samlesa 2.12.3 → 2.12.5

package/build/src/libsaml.js

@@ -1,642 +1,666 @@
-"use strict";
-/**
-* @file SamlLib.js
-* @author tngan
-* @desc  A simple library including some common functions
-*/
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const utility_js_1 = __importStar(require("./utility.js"));
-const urn_js_1 = require("./urn.js");
-const xpath_1 = require("xpath");
-const node_rsa_1 = __importDefault(require("node-rsa"));
-const xml_crypto_1 = require("xml-crypto");
-const xmlenc = __importStar(require("xml-encryption"));
-const camelcase_1 = __importDefault(require("camelcase"));
-const api_js_1 = require("./api.js");
-const xml_escape_1 = __importDefault(require("xml-escape"));
-const fs = __importStar(require("fs"));
-const xmldom_1 = require("@xmldom/xmldom");
-const signatureAlgorithms = urn_js_1.algorithms.signature;
-const digestAlgorithms = urn_js_1.algorithms.digest;
-const certUse = urn_js_1.wording.certUse;
-const urlParams = urn_js_1.wording.urlParams;
-const libSaml = () => {
-    /**
-    * @desc helper function to get back the query param for redirect binding for SLO/SSO
-    * @type {string}
-    */
-    function getQueryParamByType(type) {
-        if ([urlParams.logoutRequest, urlParams.samlRequest].indexOf(type) !== -1) {
-            return 'SAMLRequest';
-        }
-        if ([urlParams.logoutResponse, urlParams.samlResponse].indexOf(type) !== -1) {
-            return 'SAMLResponse';
-        }
-        throw new Error('ERR_UNDEFINED_QUERY_PARAMS');
-    }
-    /**
-     *
-     */
-    const nrsaAliasMapping = {
-        'http://www.w3.org/2000/09/xmldsig#rsa-sha1': 'pkcs1-sha1',
-        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': 'pkcs1-sha256',
-        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': 'pkcs1-sha512',
-    };
-    /**
-    * @desc Default login request template
-    * @type {LoginRequestTemplate}
-    */
-    const defaultLoginRequestTemplate = {
-        context: '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="{AssertionConsumerServiceURL}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:NameIDPolicy Format="{NameIDFormat}" AllowCreate="{AllowCreate}"/></samlp:AuthnRequest>',
-    };
-    /**
-    * @desc Default logout request template
-    * @type {LogoutRequestTemplate}
-    */
-    const defaultLogoutRequestTemplate = {
-        context: '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}"><saml:Issuer>{Issuer}</saml:Issuer><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID></samlp:LogoutRequest>',
-    };
-    /**
-    * @desc Default AttributeStatement template
-    * @type {AttributeStatementTemplate}
-    */
-    const defaultAttributeStatementTemplate = {
-        context: '<saml:AttributeStatement>{Attributes}</saml:AttributeStatement>',
-    };
-    /**
-    * @desc Default Attribute template
-    * @type {AttributeTemplate}
-    */
-    const defaultAttributeTemplate = {
-        context: '<saml:Attribute Name="{Name}" NameFormat="{NameFormat}"><saml:AttributeValue xmlns:xs="{ValueXmlnsXs}" xmlns:xsi="{ValueXmlnsXsi}" xsi:type="{ValueXsiType}">{Value}</saml:AttributeValue></saml:Attribute>',
-    };
-    /**
-    * @desc Default login response template
-    * @type {LoginResponseTemplate}
-    */
-    const defaultLoginResponseTemplate = {
-        context: '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}"><saml:Issuer>{Issuer}</saml:Issuer><saml:Subject><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}"><saml:AudienceRestriction><saml:Audience>{Audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>{AuthnStatement}{AttributeStatement}</saml:Assertion></samlp:Response>',
-        attributes: [],
-        additionalTemplates: {
-            'attributeStatementTemplate': defaultAttributeStatementTemplate,
-            'attributeTemplate': defaultAttributeTemplate
-        }
-    };
-    /**
-    * @desc Default logout response template
-    * @type {LogoutResponseTemplate}
-    */
-    const defaultLogoutResponseTemplate = {
-        context: '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status></samlp:LogoutResponse>',
-    };
-    /**
-    * @private
-    * @desc Get the signing scheme alias by signature algorithms, used by the node-rsa module
-    * @param {string} sigAlg    signature algorithm
-    * @return {string/null} signing algorithm short-hand for the module node-rsa
-    */
-    function getSigningScheme(sigAlg) {
-        if (sigAlg) {
-            const algAlias = nrsaAliasMapping[sigAlg];
-            if (!(algAlias === undefined)) {
-                return algAlias;
-            }
-        }
-        return nrsaAliasMapping[signatureAlgorithms.RSA_SHA1];
-    }
-    /**
-    * @private
-    * @desc Get the digest algorithms by signature algorithms
-    * @param {string} sigAlg    signature algorithm
-    * @return {string/undefined} digest algorithm
-    */
-    function getDigestMethod(sigAlg) {
-        return digestAlgorithms[sigAlg];
-    }
-    /**
-    * @public
-    * @desc Create XPath
-    * @param  {string/object} local     parameters to create XPath
-    * @param  {boolean} isExtractAll    define whether returns whole content according to the XPath
-    * @return {string} xpath
-    */
-    function createXPath(local, isExtractAll) {
-        if ((0, utility_js_1.isString)(local)) {
-            return isExtractAll === true ? "//*[local-name(.)='" + local + "']/text()" : "//*[local-name(.)='" + local + "']";
-        }
-        return "//*[local-name(.)='" + local.name + "']/@" + local.attr;
-    }
-    /**
-     * @private
-     * @desc Tag normalization
-     * @param {string} prefix     prefix of the tag
-     * @param {content} content   normalize it to capitalized camel case
-     * @return {string}
-     */
-    function tagging(prefix, content) {
-        const camelContent = (0, camelcase_1.default)(content, { locale: 'en-us' });
-        return prefix + camelContent.charAt(0).toUpperCase() + camelContent.slice(1);
-    }
-    function escapeTag(replacement) {
-        return (_match, quote) => {
-            const text = (replacement === null || replacement === undefined) ? '' : String(replacement);
-            // not having a quote means this interpolation isn't for an attribute, and so does not need escaping
-            return quote ? `${quote}${(0, xml_escape_1.default)(text)}` : text;
-        };
-    }
-    return {
-        createXPath,
-        getQueryParamByType,
-        defaultLoginRequestTemplate,
-        defaultLoginResponseTemplate,
-        defaultAttributeStatementTemplate,
-        defaultAttributeTemplate,
-        defaultLogoutRequestTemplate,
-        defaultLogoutResponseTemplate,
-        /**
-        * @desc Replace the tag (e.g. {tag}) inside the raw XML
-        * @param  {string} rawXML      raw XML string used to do keyword replacement
-        * @param  {array} tagValues    tag values
-        * @return {string}
-        */
-        replaceTagsByValue(rawXML, tagValues) {
-            Object.keys(tagValues).forEach(t => {
-                rawXML = rawXML.replace(new RegExp(`("?)\\{${t}\\}`, 'g'), escapeTag(tagValues[t]));
-            });
-            return rawXML;
-        },
-        /**
-        * @desc Helper function to build the AttributeStatement tag
-        * @param  {LoginResponseAttribute} attributes    an array of attribute configuration
-        * @param  {AttributeTemplate} attributeTemplate    the attribute tag template to be used
-        * @param  {AttributeStatementTemplate} attributeStatementTemplate    the attributeStatement tag template to be used
-        * @return {string}
-        */
-        attributeStatementBuilder(attributes, attributeTemplate = defaultAttributeTemplate, attributeStatementTemplate = defaultAttributeStatementTemplate) {
-            const attr = attributes.map(({ name, nameFormat, valueTag, valueXsiType, type, valueXmlnsXs, valueXmlnsXsi }) => {
-                const defaultValueXmlnsXs = 'http://www.w3.org/2001/XMLSchema';
-                const defaultValueXmlnsXsi = 'http://www.w3.org/2001/XMLSchema-instance';
-                let attributeLine = attributeTemplate.context;
-                if (attributeLine && typeof attributeLine === 'function') {
-                    // 安全调用
-                    // @ts-ignore
-                    return attributeLine({ name, nameFormat, valueTag, valueXsiType, type, valueXmlnsXs: valueXmlnsXs ?? defaultValueXmlnsXs, valueXmlnsXsi: valueXmlnsXsi ?? defaultValueXmlnsXsi });
-                }
-                else {
-                    attributeLine = attributeLine.replace('{Name}', name);
-                    attributeLine = attributeLine.replace('{NameFormat}', nameFormat);
-                    attributeLine = attributeLine.replace('{ValueXmlnsXs}', valueXmlnsXs ? valueXmlnsXs : defaultValueXmlnsXs);
-                    attributeLine = attributeLine.replace('{ValueXmlnsXsi}', valueXmlnsXsi ? valueXmlnsXsi : defaultValueXmlnsXsi);
-                    attributeLine = attributeLine.replace('{ValueXsiType}', valueXsiType);
-                    attributeLine = attributeLine.replace('{Value}', `{${tagging('attr', valueTag)}}`);
-                    return attributeLine;
-                }
-            }).join('');
-            return attributeStatementTemplate.context.replace('{Attributes}', attr);
-        },
-        /**
-        * @desc Construct the XML signature for POST binding
-        * @param  {string} rawSamlMessage      request/response xml string
-        * @param  {string} referenceTagXPath    reference uri
-        * @param  {string} privateKey           declares the private key
-        * @param  {string} passphrase           passphrase of the private key [optional]
-        * @param  {string|buffer} signingCert   signing certificate
-        * @param  {string} signatureAlgorithm   signature algorithm
-        * @param  {string[]} transformationAlgorithms   canonicalization and transformation Algorithms
-        * @return {string} base64 encoded string
-        */
-        constructSAMLSignature(opts) {
-            const { rawSamlMessage, referenceTagXPath, privateKey, privateKeyPass, signatureAlgorithm = signatureAlgorithms.RSA_SHA512, transformationAlgorithms = [
-                'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
-                'http://www.w3.org/2001/10/xml-exc-c14n#',
-            ], signingCert, signatureConfig, isBase64Output = true, isMessageSigned = false, } = opts;
-            const sig = new xml_crypto_1.SignedXml();
-            // Add assertion sections as reference
-            const digestAlgorithm = getDigestMethod(signatureAlgorithm);
-            if (referenceTagXPath) {
-                sig.addReference({
-                    xpath: referenceTagXPath,
-                    transforms: transformationAlgorithms,
-                    digestAlgorithm: digestAlgorithm
-                });
-            }
-            if (isMessageSigned) {
-                sig.addReference({
-                    // reference to the root node
-                    xpath: '/*',
-                    transforms: transformationAlgorithms,
-                    digestAlgorithm
-                });
-            }
-            sig.signatureAlgorithm = signatureAlgorithm;
-            sig.publicCert = this.getKeyInfo(signingCert, signatureConfig).getKey();
-            sig.getKeyInfoContent = this.getKeyInfo(signingCert, signatureConfig).getKeyInfo;
-            sig.privateKey = utility_js_1.default.readPrivateKey(privateKey, privateKeyPass, true);
-            sig.canonicalizationAlgorithm = 'http://www.w3.org/2001/10/xml-exc-c14n#';
-            if (signatureConfig) {
-                sig.computeSignature(rawSamlMessage, signatureConfig);
-            }
-            else {
-                sig.computeSignature(rawSamlMessage);
-            }
-            return isBase64Output !== false ? utility_js_1.default.base64Encode(sig.getSignedXml()) : sig.getSignedXml();
-        },
-        /**
-        * @desc Verify the XML signature
-        * @param  {string} xml xml
-        * @param  {SignatureVerifierOptions} opts cert declares the X509 certificate
-         * @return {[boolean, string | null]} - A tuple where:
-         *   - The first element is `true` if the signature is valid, `false` otherwise.
-         *   - The second element is the cryptographically authenticated assertion node as a string, or `null` if not found.
-         */
-        verifySignature(xml, opts) {
-            const { dom } = (0, api_js_1.getContext)();
-            const doc = dom.parseFromString(xml);
-            const docParser = new xmldom_1.DOMParser();
-            // In order to avoid the wrapping attack, we have changed to use absolute xpath instead of naively fetching the signature element
-            // message signature (logout response / saml response)
-            const messageSignatureXpath = "/*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/*[local-name(.)='Signature']";
-            // assertion signature (logout response / saml response)
-            const assertionSignatureXpath = "/*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/*[local-name(.)='Assertion']/*[local-name(.)='Signature']";
-            // check if there is a potential malicious wrapping signature
-            const wrappingElementsXPath = "/*[contains(local-name(), 'Response')]/*[local-name(.)='Assertion']/*[local-name(.)='Subject']/*[local-name(.)='SubjectConfirmation']/*[local-name(.)='SubjectConfirmationData']//*[local-name(.)='Assertion' or local-name(.)='Signature']";
-            // select the signature node
-            let selection = [];
-            const messageSignatureNode = (0, xpath_1.select)(messageSignatureXpath, doc);
-            const assertionSignatureNode = (0, xpath_1.select)(assertionSignatureXpath, doc);
-            const wrappingElementNode = (0, xpath_1.select)(wrappingElementsXPath, doc);
-            selection = selection.concat(messageSignatureNode);
-            selection = selection.concat(assertionSignatureNode);
-            // try to catch potential wrapping attack
-            if (wrappingElementNode.length !== 0) {
-                throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
-            }
-            // guarantee to have a signature in saml response
-            if (selection.length === 0) {
-                throw new Error('ERR_ZERO_SIGNATURE');
-            }
-            // need to refactor later on
-            for (const signatureNode of selection) {
-                const sig = new xml_crypto_1.SignedXml();
-                let verified = false;
-                sig.signatureAlgorithm = opts.signatureAlgorithm;
-                if (!opts.keyFile && !opts.metadata) {
-                    throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
-                }
-                if (opts.keyFile) {
-                    sig.publicCert = fs.readFileSync(opts.keyFile);
-                }
-                if (opts.metadata) {
-                    const certificateNode = (0, xpath_1.select)(".//*[local-name(.)='X509Certificate']", signatureNode);
-                    // certificate in metadata
-                    let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
-                    // flattens the nested array of Certificates from each KeyDescriptor
-                    if (Array.isArray(metadataCert)) {
-                        metadataCert = (0, utility_js_1.flattenDeep)(metadataCert);
-                    }
-                    else if (typeof metadataCert === 'string') {
-                        metadataCert = [metadataCert];
-                    }
-                    // normalise the certificate string
-                    metadataCert = metadataCert.map(utility_js_1.default.normalizeCerString);
-                    // no certificate in node  response nor metadata
-                    if (certificateNode.length === 0 && metadataCert.length === 0) {
-                        throw new Error('NO_SELECTED_CERTIFICATE');
-                    }
-                    // certificate node in response
-                    if (certificateNode.length !== 0) {
-                        const x509CertificateData = certificateNode[0].firstChild.data;
-                        const x509Certificate = utility_js_1.default.normalizeCerString(x509CertificateData);
-                        if (metadataCert.length >= 1 &&
-                            !metadataCert.find(cert => cert.trim() === x509Certificate.trim())) {
-                            // keep this restriction for rolling certificate usage
-                            // to make sure the response certificate is one of those specified in metadata
-                            throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
-                        }
-                        sig.publicCert = this.getKeyInfo(x509Certificate).getKey();
-                    }
-                    else {
-                        // Select first one from metadata
-                        sig.publicCert = this.getKeyInfo(metadataCert[0]).getKey();
-                    }
-                }
-                sig.loadSignature(signatureNode);
-                doc.removeChild(signatureNode);
-                verified = sig.checkSignature(doc.toString());
-                // immediately throw error when any one of the signature is failed to get verified
-                if (!verified) {
-                    throw new Error('ERR_FAILED_TO_VERIFY_SIGNATURE');
-                }
-                // attempt is made to get the signed Reference as a string();
-                // note, we don't have access to the actual signedReferences API unfortunately
-                // mainly a sanity check here for SAML. (Although ours would still be secure, if multiple references are used)
-                if (!(sig.getReferences().length >= 1)) {
-                    throw new Error('NO_SIGNATURE_REFERENCES');
-                }
-                const signedVerifiedXML = sig.getSignedReferences()[0];
-                const rootNode = docParser.parseFromString(signedVerifiedXML, 'text/xml').documentElement;
-                // process the verified signature:
-                // case 1, rootSignedDoc is a response:
-                if (rootNode.localName === 'Response') {
-                    // try getting the Xml from the first assertion
-                    const EncryptedAssertions = (0, xpath_1.select)("./*[local-name()='EncryptedAssertion']", rootNode);
-                    const assertions = (0, xpath_1.select)("./*[local-name()='Assertion']", rootNode);
-                    // now we can process the assertion as an assertion
-                    if (EncryptedAssertions.length === 1) {
-                        return [true, EncryptedAssertions[0].toString()];
-                    }
-                    if (assertions.length === 1) {
-                        return [true, assertions[0].toString()];
-                    }
-                }
-                else if (rootNode.localName === 'Assertion') {
-                    return [true, rootNode.toString()];
-                }
-                else {
-                    return [true, null]; // signature is valid. But there is no assertion node here. It could be metadata node, hence return null
-                }
-            }
-            ;
-            // something has gone seriously wrong if we are still here
-            throw new Error('ERR_ZERO_SIGNATURE');
-            // response must be signed, either entire document or assertion
-            // default we will take the assertion section under root
-            /*      if (messageSignatureNode.length === 1) {
-                    const node = select("/!*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/!*[local-name(.)='Assertion']", doc);
-                    if (node.length === 1) {
-                      assertionNode = node[0].toString();
-                    }
-                  }
-            
-                  if (assertionSignatureNode.length === 1) {
-                    const verifiedAssertionInfo = extract(assertionSignatureNode[0].toString(), [{
-                      key: 'refURI',
-                      localPath: ['Signature', 'SignedInfo', 'Reference'],
-                      attributes: ['URI']
-                    }]);
-                    // get the assertion supposed to be the one should be verified
-                    const desiredAssertionInfo = extract(doc.toString(), [{
-                      key: 'id',
-                      localPath: ['~Response', 'Assertion'],
-                      attributes: ['ID']
-                    }]);
-                    // 5.4.2 References
-                    // SAML assertions and protocol messages MUST supply a value for the ID attribute on the root element of
-                    // the assertion or protocol message being signed. The assertion’s or protocol message's root element may
-                    // or may not be the root element of the actual XML document containing the signed assertion or protocol
-                    // message (e.g., it might be contained within a SOAP envelope).
-                    // Signatures MUST contain a single <ds:Reference> containing a same-document reference to the ID
-                    // attribute value of the root element of the assertion or protocol message being signed. For example, if the
-                    // ID attribute value is "foo", then the URI attribute in the <ds:Reference> element MUST be "#foo".
-                    if (verifiedAssertionInfo.refURI !== `#${desiredAssertionInfo.id}`) {
-                      throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
-                    }
-                    const verifiedDoc = extract(doc.toString(), [{
-                      key: 'assertion',
-                      localPath: ['~Response', 'Assertion'],
-                      attributes: [],
-                      context: true
-                    }]);
-                    assertionNode = verifiedDoc.assertion.toString();
-                  }
-            
-                  return [verified, assertionNode];*/
-        },
-        /**
-        * @desc Helper function to create the key section in metadata (abstraction for signing and encrypt use)
-        * @param  {string} use          type of certificate (e.g. signing, encrypt)
-        * @param  {string} certString    declares the certificate String
-        * @return {object} object used in xml module
-        */
-        createKeySection(use, certString) {
-            return {
-                ['KeyDescriptor']: [
-                    {
-                        _attr: { use },
-                    },
-                    {
-                        ['ds:KeyInfo']: [
-                            {
-                                _attr: {
-                                    'xmlns:ds': 'http://www.w3.org/2000/09/xmldsig#',
-                                },
-                            },
-                            {
-                                ['ds:X509Data']: [{
-                                        'ds:X509Certificate': utility_js_1.default.normalizeCerString(certString),
-                                    }],
-                            },
-                        ],
-                    }
-                ],
-            };
-        },
-        /**
-        * @desc Constructs SAML message
-        * @param  {string} octetString               see "Bindings for the OASIS Security Assertion Markup Language (SAML V2.0)" P.17/46
-        * @param  {string} key                       declares the pem-formatted private key
-        * @param  {string} passphrase                passphrase of private key [optional]
-        * @param  {string} signingAlgorithm          signing algorithm
-        * @return {string} message signature
-        */
-        constructMessageSignature(octetString, key, passphrase, isBase64, signingAlgorithm) {
-            // Default returning base64 encoded signature
-            // Embed with node-rsa module
-            const decryptedKey = new node_rsa_1.default(utility_js_1.default.readPrivateKey(key, passphrase), undefined, {
-                signingScheme: getSigningScheme(signingAlgorithm),
-            });
-            const signature = decryptedKey.sign(octetString);
-            // Use private key to sign data
-            return isBase64 !== false ? signature.toString('base64') : signature;
-        },
-        /**
-        * @desc Verifies message signature
-        * @param  {Metadata} metadata                 metadata object of identity provider or service provider
-        * @param  {string} octetString                see "Bindings for the OASIS Security Assertion Markup Language (SAML V2.0)" P.17/46
-        * @param  {string} signature                  context of XML signature
-        * @param  {string} verifyAlgorithm            algorithm used to verify
-        * @return {boolean} verification result
-        */
-        verifyMessageSignature(metadata, octetString, signature, verifyAlgorithm) {
-            const signCert = metadata.getX509Certificate(certUse.signing);
-            const signingScheme = getSigningScheme(verifyAlgorithm);
-            const key = new node_rsa_1.default(utility_js_1.default.getPublicKeyPemFromCertificate(signCert), 'public', { signingScheme });
-            return key.verify(Buffer.from(octetString), Buffer.from(signature));
-        },
-        /**
-        * @desc Get the public key in string format
-        * @param  {string} x509Certificate certificate
-        * @return {string} public key
-        */
-        getKeyInfo(x509Certificate, signatureConfig = {}) {
-            const prefix = signatureConfig.prefix ? `${signatureConfig.prefix}:` : '';
-            return {
-                getKeyInfo: () => {
-                    return `<${prefix}X509Data><${prefix}X509Certificate>${x509Certificate}</${prefix}X509Certificate></${prefix}X509Data>`;
-                },
-                getKey: () => {
-                    return utility_js_1.default.getPublicKeyPemFromCertificate(x509Certificate).toString();
-                },
-            };
-        },
-        /**
-        * @desc Encrypt the assertion section in Response
-        * @param  {Entity} sourceEntity             source entity
-        * @param  {Entity} targetEntity             target entity
-        * @param  {string} xml                      response in xml string format
-        * @return {Promise} a promise to resolve the finalized xml
-        */
-        encryptAssertion(sourceEntity, targetEntity, xml) {
-            // Implement encryption after signature if it has
-            return new Promise((resolve, reject) => {
-                if (!xml) {
-                    return reject(new Error('ERR_UNDEFINED_ASSERTION'));
-                }
-                const sourceEntitySetting = sourceEntity.entitySetting;
-                const targetEntityMetadata = targetEntity.entityMeta;
-                const { dom } = (0, api_js_1.getContext)();
-                const doc = dom.parseFromString(xml);
-                const assertions = (0, xpath_1.select)("//*[local-name(.)='Assertion']", doc);
-                if (!Array.isArray(assertions) || assertions.length === 0) {
-                    throw new Error('ERR_NO_ASSERTION');
-                }
-                if (assertions.length > 1) {
-                    throw new Error('ERR_MULTIPLE_ASSERTION');
-                }
-                const rawAssertionNode = assertions[0];
-                // Perform encryption depends on the setting, default is false
-                if (sourceEntitySetting.isAssertionEncrypted) {
-                    const publicKeyPem = utility_js_1.default.getPublicKeyPemFromCertificate(targetEntityMetadata.getX509Certificate(certUse.encrypt));
-                    xmlenc.encrypt(rawAssertionNode.toString(), {
-                        // use xml-encryption module
-                        rsa_pub: Buffer.from(publicKeyPem), // public key from certificate
-                        pem: Buffer.from(`-----BEGIN CERTIFICATE-----${targetEntityMetadata.getX509Certificate(certUse.encrypt)}-----END CERTIFICATE-----`),
-                        encryptionAlgorithm: sourceEntitySetting.dataEncryptionAlgorithm,
-                        keyEncryptionAlgorithm: sourceEntitySetting.keyEncryptionAlgorithm,
-                        keyEncryptionDigest: 'SHA-512',
-                        disallowEncryptionWithInsecureAlgorithm: true,
-                        warnInsecureAlgorithm: true
-                    }, (err, res) => {
-                        if (err) {
-                            console.error(err);
-                            return reject(new Error('ERR_EXCEPTION_OF_ASSERTION_ENCRYPTION'));
-                        }
-                        if (!res) {
-                            return reject(new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION'));
-                        }
-                        const { encryptedAssertion: encAssertionPrefix } = sourceEntitySetting.tagPrefix;
-                        const encryptAssertionDoc = dom.parseFromString(`<${encAssertionPrefix}:EncryptedAssertion xmlns:${encAssertionPrefix}="${urn_js_1.namespace.names.assertion}">${res}</${encAssertionPrefix}:EncryptedAssertion>`);
-                        doc.documentElement.replaceChild(encryptAssertionDoc.documentElement, rawAssertionNode);
-                        return resolve(utility_js_1.default.base64Encode(doc.toString()));
-                    });
-                }
-                else {
-                    return resolve(utility_js_1.default.base64Encode(xml)); // No need to do encryption
-                }
-            });
-        },
-        /**
-        * @desc Decrypt the assertion section in Response
-        * @param  {string} type             only accept SAMLResponse to proceed decryption
-        * @param  {Entity} here             this entity
-        * @param  {Entity} from             from the entity where the message is sent
-        * @param {string} entireXML         response in xml string format
-        * @return {function} a promise to get back the entire xml with decrypted assertion
-        */
-        decryptAssertion(here, entireXML) {
-            return new Promise((resolve, reject) => {
-                // Implement decryption first then check the signature
-                if (!entireXML) {
-                    return reject(new Error('ERR_UNDEFINED_ASSERTION'));
-                }
-                // Perform encryption depends on the setting of where the message is sent, default is false
-                const hereSetting = here.entitySetting;
-                const { dom } = (0, api_js_1.getContext)();
-                const doc = dom.parseFromString(entireXML);
-                const encryptedAssertions = (0, xpath_1.select)("/*[contains(local-name(), 'Response')]/*[local-name(.)='EncryptedAssertion']", doc);
-                if (!Array.isArray(encryptedAssertions) || encryptedAssertions.length === 0) {
-                    throw new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION');
-                }
-                if (encryptedAssertions.length > 1) {
-                    throw new Error('ERR_MULTIPLE_ASSERTION');
-                }
-                const encAssertionNode = encryptedAssertions[0];
-                return xmlenc.decrypt(encAssertionNode.toString(), {
-                    key: utility_js_1.default.readPrivateKey(hereSetting.encPrivateKey, hereSetting.encPrivateKeyPass),
-                }, (err, res) => {
-                    if (err) {
-                        console.error(err);
-                        return reject(new Error('ERR_EXCEPTION_OF_ASSERTION_DECRYPTION'));
-                    }
-                    if (!res) {
-                        return reject(new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION'));
-                    }
-                    const rawAssertionDoc = dom.parseFromString(res);
-                    doc.documentElement.replaceChild(rawAssertionDoc.documentElement, encAssertionNode);
-                    return resolve([doc.toString(), res]);
-                });
-            });
-        },
-        /**
-         * @desc Check if the xml string is valid and bounded
-         */
-        async isValidXml(input) {
-            // check if global api contains the validate function
-            const { validate } = (0, api_js_1.getContext)();
-            /**
-             * user can write a validate function that always returns
-             * a resolved promise and skip the validator even in
-             * production, user will take the responsibility if
-             * they intend to skip the validation
-             */
-            if (!validate) {
-                // otherwise, an error will be thrown
-                return Promise.reject('Your application is potentially vulnerable because no validation function found. Please read the documentation on how to setup the validator. (https://github.com/tngan/samlify#installation)');
-            }
-            try {
-                return await validate(input);
-            }
-            catch (e) {
-                throw e;
-            }
-        },
-    };
-};
-exports.default = libSaml();
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+* @file SamlLib.js
+* @author tngan
+* @desc  A simple library including some common functions
+*/
+const node_crypto_1 = require("node:crypto");
+const utility_js_1 = __importStar(require("./utility.js"));
+const urn_js_1 = require("./urn.js");
+const xpath_1 = require("xpath");
+const xml_crypto_1 = require("xml-crypto");
+const xmlenc = __importStar(require("xml-encryption"));
+const camelcase_1 = __importDefault(require("camelcase"));
+const api_js_1 = require("./api.js");
+const xml_escape_1 = __importDefault(require("xml-escape"));
+const fs = __importStar(require("fs"));
+const xmldom_1 = require("@xmldom/xmldom");
+const signatureAlgorithms = urn_js_1.algorithms.signature;
+const digestAlgorithms = urn_js_1.algorithms.digest;
+const certUse = urn_js_1.wording.certUse;
+const urlParams = urn_js_1.wording.urlParams;
+/**
+ * 算法名称映射表 (兼容 X.509 和 SAML 规范)
+ */
+function mapSignAlgorithm(algorithm) {
+    const algorithmMap = {
+        'rsa-sha1': 'RSA-SHA1',
+        'rsa-sha256': 'RSA-SHA256',
+        'rsa-sha384': 'RSA-SHA384',
+        'rsa-sha512': 'RSA-SHA512',
+        'ecdsa-sha256': 'ECDSA-SHA256',
+        'ecdsa-sha384': 'ECDSA-SHA384',
+        'ecdsa-sha512': 'ECDSA-SHA512'
+    };
+    return algorithmMap[algorithm.toLowerCase()] || algorithm;
+}
+const libSaml = () => {
+    /**
+    * @desc helper function to get back the query param for redirect binding for SLO/SSO
+    * @type {string}
+    */
+    function getQueryParamByType(type) {
+        if ([urlParams.logoutRequest, urlParams.samlRequest].indexOf(type) !== -1) {
+            return 'SAMLRequest';
+        }
+        if ([urlParams.logoutResponse, urlParams.samlResponse].indexOf(type) !== -1) {
+            return 'SAMLResponse';
+        }
+        throw new Error('ERR_UNDEFINED_QUERY_PARAMS');
+    }
+    /**
+     *
+     */
+    const nrsaAliasMapping = {
+        'http://www.w3.org/2000/09/xmldsig#rsa-sha1': 'pkcs1-sha1',
+        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': 'pkcs1-sha256',
+        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': 'pkcs1-sha512',
+    };
+    const nrsaAliasMappingForNode = {
+        'http://www.w3.org/2000/09/xmldsig#rsa-sha1': 'RSA-SHA1',
+        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': 'RSA-SHA256',
+        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': 'RSA-SHA512',
+    };
+    /**
+    * @desc Default login request template
+    * @type {LoginRequestTemplate}
+    */
+    const defaultLoginRequestTemplate = {
+        context: '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="{AssertionConsumerServiceURL}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:NameIDPolicy Format="{NameIDFormat}" AllowCreate="{AllowCreate}"/></samlp:AuthnRequest>',
+    };
+    /**
+    * @desc Default logout request template
+    * @type {LogoutRequestTemplate}
+    */
+    const defaultLogoutRequestTemplate = {
+        context: '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}"><saml:Issuer>{Issuer}</saml:Issuer><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID></samlp:LogoutRequest>',
+    };
+    /**
+    * @desc Default AttributeStatement template
+    * @type {AttributeStatementTemplate}
+    */
+    const defaultAttributeStatementTemplate = {
+        context: '<saml:AttributeStatement>{Attributes}</saml:AttributeStatement>',
+    };
+    /**
+    * @desc Default Attribute template
+    * @type {AttributeTemplate}
+    */
+    const defaultAttributeTemplate = {
+        context: '<saml:Attribute Name="{Name}" NameFormat="{NameFormat}"><saml:AttributeValue xmlns:xs="{ValueXmlnsXs}" xmlns:xsi="{ValueXmlnsXsi}" xsi:type="{ValueXsiType}">{Value}</saml:AttributeValue></saml:Attribute>',
+    };
+    /**
+    * @desc Default login response template
+    * @type {LoginResponseTemplate}
+    */
+    const defaultLoginResponseTemplate = {
+        context: '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}"><saml:Issuer>{Issuer}</saml:Issuer><saml:Subject><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}"><saml:AudienceRestriction><saml:Audience>{Audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>{AuthnStatement}{AttributeStatement}</saml:Assertion></samlp:Response>',
+        attributes: [],
+        additionalTemplates: {
+            'attributeStatementTemplate': defaultAttributeStatementTemplate,
+            'attributeTemplate': defaultAttributeTemplate
+        }
+    };
+    /**
+    * @desc Default logout response template
+    * @type {LogoutResponseTemplate}
+    */
+    const defaultLogoutResponseTemplate = {
+        context: '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status></samlp:LogoutResponse>',
+    };
+    function getSigningSchemeForNode(sigAlg) {
+        if (sigAlg) {
+            const algAlias = nrsaAliasMappingForNode[sigAlg];
+            if (!(algAlias === undefined)) {
+                return algAlias;
+            }
+        }
+        return nrsaAliasMappingForNode[signatureAlgorithms.RSA_SHA1];
+    }
+    /**
+    * @private
+    * @desc Get the digest algorithms by signature algorithms
+    * @param {string} sigAlg    signature algorithm
+    * @return {string/undefined} digest algorithm
+    */
+    function getDigestMethod(sigAlg) {
+        return digestAlgorithms[sigAlg];
+    }
+    /**
+    * @public
+    * @desc Create XPath
+    * @param  {string/object} local     parameters to create XPath
+    * @param  {boolean} isExtractAll    define whether returns whole content according to the XPath
+    * @return {string} xpath
+    */
+    function createXPath(local, isExtractAll) {
+        if ((0, utility_js_1.isString)(local)) {
+            return isExtractAll === true ? "//*[local-name(.)='" + local + "']/text()" : "//*[local-name(.)='" + local + "']";
+        }
+        return "//*[local-name(.)='" + local.name + "']/@" + local.attr;
+    }
+    /**
+     * @private
+     * @desc Tag normalization
+     * @param {string} prefix     prefix of the tag
+     * @param {content} content   normalize it to capitalized camel case
+     * @return {string}
+     */
+    function tagging(prefix, content) {
+        const camelContent = (0, camelcase_1.default)(content, { locale: 'en-us' });
+        return prefix + camelContent.charAt(0).toUpperCase() + camelContent.slice(1);
+    }
+    function escapeTag(replacement) {
+        return (_match, quote) => {
+            const text = (replacement === null || replacement === undefined) ? '' : String(replacement);
+            // not having a quote means this interpolation isn't for an attribute, and so does not need escaping
+            return quote ? `${quote}${(0, xml_escape_1.default)(text)}` : text;
+        };
+    }
+    return {
+        createXPath,
+        getQueryParamByType,
+        defaultLoginRequestTemplate,
+        defaultLoginResponseTemplate,
+        defaultAttributeStatementTemplate,
+        defaultAttributeTemplate,
+        defaultLogoutRequestTemplate,
+        defaultLogoutResponseTemplate,
+        /**
+        * @desc Replace the tag (e.g. {tag}) inside the raw XML
+        * @param  {string} rawXML      raw XML string used to do keyword replacement
+        * @param  {array} tagValues    tag values
+        * @return {string}
+        */
+        replaceTagsByValue(rawXML, tagValues) {
+            Object.keys(tagValues).forEach(t => {
+                rawXML = rawXML.replace(new RegExp(`("?)\\{${t}\\}`, 'g'), escapeTag(tagValues[t]));
+            });
+            return rawXML;
+        },
+        /**
+        * @desc Helper function to build the AttributeStatement tag
+        * @param  {LoginResponseAttribute} attributes    an array of attribute configuration
+        * @param  {AttributeTemplate} attributeTemplate    the attribute tag template to be used
+        * @param  {AttributeStatementTemplate} attributeStatementTemplate    the attributeStatement tag template to be used
+        * @return {string}
+        */
+        attributeStatementBuilder(attributes, attributeTemplate = defaultAttributeTemplate, attributeStatementTemplate = defaultAttributeStatementTemplate) {
+            const attr = attributes.map(({ name, nameFormat, valueTag, valueXsiType, type, valueXmlnsXs, valueXmlnsXsi }) => {
+                const defaultValueXmlnsXs = 'http://www.w3.org/2001/XMLSchema';
+                const defaultValueXmlnsXsi = 'http://www.w3.org/2001/XMLSchema-instance';
+                let attributeLine = attributeTemplate.context;
+                if (attributeLine && typeof attributeLine === 'function') {
+                    // 安全调用
+                    // @ts-ignore
+                    return attributeLine({ name, nameFormat, valueTag, valueXsiType, type, valueXmlnsXs: valueXmlnsXs ?? defaultValueXmlnsXs, valueXmlnsXsi: valueXmlnsXsi ?? defaultValueXmlnsXsi });
+                }
+                else {
+                    attributeLine = attributeLine.replace('{Name}', name);
+                    attributeLine = attributeLine.replace('{NameFormat}', nameFormat);
+                    attributeLine = attributeLine.replace('{ValueXmlnsXs}', valueXmlnsXs ? valueXmlnsXs : defaultValueXmlnsXs);
+                    attributeLine = attributeLine.replace('{ValueXmlnsXsi}', valueXmlnsXsi ? valueXmlnsXsi : defaultValueXmlnsXsi);
+                    attributeLine = attributeLine.replace('{ValueXsiType}', valueXsiType);
+                    attributeLine = attributeLine.replace('{Value}', `{${tagging('attr', valueTag)}}`);
+                    return attributeLine;
+                }
+            }).join('');
+            return attributeStatementTemplate.context.replace('{Attributes}', attr);
+        },
+        /**
+        * @desc Construct the XML signature for POST binding
+        * @param  {string} rawSamlMessage      request/response xml string
+        * @param  {string} referenceTagXPath    reference uri
+        * @param  {string} privateKey           declares the private key
+        * @param  {string} passphrase           passphrase of the private key [optional]
+        * @param  {string|buffer} signingCert   signing certificate
+        * @param  {string} signatureAlgorithm   signature algorithm
+        * @param  {string[]} transformationAlgorithms   canonicalization and transformation Algorithms
+        * @return {string} base64 encoded string
+        */
+        constructSAMLSignature(opts) {
+            const { rawSamlMessage, referenceTagXPath, privateKey, privateKeyPass, signatureAlgorithm = signatureAlgorithms.RSA_SHA512, transformationAlgorithms = [
+                'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
+                'http://www.w3.org/2001/10/xml-exc-c14n#',
+            ], signingCert, signatureConfig, isBase64Output = true, isMessageSigned = false, } = opts;
+            const sig = new xml_crypto_1.SignedXml();
+            // Add assertion sections as reference
+            const digestAlgorithm = getDigestMethod(signatureAlgorithm);
+            if (referenceTagXPath) {
+                sig.addReference({
+                    xpath: referenceTagXPath,
+                    transforms: transformationAlgorithms,
+                    digestAlgorithm: digestAlgorithm
+                });
+            }
+            if (isMessageSigned) {
+                sig.addReference({
+                    // reference to the root node
+                    xpath: '/*',
+                    transforms: transformationAlgorithms,
+                    digestAlgorithm
+                });
+            }
+            sig.signatureAlgorithm = signatureAlgorithm;
+            sig.publicCert = this.getKeyInfo(signingCert, signatureConfig).getKey();
+            sig.getKeyInfoContent = this.getKeyInfo(signingCert, signatureConfig).getKeyInfo;
+            sig.privateKey = utility_js_1.default.readPrivateKey(privateKey, privateKeyPass, true);
+            sig.canonicalizationAlgorithm = 'http://www.w3.org/2001/10/xml-exc-c14n#';
+            if (signatureConfig) {
+                sig.computeSignature(rawSamlMessage, signatureConfig);
+            }
+            else {
+                sig.computeSignature(rawSamlMessage);
+            }
+            return isBase64Output !== false ? utility_js_1.default.base64Encode(sig.getSignedXml()) : sig.getSignedXml();
+        },
+        /**
+        * @desc Verify the XML signature
+        * @param  {string} xml xml
+        * @param  {SignatureVerifierOptions} opts cert declares the X509 certificate
+         * @return {[boolean, string | null]} - A tuple where:
+         *   - The first element is `true` if the signature is valid, `false` otherwise.
+         *   - The second element is the cryptographically authenticated assertion node as a string, or `null` if not found.
+         */
+        verifySignature(xml, opts) {
+            const { dom } = (0, api_js_1.getContext)();
+            const doc = dom.parseFromString(xml, 'application/xml');
+            const docParser = new xmldom_1.DOMParser();
+            // In order to avoid the wrapping attack, we have changed to use absolute xpath instead of naively fetching the signature element
+            // message signature (logout response / saml response)
+            const messageSignatureXpath = "/*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/*[local-name(.)='Signature']";
+            // assertion signature (logout response / saml response)
+            const assertionSignatureXpath = "/*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/*[local-name(.)='Assertion']/*[local-name(.)='Signature']";
+            // check if there is a potential malicious wrapping signature
+            const wrappingElementsXPath = "/*[contains(local-name(), 'Response')]/*[local-name(.)='Assertion']/*[local-name(.)='Subject']/*[local-name(.)='SubjectConfirmation']/*[local-name(.)='SubjectConfirmationData']//*[local-name(.)='Assertion' or local-name(.)='Signature']";
+            // select the signature node
+            let selection = [];
+            const messageSignatureNode = (0, xpath_1.select)(messageSignatureXpath, doc);
+            const assertionSignatureNode = (0, xpath_1.select)(assertionSignatureXpath, doc);
+            const wrappingElementNode = (0, xpath_1.select)(wrappingElementsXPath, doc);
+            selection = selection.concat(messageSignatureNode);
+            selection = selection.concat(assertionSignatureNode);
+            // try to catch potential wrapping attack
+            // @ts-expect-error misssing Node properties are not needed
+            if (wrappingElementNode.length !== 0) {
+                throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
+            }
+            // guarantee to have a signature in saml response
+            if (selection.length === 0) {
+                throw new Error('ERR_ZERO_SIGNATURE');
+            }
+            // need to refactor later on
+            for (const signatureNode of selection) {
+                const sig = new xml_crypto_1.SignedXml();
+                let verified = false;
+                sig.signatureAlgorithm = opts.signatureAlgorithm;
+                if (!opts.keyFile && !opts.metadata) {
+                    throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
+                }
+                if (opts.keyFile) {
+                    sig.publicCert = fs.readFileSync(opts.keyFile);
+                }
+                if (opts.metadata) {
+                    const certificateNode = (0, xpath_1.select)(".//*[local-name(.)='X509Certificate']", signatureNode);
+                    // certificate in metadata
+                    let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
+                    // flattens the nested array of Certificates from each KeyDescriptor
+                    if (Array.isArray(metadataCert)) {
+                        metadataCert = (0, utility_js_1.flattenDeep)(metadataCert);
+                    }
+                    else if (typeof metadataCert === 'string') {
+                        metadataCert = [metadataCert];
+                    }
+                    // normalise the certificate string
+                    metadataCert = metadataCert.map(utility_js_1.default.normalizeCerString);
+                    // no certificate in node  response nor metadata
+                    if (certificateNode.length === 0 && metadataCert.length === 0) {
+                        throw new Error('NO_SELECTED_CERTIFICATE');
+                    }
+                    // certificate node in response
+                    if (certificateNode.length !== 0) {
+                        const x509CertificateData = certificateNode[0].firstChild.data;
+                        const x509Certificate = utility_js_1.default.normalizeCerString(x509CertificateData);
+                        if (metadataCert.length >= 1 &&
+                            !metadataCert.find(cert => cert.trim() === x509Certificate.trim())) {
+                            // keep this restriction for rolling certificate usage
+                            // to make sure the response certificate is one of those specified in metadata
+                            throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
+                        }
+                        sig.publicCert = this.getKeyInfo(x509Certificate).getKey();
+                    }
+                    else {
+                        // Select first one from metadata
+                        sig.publicCert = this.getKeyInfo(metadataCert[0]).getKey();
+                    }
+                }
+                sig.loadSignature(signatureNode);
+                doc.removeChild(signatureNode);
+                verified = sig.checkSignature(doc.toString());
+                // immediately throw error when any one of the signature is failed to get verified
+                if (!verified) {
+                    throw new Error('ERR_FAILED_TO_VERIFY_SIGNATURE');
+                }
+                // attempt is made to get the signed Reference as a string();
+                // note, we don't have access to the actual signedReferences API unfortunately
+                // mainly a sanity check here for SAML. (Although ours would still be secure, if multiple references are used)
+                if (!(sig.getSignedReferences().length >= 1)) {
+                    throw new Error('NO_SIGNATURE_REFERENCES');
+                }
+                const signedVerifiedXML = sig.getSignedReferences()[0];
+                const rootNode = docParser.parseFromString(signedVerifiedXML, 'text/xml').documentElement;
+                // process the verified signature:
+                // case 1, rootSignedDoc is a response:
+                if (rootNode?.localName === 'Response') {
+                    // try getting the Xml from the first assertion
+                    const EncryptedAssertions = (0, xpath_1.select)("./*[local-name()='EncryptedAssertion']", rootNode);
+                    const assertions = (0, xpath_1.select)("./*[local-name()='Assertion']", rootNode);
+                    // now we can process the assertion as an assertion
+                    // @ts-expect-error misssing Node properties are not needed
+                    if (EncryptedAssertions.length === 1) {
+                        // @ts-expect-error misssing Node properties are not needed
+                        return [true, EncryptedAssertions[0].toString()];
+                    }
+                    // @ts-expect-error misssing Node properties are not needed
+                    if (assertions.length === 1) {
+                        // @ts-expect-error misssing Node properties are not needed
+                        return [true, assertions[0].toString()];
+                    }
+                }
+                else if (rootNode?.localName === 'Assertion') {
+                    return [true, rootNode.toString()];
+                }
+                else {
+                    return [true, null]; // signature is valid. But there is no assertion node here. It could be metadata node, hence return null
+                }
+            }
+            ;
+            // something has gone seriously wrong if we are still here
+            throw new Error('ERR_ZERO_SIGNATURE');
+            // response must be signed, either entire document or assertion
+            // default we will take the assertion section under root
+            /*      if (messageSignatureNode.length === 1) {
+                    const node = select("/!*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/!*[local-name(.)='Assertion']", doc);
+                    if (node.length === 1) {
+                      assertionNode = node[0].toString();
+                    }
+                  }
+            
+                  if (assertionSignatureNode.length === 1) {
+                    const verifiedAssertionInfo = extract(assertionSignatureNode[0].toString(), [{
+                      key: 'refURI',
+                      localPath: ['Signature', 'SignedInfo', 'Reference'],
+                      attributes: ['URI']
+                    }]);
+                    // get the assertion supposed to be the one should be verified
+                    const desiredAssertionInfo = extract(doc.toString(), [{
+                      key: 'id',
+                      localPath: ['~Response', 'Assertion'],
+                      attributes: ['ID']
+                    }]);
+                    // 5.4.2 References
+                    // SAML assertions and protocol messages MUST supply a value for the ID attribute on the root element of
+                    // the assertion or protocol message being signed. The assertion’s or protocol message's root element may
+                    // or may not be the root element of the actual XML document containing the signed assertion or protocol
+                    // message (e.g., it might be contained within a SOAP envelope).
+                    // Signatures MUST contain a single <ds:Reference> containing a same-document reference to the ID
+                    // attribute value of the root element of the assertion or protocol message being signed. For example, if the
+                    // ID attribute value is "foo", then the URI attribute in the <ds:Reference> element MUST be "#foo".
+                    if (verifiedAssertionInfo.refURI !== `#${desiredAssertionInfo.id}`) {
+                      throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
+                    }
+                    const verifiedDoc = extract(doc.toString(), [{
+                      key: 'assertion',
+                      localPath: ['~Response', 'Assertion'],
+                      attributes: [],
+                      context: true
+                    }]);
+                    assertionNode = verifiedDoc.assertion.toString();
+                  }
+            
+                  return [verified, assertionNode];*/
+        },
+        /**
+        * @desc Helper function to create the key section in metadata (abstraction for signing and encrypt use)
+        * @param  {string} use          type of certificate (e.g. signing, encrypt)
+        * @param  {string} certString    declares the certificate String
+        * @return {object} object used in xml module
+        */
+        createKeySection(use, certString) {
+            return {
+                ['KeyDescriptor']: [
+                    {
+                        _attr: { use },
+                    },
+                    {
+                        ['ds:KeyInfo']: [
+                            {
+                                _attr: {
+                                    'xmlns:ds': 'http://www.w3.org/2000/09/xmldsig#',
+                                },
+                            },
+                            {
+                                ['ds:X509Data']: [{
+                                        'ds:X509Certificate': utility_js_1.default.normalizeCerString(certString),
+                                    }],
+                            },
+                        ],
+                    }
+                ],
+            };
+        },
+        /**
+         * SAML 消息签名 (符合 SAML V2.0 绑定规范)
+         * @param octetString - 要签名的原始数据 (OCTET STRING)
+         * @param key - PEM 格式私钥
+         * @param passphrase - 私钥密码 (如果有加密)
+         * @param isBase64 - 是否返回 base64 编码 (默认 true)
+         * @param signingAlgorithm - 签名算法 (默认 'rsa-sha256')
+         * @returns 消息签名
+         */
+        constructMessageSignature(octetString, key, passphrase, isBase64 = true, signingAlgorithm = nrsaAliasMappingForNode[signatureAlgorithms.RSA_SHA1]) {
+            try {
+                // 1. 标准化输入数据
+                const inputData = Buffer.isBuffer(octetString)
+                    ? octetString
+                    : Buffer.from(octetString, 'utf8');
+                // 2. 创建签名器并设置算
+                const signingAlgorithmValue = getSigningSchemeForNode(signingAlgorithm);
+                const signer = (0, node_crypto_1.createSign)(signingAlgorithmValue);
+                // 3. 加载私钥
+                const privateKey = (0, node_crypto_1.createPrivateKey)({
+                    key: key,
+                    format: 'pem',
+                    passphrase: passphrase,
+                    encoding: 'utf8'
+                });
+                signer.write(octetString);
+                signer.end();
+                const signature = signer.sign(privateKey, 'base64');
+                console.log(signature.toString());
+                console.log('dayingyixia');
+                // 5. 处理编码输出
+                return isBase64 ? signature.toString() : signature;
+            }
+            catch (error) {
+                throw new Error(`SAML 签名失败: ${error.message}`);
+            }
+        },
+        verifyMessageSignature(metadata, octetString, signature, verifyAlgorithm) {
+            const signCert = metadata.getX509Certificate(certUse.signing);
+            const signingScheme = getSigningSchemeForNode(verifyAlgorithm);
+            const verifier = (0, node_crypto_1.createVerify)(signingScheme);
+            verifier.update(octetString);
+            const isValid = verifier.verify(utility_js_1.default.getPublicKeyPemFromCertificate(signCert), Buffer.isBuffer(signature) ? signature : Buffer.from(signature, 'base64'));
+            console.log(isValid);
+            console.log('验证结果-------------');
+            return isValid;
+        },
+        /**
+        * @desc Get the public key in string format
+        * @param  {string} x509Certificate certificate
+        * @return {string} public key
+        */
+        getKeyInfo(x509Certificate, signatureConfig = {}) {
+            const prefix = signatureConfig.prefix ? `${signatureConfig.prefix}:` : '';
+            return {
+                getKeyInfo: () => {
+                    return `<${prefix}X509Data><${prefix}X509Certificate>${x509Certificate}</${prefix}X509Certificate></${prefix}X509Data>`;
+                },
+                getKey: () => {
+                    return utility_js_1.default.getPublicKeyPemFromCertificate(x509Certificate).toString();
+                },
+            };
+        },
+        /**
+        * @desc Encrypt the assertion section in Response
+        * @param  {Entity} sourceEntity             source entity
+        * @param  {Entity} targetEntity             target entity
+        * @param  {string} xml                      response in xml string format
+        * @return {Promise} a promise to resolve the finalized xml
+        */
+        encryptAssertion(sourceEntity, targetEntity, xml) {
+            // Implement encryption after signature if it has
+            return new Promise((resolve, reject) => {
+                if (!xml) {
+                    return reject(new Error('ERR_UNDEFINED_ASSERTION'));
+                }
+                const sourceEntitySetting = sourceEntity.entitySetting;
+                const targetEntityMetadata = targetEntity.entityMeta;
+                const { dom } = (0, api_js_1.getContext)();
+                const doc = dom.parseFromString(xml, 'application/xml');
+                const assertions = (0, xpath_1.select)("//*[local-name(.)='Assertion']", doc);
+                if (!Array.isArray(assertions) || assertions.length === 0) {
+                    throw new Error('ERR_NO_ASSERTION');
+                }
+                if (assertions.length > 1) {
+                    throw new Error('ERR_MULTIPLE_ASSERTION');
+                }
+                const rawAssertionNode = assertions[0];
+                // Perform encryption depends on the setting, default is false
+                if (sourceEntitySetting.isAssertionEncrypted) {
+                    const publicKeyPem = utility_js_1.default.getPublicKeyPemFromCertificate(targetEntityMetadata.getX509Certificate(certUse.encrypt));
+                    xmlenc.encrypt(rawAssertionNode.toString(), {
+                        // use xml-encryption module
+                        rsa_pub: Buffer.from(publicKeyPem),
+                        pem: Buffer.from(`-----BEGIN CERTIFICATE-----${targetEntityMetadata.getX509Certificate(certUse.encrypt)}-----END CERTIFICATE-----`),
+                        encryptionAlgorithm: sourceEntitySetting.dataEncryptionAlgorithm,
+                        keyEncryptionAlgorithm: sourceEntitySetting.keyEncryptionAlgorithm,
+                        keyEncryptionDigest: 'SHA-512',
+                        disallowEncryptionWithInsecureAlgorithm: true,
+                        warnInsecureAlgorithm: true
+                    }, (err, res) => {
+                        if (err) {
+                            console.error(err);
+                            return reject(new Error('ERR_EXCEPTION_OF_ASSERTION_ENCRYPTION'));
+                        }
+                        if (!res) {
+                            return reject(new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION'));
+                        }
+                        const { encryptedAssertion: encAssertionPrefix } = sourceEntitySetting.tagPrefix;
+                        const encryptAssertionDoc = dom.parseFromString(`<${encAssertionPrefix}:EncryptedAssertion xmlns:${encAssertionPrefix}="${urn_js_1.namespace.names.assertion}">${res}</${encAssertionPrefix}:EncryptedAssertion>`, 'application/xml');
+                        doc?.replaceChild(encryptAssertionDoc.documentElement, rawAssertionNode);
+                        return resolve(utility_js_1.default.base64Encode(doc.toString()));
+                    });
+                }
+                else {
+                    return resolve(utility_js_1.default.base64Encode(xml)); // No need to do encryption
+                }
+            });
+        },
+        /**
+        * @desc Decrypt the assertion section in Response
+        * @param  {string} type             only accept SAMLResponse to proceed decryption
+        * @param  {Entity} here             this entity
+        * @param  {Entity} from             from the entity where the message is sent
+        * @param {string} entireXML         response in xml string format
+        * @return {function} a promise to get back the entire xml with decrypted assertion
+        */
+        decryptAssertion(here, entireXML) {
+            return new Promise((resolve, reject) => {
+                // Implement decryption first then check the signature
+                if (!entireXML) {
+                    return reject(new Error('ERR_UNDEFINED_ASSERTION'));
+                }
+                // Perform encryption depends on the setting of where the message is sent, default is false
+                const hereSetting = here.entitySetting;
+                const { dom } = (0, api_js_1.getContext)();
+                const doc = dom.parseFromString(entireXML, 'application/xml');
+                const encryptedAssertions = (0, xpath_1.select)("/*[contains(local-name(), 'Response')]/*[local-name(.)='EncryptedAssertion']", doc);
+                if (!Array.isArray(encryptedAssertions) || encryptedAssertions.length === 0) {
+                    throw new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION');
+                }
+                if (encryptedAssertions.length > 1) {
+                    throw new Error('ERR_MULTIPLE_ASSERTION');
+                }
+                const encAssertionNode = encryptedAssertions[0];
+                return xmlenc.decrypt(encAssertionNode.toString(), {
+                    key: utility_js_1.default.readPrivateKey(hereSetting.encPrivateKey, hereSetting.encPrivateKeyPass),
+                }, (err, res) => {
+                    if (err) {
+                        console.error(err);
+                        return reject(new Error('ERR_EXCEPTION_OF_ASSERTION_DECRYPTION'));
+                    }
+                    if (!res) {
+                        return reject(new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION'));
+                    }
+                    const rawAssertionDoc = dom.parseFromString(res, 'application/xml');
+                    doc?.replaceChild(rawAssertionDoc?.documentElement, encAssertionNode);
+                    return resolve([doc.toString(), res]);
+                });
+            });
+        },
+        /**
+         * @desc Check if the xml string is valid and bounded
+         */
+        async isValidXml(input) {
+            // check if global api contains the validate function
+            const { validate } = (0, api_js_1.getContext)();
+            /**
+             * user can write a validate function that always returns
+             * a resolved promise and skip the validator even in
+             * production, user will take the responsibility if
+             * they intend to skip the validation
+             */
+            if (!validate) {
+                // otherwise, an error will be thrown
+                return Promise.reject('Your application is potentially vulnerable because no validation function found. Please read the documentation on how to setup the validator. (https://github.com/tngan/samlify#installation)');
+            }
+            try {
+                return await validate(input);
+            }
+            catch (e) {
+                throw e;
+            }
+        },
+    };
+};
+exports.default = libSaml();
 //# sourceMappingURL=libsaml.js.map