samlesa 2.12.10 → 2.12.11

package/src/libsaml.ts

@@ -1,19 +1,19 @@
 /**
-* @file SamlLib.js
-* @author tngan
-* @desc  A simple library including some common functions
-*/
-import { createSign, createPrivateKey,createVerify } from 'node:crypto';
-import utility, { flattenDeep, isString } from './utility.js';
-import { algorithms, wording, namespace } from './urn.js';
-import { select } from 'xpath';
-import { MetadataInterface } from './metadata.js';
-
-import { SignedXml } from 'xml-crypto';
+ * @file SamlLib.js
+ * @author tngan
+ * @desc  A simple library including some common functions
+ */
+import {createSign, createPrivateKey, createVerify} from 'node:crypto';
+import utility, {flattenDeep, isString} from './utility.js';
+import {algorithms, wording, namespace} from './urn.js';
+import {select} from 'xpath';
+import {MetadataInterface} from './metadata.js';
+import {create} from 'xmlbuilder2'
+import {SignedXml} from 'xml-crypto';
 import * as xmlenc from 'xml-encryption';
-import { extract } from './extractor.js';
+import {extract} from './extractor.js';
 import camelCase from 'camelcase';
-import { getContext } from './api.js';
+import {getContext} from './api.js';
 import xmlEscape from 'xml-escape';
 import * as fs from 'fs';
 import {DOMParser} from '@xmldom/xmldom';
@@ -22,11 +22,12 @@ const signatureAlgorithms = algorithms.signature;
 const digestAlgorithms = algorithms.digest;
 const certUse = wording.certUse;
 const urlParams = wording.urlParams;
+
 /**
  * 算法名称映射表 (兼容 X.509 和 SAML 规范)
  */
 function mapSignAlgorithm(algorithm: string): string {
-  const algorithmMap =  {
+  const algorithmMap = {
     'rsa-sha1': 'RSA-SHA1',
     'rsa-sha256': 'RSA-SHA256',
     'rsa-sha384': 'RSA-SHA384',
@@ -38,6 +39,15 @@ function mapSignAlgorithm(algorithm: string): string {
 
   return algorithmMap[algorithm.toLowerCase()] || algorithm;
 }
+
+
+/**
+ * 生成 SAML Attribute 元素（不带 XML 声明头）
+ * @param {Array} attributeData - 属性配置数据
+ * @returns {string} SAML Attribute XML 字符串
+ */
+
+
 export interface SignatureConstructor {
   rawSamlMessage: string;
   referenceTagXPath?: string;
@@ -59,6 +69,7 @@ export interface SignatureVerifierOptions {
 
 export interface ExtractorResult {
   [key: string]: any;
+
   signature?: string | string[];
   issuer?: string | string[];
   nameID?: string;
@@ -88,15 +99,21 @@ export interface LoginResponseTemplate extends BaseSamlTemplate {
   attributes?: LoginResponseAttribute[];
   additionalTemplates?: LoginResponseAdditionalTemplates;
 }
-export interface AttributeStatementTemplate extends BaseSamlTemplate { }
 
-export interface AttributeTemplate extends BaseSamlTemplate { }
+export interface AttributeStatementTemplate extends BaseSamlTemplate {
+}
+
+export interface AttributeTemplate extends BaseSamlTemplate {
+}
 
-export interface LoginRequestTemplate extends BaseSamlTemplate { }
+export interface LoginRequestTemplate extends BaseSamlTemplate {
+}
 
-export interface LogoutRequestTemplate extends BaseSamlTemplate { }
+export interface LogoutRequestTemplate extends BaseSamlTemplate {
+}
 
-export interface LogoutResponseTemplate extends BaseSamlTemplate { }
+export interface LogoutResponseTemplate extends BaseSamlTemplate {
+}
 
 export type KeyUse = 'signing' | 'encryption';
 
@@ -134,9 +151,9 @@ export interface LibSamlInterface {
 const libSaml = () => {
 
   /**
-  * @desc helper function to get back the query param for redirect binding for SLO/SSO
-  * @type {string}
-  */
+   * @desc helper function to get back the query param for redirect binding for SLO/SSO
+   * @type {string}
+   */
   function getQueryParamByType(type: string) {
     if ([urlParams.logoutRequest, urlParams.samlRequest].indexOf(type) !== -1) {
       return 'SAMLRequest';
@@ -146,6 +163,7 @@ const libSaml = () => {
     }
     throw new Error('ERR_UNDEFINED_QUERY_PARAMS');
   }
+
   /**
    *
    */
@@ -160,40 +178,47 @@ const libSaml = () => {
     'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': 'RSA-SHA512',
   };
   /**
-  * @desc Default login request template
-  * @type {LoginRequestTemplate}
-  */
+   * @desc Default login request template
+   * @type {LoginRequestTemplate}
+   */
   const defaultLoginRequestTemplate = {
     context: '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="{AssertionConsumerServiceURL}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:NameIDPolicy Format="{NameIDFormat}" AllowCreate="{AllowCreate}"/></samlp:AuthnRequest>',
   };
   /**
-  * @desc Default logout request template
-  * @type {LogoutRequestTemplate}
-  */
+   * @desc Default logout request template
+   * @type {LogoutRequestTemplate}
+   */
   const defaultLogoutRequestTemplate = {
     context: '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}"><saml:Issuer>{Issuer}</saml:Issuer><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID></samlp:LogoutRequest>',
   };
 
   /**
-  * @desc Default AttributeStatement template
-  * @type {AttributeStatementTemplate}
-  */
+   * @desc Default AttributeStatement template
+   * @type {AttributeStatementTemplate}
+   */
   const defaultAttributeStatementTemplate = {
     context: '<saml:AttributeStatement>{Attributes}</saml:AttributeStatement>',
   };
 
   /**
-  * @desc Default Attribute template
-  * @type {AttributeTemplate}
-  */
+   * @desc Default Attribute template
+   * @type {AttributeTemplate}
+   */
   const defaultAttributeTemplate = {
-    context: '<saml:Attribute Name="{Name}" NameFormat="{NameFormat}"><saml:AttributeValue xmlns:xs="{ValueXmlnsXs}" xmlns:xsi="{ValueXmlnsXsi}" xsi:type="{ValueXsiType}">{Value}</saml:AttributeValue></saml:Attribute>',
+    context: '<saml:Attribute Name="{Name}" NameFormat="{NameFormat}">{AttributeValues}</saml:Attribute>',
+  };
+  /**
+   * @desc Default AttributeValue template
+   * @type {AttributeTemplate}
+   */
+  const defaultAttributeValueTemplate = {
+    context: '<saml:AttributeValue xmlns:xs="{ValueXmlnsXs}" xmlns:xsi="{ValueXmlnsXsi}" xsi:type="{ValueXsiType}">{Value}</saml:AttributeValue>',
   };
 
   /**
-  * @desc Default login response template
-  * @type {LoginResponseTemplate}
-  */
+   * @desc Default login response template
+   * @type {LoginResponseTemplate}
+   */
   const defaultLoginResponseTemplate = {
     context: '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}"><saml:Issuer>{Issuer}</saml:Issuer><saml:Subject><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}"><saml:AudienceRestriction><saml:Audience>{Audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>{AuthnStatement}{AttributeStatement}</saml:Assertion></samlp:Response>',
     attributes: [],
@@ -203,14 +228,14 @@ const libSaml = () => {
     }
   };
   /**
-  * @desc Default logout response template
-  * @type {LogoutResponseTemplate}
-  */
+   * @desc Default logout response template
+   * @type {LogoutResponseTemplate}
+   */
   const defaultLogoutResponseTemplate = {
     context: '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status></samlp:LogoutResponse>',
   };
 
-  function getSigningSchemeForNode(sigAlg?: string){
+  function getSigningSchemeForNode(sigAlg?: string) {
     if (sigAlg) {
       const algAlias = nrsaAliasMappingForNode[sigAlg];
       if (!(algAlias === undefined)) {
@@ -219,22 +244,24 @@ const libSaml = () => {
     }
     return nrsaAliasMappingForNode[signatureAlgorithms.RSA_SHA256];
   }
+
   /**
-  * @private
-  * @desc Get the digest algorithms by signature algorithms
-  * @param {string} sigAlg    signature algorithm
-  * @return {string/undefined} digest algorithm
-  */
+   * @private
+   * @desc Get the digest algorithms by signature algorithms
+   * @param {string} sigAlg    signature algorithm
+   * @return {string/undefined} digest algorithm
+   */
   function getDigestMethod(sigAlg: string): string | undefined {
     return digestAlgorithms[sigAlg];
   }
+
   /**
-  * @public
-  * @desc Create XPath
-  * @param  {string/object} local     parameters to create XPath
-  * @param  {boolean} isExtractAll    define whether returns whole content according to the XPath
-  * @return {string} xpath
-  */
+   * @public
+   * @desc Create XPath
+   * @param  {string/object} local     parameters to create XPath
+   * @param  {boolean} isExtractAll    define whether returns whole content according to the XPath
+   * @return {string} xpath
+   */
   function createXPath(local, isExtractAll?: boolean): string {
     if (isString(local)) {
       return isExtractAll === true ? "//*[local-name(.)='" + local + "']/text()" : "//*[local-name(.)='" + local + "']";
@@ -273,13 +300,13 @@ const libSaml = () => {
     defaultAttributeTemplate,
     defaultLogoutRequestTemplate,
     defaultLogoutResponseTemplate,
-
+    defaultAttributeValueTemplate,
     /**
-    * @desc Replace the tag (e.g. {tag}) inside the raw XML
-    * @param  {string} rawXML      raw XML string used to do keyword replacement
-    * @param  {array} tagValues    tag values
-    * @return {string}
-    */
+     * @desc Replace the tag (e.g. {tag}) inside the raw XML
+     * @param  {string} rawXML      raw XML string used to do keyword replacement
+     * @param  {array} tagValues    tag values
+     * @return {string}
+     */
     replaceTagsByValue(rawXML: string, tagValues: Record<string, unknown>): string {
       Object.keys(tagValues).forEach(t => {
         rawXML = rawXML.replace(
@@ -290,50 +317,87 @@ const libSaml = () => {
       return rawXML;
     },
     /**
-    * @desc Helper function to build the AttributeStatement tag
-    * @param  {LoginResponseAttribute} attributes    an array of attribute configuration
-    * @param  {AttributeTemplate} attributeTemplate    the attribute tag template to be used
-    * @param  {AttributeStatementTemplate} attributeStatementTemplate    the attributeStatement tag template to be used
-    * @return {string}
-    */
-    attributeStatementBuilder(
+     * @desc Helper function to build the AttributeStatement tag
+     * @param  {LoginResponseAttribute} attributes    an array of attribute configuration
+     * @param  {AttributeTemplate} attributeTemplate    the attribute tag template to be used
+     * @param  {AttributeStatementTemplate} attributeStatementTemplate    the attributeStatement tag template to be used
+     * @return {string}
+     */
+/*    attributeStatementBuilder(
       attributes: LoginResponseAttribute[],
       attributeTemplate: AttributeTemplate = defaultAttributeTemplate,
       attributeStatementTemplate: AttributeStatementTemplate = defaultAttributeStatementTemplate
     ): string {
-      const attr = attributes.map(({name, nameFormat, valueTag, valueXsiType,type, valueXmlnsXs, valueXmlnsXsi }) => {
+      const attr = attributes.map(({name, nameFormat, valueTag, valueXsiType, type, valueXmlnsXs, valueXmlnsXsi}) => {
         const defaultValueXmlnsXs = 'http://www.w3.org/2001/XMLSchema';
         const defaultValueXmlnsXsi = 'http://www.w3.org/2001/XMLSchema-instance';
-      let attributeLine = attributeTemplate.context;
-      if (attributeLine && typeof attributeLine === 'function') {
-        // 安全调用
-        // @ts-ignore
-        return attributeLine({ name, nameFormat, valueTag, valueXsiType,type, valueXmlnsXs: valueXmlnsXs ?? defaultValueXmlnsXs, valueXmlnsXsi :valueXmlnsXsi ?? defaultValueXmlnsXsi })
-      }else{
-        attributeLine = attributeLine.replace('{Name}', name);
-        attributeLine = attributeLine.replace('{NameFormat}', nameFormat);
-        attributeLine = attributeLine.replace('{ValueXmlnsXs}', valueXmlnsXs ? valueXmlnsXs : defaultValueXmlnsXs);
-        attributeLine = attributeLine.replace('{ValueXmlnsXsi}', valueXmlnsXsi ? valueXmlnsXsi : defaultValueXmlnsXsi);
-        attributeLine = attributeLine.replace('{ValueXsiType}', valueXsiType);
-        attributeLine = attributeLine.replace('{Value}', `{${tagging('attr', valueTag)}}`);
-        return attributeLine;
-      }
+        let attributeLine = attributeTemplate.context;
+        if (attributeLine && typeof attributeLine === 'function') {
+          // 安全调用
+          // @ts-ignore
+          return attributeLine({
+            name,
+            nameFormat,
+            valueTag,
+            valueXsiType,
+            type,
+            valueXmlnsXs: valueXmlnsXs ?? defaultValueXmlnsXs,
+            valueXmlnsXsi: valueXmlnsXsi ?? defaultValueXmlnsXsi
+          })
+        } else {
+          attributeLine = attributeLine.replace('{Name}', name);
+          attributeLine = attributeLine.replace('{NameFormat}', nameFormat);
+          attributeLine = attributeLine.replace('{ValueXmlnsXs}', valueXmlnsXs ? valueXmlnsXs : defaultValueXmlnsXs);
+          attributeLine = attributeLine.replace('{ValueXmlnsXsi}', valueXmlnsXsi ? valueXmlnsXsi : defaultValueXmlnsXsi);
+          attributeLine = attributeLine.replace('{ValueXsiType}', valueXsiType);
+          attributeLine = attributeLine.replace('{Value}', `{${tagging('attr', valueTag)}}`);
+          return attributeLine;
+        }
 
-    }).join('');
-  return attributeStatementTemplate.context.replace('{Attributes}', attr);
-    },
+      }).join('');
+      return attributeStatementTemplate.context.replace('{Attributes}', attr);
+    },*/
+    /** For Test */
+    attributeStatementBuilder(attributeData: any[]): string {
+    const root = create({
+      // 关键配置：关闭 XML 声明头和独立文档标识
+      headless: true
+    }).ele('saml:AttributeStatement', {
+      index: 1
+    });
+
+    attributeData.forEach(attr => {
+      const attribute = root.ele('saml:Attribute', {
+        Name: attr.Name,
+        NameFormat: attr.NameFormat,
+        FriendlyName: attr.FriendlyName
+      });
+
+      attr.valueArray.forEach(valueObj => {
+        const valueElement = attribute.ele('saml:AttributeValue');
 
+        // 根据 ValueType 添加数据类型
+        /*     if (attr.ValueType === 1) {
+               valueElement.att('xsi:type', 'xs:string');
+             } // 可扩展其他类型...*/
+
+        valueElement.txt(valueObj.value);
+      });
+    });
+
+    return root.end({prettyPrint: true});
+  },
     /**
-    * @desc Construct the XML signature for POST binding
-    * @param  {string} rawSamlMessage      request/response xml string
-    * @param  {string} referenceTagXPath    reference uri
-    * @param  {string} privateKey           declares the private key
-    * @param  {string} passphrase           passphrase of the private key [optional]
-    * @param  {string|buffer} signingCert   signing certificate
-    * @param  {string} signatureAlgorithm   signature algorithm
-    * @param  {string[]} transformationAlgorithms   canonicalization and transformation Algorithms
-    * @return {string} base64 encoded string
-    */
+     * @desc Construct the XML signature for POST binding
+     * @param  {string} rawSamlMessage      request/response xml string
+     * @param  {string} referenceTagXPath    reference uri
+     * @param  {string} privateKey           declares the private key
+     * @param  {string} passphrase           passphrase of the private key [optional]
+     * @param  {string|buffer} signingCert   signing certificate
+     * @param  {string} signatureAlgorithm   signature algorithm
+     * @param  {string[]} transformationAlgorithms   canonicalization and transformation Algorithms
+     * @return {string} base64 encoded string
+     */
     constructSAMLSignature(opts: SignatureConstructor) {
       const {
         rawSamlMessage,
@@ -382,15 +446,15 @@ const libSaml = () => {
       return isBase64Output !== false ? utility.base64Encode(sig.getSignedXml()) : sig.getSignedXml();
     },
     /**
-    * @desc Verify the XML signature
-    * @param  {string} xml xml
-    * @param  {SignatureVerifierOptions} opts cert declares the X509 certificate
+     * @desc Verify the XML signature
+     * @param  {string} xml xml
+     * @param  {SignatureVerifierOptions} opts cert declares the X509 certificate
      * @return {[boolean, string | null]} - A tuple where:
      *   - The first element is `true` if the signature is valid, `false` otherwise.
      *   - The second element is the cryptographically authenticated assertion node as a string, or `null` if not found.
      */
     verifySignature(xml: string, opts: SignatureVerifierOptions) {
-      const { dom } = getContext();
+      const {dom} = getContext();
       const doc = dom.parseFromString(xml);
 
       const docParser = new DOMParser();
@@ -423,7 +487,7 @@ const libSaml = () => {
 
 
       // need to refactor later on
-      for (const signatureNode of selection){
+      for (const signatureNode of selection) {
         const sig = new SignedXml();
         let verified = false;
 
@@ -502,19 +566,19 @@ const libSaml = () => {
 
           // try getting the Xml from the first assertion
           const EncryptedAssertions = select(
-              "./*[local-name()='EncryptedAssertion']",
-              rootNode
+            "./*[local-name()='EncryptedAssertion']",
+            rootNode
           );
           const assertions = select(
-              "./*[local-name()='Assertion']",
-              rootNode
+            "./*[local-name()='Assertion']",
+            rootNode
           );
 
-            // now we can process the assertion as an assertion
-            if (EncryptedAssertions.length === 1) {
+          // now we can process the assertion as an assertion
+          if (EncryptedAssertions.length === 1) {
 
-              return [true, EncryptedAssertions[0].toString()];
-            }
+            return [true, EncryptedAssertions[0].toString()];
+          }
 
           if (assertions.length === 1) {
 
@@ -526,65 +590,65 @@ const libSaml = () => {
         } else {
           return [true, null]; // signature is valid. But there is no assertion node here. It could be metadata node, hence return null
         }
-      };
+      }
 
       // something has gone seriously wrong if we are still here
       throw new Error('ERR_ZERO_SIGNATURE');
 
       // response must be signed, either entire document or assertion
       // default we will take the assertion section under root
-/*      if (messageSignatureNode.length === 1) {
-        const node = select("/!*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/!*[local-name(.)='Assertion']", doc);
-        if (node.length === 1) {
-          assertionNode = node[0].toString();
-        }
-      }
+      /*      if (messageSignatureNode.length === 1) {
+              const node = select("/!*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/!*[local-name(.)='Assertion']", doc);
+              if (node.length === 1) {
+                assertionNode = node[0].toString();
+              }
+            }
 
-      if (assertionSignatureNode.length === 1) {
-        const verifiedAssertionInfo = extract(assertionSignatureNode[0].toString(), [{
-          key: 'refURI',
-          localPath: ['Signature', 'SignedInfo', 'Reference'],
-          attributes: ['URI']
-        }]);
-        // get the assertion supposed to be the one should be verified
-        const desiredAssertionInfo = extract(doc.toString(), [{
-          key: 'id',
-          localPath: ['~Response', 'Assertion'],
-          attributes: ['ID']
-        }]);
-        // 5.4.2 References
-        // SAML assertions and protocol messages MUST supply a value for the ID attribute on the root element of
-        // the assertion or protocol message being signed. The assertion’s or protocol message's root element may
-        // or may not be the root element of the actual XML document containing the signed assertion or protocol
-        // message (e.g., it might be contained within a SOAP envelope).
-        // Signatures MUST contain a single <ds:Reference> containing a same-document reference to the ID
-        // attribute value of the root element of the assertion or protocol message being signed. For example, if the
-        // ID attribute value is "foo", then the URI attribute in the <ds:Reference> element MUST be "#foo".
-        if (verifiedAssertionInfo.refURI !== `#${desiredAssertionInfo.id}`) {
-          throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
-        }
-        const verifiedDoc = extract(doc.toString(), [{
-          key: 'assertion',
-          localPath: ['~Response', 'Assertion'],
-          attributes: [],
-          context: true
-        }]);
-        assertionNode = verifiedDoc.assertion.toString();
-      }
+            if (assertionSignatureNode.length === 1) {
+              const verifiedAssertionInfo = extract(assertionSignatureNode[0].toString(), [{
+                key: 'refURI',
+                localPath: ['Signature', 'SignedInfo', 'Reference'],
+                attributes: ['URI']
+              }]);
+              // get the assertion supposed to be the one should be verified
+              const desiredAssertionInfo = extract(doc.toString(), [{
+                key: 'id',
+                localPath: ['~Response', 'Assertion'],
+                attributes: ['ID']
+              }]);
+              // 5.4.2 References
+              // SAML assertions and protocol messages MUST supply a value for the ID attribute on the root element of
+              // the assertion or protocol message being signed. The assertion’s or protocol message's root element may
+              // or may not be the root element of the actual XML document containing the signed assertion or protocol
+              // message (e.g., it might be contained within a SOAP envelope).
+              // Signatures MUST contain a single <ds:Reference> containing a same-document reference to the ID
+              // attribute value of the root element of the assertion or protocol message being signed. For example, if the
+              // ID attribute value is "foo", then the URI attribute in the <ds:Reference> element MUST be "#foo".
+              if (verifiedAssertionInfo.refURI !== `#${desiredAssertionInfo.id}`) {
+                throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
+              }
+              const verifiedDoc = extract(doc.toString(), [{
+                key: 'assertion',
+                localPath: ['~Response', 'Assertion'],
+                attributes: [],
+                context: true
+              }]);
+              assertionNode = verifiedDoc.assertion.toString();
+            }
 
-      return [verified, assertionNode];*/
+            return [verified, assertionNode];*/
     },
     /**
-    * @desc Helper function to create the key section in metadata (abstraction for signing and encrypt use)
-    * @param  {string} use          type of certificate (e.g. signing, encrypt)
-    * @param  {string} certString    declares the certificate String
-    * @return {object} object used in xml module
-    */
+     * @desc Helper function to create the key section in metadata (abstraction for signing and encrypt use)
+     * @param  {string} use          type of certificate (e.g. signing, encrypt)
+     * @param  {string} certString    declares the certificate String
+     * @return {object} object used in xml module
+     */
     createKeySection(use: KeyUse, certString: string | Buffer): KeyComponent {
       return {
         ['KeyDescriptor']: [
           {
-            _attr: { use },
+            _attr: {use},
           },
           {
             ['ds:KeyInfo']: [
@@ -615,38 +679,38 @@ const libSaml = () => {
 
     constructMessageSignature(
       octetString: string | Buffer,
-    key: string | Buffer,
-    passphrase?: string,
-    isBase64: boolean = true,
-    signingAlgorithm: string = nrsaAliasMappingForNode[signatureAlgorithms.RSA_SHA256]
-): string | Buffer {
-    try {
-      // 1. 标准化输入数据
-      const inputData = Buffer.isBuffer(octetString)
-        ? octetString
-        : Buffer.from(octetString, 'utf8');
-      // 2. 创建签名器并设置算
-      const signingAlgorithmValue = getSigningSchemeForNode(signingAlgorithm)
-      const signer = createSign(signingAlgorithmValue)
-
-      // 3. 加载私钥
-      const privateKey = createPrivateKey({
-        key: key,
-        format: 'pem',
-        passphrase: passphrase,
-        encoding: 'utf8'
-      });
-      signer.write(octetString);
-      signer.end();
-      const signature = signer.sign(privateKey, 'base64');
-      console.log(signature.toString());
-      console.log('dayingyixia')
-      // 5. 处理编码输出
-      return isBase64 ? signature.toString() : signature;
-    } catch (error) {
-      throw new Error(`SAML 签名失败: ${error.message}`);
-    }
-  },
+      key: string | Buffer,
+      passphrase?: string,
+      isBase64: boolean = true,
+      signingAlgorithm: string = nrsaAliasMappingForNode[signatureAlgorithms.RSA_SHA256]
+    ): string | Buffer {
+      try {
+        // 1. 标准化输入数据
+        const inputData = Buffer.isBuffer(octetString)
+          ? octetString
+          : Buffer.from(octetString, 'utf8');
+        // 2. 创建签名器并设置算
+        const signingAlgorithmValue = getSigningSchemeForNode(signingAlgorithm)
+        const signer = createSign(signingAlgorithmValue)
+
+        // 3. 加载私钥
+        const privateKey = createPrivateKey({
+          key: key,
+          format: 'pem',
+          passphrase: passphrase,
+          encoding: 'utf8'
+        });
+        signer.write(octetString);
+        signer.end();
+        const signature = signer.sign(privateKey, 'base64');
+        console.log(signature.toString());
+        console.log('dayingyixia')
+        // 5. 处理编码输出
+        return isBase64 ? signature.toString() : signature;
+      } catch (error) {
+        throw new Error(`SAML 签名失败: ${error.message}`);
+      }
+    },
     verifyMessageSignature(
       metadata,
       octetString: string,
@@ -657,19 +721,19 @@ const libSaml = () => {
       const signingScheme = getSigningSchemeForNode(verifyAlgorithm);
       const verifier = createVerify(signingScheme);
       verifier.update(octetString);
-      const isValid = verifier.verify(utility.getPublicKeyPemFromCertificate(signCert),       Buffer.isBuffer(signature) ? signature : Buffer.from(signature, 'base64'));
+      const isValid = verifier.verify(utility.getPublicKeyPemFromCertificate(signCert), Buffer.isBuffer(signature) ? signature : Buffer.from(signature, 'base64'));
       console.log(isValid);
-      console.log('验证结果-------------')
+      console.log('-------------签名验证结果-------------')
       return isValid
 
     },
 
 
     /**
-    * @desc Get the public key in string format
-    * @param  {string} x509Certificate certificate
-    * @return {string} public key
-    */
+     * @desc Get the public key in string format
+     * @param  {string} x509Certificate certificate
+     * @return {string} public key
+     */
     getKeyInfo(x509Certificate: string, signatureConfig: any = {}) {
       const prefix = signatureConfig.prefix ? `${signatureConfig.prefix}:` : '';
       return {
@@ -682,12 +746,12 @@ const libSaml = () => {
       };
     },
     /**
-    * @desc Encrypt the assertion section in Response
-    * @param  {Entity} sourceEntity             source entity
-    * @param  {Entity} targetEntity             target entity
-    * @param  {string} xml                      response in xml string format
-    * @return {Promise} a promise to resolve the finalized xml
-    */
+     * @desc Encrypt the assertion section in Response
+     * @param  {Entity} sourceEntity             source entity
+     * @param  {Entity} targetEntity             target entity
+     * @param  {string} xml                      response in xml string format
+     * @return {Promise} a promise to resolve the finalized xml
+     */
     encryptAssertion(sourceEntity, targetEntity, xml?: string) {
       // Implement encryption after signature if it has
       return new Promise<string>((resolve, reject) => {
@@ -698,7 +762,7 @@ const libSaml = () => {
 
         const sourceEntitySetting = sourceEntity.entitySetting;
         const targetEntityMetadata = targetEntity.entityMeta;
-        const { dom } = getContext();
+        const {dom} = getContext();
         const doc = dom.parseFromString(xml);
         const assertions = select("//*[local-name(.)='Assertion']", doc) as Node[];
         if (!Array.isArray(assertions) || assertions.length === 0) {
@@ -731,7 +795,7 @@ const libSaml = () => {
             if (!res) {
               return reject(new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION'));
             }
-            const { encryptedAssertion: encAssertionPrefix } = sourceEntitySetting.tagPrefix;
+            const {encryptedAssertion: encAssertionPrefix} = sourceEntitySetting.tagPrefix;
             const encryptAssertionDoc = dom.parseFromString(`<${encAssertionPrefix}:EncryptedAssertion xmlns:${encAssertionPrefix}="${namespace.names.assertion}">${res}</${encAssertionPrefix}:EncryptedAssertion>`);
             doc.documentElement.replaceChild(encryptAssertionDoc.documentElement, rawAssertionNode);
             return resolve(utility.base64Encode(doc.toString()));
@@ -742,13 +806,13 @@ const libSaml = () => {
       });
     },
     /**
-    * @desc Decrypt the assertion section in Response
-    * @param  {string} type             only accept SAMLResponse to proceed decryption
-    * @param  {Entity} here             this entity
-    * @param  {Entity} from             from the entity where the message is sent
-    * @param {string} entireXML         response in xml string format
-    * @return {function} a promise to get back the entire xml with decrypted assertion
-    */
+     * @desc Decrypt the assertion section in Response
+     * @param  {string} type             only accept SAMLResponse to proceed decryption
+     * @param  {Entity} here             this entity
+     * @param  {Entity} from             from the entity where the message is sent
+     * @param {string} entireXML         response in xml string format
+     * @return {function} a promise to get back the entire xml with decrypted assertion
+     */
     decryptAssertion(here, entireXML: string) {
       return new Promise<[string, any]>((resolve, reject) => {
         // Implement decryption first then check the signature
@@ -757,7 +821,7 @@ const libSaml = () => {
         }
         // Perform encryption depends on the setting of where the message is sent, default is false
         const hereSetting = here.entitySetting;
-        const { dom  } = getContext();
+        const {dom} = getContext();
         const doc = dom.parseFromString(entireXML);
         const encryptedAssertions = select("/*[contains(local-name(), 'Response')]/*[local-name(.)='EncryptedAssertion']", doc) as Node[];
         if (!Array.isArray(encryptedAssertions) || encryptedAssertions.length === 0) {
@@ -789,7 +853,7 @@ const libSaml = () => {
     async isValidXml(input: string) {
 
       // check if global api contains the validate function
-      const { validate } = getContext();
+      const {validate} = getContext();
 
       /**
        * user can write a validate function that always returns