samlesa 2.12.113 → 2.14.0

package/src/types.ts

@@ -1,153 +0,0 @@
-import { LoginResponseTemplate } from './libsaml.js';
-
-export { IdentityProvider as IdentityProviderConstructor } from './entity-idp.js';
-export { IdpMetadata as IdentityProviderMetadata } from './metadata-idp.js';
-
-export { ServiceProvider as ServiceProviderConstructor } from './entity-sp.js';
-export { SpMetadata as ServiceProviderMetadata } from './metadata-sp.js';
-
-export type MetadataFile = string | Buffer;
-
-type SSOService = {
-  isDefault?: boolean;
-  Binding: string;
-  Location: string;
-};
-// 1. 定义服务名称类型
-export type ServiceName = {
-  value: string;
-  /** @description 语言标识符（如 en/zh-CN） */
-  lang?: string;
-};
-
-// 2. 定义请求属性类型
-export type RequestedAttribute = {
-  name: string;
-  friendlyName?: string;
-  isRequired?: boolean;
-  nameFormat?: string;
-  attributeValue?: string[];
-};
-
-// 3. 定义属性消费服务类型
-export type AttributeConsumingService = {
-  isDefault: boolean;
-  serviceName: ServiceName[]; // 修复点：确保属性名为 serviceName（驼峰命名）
-  serviceDescription: ServiceName[]; // 修复点：确保属性名为 serviceName（驼峰命名）
-  requestedAttributes: RequestedAttribute[];
-};
-
-// 4. 定义顶层服务配置类型
-export type AttrService = AttributeConsumingService[];
-export interface MetadataIdpOptions {
-  entityID?: string;
-  signingCert?: string | Buffer | (string | Buffer)[];
-  encryptCert?: string | Buffer | (string | Buffer)[];
-  wantAuthnRequestsSigned?: boolean;
-  nameIDFormat?: string[];
-  singleSignOnService?: SSOService[];
-  singleLogoutService?: SSOService[];
-  requestSignatureAlgorithm?: string;
-}
-
-export type MetadataIdpConstructor =
-  | MetadataIdpOptions
-  | MetadataFile;
-
-export interface MetadataSpOptions {
-  entityID?: string;
-  signingCert?: string | Buffer | (string | Buffer)[];
-  encryptCert?: string | Buffer | (string | Buffer)[];
-  authnRequestsSigned?: boolean;
-  wantAssertionsSigned?: boolean;
-  wantMessageSigned?: boolean;
-  signatureConfig?: { [key: string]: any };
-  nameIDFormat?: string[];
-  singleSignOnService?: SSOService[];
-  singleLogoutService?: SSOService[];
-  assertionConsumerService?: SSOService[];
-  attributeConsumingService?: AttributeConsumingService[];
-  elementsOrder?: string[];
-}
-
-export type MetadataSpConstructor =
-  | MetadataSpOptions
-  | MetadataFile;
-
-export type EntitySetting = ServiceProviderSettings & IdentityProviderSettings;
-
-export interface SignatureConfig {
-  prefix?: string;
-  location?: {
-    reference?: string;
-    action?: 'append' | 'prepend' | 'before' | 'after';
-  };
-}
-
-export interface SAMLDocumentTemplate {
-  context?: string;
-}
-
-export type ServiceProviderSettings = {
-  metadata?: string | Buffer;
-  entityID?: string;
-  authnRequestsSigned?: boolean;
-  wantAssertionsSigned?: boolean;
-  wantMessageSigned?: boolean;
-  wantLogoutResponseSigned?: boolean;
-  wantLogoutRequestSigned?: boolean;
-  privateKey?: string | Buffer;
-  privateKeyPass?: string;
-  isAssertionEncrypted?: boolean;
-  requestSignatureAlgorithm?: string;
-  encPrivateKey?: string | Buffer;
-  encPrivateKeyPass?: string | Buffer;
-  assertionConsumerService?: SSOService[];
-  singleLogoutService?: SSOService[];
-  signatureConfig?: SignatureConfig;
-  loginRequestTemplate?: SAMLDocumentTemplate;
-  logoutRequestTemplate?: SAMLDocumentTemplate;
-  signingCert?: string | Buffer | (string | Buffer)[];
-  encryptCert?: string | Buffer | (string | Buffer)[];
-  transformationAlgorithms?: string[];
-  nameIDFormat?: string[];
-  allowCreate?: boolean;
-  // will be deprecated soon
-  relayState?: string;
-  // https://github.com/tngan/samlify/issues/337
-  clockDrifts?: [number, number];
-};
-
-export type IdentityProviderSettings = {
-  metadata?: string | Buffer;
-
-  /** signature algorithm */
-  requestSignatureAlgorithm?: string;
-
-  /** template of login response */
-  loginResponseTemplate?: LoginResponseTemplate;
-
-  /** template of logout request */
-  logoutRequestTemplate?: SAMLDocumentTemplate;
-
-  /** customized function used for generating request ID */
-  generateID?: () => string;
-
-  entityID?: string;
-  privateKey?: string | Buffer;
-  privateKeyPass?: string;
-  signingCert?: string | Buffer | (string | Buffer)[];
-  encryptCert?: string | Buffer | (string | Buffer)[];
-  nameIDFormat?: string[];
-  singleSignOnService?: SSOService[];
-  singleLogoutService?: SSOService[];
-  isAssertionEncrypted?: boolean;
-  encPrivateKey?: string | Buffer;
-  encPrivateKeyPass?: string;
-  messageSigningOrder?: string;
-  wantLogoutRequestSigned?: boolean;
-  wantLogoutResponseSigned?: boolean;
-  wantAuthnRequestsSigned?: boolean;
-  wantLogoutRequestSignedResponseSigned?: boolean;
-  tagPrefix?: { [key: string]: string };
-};

package/src/urn.ts

@@ -1,211 +0,0 @@
-/**
-* @file urn.ts
-* @author tngan
-* @desc  Includes all keywords need in samlify
-*/
-
-export enum BindingNamespace {
-  Redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-  Post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-  SimpleSign = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
-  Artifact = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
-}
-
-export enum MessageSignatureOrder {
-  STE = 'sign-then-encrypt',
-  ETS = 'encrypt-then-sign'
-}
-
-export enum StatusCode {
-  // top-tier
-  Success = 'urn:oasis:names:tc:SAML:2.0:status:Success',
-  Requester = 'urn:oasis:names:tc:SAML:2.0:status:Requester',
-  Responder = 'urn:oasis:names:tc:SAML:2.0:status:Responder',
-  VersionMismatch = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch',
-  // second-tier to provide more information
-  AuthFailed = 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed',
-  InvalidAttrNameOrValue = 'urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue',
-  InvalidNameIDPolicy = 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy',
-  NoAuthnContext = 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext',
-  NoAvailableIDP = 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP',
-  NoPassive = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive',
-  NoSupportedIDP = 'urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP',
-  PartialLogout = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout',
-  ProxyCountExceeded = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded',
-  RequestDenied = 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied',
-  RequestUnsupported = 'urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported',
-  RequestVersionDeprecated = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated',
-  RequestVersionTooHigh = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh',
-  RequestVersionTooLow = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow',
-  ResourceNotRecognized = 'urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized',
-  TooManyResponses = 'urn:oasis:names:tc:SAML:2.0:status:TooManyResponses',
-  UnknownAttrProfile = 'urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile',
-  UnknownPrincipal = 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal',
-  UnsupportedBinding = 'urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding',
-}
-
-const namespace = {
-  binding: {
-    redirect: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-    post: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-    simpleSign: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
-    artifact: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
-  },
-  names: {
-    protocol: 'urn:oasis:names:tc:SAML:2.0:protocol',
-    assertion: 'urn:oasis:names:tc:SAML:2.0:assertion',
-    metadata: 'urn:oasis:names:tc:SAML:2.0:metadata',
-    userLogout: 'urn:oasis:names:tc:SAML:2.0:logout:user',
-    adminLogout: 'urn:oasis:names:tc:SAML:2.0:logout:admin',
-  },
-  authnContextClassRef: {
-    password: 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
-    passwordProtectedTransport: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
-  },
-  format: {
-    emailAddress: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-    persistent: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-    transient: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-    entity: 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity',
-    unspecified: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
-    kerberos: 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos',
-    windowsDomainQualifiedName: 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName',
-    x509SubjectName: 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName',
-  },
-  statusCode: {
-    // permissible top-level status codes
-    success: 'urn:oasis:names:tc:SAML:2.0:status:Success',
-    requester: 'urn:oasis:names:tc:SAML:2.0:status:Requester',
-    responder: 'urn:oasis:names:tc:SAML:2.0:status:Responder',
-    versionMismatch: 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch',
-    // second-level status codes
-    authFailed: 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed',
-    invalidAttrNameOrValue: 'urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue',
-    invalidNameIDPolicy: 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy',
-    noAuthnContext: 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext',
-    noAvailableIDP: 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP',
-    noPassive: 'urn:oasis:names:tc:SAML:2.0:status:NoPassive',
-    noSupportedIDP: 'urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP',
-    partialLogout: 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout',
-    proxyCountExceeded: 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded',
-    requestDenied: 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied',
-    requestUnsupported: 'urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported',
-    requestVersionDeprecated: 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated',
-    requestVersionTooHigh: 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh',
-    requestVersionTooLow: 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow',
-    resourceNotRecognized: 'urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized',
-    tooManyResponses: 'urn:oasis:names:tc:SAML:2.0:status:TooManyResponses',
-    unknownAttrProfile: 'urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile',
-    unknownPrincipal: 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal',
-    unsupportedBinding: 'urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding',
-  },
-};
-
-const tags = {
-  request: {
-    AllowCreate: '{AllowCreate}',
-    AssertionConsumerServiceURL: '{AssertionConsumerServiceURL}',
-    AuthnContextClassRef: '{AuthnContextClassRef}',
-    AssertionID: '{AssertionID}',
-    Audience: '{Audience}',
-    AuthnStatement: '{AuthnStatement}',
-    AttributeStatement: '{AttributeStatement}',
-    ConditionsNotBefore: '{ConditionsNotBefore}',
-    ConditionsNotOnOrAfter: '{ConditionsNotOnOrAfter}',
-    Destination: '{Destination}',
-    EntityID: '{EntityID}',
-    ID: '{ID}',
-    Issuer: '{Issuer}',
-    IssueInstant: '{IssueInstant}',
-    InResponseTo: '{InResponseTo}',
-    NameID: '{NameID}',
-    NameIDFormat: '{NameIDFormat}',
-    ProtocolBinding: '{ProtocolBinding}',
-    SessionIndex: '{SessionIndex}',
-    SubjectRecipient: '{SubjectRecipient}',
-    SubjectConfirmationDataNotOnOrAfter: '{SubjectConfirmationDataNotOnOrAfter}',
-    StatusCode: '{StatusCode}',
-  },
-  xmlTag: {
-    loginRequest: 'AuthnRequest',
-    logoutRequest: 'LogoutRequest',
-    loginResponse: 'Response',
-    logoutResponse: 'LogoutResponse',
-  },
-};
-
-const messageConfigurations = {
-  signingOrder: {
-    SIGN_THEN_ENCRYPT: 'sign-then-encrypt',
-    ENCRYPT_THEN_SIGN: 'encrypt-then-sign',
-  },
-};
-
-const algorithms = {
-  signature: {
-    RSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
-    RSA_SHA256: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
-    RSA_SHA512: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512',
-  },
-  encryption: {
-    data: {
-      AES_128: 'http://www.w3.org/2001/04/xmlenc#aes128-cbc',
-      AES_256: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
-      AES_256_GCM: 'http://www.w3.org/2009/xmlenc11#aes256-gcm',
-      TRI_DEC: 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc',
-      AES_128_GCM: 'http://www.w3.org/2009/xmlenc11#aes128-gcm'
-    },
-    key: {
-      RSA_OAEP_MGF1P: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
-      RSA_1_5: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5',
-    },
-  },
-  digest: {
-    'http://www.w3.org/2000/09/xmldsig#rsa-sha1': 'http://www.w3.org/2000/09/xmldsig#sha1',
-    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': 'http://www.w3.org/2001/04/xmlenc#sha256',
-    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': 'http://www.w3.org/2001/04/xmlenc#sha512', // support hashing algorithm sha512 in xml-crypto after 0.8.0
-  },
-};
-
-export enum ParserType {
-  SAMLRequest = 'SAMLRequest',
-  SAMLResponse = 'SAMLResponse',
-  LogoutRequest = 'LogoutRequest',
-  LogoutResponse = 'LogoutResponse'
-}
-
-const wording = {
-  urlParams: {
-    samlRequest: 'SAMLRequest',
-    samlResponse: 'SAMLResponse',
-    logoutRequest: 'LogoutRequest',
-    logoutResponse: 'LogoutResponse',
-    sigAlg: 'SigAlg',
-    signature: 'Signature',
-    relayState: 'RelayState',
-  },
-  binding: {
-    redirect: 'redirect',
-    post: 'post',
-    simpleSign: 'simpleSign',
-    artifact: 'artifact',
-  },
-  certUse: {
-    signing: 'signing',
-    encrypt: 'encryption',
-  },
-  metadata: {
-    sp: 'metadata-sp',
-    idp: 'metadata-idp',
-  },
-};
-
-// https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForSP
-// some idps restrict the order of elements in entity descriptors
-const elementsOrder = {
-  default: ['KeyDescriptor', 'NameIDFormat', 'SingleLogoutService', 'AssertionConsumerService','AttributeConsumingService'],
-  onelogin: ['KeyDescriptor', 'NameIDFormat', 'SingleLogoutService', 'AssertionConsumerService','AttributeConsumingService'],
-  shibboleth: ['KeyDescriptor', 'SingleLogoutService', 'NameIDFormat', 'AssertionConsumerService', 'AttributeConsumingService'],
-};
-
-export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations };

package/src/utility.ts

@@ -1,319 +0,0 @@
-/**
- * @file utility.ts
- * @author tngan
- * @desc  Library for some common functions (e.g. de/inflation, en/decoding)
- */
-
-import {X509Certificate,createPrivateKey } from 'node:crypto';
-
-
-import {inflate, deflate} from 'pako';
-
-const BASE64_STR = 'base64';
-
-/**
- * @desc Mimic lodash.zipObject
- * @param arr1 {string[]}
- * @param arr2 {[]}
- */
-export function zipObject(arr1: string[], arr2: any[], skipDuplicated = true) {
-  return arr1.reduce((res, l, i) => {
-
-    if (skipDuplicated) {
-      res[l] = arr2[i];
-      return res;
-    }
-    // if key exists, aggregate with array in order to get rid of duplicate key
-    if (res[l] !== undefined) {
-      res[l] = Array.isArray(res[l])
-        ? res[l].concat(arr2[i])
-        : [res[l]].concat(arr2[i]);
-      return res;
-    }
-
-    res[l] = arr2[i];
-    return res;
-
-  }, {});
-}
-
-/**
- * @desc Alternative to lodash.flattenDeep
- * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_flattendeep
- * @param input {[]}
- */
-export function flattenDeep(input: any[]) {
-  return Array.isArray(input)
-    ? input.reduce((a, b) => a.concat(flattenDeep(b)), [])
-    : [input];
-}
-
-/**
- * @desc Alternative to lodash.last
- * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_last
- * @param input {[]}
- */
-export function last(input: any[]) {
-  return input.slice(-1)[0];
-}
-
-/**
- * @desc Alternative to lodash.uniq
- * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_uniq
- * @param input {string[]}
- */
-export function uniq(input: string[]) {
-  const set = new Set(input);
-  return [...set];
-}
-
-/**
- * @desc Alternative to lodash.get
- * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_get
- * @param obj
- * @param path
- * @param defaultValue
- */
-export function get(obj, path, defaultValue) {
-  return path.split('.')
-    .reduce((a, c) => (a && a[c] ? a[c] : (defaultValue || null)), obj);
-}
-
-/**
- * @desc Check if the input is string
- * @param {any} input
- */
-export function isString(input: any) {
-  return typeof input === 'string';
-}
-
-/**
- * @desc Encode string with base64 format
- * @param  {string} message                       plain-text message
- * @return {string} base64 encoded string
- */
-function base64Encode(message: string | number[]) {
-  return Buffer.from(message as string).toString(BASE64_STR);
-}
-
-/**
- * @desc Decode string from base64 format
- * @param  {string} base64Message                 encoded string
- * @param  {boolean} isBytes                      determine the return value type (True: bytes False: string)
- * @return {bytes/string}  decoded bytes/string depends on isBytes, default is {string}
- */
-export function base64Decode(base64Message: string, isBytes?: boolean): string | Buffer {
-  const bytes = Buffer.from(base64Message, BASE64_STR);
-  return Boolean(isBytes) ? bytes : bytes.toString();
-}
-
-/**
- * @desc Compress the string
- * @param  {string} message
- * @return {string} compressed string
- */
-function deflateString(message: string): number[] {
-  const input = Array.prototype.map.call(message, char => char.charCodeAt(0));
-  return Array.from(deflate(input, {raw: true}));
-}
-
-/**
- * @desc Decompress the compressed string
- * @param  {string} compressedString
- * @return {string} decompressed string
- */
-export function inflateString(compressedString: string): string {
-  const inputBuffer = Buffer.from(compressedString, BASE64_STR);
-  const input = Array.prototype.map.call(inputBuffer.toString('binary'), char => char.charCodeAt(0));
-  return Array.from(inflate(input, {raw: true}))
-    .map((byte: number) => String.fromCharCode(byte))
-    .join('');
-}
-
-/**
- * @desc Abstract the normalizeCerString and normalizePemString
- * @param {buffer} File stream or string
- * @param {string} String for header and tail
- * @return {string} A formatted certificate string
- */
-function _normalizeCerString(bin: string | Buffer, format: string) {
-  return bin.toString().replace(/\n/g, '').replace(/\r/g, '').replace(`-----BEGIN ${format}-----`, '').replace(`-----END ${format}-----`, '').replace(/ /g, '').replace(/\t/g, '');
-}
-
-/**
- * @desc Parse the .cer to string format without line break, header and footer
- * @param  {string} certString     declares the certificate contents
- * @return {string} certificiate in string format
- */
-function normalizeCerString(certString: string | Buffer) {
-  return _normalizeCerString(certString, 'CERTIFICATE');
-}
-
-/**
- * @desc Normalize the string in .pem format without line break, header and footer
- * @param  {string} pemString
- * @return {string} private key in string format
- */
-function normalizePemString(pemString: string | Buffer) {
-  return _normalizeCerString(pemString.toString(), 'RSA PRIVATE KEY');
-}
-
-/**
- * @desc Return the complete URL
- * @param  {object} req                   HTTP request
- * @return {string} URL
- */
-function getFullURL(req) {
-  return `${req.protocol}://${req.get('host')}${req.originalUrl}`;
-}
-
-/**
- * @desc Parse input string, return default value if it is undefined
- * @param  {string/boolean}
- * @return {boolean}
- */
-function parseString(str, defaultValue = '') {
-  return str || defaultValue;
-}
-
-/**
- * @desc Override the object by another object (rtl)
- * @param  {object} default object
- * @param  {object} object applied to the default object
- * @return {object} result object
- */
-function applyDefault(obj1, obj2) {
-  return Object.assign({}, obj1, obj2);
-}
-
-/**
- * @desc Get public key in pem format from the certificate included in the metadata
- * @param {string} x509 certificate
- * @return {string} public key fetched from the certificate
- */
-function getPublicKeyPemFromCertificate(x509CertificateString: string) {
-  const derBuffer = Buffer.from(x509CertificateString, 'base64');
-  // 解析 X.509 证书
-  const cert2 = new X509Certificate(derBuffer);
-  const publicKeyObject = cert2.publicKey
-  // 3. 导出为 PEM 格式
-  return publicKeyObject.export({
-    type: 'spki',   // 使用 Subject Public Key Info 结构
-    format: 'pem'  // 输出 PEM 格式
-  });
-
-}
-
-
-/*function getPublicKeyPemFromCertificate(x509Certificate: string): string {
-  // 将 Base64 字符串转为 Buffer（DER 编码）
-  const derBuffer = Buffer.from(x509Certificate, 'base64');
-
-  // 解析 X.509 证书
-  const cert =  new X509Certificate(derBuffer);
-
-  // 直接获取公钥的 PEM 格式
-  console.log(cert.publicKey?.toString())
-  console.log("这就是我的打印")
-  return cert.publicKey?.toString();
-}*/
-/**
- * @desc Read private key from pem-formatted string
- * @param {string | Buffer} keyString pem-formatted string
- * @param {string} protected passphrase of the key
- * @return {string} string in pem format
- * If passphrase is used to protect the .pem content (recommend)
- */
-
-/**
- * PEM 头尾格式校验与修复
- */
-function validatePEMHeaders(pem: string, keyType: string): string {
-  const expectedHeader = `-----BEGIN ${keyType}-----`;
-  const expectedFooter = `-----END ${keyType}-----`;
-
-  // 自动修复不规范的 PEM 头尾
-  return pem
-      .replace(/-{5}.*PRIVATE KEY-{5}/g, '')  // 清除已有头尾
-      .replace(/(\r\n|\n|\r)/gm, '\n')       // 统一换行符
-      .trim() +                               // 清理空白
-    `\n${expectedHeader}\n${pem}\n${expectedFooter}\n`;
-}
-export function readPrivateKey(
-  keyString: string | Buffer,
-  passphrase?: string,
-  isOutputString: boolean = true
-): string | Buffer {
-  try {
-    // 统一转换为字符串格式处理
-    const pemKey = Buffer.isBuffer(keyString)
-      ? keyString.toString('utf8')
-      : keyString;
-
-    // 创建私钥对象 (自动处理加密)
-    const keyObject = createPrivateKey({
-      key: pemKey,
-      format: 'pem',
-      passphrase: isString(passphrase) ? passphrase : undefined,
-      encoding: 'utf8'
-    });
-
-    // 验证密钥类型为 RSA
-    if (keyObject.asymmetricKeyType !== 'rsa') {
-      throw new Error('仅支持 RSA 私钥类型');
-    }
-
-    // 强制转换为 PKCS#1 格式
-    const exported = keyObject.export({
-      type: 'pkcs1',      // 明确指定 RSA 传统格式
-      format: 'pem'      // 输出为 PEM 格式
-    }) as string;
-
-    return isOutputString ? String(exported) : Buffer.from(exported, 'utf8');
-  } catch (error) {
-    throw new Error(`私钥读取失败: ${error.message}`);
-  }
-}
-
-
-/**
- * @desc Inline syntax sugar
- */
-function convertToString(input, isOutputString) {
-  return Boolean(isOutputString) ? String(input) : input;
-}
-
-/**
- * @desc Check if the input is an array with non-zero size
- */
-export function isNonEmptyArray(a: any) {
-  return Array.isArray(a) && a.length > 0;
-}
-
-export function castArrayOpt<T>(a?: T | T[]): T[] {
-  if (a === undefined) return []
-  return Array.isArray(a) ? a : [a]
-}
-
-export function notEmpty<TValue>(value: TValue | null | undefined): value is TValue {
-  return value !== null && value !== undefined;
-}
-
-const utility = {
-  isString,
-  base64Encode,
-  base64Decode,
-  deflateString,
-  inflateString,
-  normalizeCerString,
-  normalizePemString,
-  getFullURL,
-  parseString,
-  applyDefault,
-  getPublicKeyPemFromCertificate,
-  readPrivateKey,
-  convertToString,
-  isNonEmptyArray,
-};
-
-export default utility;