samlesa 2.12.3 → 2.12.6

package/build/src/validator.js.map

@@ -1 +1 @@
-{"version":3,"file":"validator.js","sourceRoot":"","sources":["../../src/validator.ts"],"names":[],"mappings":";;AA0CE,gCAAU;AAvCZ,SAAS,UAAU,CACjB,YAAgC,EAChC,eAAmC,EACnC,QAAwB,CAAC,CAAC,EAAE,CAAC,CAAC;IAG9B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,IAAI,CAAC,YAAY,IAAI,CAAC,eAAe,EAAE,CAAC;QACtC,kHAAkH;QAClH,OAAO,CAAC,IAAI,CAAC,2FAA2F,CAAC,CAAC;QAC1G,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,cAAc,GAAgB,IAAI,CAAC;IACvC,IAAI,iBAAiB,GAAgB,IAAI,CAAC;IAE1C,MAAM,CAAC,cAAc,EAAE,iBAAiB,CAAC,GAAG,KAAK,CAAC;IAElD,IAAI,YAAY,IAAI,CAAC,eAAe,EAAE,CAAC;QACrC,cAAc,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC;QACxC,OAAO,CAAC,cAAc,GAAG,cAAc,IAAI,CAAC,GAAG,CAAC;IAClD,CAAC;IACD,IAAI,CAAC,YAAY,IAAI,eAAe,EAAE,CAAC;QACrC,iBAAiB,GAAG,IAAI,IAAI,CAAC,eAAe,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,GAAG,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;IACvD,CAAC;IAED,cAAc,GAAG,IAAI,IAAI,CAAC,YAAa,CAAC,CAAC;IACzC,iBAAiB,GAAG,IAAI,IAAI,CAAC,eAAgB,CAAC,CAAC;IAE/C,OAAO,CACL,CAAC,cAAc,GAAG,cAAc,IAAI,CAAC,GAAG;QACxC,CAAC,GAAG,GAAG,CAAC,iBAAiB,GAAG,iBAAiB,CAC9C,CAAC;AAEJ,CAAC"}
+{"version":3,"file":"validator.js","sourceRoot":"","sources":["../../src/validator.ts"],"names":[],"mappings":";;;AAGA,SAAS,UAAU,CACjB,YAAgC,EAChC,eAAmC,EACnC,QAAwB,CAAC,CAAC,EAAE,CAAC,CAAC;IAG9B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,IAAI,CAAC,YAAY,IAAI,CAAC,eAAe,EAAE;QACrC,kHAAkH;QAClH,OAAO,CAAC,IAAI,CAAC,2FAA2F,CAAC,CAAC;QAC1G,OAAO,IAAI,CAAC;KACb;IAED,IAAI,cAAc,GAAgB,IAAI,CAAC;IACvC,IAAI,iBAAiB,GAAgB,IAAI,CAAC;IAE1C,MAAM,CAAC,cAAc,EAAE,iBAAiB,CAAC,GAAG,KAAK,CAAC;IAElD,IAAI,YAAY,IAAI,CAAC,eAAe,EAAE;QACpC,cAAc,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC;QACxC,OAAO,CAAC,cAAc,GAAG,cAAc,IAAI,CAAC,GAAG,CAAC;KACjD;IACD,IAAI,CAAC,YAAY,IAAI,eAAe,EAAE;QACpC,iBAAiB,GAAG,IAAI,IAAI,CAAC,eAAe,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,GAAG,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;KACtD;IAED,cAAc,GAAG,IAAI,IAAI,CAAC,YAAa,CAAC,CAAC;IACzC,iBAAiB,GAAG,IAAI,IAAI,CAAC,eAAgB,CAAC,CAAC;IAE/C,OAAO,CACL,CAAC,cAAc,GAAG,cAAc,IAAI,CAAC,GAAG;QACxC,CAAC,GAAG,GAAG,CAAC,iBAAiB,GAAG,iBAAiB,CAC9C,CAAC;AAEJ,CAAC;AAGC,gCAAU"}

package/index.d.ts

@@ -1,10 +1,10 @@
-import IdentityProvider, { IdentityProvider as IdentityProviderInstance } from './src/entity-idp';
-import ServiceProvider, { ServiceProvider as ServiceProviderInstance } from './src/entity-sp';
-export { default as IdPMetadata } from './src/metadata-idp';
-export { default as SPMetadata } from './src/metadata-sp';
-export { default as Utility } from './src/utility';
-export { default as SamlLib } from './src/libsaml';
-import * as Constants from './src/urn';
-import * as Extractor from './src/extractor';
-import { setSchemaValidator, setDOMParserOptions } from './src/api';
-export { Constants, Extractor, IdentityProvider, IdentityProviderInstance, ServiceProvider, ServiceProviderInstance, setSchemaValidator, setDOMParserOptions };
+import IdentityProvider, { IdentityProvider as IdentityProviderInstance } from './src/entity-idp';
+import ServiceProvider, { ServiceProvider as ServiceProviderInstance } from './src/entity-sp';
+export { default as IdPMetadata } from './src/metadata-idp';
+export { default as SPMetadata } from './src/metadata-sp';
+export { default as Utility } from './src/utility';
+export { default as SamlLib } from './src/libsaml';
+import * as Constants from './src/urn';
+import * as Extractor from './src/extractor';
+import { setSchemaValidator, setDOMParserOptions } from './src/api';
+export { Constants, Extractor, IdentityProvider, IdentityProviderInstance, ServiceProvider, ServiceProviderInstance, setSchemaValidator, setDOMParserOptions };

package/index.js

@@ -1,19 +1,19 @@
-// version <= 1.25
-import IdentityProvider, { IdentityProvider as IdentityProviderInstance } from './src/entity-idp';
-import ServiceProvider, { ServiceProvider as ServiceProviderInstance } from './src/entity-sp';
-export { default as IdPMetadata } from './src/metadata-idp';
-export { default as SPMetadata } from './src/metadata-sp';
-export { default as Utility } from './src/utility';
-export { default as SamlLib } from './src/libsaml';
-// roadmap
-// new name convention in version >= 3.0
-import * as Constants from './src/urn';
-import * as Extractor from './src/extractor';
-// exposed methods for customizing samlify
-import { setSchemaValidator, setDOMParserOptions } from './src/api';
-export { Constants, Extractor, 
-// temp: resolve the conflict after version >= 3.0
-IdentityProvider, IdentityProviderInstance, ServiceProvider, ServiceProviderInstance, 
-// set context
-setSchemaValidator, setDOMParserOptions };
+// version <= 1.25
+import IdentityProvider, { IdentityProvider as IdentityProviderInstance } from './src/entity-idp';
+import ServiceProvider, { ServiceProvider as ServiceProviderInstance } from './src/entity-sp';
+export { default as IdPMetadata } from './src/metadata-idp';
+export { default as SPMetadata } from './src/metadata-sp';
+export { default as Utility } from './src/utility';
+export { default as SamlLib } from './src/libsaml';
+// roadmap
+// new name convention in version >= 3.0
+import * as Constants from './src/urn';
+import * as Extractor from './src/extractor';
+// exposed methods for customizing samlify
+import { setSchemaValidator, setDOMParserOptions } from './src/api';
+export { Constants, Extractor, 
+// temp: resolve the conflict after version >= 3.0
+IdentityProvider, IdentityProviderInstance, ServiceProvider, ServiceProviderInstance, 
+// set context
+setSchemaValidator, setDOMParserOptions };
 //# sourceMappingURL=index.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "samlesa",
-  "version": "2.12.3",
+  "version": "2.12.6",
   "description": "High-level API for Single Sign On (SAML 2.0) 维护分支：修复原项目samlify的一些问题 ",
   "main": "build/index.js",
   "keywords": [
@@ -35,8 +35,6 @@
     "xml-encryption": "^3.0.1",
     "@xmldom/xmldom": "^0.8.6",
     "camelcase": "^6.2.0",
-    "node-forge": "^1.3.0",
-    "node-rsa": "^1.1.1",
     "pako": "^1.0.10",
     "uuid": "^10.0.0",
     "xml": "^1.0.1",
@@ -47,8 +45,6 @@
   "devDependencies": {
     "@ava/typescript": "^1.1.1",
     "@types/node": "^22.15.17",
-    "@types/node-forge": "^1.0.1",
-    "@types/node-rsa": "^1.1.1",
     "@types/pako": "^1.0.1",
     "@types/uuid": "^10.0.0",
     "@types/xmldom": "^0.1.31",

package/qodana.yaml

@@ -1,29 +1,29 @@
-#-------------------------------------------------------------------------------#
-#               Qodana analysis is configured by qodana.yaml file               #
-#             https://www.jetbrains.com/help/qodana/qodana-yaml.html            #
-#-------------------------------------------------------------------------------#
-version: "1.0"
-
-#Specify inspection profile for code analysis
-profile:
-  name: qodana.starter
-
-#Enable inspections
-#include:
-#  - name: <SomeEnabledInspectionId>
-
-#Disable inspections
-#exclude:
-#  - name: <SomeDisabledInspectionId>
-#    paths:
-#      - <path/where/not/run/inspection>
-
-#Execute shell command before Qodana execution (Applied in CI/CD pipeline)
-#bootstrap: sh ./prepare-qodana.sh
-
-#Install IDE plugins before Qodana execution (Applied in CI/CD pipeline)
-#plugins:
-#  - id: <plugin.id> #(plugin id can be found at https://plugins.jetbrains.com)
-
-#Specify Qodana linter for analysis (Applied in CI/CD pipeline)
-linter: jetbrains/qodana-js:2025.1
+#-------------------------------------------------------------------------------#
+#               Qodana analysis is configured by qodana.yaml file               #
+#             https://www.jetbrains.com/help/qodana/qodana-yaml.html            #
+#-------------------------------------------------------------------------------#
+version: "1.0"
+
+#Specify inspection profile for code analysis
+profile:
+  name: qodana.starter
+
+#Enable inspections
+#include:
+#  - name: <SomeEnabledInspectionId>
+
+#Disable inspections
+#exclude:
+#  - name: <SomeDisabledInspectionId>
+#    paths:
+#      - <path/where/not/run/inspection>
+
+#Execute shell command before Qodana execution (Applied in CI/CD pipeline)
+#bootstrap: sh ./prepare-qodana.sh
+
+#Install IDE plugins before Qodana execution (Applied in CI/CD pipeline)
+#plugins:
+#  - id: <plugin.id> #(plugin id can be found at https://plugins.jetbrains.com)
+
+#Specify Qodana linter for analysis (Applied in CI/CD pipeline)
+linter: jetbrains/qodana-js:2025.1

package/src/binding-post.ts

@@ -168,7 +168,7 @@ async function base64LoginResponse(requestInfo: any = {}, entity: any, user: any
         },
       });
       console.log(rawSamlResponse);
-      console.log("这他妈是什么------------------")
+      console.log('这他妈是什么------------------')
     }
 
     // console.debug('after message signed', rawSamlResponse);

package/src/binding-redirect.ts

@@ -1,15 +1,15 @@
 /**
-* @file binding-redirect.ts
-* @author tngan
-* @desc Binding-level API, declare the functions using Redirect binding
-*/
-import utility, { get } from './utility.js';
+ * @file binding-redirect.ts
+ * @author tngan
+ * @desc Binding-level API, declare the functions using Redirect binding
+ */
+import utility, {get} from './utility.js';
 import libsaml from './libsaml.js';
-import { BindingContext } from './entity.js';
-import { IdentityProvider as Idp } from './entity-idp.js';
-import { ServiceProvider as Sp } from './entity-sp.js';
-import * as url from 'url';
-import { wording, namespace } from './urn.js';
+import {BindingContext} from './entity.js';
+import {IdentityProvider as Idp} from './entity-idp.js';
+import {ServiceProvider as Sp} from './entity-sp.js';
+
+import {wording, namespace} from './urn.js';
 
 const binding = wording.binding;
 const urlParams = wording.urlParams;
@@ -24,25 +24,26 @@ export interface BuildRedirectConfig {
 }
 
 /**
-* @private
-* @desc Helper of generating URL param/value pair
-* @param  {string} param     key
-* @param  {string} value     value of key
-* @param  {boolean} first    determine whether the param is the starting one in order to add query header '?'
-* @return {string}
-*/
+ * @private
+ * @desc Helper of generating URL param/value pair
+ * @param  {string} param     key
+ * @param  {string} value     value of key
+ * @param  {boolean} first    determine whether the param is the starting one in order to add query header '?'
+ * @return {string}
+ */
 function pvPair(param: string, value: string, first?: boolean): string {
   return (first === true ? '?' : '&') + param + '=' + value;
 }
+
 /**
-* @private
-* @desc Refractored part of URL generation for login/logout request
-* @param  {string} type
-* @param  {boolean} isSigned
-* @param  {string} rawSamlRequest
-* @param  {object} entitySetting
-* @return {string}
-*/
+ * @private
+ * @desc Refractored part of URL generation for login/logout request
+ * @param  {string} type
+ * @param  {boolean} isSigned
+ * @param  {string} rawSamlRequest
+ * @param  {object} entitySetting
+ * @return {string}
+ */
 function buildRedirectURL(opts: BuildRedirectConfig) {
   const {
     baseUrl,
@@ -51,8 +52,14 @@ function buildRedirectURL(opts: BuildRedirectConfig) {
     context,
     entitySetting,
   } = opts;
-  let { relayState = '' } = opts;
-  const noParams = (url.parse(baseUrl).query || []).length === 0;
+  let {relayState = ''} = opts;
+  let noParams = true
+  try {
+    noParams = new URL(baseUrl)?.searchParams?.size === 0
+  } catch {
+    noParams = true
+  }
+
   const queryParam = libsaml.getQueryParamByType(type);
   // In general, this xmlstring is required to do deflate -> base64 -> urlencode
   const samlRequest = encodeURIComponent(utility.base64Encode(utility.deflateString(context)));
@@ -65,27 +72,31 @@ function buildRedirectURL(opts: BuildRedirectConfig) {
     return baseUrl
       + pvPair(queryParam, octetString, noParams)
       + pvPair(urlParams.signature, encodeURIComponent(
-        libsaml.constructMessageSignature(
-          queryParam + '=' + octetString,
-          entitySetting.privateKey,
-          entitySetting.privateKeyPass,
-          undefined,
-          entitySetting.requestSignatureAlgorithm
-        ).toString()
-      )
+          libsaml.constructMessageSignature(
+            queryParam + '=' + octetString,
+            entitySetting.privateKey,
+            entitySetting.privateKeyPass,
+            undefined,
+            entitySetting.requestSignatureAlgorithm
+          ).toString()
+        )
       );
   }
   return baseUrl + pvPair(queryParam, samlRequest + relayState, noParams);
 }
+
 /**
-* @desc Redirect URL for login request
-* @param  {object} entity                       object includes both idp and sp
-* @param  {function} customTagReplacement      used when developers have their own login response template
-* @return {string} redirect URL
-*/
-function loginRequestRedirectURL(entity: { idp: Idp, sp: Sp }, customTagReplacement?: (template: string) => BindingContext): BindingContext {
+ * @desc Redirect URL for login request
+ * @param  {object} entity                       object includes both idp and sp
+ * @param  {function} customTagReplacement      used when developers have their own login response template
+ * @return {string} redirect URL
+ */
+function loginRequestRedirectURL(entity: {
+  idp: Idp,
+  sp: Sp
+}, customTagReplacement?: (template: string) => BindingContext): BindingContext {
 
-  const metadata: any = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta };
+  const metadata: any = {idp: entity.idp.entityMeta, sp: entity.sp.entityMeta};
   const spSetting: any = entity.sp.entitySetting;
   let id: string = '';
 
@@ -127,13 +138,13 @@ function loginRequestRedirectURL(entity: { idp: Idp, sp: Sp }, customTagReplacem
 }
 
 /**
-* @desc Redirect URL for login response
-* @param  {object} requestInfo             corresponding request, used to obtain the id
-* @param  {object} entity                      object includes both idp and sp
-* @param  {object} user                         current logged user (e.g. req.user)
-* @param  {String} relayState                the relaystate sent by sp corresponding request
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
+ * @desc Redirect URL for login response
+ * @param  {object} requestInfo             corresponding request, used to obtain the id
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {object} user                         current logged user (e.g. req.user)
+ * @param  {String} relayState                the relaystate sent by sp corresponding request
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
 function loginResponseRedirectURL(requestInfo: any, entity: any, user: any = {}, relayState?: string, customTagReplacement?: (template: string) => BindingContext): BindingContext {
   const idpSetting = entity.idp.entitySetting;
   const spSetting = entity.sp.entitySetting;
@@ -144,7 +155,11 @@ function loginResponseRedirectURL(requestInfo: any, entity: any, user: any = {},
 
   let id: string = idpSetting.generateID();
   if (metadata && metadata.idp && metadata.sp) {
-    const base = metadata.sp.getAssertionConsumerService(binding.redirect);
+    const base = metadata.sp.getAssertionConsumerService(binding.redirect) ?? 'https://signin.volcengine.com/saml/sso';
+    if(!base){
+      throw new Error('dont have a base url');
+    }
+
     let rawSamlResponse: string;
     //
     const nameIDFormat = idpSetting.nameIDFormat;
@@ -186,7 +201,7 @@ function loginResponseRedirectURL(requestInfo: any, entity: any, user: any = {},
       rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLoginResponseTemplate.context, tvalue);
     }
 
-    const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
+    const {privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm} = idpSetting;
     const config = {
       privateKey,
       privateKeyPass,
@@ -203,7 +218,10 @@ function loginResponseRedirectURL(requestInfo: any, entity: any, user: any = {},
         referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
         signatureConfig: {
           prefix: 'ds',
-          location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']", action: 'after' },
+          location: {
+            reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
+            action: 'after'
+          },
         },
       });
     }
@@ -225,14 +243,14 @@ function loginResponseRedirectURL(requestInfo: any, entity: any, user: any = {},
 }
 
 /**
-* @desc Redirect URL for logout request
-* @param  {object} user                        current logged user (e.g. req.user)
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-* @return {string} redirect URL
-*/
+ * @desc Redirect URL for logout request
+ * @param  {object} user                        current logged user (e.g. req.user)
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ * @return {string} redirect URL
+ */
 function logoutRequestRedirectURL(user, entity, relayState?: string, customTagReplacement?: (template: string, tags: object) => BindingContext): BindingContext {
-  const metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta };
+  const metadata = {init: entity.init.entityMeta, target: entity.target.entityMeta};
   const initSetting = entity.init.entitySetting;
   let id: string = initSetting.generateID();
   const nameIDFormat = initSetting.nameIDFormat;
@@ -272,12 +290,13 @@ function logoutRequestRedirectURL(user, entity, relayState?: string, customTagRe
   }
   throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_REQUEST_MISSING_METADATA');
 }
+
 /**
-* @desc Redirect URL for logout response
-* @param  {object} requescorresponding request, used to obtain the id
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
+ * @desc Redirect URL for logout response
+ * @param  {object} requescorresponding request, used to obtain the id
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
 function logoutResponseRedirectURL(requestInfo: any, entity: any, relayState?: string, customTagReplacement?: (template: string) => BindingContext): BindingContext {
   const metadata = {
     init: entity.init.entityMeta,

package/src/entity-idp.ts

@@ -3,12 +3,19 @@
 * @author tngan
 * @desc  Declares the actions taken by identity provider
 */
+import {
+  wording,
+} from './urn.js';
+const binding = wording.binding
+
+
+
 import Entity, { ESamlHttpRequest } from './entity.js';
 import {
   ServiceProviderConstructor as ServiceProvider,
   ServiceProviderMetadata,
   IdentityProviderMetadata,
-  IdentityProviderSettings,
+  IdentityProviderSettings
 } from './types.js';
 import libsaml from './libsaml.js';
 import { namespace } from './urn.js';
@@ -71,25 +78,21 @@ export class IdentityProvider extends Entity {
   }
 
   /**
-  * @desc  Generates the login response for developers to design their own method
-  * @param  sp                        object of service provider
-  * @param  requestInfo               corresponding request, used to obtain the id
-  * @param  binding                   protocol binding
-  * @param  user                      current logged user (e.g. req.user)
-  * @param  customTagReplacement      used when developers have their own login response template
-  * @param  encryptThenSign           whether or not to encrypt then sign first (if signing)
-  * @param  relayState             the relayState from corresponding request
-  */
-  public async createLoginResponse(
-    sp: ServiceProvider,
-    requestInfo: { [key: string]: any },
-    binding: string,
-    user: { [key: string]: any },
+   * @desc  Generates the login response for developers to design their own method
+   * @param params
+   */
+  public async createLoginResponse(params:{
+    sp: ServiceProvider;
+    requestInfo: Record<string, any>;
+    binding?: string;  // 可选参数，带默认值
+    user: Record<string, any>;
     customTagReplacement?: (template: string) => BindingContext,
     encryptThenSign?: boolean,
     relayState?: string,
-  ) {
-    const protocol = namespace.binding[binding];
+  }) {
+const bindType = params?.binding ?? 'post';
+    const {  sp,requestInfo ={}, user = {},customTagReplacement,encryptThenSign = false ,relayState=''} = params
+    const protocol = namespace.binding[bindType];
     // can support post, redirect and post simple sign bindings for login response
     let context: any = null;
     switch (protocol) {
@@ -111,15 +114,18 @@ export class IdentityProvider extends Entity {
           idp: this,
           sp,
         }, user, relayState, customTagReplacement);
-
       default:
-        throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');
+        context = await postBinding.base64LoginResponse(requestInfo, {
+          idp: this,
+          sp,
+        }, user, customTagReplacement, encryptThenSign);
+ /*       throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');*/
     }
 
     return {
       ...context,
       relayState,
-      entityEndpoint: (sp.entityMeta as ServiceProviderMetadata).getAssertionConsumerService(binding) as string,
+      entityEndpoint: (sp.entityMeta as ServiceProviderMetadata).getAssertionConsumerService(bindType ?? 'post') as string,
       type: 'SAMLResponse'
     };
   }

package/src/libsaml.ts

@@ -3,12 +3,12 @@
 * @author tngan
 * @desc  A simple library including some common functions
 */
-
+import { createSign, createPrivateKey,createVerify } from 'node:crypto';
 import utility, { flattenDeep, isString } from './utility.js';
 import { algorithms, wording, namespace } from './urn.js';
 import { select } from 'xpath';
 import { MetadataInterface } from './metadata.js';
-import nrsa, { SigningSchemeHash } from 'node-rsa';
+
 import { SignedXml } from 'xml-crypto';
 import * as xmlenc from 'xml-encryption';
 import { extract } from './extractor.js';
@@ -22,7 +22,22 @@ const signatureAlgorithms = algorithms.signature;
 const digestAlgorithms = algorithms.digest;
 const certUse = wording.certUse;
 const urlParams = wording.urlParams;
+/**
+ * 算法名称映射表 (兼容 X.509 和 SAML 规范)
+ */
+function mapSignAlgorithm(algorithm: string): string {
+  const algorithmMap =  {
+    'rsa-sha1': 'RSA-SHA1',
+    'rsa-sha256': 'RSA-SHA256',
+    'rsa-sha384': 'RSA-SHA384',
+    'rsa-sha512': 'RSA-SHA512',
+    'ecdsa-sha256': 'ECDSA-SHA256',
+    'ecdsa-sha384': 'ECDSA-SHA384',
+    'ecdsa-sha512': 'ECDSA-SHA512'
+  };
 
+  return algorithmMap[algorithm.toLowerCase()] || algorithm;
+}
 export interface SignatureConstructor {
   rawSamlMessage: string;
   referenceTagXPath?: string;
@@ -139,6 +154,11 @@ const libSaml = () => {
     'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': 'pkcs1-sha256',
     'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': 'pkcs1-sha512',
   };
+  const nrsaAliasMappingForNode = {
+    'http://www.w3.org/2000/09/xmldsig#rsa-sha1': 'RSA-SHA1',
+    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': 'RSA-SHA256',
+    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': 'RSA-SHA512',
+  };
   /**
   * @desc Default login request template
   * @type {LoginRequestTemplate}
@@ -189,20 +209,15 @@ const libSaml = () => {
   const defaultLogoutResponseTemplate = {
     context: '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status></samlp:LogoutResponse>',
   };
-  /**
-  * @private
-  * @desc Get the signing scheme alias by signature algorithms, used by the node-rsa module
-  * @param {string} sigAlg    signature algorithm
-  * @return {string/null} signing algorithm short-hand for the module node-rsa
-  */
-  function getSigningScheme(sigAlg?: string): SigningSchemeHash {
+
+  function getSigningSchemeForNode(sigAlg?: string){
     if (sigAlg) {
-      const algAlias = nrsaAliasMapping[sigAlg];
+      const algAlias = nrsaAliasMappingForNode[sigAlg];
       if (!(algAlias === undefined)) {
         return algAlias;
       }
     }
-    return nrsaAliasMapping[signatureAlgorithms.RSA_SHA1];
+    return nrsaAliasMappingForNode[signatureAlgorithms.RSA_SHA256];
   }
   /**
   * @private
@@ -587,42 +602,51 @@ const libSaml = () => {
           }],
       };
     },
+
     /**
-    * @desc Constructs SAML message
-    * @param  {string} octetString               see "Bindings for the OASIS Security Assertion Markup Language (SAML V2.0)" P.17/46
-    * @param  {string} key                       declares the pem-formatted private key
-    * @param  {string} passphrase                passphrase of private key [optional]
-    * @param  {string} signingAlgorithm          signing algorithm
-    * @return {string} message signature
-    */
+     * SAML 消息签名 (符合 SAML V2.0 绑定规范)
+     * @param octetString - 要签名的原始数据 (OCTET STRING)
+     * @param key - PEM 格式私钥
+     * @param passphrase - 私钥密码 (如果有加密)
+     * @param isBase64 - 是否返回 base64 编码 (默认 true)
+     * @param signingAlgorithm - 签名算法 (默认 'rsa-sha256')
+     * @returns 消息签名
+     */
+
     constructMessageSignature(
-      octetString: string,
-      key: string,
-      passphrase?: string,
-      isBase64?: boolean,
-      signingAlgorithm?: string
-    ) {
-      // Default returning base64 encoded signature
-      // Embed with node-rsa module
-      const decryptedKey = new nrsa(
-        utility.readPrivateKey(key, passphrase),
-        undefined,
-        {
-          signingScheme: getSigningScheme(signingAlgorithm),
-        }
-      );
-      const signature = decryptedKey.sign(octetString);
-      // Use private key to sign data
-      return isBase64 !== false ? signature.toString('base64') : signature;
-    },
-    /**
-    * @desc Verifies message signature
-    * @param  {Metadata} metadata                 metadata object of identity provider or service provider
-    * @param  {string} octetString                see "Bindings for the OASIS Security Assertion Markup Language (SAML V2.0)" P.17/46
-    * @param  {string} signature                  context of XML signature
-    * @param  {string} verifyAlgorithm            algorithm used to verify
-    * @return {boolean} verification result
-    */
+      octetString: string | Buffer,
+    key: string | Buffer,
+    passphrase?: string,
+    isBase64: boolean = true,
+    signingAlgorithm: string = nrsaAliasMappingForNode[signatureAlgorithms.RSA_SHA256]
+): string | Buffer {
+    try {
+      // 1. 标准化输入数据
+      const inputData = Buffer.isBuffer(octetString)
+        ? octetString
+        : Buffer.from(octetString, 'utf8');
+      // 2. 创建签名器并设置算
+      const signingAlgorithmValue = getSigningSchemeForNode(signingAlgorithm)
+      const signer = createSign(signingAlgorithmValue)
+
+      // 3. 加载私钥
+      const privateKey = createPrivateKey({
+        key: key,
+        format: 'pem',
+        passphrase: passphrase,
+        encoding: 'utf8'
+      });
+      signer.write(octetString);
+      signer.end();
+      const signature = signer.sign(privateKey, 'base64');
+      console.log(signature.toString());
+      console.log('dayingyixia')
+      // 5. 处理编码输出
+      return isBase64 ? signature.toString() : signature;
+    } catch (error) {
+      throw new Error(`SAML 签名失败: ${error.message}`);
+    }
+  },
     verifyMessageSignature(
       metadata,
       octetString: string,
@@ -630,10 +654,17 @@ const libSaml = () => {
       verifyAlgorithm?: string
     ) {
       const signCert = metadata.getX509Certificate(certUse.signing);
-      const signingScheme = getSigningScheme(verifyAlgorithm);
-      const key = new nrsa(utility.getPublicKeyPemFromCertificate(signCert), 'public', { signingScheme });
-      return key.verify(Buffer.from(octetString), Buffer.from(signature));
+      const signingScheme = getSigningSchemeForNode(verifyAlgorithm);
+      const verifier = createVerify(signingScheme);
+      verifier.update(octetString);
+      const isValid = verifier.verify(utility.getPublicKeyPemFromCertificate(signCert),       Buffer.isBuffer(signature) ? signature : Buffer.from(signature, 'base64'));
+      console.log(isValid);
+      console.log('验证结果-------------')
+      return isValid
+
     },
+
+
     /**
     * @desc Get the public key in string format
     * @param  {string} x509Certificate certificate