestAlgorithm || 'sha256';
+  const signatureNamespacePrefix = (function (prefix) {
     // 0.10.1 added prefix, but we want to name it signatureNamespacePrefix - This is just to keep supporting prefix
     return typeof prefix === 'string' ? prefix : '';
   })(options.signatureNamespacePrefix || options.prefix);
-  var xpathToNodeBeforeSignature = options.xpathToNodeBeforeSignature;
-  var idAttribute = options.signatureIdAttribute;
+  const xpathToNodeBeforeSignature = options.xpathToNodeBeforeSignature;
+  const idAttribute = options.signatureIdAttribute;
 
   /**
    * @param {Document} doc
@@ -39,44 +39,63 @@ exports.fromSignXmlOptions = function (options) {
    * @return {string}
    */
   return function signXmlDocument(doc, callback) {
-    var unsigned = exports.unsigned(doc);
-    var cert = utils.pemToCert(pem);
+    function sign(key) {
+      const unsigned = exports.unsigned(doc);
+      const cert = utils.pemToCert(pem);
 
-    var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[signatureAlgorithm], idAttribute: idAttribute });
-    sig.addReference("//*[local-name(.)='Assertion']",
-      ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"],
-      algorithms.digest[digestAlgorithm]);
+      const sig = new SignedXml(null, {
+        signatureAlgorithm: algorithms.signature[signatureAlgorithm],
+        idAttribute: idAttribute
+      });
+      sig.addReference("//*[local-name(.)='Assertion']",
+          ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"],
+          algorithms.digest[digestAlgorithm]);
 
-    sig.signingKey = key;
+      sig.signingKey = key;
 
-    sig.keyInfoProvider = {
-      getKeyInfo: function (key, prefix) {
-        prefix = prefix ? prefix + ':' : prefix;
-        return "<" + prefix + "X509Data><" + prefix + "X509Certificate>" + cert + "</" + prefix + "X509Certificate></" + prefix + "X509Data>";
-      }
-    };
+      sig.keyInfoProvider = {
+        getKeyInfo: function (key, prefix) {
+          prefix = prefix ? prefix + ':' : prefix;
+          return "<" + prefix + "X509Data><" + prefix + "X509Certificate>" + cert + "</" + prefix + "X509Certificate></" + prefix + "X509Data>";
+        }
+      };
+
+      sig.computeSignature(unsigned, {
+        location: {reference: xpathToNodeBeforeSignature, action: 'after'},
+        prefix: signatureNamespacePrefix
+      });
+
+      return sig.getSignedXml();
+    }
 
-    sig.computeSignature(unsigned, {
-      location: { reference: xpathToNodeBeforeSignature, action: 'after' },
-      prefix: signatureNamespacePrefix
-    });
+    let signed
+    try {
+      try {
+        signed = sign(key)
+      } catch (err) {
+        signed = sign(utils.fixPemFormatting(key))
+      }
 
-    var signed = sig.getSignedXml();
-    if (callback) {
-      setImmediate(callback, null, signed);
-    } else {
-      return signed;
+      if (callback) {
+        setImmediate(callback, null, signed);
+      } else {
+        return signed;
+      }
+    } catch (e) {
+      if (callback) {
+        setImmediate(callback, e)
+      }
+      throw e
     }
   };
 };
-
 /**
  * @param {Document} doc
  * @param {Function} [callback]
  * @return {string}
  */
 exports.unsigned = function (doc, callback) {
-  var xml = utils.removeWhitespace(doc.toString());
+  const xml = utils.removeWhitespace(doc.toString());
   if (callback) {
     setImmediate(callback, null, xml)
   } else {

package/package.json

@@ -1,6 +1,9 @@
 {
   "name": "saml",
-  "version": "1.0.1",
+  "version": "3.0.0",
+  "engines": {
+    "node": ">=12"
+  },
   "devDependencies": {
     "@commitlint/cli": "^11.0.0",
     "@commitlint/config-conventional": "^11.0.0",
@@ -24,7 +27,7 @@
     "moment": "2.19.3",
     "valid-url": "~1.0.9",
     "xml-crypto": "^2.1.3",
-    "xml-encryption": "^1.2.1",
+    "xml-encryption": "^2.0.0",
     "xml-name-validator": "~2.0.1",
     "xpath": "0.0.5"
   },

package/test/saml11.tests.js

@@ -46,6 +46,32 @@ describe('saml 1.1', function () {
         assertSignature(signedAssertion, options);
       });
 
+      it('should not error when cert is missing newlines', function () {
+        // cert created with:
+        // openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=auth0.auth0.com/O=Auth0 LLC/C=US/ST=Washington/L=Redmond' -keyout auth0.key -out auth0.pem
+
+        var options = {
+          cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+          key: fs.readFileSync(__dirname + '/test-auth0.key')
+        };
+
+        var signedAssertion = saml11[createAssertion]({...options, cert: Buffer.from(options.cert.toString().replaceAll(/[\r\n]/g, ''))});
+        assertSignature(signedAssertion, options);
+      });
+
+      it('should not error when key is missing newlines', function () {
+        // cert created with:
+        // openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=auth0.auth0.com/O=Auth0 LLC/C=US/ST=Washington/L=Redmond' -keyout auth0.key -out auth0.pem
+
+        var options = {
+          cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+          key: fs.readFileSync(__dirname + '/test-auth0.key')
+        };
+
+        var signedAssertion = saml11[createAssertion]({...options, key: Buffer.from(options.key.toString().replaceAll(/[\r\n]/g, ''))});
+        assertSignature(signedAssertion, options);
+      });
+
       it('should support specifying Issuer property', function () {
         var options = {
           cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
@@ -95,10 +121,13 @@ describe('saml 1.1', function () {
         var signedAssertion = saml11[createAssertion](options);
         var conditions = utils.getConditions(signedAssertion);
         assert.equal(1, conditions.length);
+        var authenticationInstant = utils.getAuthenticationInstant(signedAssertion);
         var notBefore = conditions[0].getAttribute('NotBefore');
         var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
+
         should.ok(notBefore);
         should.ok(notOnOrAfter);
+        should.equal(authenticationInstant, notBefore);
 
         var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
         assert.equal(600, lifetime);
@@ -347,6 +376,44 @@ describe('saml 1.1', function () {
           });
         });
 
+        it('should not error when encryptionPublicKey is missing newlines', function (done) {
+          var options = {
+            cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+            key: fs.readFileSync(__dirname + '/test-auth0.key'),
+            encryptionPublicKey: Buffer.from(fs.readFileSync(__dirname + '/test-auth0_rsa.pub').toString().replaceAll(/[\r\n]/g, '')),
+            encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem')
+          };
+
+          saml11[createAssertion](options, function(err, encrypted) {
+            if (err) return done(err);
+
+            xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
+              if (err) return done(err);
+              assertSignature(decrypted, options);
+              done();
+            });
+          });
+        });
+
+        it('should not error when encryptionCert is missing newlines', function (done) {
+          var options = {
+            cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+            key: fs.readFileSync(__dirname + '/test-auth0.key'),
+            encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
+            encryptionCert: Buffer.from(fs.readFileSync(__dirname + '/test-auth0.pem').toString().replaceAll(/[\r\n]/g, ''))
+          };
+
+          saml11[createAssertion](options, function(err, encrypted) {
+            if (err) return done(err);
+
+            xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
+              if (err) return done(err);
+              assertSignature(decrypted, options);
+              done();
+            });
+          });
+        });
+
         it('should support holder-of-key suject confirmationmethod', function (done) {
           var options = {
             cert: fs.readFileSync(__dirname + '/test-auth0.pem'),

package/test/saml20.tests.js

@@ -77,6 +77,96 @@ describe('saml 2.0', function () {
         assert.equal('urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified', authnContextClassRef.textContent);
       });
 
+      it('should not error when cert is missing newlines', function () {
+        var options = {
+          cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+          key: fs.readFileSync(__dirname + '/test-auth0.key'),
+          issuer: 'urn:issuer',
+          lifetimeInSeconds: 600,
+          audiences: 'urn:myapp',
+          attributes: {
+            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'foo@bar.com',
+            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
+          },
+          nameIdentifier: 'foo',
+          nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
+        };
+
+        var signedAssertion = saml[createAssertion]({...options, cert: Buffer.from(options.cert.toString().replaceAll(/[\r\n]/g, ''))});
+        assertSignature(signedAssertion, options);
+
+        var nameIdentifier = utils.getNameID(signedAssertion);
+        assert.equal('foo', nameIdentifier.textContent);
+        assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', nameIdentifier.getAttribute('Format'));
+
+        var attributes = utils.getAttributes(signedAssertion);
+        assert.equal(2, attributes.length);
+        assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+        assert.equal('foo@bar.com', attributes[0].textContent);
+        assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+        assert.equal('Foo Bar', attributes[1].textContent);
+
+        assert.equal('urn:issuer', utils.getSaml2Issuer(signedAssertion).textContent);
+
+        var conditions = utils.getConditions(signedAssertion);
+        assert.equal(1, conditions.length);
+        var notBefore = conditions[0].getAttribute('NotBefore');
+        var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
+        should.ok(notBefore);
+        should.ok(notOnOrAfter);
+
+        var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
+        assert.equal(600, lifetime);
+
+        var authnContextClassRef = utils.getAuthnContextClassRef(signedAssertion);
+        assert.equal('urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified', authnContextClassRef.textContent);
+      });
+
+      it('should not error when key is missing newlines', function () {
+        var options = {
+          cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+          key: fs.readFileSync(__dirname + '/test-auth0.key'),
+          issuer: 'urn:issuer',
+          lifetimeInSeconds: 600,
+          audiences: 'urn:myapp',
+          attributes: {
+            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'foo@bar.com',
+            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
+          },
+          nameIdentifier: 'foo',
+          nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
+        };
+
+        var signedAssertion = saml[createAssertion]({...options, key: Buffer.from(options.key.toString().replaceAll(/[\r\n]/g, ''))});
+        assertSignature(signedAssertion, options);
+
+        var nameIdentifier = utils.getNameID(signedAssertion);
+        assert.equal('foo', nameIdentifier.textContent);
+        assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', nameIdentifier.getAttribute('Format'));
+
+        var attributes = utils.getAttributes(signedAssertion);
+        assert.equal(2, attributes.length);
+        assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+        assert.equal('foo@bar.com', attributes[0].textContent);
+        assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+        assert.equal('Foo Bar', attributes[1].textContent);
+
+        assert.equal('urn:issuer', utils.getSaml2Issuer(signedAssertion).textContent);
+
+        var conditions = utils.getConditions(signedAssertion);
+        assert.equal(1, conditions.length);
+        var notBefore = conditions[0].getAttribute('NotBefore');
+        var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
+        should.ok(notBefore);
+        should.ok(notOnOrAfter);
+
+        var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
+        assert.equal(600, lifetime);
+
+        var authnContextClassRef = utils.getAuthnContextClassRef(signedAssertion);
+        assert.equal('urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified', authnContextClassRef.textContent);
+      });
+
       it('should set attributes', function () {
         var options = {
           cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
@@ -513,6 +603,48 @@ describe('saml 2.0', function () {
           });
         });
 
+        it('should not error when encryptionPublicKey is missing newline', function (done) {
+          var options = {
+            cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+            key: fs.readFileSync(__dirname + '/test-auth0.key'),
+            encryptionPublicKey: Buffer.from(fs.readFileSync(__dirname + '/test-auth0_rsa.pub').toString().replaceAll(/[\r\n]/g, '')),
+            encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem')
+          };
+
+          saml[createAssertion](options, function (err, encrypted) {
+            if (err) return done(err);
+
+            var encryptedData = utils.getEncryptedData(encrypted);
+
+            xmlenc.decrypt(encryptedData.toString(), { key: fs.readFileSync(__dirname + '/test-auth0.key') }, function (err, decrypted) {
+              if (err) return done(err);
+              assertSignature(decrypted, options);
+              done();
+            });
+          });
+        });
+
+        it('should not error when encryptionCert is missing newline', function (done) {
+          var options = {
+            cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+            key: fs.readFileSync(__dirname + '/test-auth0.key'),
+            encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
+            encryptionCert: Buffer.from(fs.readFileSync(__dirname + '/test-auth0.pem').toString().replaceAll(/[\r\n]/g, ''))
+          };
+
+          saml[createAssertion](options, function (err, encrypted) {
+            if (err) return done(err);
+
+            var encryptedData = utils.getEncryptedData(encrypted);
+
+            xmlenc.decrypt(encryptedData.toString(), { key: fs.readFileSync(__dirname + '/test-auth0.key') }, function (err, decrypted) {
+              if (err) return done(err);
+              assertSignature(decrypted, options);
+              done();
+            });
+          });
+        });
+
         it('should set attributes', function (done) {
           var options = {
             cert: fs.readFileSync(__dirname + '/test-auth0.pem'),

package/test/test-auth0-chain.pem

@@ -0,0 +1,160 @@
+-----BEGIN CERTIFICATE-----
+MIIN1jCCDL6gAwIBAgIRANpcJKruPRmYEgAAAAAFph0wDQYJKoZIhvcNAQELBQAw
+RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
+TEMxEzARBgNVBAMTCkdUUyBDQSAxQzMwHhcNMjIwMzE3MTAyNjA4WhcNMjIwNjA5
+MTAyNjA3WjAXMRUwEwYDVQQDDAwqLmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAATtYBIFrigABQ4fmk2FmwNZhOsA5o5Z+V6m1npj4TjYTAxTLHoO
+Qv2wKY7YfnQD6Jb7yQhc7Jma4UdPV/jplArko4ILtzCCC7MwDgYDVR0PAQH/BAQD
+AgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
+FI0OoPWBuG+vJ2nvFqPxQqYA+RyiMB8GA1UdIwQYMBaAFIp0f6+Fze6VzT2c0OJG
+FPNxNR0nMGoGCCsGAQUFBwEBBF4wXDAnBggrBgEFBQcwAYYbaHR0cDovL29jc3Au
+cGtpLmdvb2cvZ3RzMWMzMDEGCCsGAQUFBzAChiVodHRwOi8vcGtpLmdvb2cvcmVw
+by9jZXJ0cy9ndHMxYzMuZGVyMIIJaAYDVR0RBIIJXzCCCVuCDCouZ29vZ2xlLmNv
+bYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYIJKi5iZG4uZGV2ghIqLmNsb3VkLmdv
+b2dsZS5jb22CGCouY3Jvd2Rzb3VyY2UuZ29vZ2xlLmNvbYIYKi5kYXRhY29tcHV0
+ZS5nb29nbGUuY29tggsqLmdvb2dsZS5jYYILKi5nb29nbGUuY2yCDiouZ29vZ2xl
+LmNvLmlugg4qLmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28udWuCDyouZ29vZ2xl
+LmNvbS5hcoIPKi5nb29nbGUuY29tLmF1gg8qLmdvb2dsZS5jb20uYnKCDyouZ29v
+Z2xlLmNvbS5jb4IPKi5nb29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20udHKCDyou
+Z29vZ2xlLmNvbS52boILKi5nb29nbGUuZGWCCyouZ29vZ2xlLmVzggsqLmdvb2ds
+ZS5mcoILKi5nb29nbGUuaHWCCyouZ29vZ2xlLml0ggsqLmdvb2dsZS5ubIILKi5n
+b29nbGUucGyCCyouZ29vZ2xlLnB0ghIqLmdvb2dsZWFkYXBpcy5jb22CDyouZ29v
+Z2xlYXBpcy5jboIRKi5nb29nbGV2aWRlby5jb22CDCouZ3N0YXRpYy5jboIQKi5n
+c3RhdGljLWNuLmNvbYIPZ29vZ2xlY25hcHBzLmNughEqLmdvb2dsZWNuYXBwcy5j
+boIRZ29vZ2xlYXBwcy1jbi5jb22CEyouZ29vZ2xlYXBwcy1jbi5jb22CDGdrZWNu
+YXBwcy5jboIOKi5na2VjbmFwcHMuY26CEmdvb2dsZWRvd25sb2Fkcy5jboIUKi5n
+b29nbGVkb3dubG9hZHMuY26CEHJlY2FwdGNoYS5uZXQuY26CEioucmVjYXB0Y2hh
+Lm5ldC5jboIQcmVjYXB0Y2hhLWNuLm5ldIISKi5yZWNhcHRjaGEtY24ubmV0ggt3
+aWRldmluZS5jboINKi53aWRldmluZS5jboIRYW1wcHJvamVjdC5vcmcuY26CEyou
+YW1wcHJvamVjdC5vcmcuY26CEWFtcHByb2plY3QubmV0LmNughMqLmFtcHByb2pl
+Y3QubmV0LmNughdnb29nbGUtYW5hbHl0aWNzLWNuLmNvbYIZKi5nb29nbGUtYW5h
+bHl0aWNzLWNuLmNvbYIXZ29vZ2xlYWRzZXJ2aWNlcy1jbi5jb22CGSouZ29vZ2xl
+YWRzZXJ2aWNlcy1jbi5jb22CEWdvb2dsZXZhZHMtY24uY29tghMqLmdvb2dsZXZh
+ZHMtY24uY29tghFnb29nbGVhcGlzLWNuLmNvbYITKi5nb29nbGVhcGlzLWNuLmNv
+bYIVZ29vZ2xlb3B0aW1pemUtY24uY29tghcqLmdvb2dsZW9wdGltaXplLWNuLmNv
+bYISZG91YmxlY2xpY2stY24ubmV0ghQqLmRvdWJsZWNsaWNrLWNuLm5ldIIYKi5m
+bHMuZG91YmxlY2xpY2stY24ubmV0ghYqLmcuZG91YmxlY2xpY2stY24ubmV0gg5k
+b3VibGVjbGljay5jboIQKi5kb3VibGVjbGljay5jboIUKi5mbHMuZG91YmxlY2xp
+Y2suY26CEiouZy5kb3VibGVjbGljay5jboIRZGFydHNlYXJjaC1jbi5uZXSCEyou
+ZGFydHNlYXJjaC1jbi5uZXSCHWdvb2dsZXRyYXZlbGFkc2VydmljZXMtY24uY29t
+gh8qLmdvb2dsZXRyYXZlbGFkc2VydmljZXMtY24uY29tghhnb29nbGV0YWdzZXJ2
+aWNlcy1jbi5jb22CGiouZ29vZ2xldGFnc2VydmljZXMtY24uY29tghdnb29nbGV0
+YWdtYW5hZ2VyLWNuLmNvbYIZKi5nb29nbGV0YWdtYW5hZ2VyLWNuLmNvbYIYZ29v
+Z2xlc3luZGljYXRpb24tY24uY29tghoqLmdvb2dsZXN5bmRpY2F0aW9uLWNuLmNv
+bYIkKi5zYWZlZnJhbWUuZ29vZ2xlc3luZGljYXRpb24tY24uY29tghZhcHAtbWVh
+c3VyZW1lbnQtY24uY29tghgqLmFwcC1tZWFzdXJlbWVudC1jbi5jb22CC2d2dDEt
+Y24uY29tgg0qLmd2dDEtY24uY29tggtndnQyLWNuLmNvbYINKi5ndnQyLWNuLmNv
+bYILMm1kbi1jbi5uZXSCDSouMm1kbi1jbi5uZXSCFGdvb2dsZWZsaWdodHMtY24u
+bmV0ghYqLmdvb2dsZWZsaWdodHMtY24ubmV0ggxhZG1vYi1jbi5jb22CDiouYWRt
+b2ItY24uY29tgg0qLmdzdGF0aWMuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIK
+Ki5ndnQxLmNvbYIRKi5nY3BjZG4uZ3Z0MS5jb22CCiouZ3Z0Mi5jb22CDiouZ2Nw
+Lmd2dDIuY29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUu
+Y29tggsqLnl0aW1nLmNvbYILYW5kcm9pZC5jb22CDSouYW5kcm9pZC5jb22CEyou
+Zmxhc2guYW5kcm9pZC5jb22CBGcuY26CBiouZy5jboIEZy5jb4IGKi5nLmNvggZn
+b28uZ2yCCnd3dy5nb28uZ2yCFGdvb2dsZS1hbmFseXRpY3MuY29tghYqLmdvb2ds
+ZS1hbmFseXRpY3MuY29tggpnb29nbGUuY29tghJnb29nbGVjb21tZXJjZS5jb22C
+FCouZ29vZ2xlY29tbWVyY2UuY29tgghnZ3BodC5jboIKKi5nZ3BodC5jboIKdXJj
+aGluLmNvbYIMKi51cmNoaW4uY29tggh5b3V0dS5iZYILeW91dHViZS5jb22CDSou
+eW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29tghYqLnlvdXR1YmVlZHVj
+YXRpb24uY29tgg95b3V0dWJla2lkcy5jb22CESoueW91dHViZWtpZHMuY29tggV5
+dC5iZYIHKi55dC5iZYIaYW5kcm9pZC5jbGllbnRzLmdvb2dsZS5jb22CG2RldmVs
+b3Blci5hbmRyb2lkLmdvb2dsZS5jboIcZGV2ZWxvcGVycy5hbmRyb2lkLmdvb2ds
+ZS5jboIYc291cmNlLmFuZHJvaWQuZ29vZ2xlLmNuMCEGA1UdIAQaMBgwCAYGZ4EM
+AQIBMAwGCisGAQQB1nkCBQMwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybHMu
+cGtpLmdvb2cvZ3RzMWMzL2ZWSnhiVi1LdG1rLmNybDCCAQMGCisGAQQB1nkCBAIE
+gfQEgfEA7wB2ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABf5eg
+31sAAAQDAEcwRQIgKO/qyXDbVstUmyGkus1+NtSfQeBVeaah4uvJ4h5zODUCIQCr
+IAXRbx0K9/GQGOK/OCcdH04AszWgCoHyR2AZjTaTfQB1AN+lXqtogk8fbK3uuF9O
+PlrqzaISpGpejjsSwCBEXCpzAAABf5eg364AAAQDAEYwRAIgAr7Yby6/4yctoeiV
+N84JsUBOFT8H5Wm9/JxeRhLzOOcCIAXVbvK2b8fGEBcnMXaiMEB3A2NknYf3eeKV
+hkPNl1/BMA0GCSqGSIb3DQEBCwUAA4IBAQAfxzM4OzKzXj4vvS4ian65PHlV1YiY
+JOonKRWzA3LDjZ0TAF1WMEXiD46yV6HYAYdeQTGin6AaL2P4Z11rCVJPQVHW6UGv
+8AoqW4QmBer0U3dJpu28UZ7IA2KPUdAJKhukl7Y5M4fotMxydh5nmh/743GZw3g9
+krSDY8HAFqhr2R9zo2gh42IPUQI4YJcZiU4vnZlaE9NbaJmZmCm357AJ6RhHMC66
+WZ1O8+UD3EpkFWamhrPEU2GOLFjDDG/SOtXv7BBG0zCn/VRwShCj5kfivZWfWxvN
+/UrJwT49JDcuuHV7P0SwabvCQurMRd7J6ANO+esgdxGavWsnzT4U3Ac2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
+CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
+MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjAwODEzMDAwMDQyWhcNMjcwOTMwMDAw
+MDQyWjBGMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
+Y2VzIExMQzETMBEGA1UEAxMKR1RTIENBIDFDMzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAPWI3+dijB43+DdCkH9sh9D7ZYIl/ejLa6T/belaI+KZ9hzp
+kgOZE3wJCor6QtZeViSqejOEH9Hpabu5dOxXTGZok3c3VVP+ORBNtzS7XyV3NzsX
+lOo85Z3VvMO0Q+sup0fvsEQRY9i0QYXdQTBIkxu/t/bgRQIh4JZCF8/ZK2VWNAcm
+BA2o/X3KLu/qSHw3TT8An4Pf73WELnlXXPxXbhqW//yMmqaZviXZf5YsBvcRKgKA
+gOtjGDxQSYflispfGStZloEAoPtR28p3CwvJlk/vcEnHXG0g/Zm0tOLKLnf9LdwL
+tmsTDIwZKxeWmLnwi/agJ7u2441Rj72ux5uxiZ0CAwEAAaOCAYAwggF8MA4GA1Ud
+DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0T
+AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUinR/r4XN7pXNPZzQ4kYU83E1HScwHwYD
+VR0jBBgwFoAU5K8rJnEaK0gnhS9SZizv8IkTcT4waAYIKwYBBQUHAQEEXDBaMCYG
+CCsGAQUFBzABhhpodHRwOi8vb2NzcC5wa2kuZ29vZy9ndHNyMTAwBggrBgEFBQcw
+AoYkaHR0cDovL3BraS5nb29nL3JlcG8vY2VydHMvZ3RzcjEuZGVyMDQGA1UdHwQt
+MCswKaAnoCWGI2h0dHA6Ly9jcmwucGtpLmdvb2cvZ3RzcjEvZ3RzcjEuY3JsMFcG
+A1UdIARQME4wOAYKKwYBBAHWeQIFAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3Br
+aS5nb29nL3JlcG9zaXRvcnkvMAgGBmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcN
+AQELBQADggIBAIl9rCBcDDy+mqhXlRu0rvqrpXJxtDaV/d9AEQNMwkYUuxQkq/BQ
+cSLbrcRuf8/xam/IgxvYzolfh2yHuKkMo5uhYpSTld9brmYZCwKWnvy15xBpPnrL
+RklfRuFBsdeYTWU0AIAaP0+fbH9JAIFTQaSSIYKCGvGjRFsqUBITTcFTNvNCCK9U
++o53UxtkOCcXCb1YyRt8OS1b887U7ZfbFAO/CVMkH8IMBHmYJvJh8VNS/UKMG2Yr
+PxWhu//2m+OBmgEGcYk1KCTd4b3rGS3hSMs9WYNRtHTGnXzGsYZbr8w0xNPM1IER
+lQCh9BIiAfq0g3GvjLeMcySsN1PCAJA/Ef5c7TaUEDu9Ka7ixzpiO2xj2YC/WXGs
+Yye5TBeg2vZzFb8q3o/zpWwygTMD0IZRcZk0upONXbVRWPeyk+gB9lm+cZv9TSjO
+z23HFtz30dZGm6fKa+l3D/2gthsjgx0QGtkJAITgRNOidSOzNIb2ILCkXhAd4FJG
+AJ2xDx8hcFH1mt0G/FX0Kw4zd8NLQsLxdxP8c4CU6x+7Nz/OAipmsHMdMqUybDKw
+juDEI/9bfU1lcKwrmz3O2+BtjjKAvpafkmO8l7tdufThcV4q5O8DIrGKZTqPwJNl
+1IXNDw9bg1kWRxYtnCQ6yICmJhSFm/Y3m6xv+cXDBlHz4n/FsRC6UfTd
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX
+MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
+CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIwMDYx
+OTAwMDA0MloXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
+GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIx
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthECix7joXebO9y/lD63
+ladAPKH9gvl9MgaCcfb2jH/76Nu8ai6Xl6OMS/kr9rH5zoQdsfnFl97vufKj6bwS
+iV6nqlKr+CMny6SxnGPb15l+8Ape62im9MZaRw1NEDPjTrETo8gYbEvs/AmQ351k
+KSUjB6G00j0uYODP0gmHu81I8E3CwnqIiru6z1kZ1q+PsAewnjHxgsHA3y6mbWwZ
+DrXYfiYaRQM9sHmklCitD38m5agI/pboPGiUU+6DOogrFZYJsuB6jC511pzrp1Zk
+j5ZPaK49l8KEj8C8QMALXL32h7M1bKwYUH+E4EzNktMg6TO8UpmvMrUpsyUqtEj5
+cuHKZPfmghCN6J3Cioj6OGaK/GP5Afl4/Xtcd/p2h/rs37EOeZVXtL0m79YB0esW
+CruOC7XFxYpVq9Os6pFLKcwZpDIlTirxZUTQAs6qzkm06p98g7BAe+dDq6dso499
+iYH6TKX/1Y7DzkvgtdizjkXPdsDtQCv9Uw+wp9U7DbGKogPeMa3Md+pvez7W35Ei
+Eua++tgy/BBjFFFy3l3WFpO9KWgz7zpm7AeKJt8T11dleCfeXkkUAKIAf5qoIbap
+sZWwpbkNFhHax2xIPEDgfg1azVY80ZcFuctL7TlLnMQ/0lUTbiSw1nH69MG6zO0b
+9f6BQdgAmD06yK56mDcYBZUCAwEAAaOCATgwggE0MA4GA1UdDwEB/wQEAwIBhjAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTkrysmcRorSCeFL1JmLO/wiRNxPjAf
+BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzBgBggrBgEFBQcBAQRUMFIw
+JQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnBraS5nb29nL2dzcjEwKQYIKwYBBQUH
+MAKGHWh0dHA6Ly9wa2kuZ29vZy9nc3IxL2dzcjEuY3J0MDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwucGtpLmdvb2cvZ3NyMS9nc3IxLmNybDA7BgNVHSAENDAy
+MAgGBmeBDAECATAIBgZngQwBAgIwDQYLKwYBBAHWeQIFAwIwDQYLKwYBBAHWeQIF
+AwMwDQYJKoZIhvcNAQELBQADggEBADSkHrEoo9C0dhemMXoh6dFSPsjbdBZBiLg9
+NR3t5P+T4Vxfq7vqfM/b5A3Ri1fyJm9bvhdGaJQ3b2t6yMAYN/olUazsaL+yyEn9
+WprKASOshIArAoyZl+tJaox118fessmXn1hIVw41oeQa1v1vg4Fv74zPl6/AhSrw
+9U5pCZEt4Wi4wStz6dTZ/CLANx8LZh1J7QJVj2fhMtfTJr9w4z30Z209fOU0iOMy
++qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi
+d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+-----END CERTIFICATE-----

package/test/utils.js

@@ -47,6 +47,10 @@ exports.getIssueInstant = function(assertion) {
   return doc.documentElement.getAttribute('IssueInstant');
 };
 
+exports.getAuthenticationInstant = function (assertion) {
+  return exports.getAuthenticationStatement(assertion).getAttribute('AuthenticationInstant');
+};
+
 exports.getConditions = function(assertion) {
   var doc = new xmldom.DOMParser().parseFromString(assertion);
   return doc.documentElement.getElementsByTagName('saml:Conditions');

package/test/utils.tests.js

@@ -1,11 +1,63 @@
-var assert = require("assert"),
-  utils = require("../lib/utils");
-
-describe("saml 1.1", function() {
-	describe("pemToCert", function() {
-		it("should not throw when the cert is invalid", function() {
-			var cert = utils.pemToCert('abc');
-			assert.ok(!cert);
-		});
-	});
+const assert = require("assert"),
+    utils = require("../lib/utils");
+const fs = require("fs");
+const {createPublicKey} = require('crypto')
+
+describe("pemToCert", function () {
+    it("should not throw when the cert is invalid", function () {
+        var cert = utils.pemToCert('abc');
+        assert.ok(!cert);
+    });
 });
+
+describe("fixPemFormatting", () => {
+    it("returns the original when the original is not in PEM format", () => {
+        let originalCert = fs.readFileSync(__dirname + '/test-auth0.der');
+		let standardizedCert = utils.fixPemFormatting(originalCert);
+		assert.strictEqual(originalCert.compare(standardizedCert), 0);
+    })
+
+	it("handles already correctly formatted PEM content", () => {
+        let originalCert = fs.readFileSync(__dirname + '/test-auth0_rsa.pub');
+        let standardizedCert = utils.fixPemFormatting(originalCert);
+        assert.notStrictEqual(originalCert, standardizedCert);
+        assert.deepStrictEqual(createPublicKey(originalCert), createPublicKey(standardizedCert));
+	})
+
+    it("handles PEM content with extra data before the cert", () => {
+        let originalCert = Buffer.from(`data that should be ignored\n${fs.readFileSync(__dirname + '/test-auth0_rsa.pub').toString()}`)
+        let standardizedCert = utils.fixPemFormatting(originalCert);
+        assert.notStrictEqual(originalCert, standardizedCert);
+        assert.deepStrictEqual(createPublicKey(originalCert), createPublicKey(standardizedCert));
+    })
+
+    it("handles PEM content with extra data after the cert", () => {
+        let originalCert = Buffer.from(`${fs.readFileSync(__dirname + '/test-auth0_rsa.pub').toString()}\ndata that should be ignored`)
+        let standardizedCert = utils.fixPemFormatting(originalCert);
+        assert.notStrictEqual(originalCert, standardizedCert);
+        assert.deepStrictEqual(createPublicKey(originalCert), createPublicKey(standardizedCert));
+    })
+
+    it("handles incorrectly formatted PEM content", () => {
+        let originalCert = Buffer.from(fs.readFileSync(__dirname + '/test-auth0_rsa.pub').toString().replaceAll(/[\r\n]/g, ''));
+        let standardizedCert = utils.fixPemFormatting(originalCert);
+        assert.notStrictEqual(originalCert, standardizedCert);
+        let correctCert = createPublicKey(fs.readFileSync(__dirname + '/test-auth0_rsa.pub'))
+        assert.deepStrictEqual(correctCert, createPublicKey(standardizedCert));
+    })
+
+    it("handles already correctly formatted PEM chains", () => {
+        let originalCert = fs.readFileSync(__dirname + '/test-auth0-chain.pem');
+        let standardizedCert = utils.fixPemFormatting(originalCert);
+        assert.notStrictEqual(originalCert, standardizedCert);
+        assert.deepStrictEqual(createPublicKey(originalCert), createPublicKey(standardizedCert));
+    })
+
+    it("handles incorrectly formatted PEM chains", () => {
+        let originalCert = Buffer.from(fs.readFileSync(__dirname + '/test-auth0-chain.pem').toString().replaceAll(/[\r\n]/g, ''));
+        let standardizedCert = utils.fixPemFormatting(originalCert);
+        assert.notStrictEqual(originalCert, standardizedCert);
+        let correctCert = createPublicKey(fs.readFileSync(__dirname + '/test-auth0-chain.pem'))
+        assert.deepStrictEqual(correctCert, createPublicKey(standardizedCert));
+    })
+})