samlesa 2.12.3 → 2.12.6

package/src/utility.ts

@@ -1,13 +1,13 @@
 /**
-* @file utility.ts
-* @author tngan
-* @desc  Library for some common functions (e.g. de/inflation, en/decoding)
-*/
-import { pki, util, asn1 } from 'node-forge';
-import { X509Certificate } from 'node:crypto';
+ * @file utility.ts
+ * @author tngan
+ * @desc  Library for some common functions (e.g. de/inflation, en/decoding)
+ */
+
+import {X509Certificate,createPrivateKey } from 'node:crypto';
 
 
-import { inflate, deflate } from 'pako';
+import {inflate, deflate} from 'pako';
 
 const BASE64_STR = 'base64';
 
@@ -36,6 +36,7 @@ export function zipObject(arr1: string[], arr2: any[], skipDuplicated = true) {
 
   }, {});
 }
+
 /**
  * @desc Alternative to lodash.flattenDeep
  * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_flattendeep
@@ -43,9 +44,10 @@ export function zipObject(arr1: string[], arr2: any[], skipDuplicated = true) {
  */
 export function flattenDeep(input: any[]) {
   return Array.isArray(input)
-  ? input.reduce( (a, b) => a.concat(flattenDeep(b)) , [])
-  : [input];
+    ? input.reduce((a, b) => a.concat(flattenDeep(b)), [])
+    : [input];
 }
+
 /**
  * @desc Alternative to lodash.last
  * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_last
@@ -54,6 +56,7 @@ export function flattenDeep(input: any[]) {
 export function last(input: any[]) {
   return input.slice(-1)[0];
 }
+
 /**
  * @desc Alternative to lodash.uniq
  * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_uniq
@@ -61,8 +64,9 @@ export function last(input: any[]) {
  */
 export function uniq(input: string[]) {
   const set = new Set(input);
-  return [... set];
+  return [...set];
 }
+
 /**
  * @desc Alternative to lodash.get
  * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_get
@@ -72,8 +76,9 @@ export function uniq(input: string[]) {
  */
 export function get(obj, path, defaultValue) {
   return path.split('.')
-  .reduce((a, c) => (a && a[c] ? a[c] : (defaultValue || null)), obj);
+    .reduce((a, c) => (a && a[c] ? a[c] : (defaultValue || null)), obj);
 }
+
 /**
  * @desc Check if the input is string
  * @param {any} input
@@ -81,107 +86,123 @@ export function get(obj, path, defaultValue) {
 export function isString(input: any) {
   return typeof input === 'string';
 }
+
 /**
-* @desc Encode string with base64 format
-* @param  {string} message                       plain-text message
-* @return {string} base64 encoded string
-*/
+ * @desc Encode string with base64 format
+ * @param  {string} message                       plain-text message
+ * @return {string} base64 encoded string
+ */
 function base64Encode(message: string | number[]) {
   return Buffer.from(message as string).toString(BASE64_STR);
 }
+
 /**
-* @desc Decode string from base64 format
-* @param  {string} base64Message                 encoded string
-* @param  {boolean} isBytes                      determine the return value type (True: bytes False: string)
-* @return {bytes/string}  decoded bytes/string depends on isBytes, default is {string}
-*/
+ * @desc Decode string from base64 format
+ * @param  {string} base64Message                 encoded string
+ * @param  {boolean} isBytes                      determine the return value type (True: bytes False: string)
+ * @return {bytes/string}  decoded bytes/string depends on isBytes, default is {string}
+ */
 export function base64Decode(base64Message: string, isBytes?: boolean): string | Buffer {
   const bytes = Buffer.from(base64Message, BASE64_STR);
   return Boolean(isBytes) ? bytes : bytes.toString();
 }
+
 /**
-* @desc Compress the string
-* @param  {string} message
-* @return {string} compressed string
-*/
+ * @desc Compress the string
+ * @param  {string} message
+ * @return {string} compressed string
+ */
 function deflateString(message: string): number[] {
   const input = Array.prototype.map.call(message, char => char.charCodeAt(0));
-  return Array.from(deflate(input, { raw: true }));
+  return Array.from(deflate(input, {raw: true}));
 }
+
 /**
-* @desc Decompress the compressed string
-* @param  {string} compressedString
-* @return {string} decompressed string
-*/
+ * @desc Decompress the compressed string
+ * @param  {string} compressedString
+ * @return {string} decompressed string
+ */
 export function inflateString(compressedString: string): string {
   const inputBuffer = Buffer.from(compressedString, BASE64_STR);
   const input = Array.prototype.map.call(inputBuffer.toString('binary'), char => char.charCodeAt(0));
-  return Array.from(inflate(input, { raw: true }))
+  return Array.from(inflate(input, {raw: true}))
     .map((byte: number) => String.fromCharCode(byte))
     .join('');
 }
+
 /**
-* @desc Abstract the normalizeCerString and normalizePemString
-* @param {buffer} File stream or string
-* @param {string} String for header and tail
-* @return {string} A formatted certificate string
-*/
+ * @desc Abstract the normalizeCerString and normalizePemString
+ * @param {buffer} File stream or string
+ * @param {string} String for header and tail
+ * @return {string} A formatted certificate string
+ */
 function _normalizeCerString(bin: string | Buffer, format: string) {
   return bin.toString().replace(/\n/g, '').replace(/\r/g, '').replace(`-----BEGIN ${format}-----`, '').replace(`-----END ${format}-----`, '').replace(/ /g, '').replace(/\t/g, '');
 }
+
 /**
-* @desc Parse the .cer to string format without line break, header and footer
-* @param  {string} certString     declares the certificate contents
-* @return {string} certificiate in string format
-*/
+ * @desc Parse the .cer to string format without line break, header and footer
+ * @param  {string} certString     declares the certificate contents
+ * @return {string} certificiate in string format
+ */
 function normalizeCerString(certString: string | Buffer) {
   return _normalizeCerString(certString, 'CERTIFICATE');
 }
+
 /**
-* @desc Normalize the string in .pem format without line break, header and footer
-* @param  {string} pemString
-* @return {string} private key in string format
-*/
+ * @desc Normalize the string in .pem format without line break, header and footer
+ * @param  {string} pemString
+ * @return {string} private key in string format
+ */
 function normalizePemString(pemString: string | Buffer) {
   return _normalizeCerString(pemString.toString(), 'RSA PRIVATE KEY');
 }
+
 /**
-* @desc Return the complete URL
-* @param  {object} req                   HTTP request
-* @return {string} URL
-*/
+ * @desc Return the complete URL
+ * @param  {object} req                   HTTP request
+ * @return {string} URL
+ */
 function getFullURL(req) {
   return `${req.protocol}://${req.get('host')}${req.originalUrl}`;
 }
+
 /**
-* @desc Parse input string, return default value if it is undefined
-* @param  {string/boolean}
-* @return {boolean}
-*/
+ * @desc Parse input string, return default value if it is undefined
+ * @param  {string/boolean}
+ * @return {boolean}
+ */
 function parseString(str, defaultValue = '') {
   return str || defaultValue;
 }
+
 /**
-* @desc Override the object by another object (rtl)
-* @param  {object} default object
-* @param  {object} object applied to the default object
-* @return {object} result object
-*/
+ * @desc Override the object by another object (rtl)
+ * @param  {object} default object
+ * @param  {object} object applied to the default object
+ * @return {object} result object
+ */
 function applyDefault(obj1, obj2) {
   return Object.assign({}, obj1, obj2);
 }
+
 /**
-* @desc Get public key in pem format from the certificate included in the metadata
-* @param {string} x509 certificate
-* @return {string} public key fetched from the certificate
-*/
+ * @desc Get public key in pem format from the certificate included in the metadata
+ * @param {string} x509 certificate
+ * @return {string} public key fetched from the certificate
+ */
 function getPublicKeyPemFromCertificate(x509CertificateString: string) {
-  const certDerBytes = util.decode64(x509CertificateString);
-  const obj = asn1.fromDer(certDerBytes);
-  const cert = pki.certificateFromAsn1(obj);
-  return pki.publicKeyToPem(cert.publicKey);
-}
+  const derBuffer = Buffer.from(x509CertificateString, 'base64');
+  // 解析 X.509 证书
+  const cert2 = new X509Certificate(derBuffer);
+  const publicKeyObject = cert2.publicKey
+  // 3. 导出为 PEM 格式
+  return publicKeyObject.export({
+    type: 'spki',   // 使用 Subject Public Key Info 结构
+    format: 'pem'  // 输出 PEM 格式
+  });
 
+}
 
 
 /*function getPublicKeyPemFromCertificate(x509Certificate: string): string {
@@ -197,25 +218,75 @@ function getPublicKeyPemFromCertificate(x509CertificateString: string) {
   return cert.publicKey?.toString();
 }*/
 /**
-* @desc Read private key from pem-formatted string
-* @param {string | Buffer} keyString pem-formatted string
-* @param {string} protected passphrase of the key
-* @return {string} string in pem format
-* If passphrase is used to protect the .pem content (recommend)
-*/
-export function readPrivateKey(keyString: string | Buffer, passphrase: string | undefined, isOutputString?: boolean) {
-  return isString(passphrase) ? this.convertToString(pki.privateKeyToPem(pki.decryptRsaPrivateKey(String(keyString), passphrase)), isOutputString) : keyString;
+ * @desc Read private key from pem-formatted string
+ * @param {string | Buffer} keyString pem-formatted string
+ * @param {string} protected passphrase of the key
+ * @return {string} string in pem format
+ * If passphrase is used to protect the .pem content (recommend)
+ */
+
+/**
+ * PEM 头尾格式校验与修复
+ */
+function validatePEMHeaders(pem: string, keyType: string): string {
+  const expectedHeader = `-----BEGIN ${keyType}-----`;
+  const expectedFooter = `-----END ${keyType}-----`;
+
+  // 自动修复不规范的 PEM 头尾
+  return pem
+      .replace(/-{5}.*PRIVATE KEY-{5}/g, '')  // 清除已有头尾
+      .replace(/(\r\n|\n|\r)/gm, '\n')       // 统一换行符
+      .trim() +                               // 清理空白
+    `\n${expectedHeader}\n${pem}\n${expectedFooter}\n`;
 }
+export function readPrivateKey(
+  keyString: string | Buffer,
+  passphrase?: string,
+  isOutputString: boolean = true
+): string | Buffer {
+  try {
+    // 统一转换为字符串格式处理
+    const pemKey = Buffer.isBuffer(keyString)
+      ? keyString.toString('utf8')
+      : keyString;
+
+    // 创建私钥对象 (自动处理加密)
+    const keyObject = createPrivateKey({
+      key: pemKey,
+      format: 'pem',
+      passphrase: isString(passphrase) ? passphrase : undefined,
+      encoding: 'utf8'
+    });
+
+    // 验证密钥类型为 RSA
+    if (keyObject.asymmetricKeyType !== 'rsa') {
+      throw new Error('仅支持 RSA 私钥类型');
+    }
+
+    // 强制转换为 PKCS#1 格式
+    const exported = keyObject.export({
+      type: 'pkcs1',      // 明确指定 RSA 传统格式
+      format: 'pem'      // 输出为 PEM 格式
+    }) as string;
+
+    return isOutputString ? String(exported) : Buffer.from(exported, 'utf8');
+  } catch (error) {
+    throw new Error(`私钥读取失败: ${error.message}`);
+  }
+}
+
+
 /**
-* @desc Inline syntax sugar
-*/
+ * @desc Inline syntax sugar
+ */
 function convertToString(input, isOutputString) {
   return Boolean(isOutputString) ? String(input) : input;
 }
+
 /**
  * @desc Check if the input is an array with non-zero size
  */
-export function isNonEmptyArray(a:any) {
+export function isNonEmptyArray(a: any) {
   return Array.isArray(a) && a.length > 0;
 }
 

package/types/index.d.ts

@@ -1,10 +1,10 @@
-import IdentityProvider, { IdentityProvider as IdentityProviderInstance } from './src/entity-idp.js';
-import ServiceProvider, { ServiceProvider as ServiceProviderInstance } from './src/entity-sp.js';
-export { default as IdPMetadata } from './src/metadata-idp.js';
-export { default as SPMetadata } from './src/metadata-sp.js';
-export { default as Utility } from './src/utility.js';
-export { default as SamlLib } from './src/libsaml.js';
-import * as Constants from './src/urn.js';
-import * as Extractor from './src/extractor.js';
-import { setSchemaValidator, setDOMParserOptions } from './src/api.js';
-export { Constants, Extractor, IdentityProvider, IdentityProviderInstance, ServiceProvider, ServiceProviderInstance, setSchemaValidator, setDOMParserOptions };
+import IdentityProvider, { IdentityProvider as IdentityProviderInstance } from './src/entity-idp.js';
+import ServiceProvider, { ServiceProvider as ServiceProviderInstance } from './src/entity-sp.js';
+export { default as IdPMetadata } from './src/metadata-idp.js';
+export { default as SPMetadata } from './src/metadata-sp.js';
+export { default as Utility } from './src/utility.js';
+export { default as SamlLib } from './src/libsaml.js';
+import * as Constants from './src/urn.js';
+import * as Extractor from './src/extractor.js';
+import { setSchemaValidator, setDOMParserOptions } from './src/api.js';
+export { Constants, Extractor, IdentityProvider, IdentityProviderInstance, ServiceProvider, ServiceProviderInstance, setSchemaValidator, setDOMParserOptions };

package/types/src/api.d.ts

@@ -1,13 +1,13 @@
-import { DOMParser as dom, Options as DOMParserOptions } from '@xmldom/xmldom';
-interface Context extends ValidatorContext, DOMParserContext {
-}
-interface ValidatorContext {
-    validate?: (xml: string) => Promise<any>;
-}
-interface DOMParserContext {
-    dom: dom;
-}
-export declare function getContext(): Context;
-export declare function setSchemaValidator(params: ValidatorContext): void;
-export declare function setDOMParserOptions(options?: DOMParserOptions): void;
-export {};
+import { DOMParser as dom, Options as DOMParserOptions } from '@xmldom/xmldom';
+interface Context extends ValidatorContext, DOMParserContext {
+}
+interface ValidatorContext {
+    validate?: (xml: string) => Promise<any>;
+}
+interface DOMParserContext {
+    dom: dom;
+}
+export declare function getContext(): Context;
+export declare function setSchemaValidator(params: ValidatorContext): void;
+export declare function setDOMParserOptions(options?: DOMParserOptions): void;
+export {};

package/types/src/binding-post.d.ts

@@ -1,46 +1,46 @@
-/**
-* @file binding-post.ts
-* @author tngan
-* @desc Binding-level API, declare the functions using POST binding
-*/
-import { BindingContext } from './entity.js';
-/**
-* @desc Generate a base64 encoded login request
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
-declare function base64LoginRequest(referenceTagXPath: string, entity: any, customTagReplacement?: (template: string) => BindingContext): BindingContext;
-/**
-* @desc Generate a base64 encoded login response
-* @param  {object} requestInfo                 corresponding request, used to obtain the id
-* @param  {object} entity                      object includes both idp and sp
-* @param  {object} user                        current logged user (e.g. req.user)
-* @param  {function} customTagReplacement     used when developers have their own login response template
-* @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
-*/
-declare function base64LoginResponse(requestInfo: any | undefined, entity: any, user?: any, customTagReplacement?: (template: string) => BindingContext, encryptThenSign?: boolean): Promise<BindingContext>;
-/**
-* @desc Generate a base64 encoded logout request
-* @param  {object} user                         current logged user (e.g. req.user)
-* @param  {string} referenceTagXPath            reference uri
-* @param  {object} entity                       object includes both idp and sp
-* @param  {function} customTagReplacement      used when developers have their own login response template
-* @return {string} base64 encoded request
-*/
-declare function base64LogoutRequest(user: any, referenceTagXPath: any, entity: any, customTagReplacement?: (template: string) => BindingContext): BindingContext;
-/**
-* @desc Generate a base64 encoded logout response
-* @param  {object} requestInfo                 corresponding request, used to obtain the id
-* @param  {string} referenceTagXPath           reference uri
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
-declare function base64LogoutResponse(requestInfo: any, entity: any, customTagReplacement: (template: string) => BindingContext): BindingContext;
-declare const postBinding: {
-    base64LoginRequest: typeof base64LoginRequest;
-    base64LoginResponse: typeof base64LoginResponse;
-    base64LogoutRequest: typeof base64LogoutRequest;
-    base64LogoutResponse: typeof base64LogoutResponse;
-};
-export default postBinding;
+/**
+* @file binding-post.ts
+* @author tngan
+* @desc Binding-level API, declare the functions using POST binding
+*/
+import { BindingContext } from './entity.js';
+/**
+* @desc Generate a base64 encoded login request
+* @param  {string} referenceTagXPath           reference uri
+* @param  {object} entity                      object includes both idp and sp
+* @param  {function} customTagReplacement     used when developers have their own login response template
+*/
+declare function base64LoginRequest(referenceTagXPath: string, entity: any, customTagReplacement?: (template: string) => BindingContext): BindingContext;
+/**
+* @desc Generate a base64 encoded login response
+* @param  {object} requestInfo                 corresponding request, used to obtain the id
+* @param  {object} entity                      object includes both idp and sp
+* @param  {object} user                        current logged user (e.g. req.user)
+* @param  {function} customTagReplacement     used when developers have their own login response template
+* @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
+*/
+declare function base64LoginResponse(requestInfo: any, entity: any, user?: any, customTagReplacement?: (template: string) => BindingContext, encryptThenSign?: boolean): Promise<BindingContext>;
+/**
+* @desc Generate a base64 encoded logout request
+* @param  {object} user                         current logged user (e.g. req.user)
+* @param  {string} referenceTagXPath            reference uri
+* @param  {object} entity                       object includes both idp and sp
+* @param  {function} customTagReplacement      used when developers have their own login response template
+* @return {string} base64 encoded request
+*/
+declare function base64LogoutRequest(user: any, referenceTagXPath: any, entity: any, customTagReplacement?: (template: string) => BindingContext): BindingContext;
+/**
+* @desc Generate a base64 encoded logout response
+* @param  {object} requestInfo                 corresponding request, used to obtain the id
+* @param  {string} referenceTagXPath           reference uri
+* @param  {object} entity                      object includes both idp and sp
+* @param  {function} customTagReplacement     used when developers have their own login response template
+*/
+declare function base64LogoutResponse(requestInfo: any, entity: any, customTagReplacement: (template: string) => BindingContext): BindingContext;
+declare const postBinding: {
+    base64LoginRequest: typeof base64LoginRequest;
+    base64LoginResponse: typeof base64LoginResponse;
+    base64LogoutRequest: typeof base64LogoutRequest;
+    base64LogoutResponse: typeof base64LogoutResponse;
+};
+export default postBinding;

package/types/src/binding-redirect.d.ts

@@ -1,52 +1,52 @@
-import { BindingContext } from './entity.js';
-import { IdentityProvider as Idp } from './entity-idp.js';
-import { ServiceProvider as Sp } from './entity-sp.js';
-export interface BuildRedirectConfig {
-    baseUrl: string;
-    type: string;
-    isSigned: boolean;
-    context: string;
-    entitySetting: any;
-    relayState?: string;
-}
-/**
-* @desc Redirect URL for login request
-* @param  {object} entity                       object includes both idp and sp
-* @param  {function} customTagReplacement      used when developers have their own login response template
-* @return {string} redirect URL
-*/
-declare function loginRequestRedirectURL(entity: {
-    idp: Idp;
-    sp: Sp;
-}, customTagReplacement?: (template: string) => BindingContext): BindingContext;
-/**
-* @desc Redirect URL for login response
-* @param  {object} requestInfo             corresponding request, used to obtain the id
-* @param  {object} entity                      object includes both idp and sp
-* @param  {object} user                         current logged user (e.g. req.user)
-* @param  {String} relayState                the relaystate sent by sp corresponding request
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
-declare function loginResponseRedirectURL(requestInfo: any, entity: any, user?: any, relayState?: string, customTagReplacement?: (template: string) => BindingContext): BindingContext;
-/**
-* @desc Redirect URL for logout request
-* @param  {object} user                        current logged user (e.g. req.user)
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-* @return {string} redirect URL
-*/
-declare function logoutRequestRedirectURL(user: any, entity: any, relayState?: string, customTagReplacement?: (template: string, tags: object) => BindingContext): BindingContext;
-/**
-* @desc Redirect URL for logout response
-* @param  {object} requescorresponding request, used to obtain the id
-* @param  {object} entity                      object includes both idp and sp
-* @param  {function} customTagReplacement     used when developers have their own login response template
-*/
-declare function logoutResponseRedirectURL(requestInfo: any, entity: any, relayState?: string, customTagReplacement?: (template: string) => BindingContext): BindingContext;
-declare const redirectBinding: {
-    loginRequestRedirectURL: typeof loginRequestRedirectURL;
-    loginResponseRedirectURL: typeof loginResponseRedirectURL;
-    logoutRequestRedirectURL: typeof logoutRequestRedirectURL;
-    logoutResponseRedirectURL: typeof logoutResponseRedirectURL;
-};
-export default redirectBinding;
+import { BindingContext } from './entity.js';
+import { IdentityProvider as Idp } from './entity-idp.js';
+import { ServiceProvider as Sp } from './entity-sp.js';
+export interface BuildRedirectConfig {
+    baseUrl: string;
+    type: string;
+    isSigned: boolean;
+    context: string;
+    entitySetting: any;
+    relayState?: string;
+}
+/**
+ * @desc Redirect URL for login request
+ * @param  {object} entity                       object includes both idp and sp
+ * @param  {function} customTagReplacement      used when developers have their own login response template
+ * @return {string} redirect URL
+ */
+declare function loginRequestRedirectURL(entity: {
+    idp: Idp;
+    sp: Sp;
+}, customTagReplacement?: (template: string) => BindingContext): BindingContext;
+/**
+ * @desc Redirect URL for login response
+ * @param  {object} requestInfo             corresponding request, used to obtain the id
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {object} user                         current logged user (e.g. req.user)
+ * @param  {String} relayState                the relaystate sent by sp corresponding request
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
+declare function loginResponseRedirectURL(requestInfo: any, entity: any, user?: any, relayState?: string, customTagReplacement?: (template: string) => BindingContext): BindingContext;
+/**
+ * @desc Redirect URL for logout request
+ * @param  {object} user                        current logged user (e.g. req.user)
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ * @return {string} redirect URL
+ */
+declare function logoutRequestRedirectURL(user: any, entity: any, relayState?: string, customTagReplacement?: (template: string, tags: object) => BindingContext): BindingContext;
+/**
+ * @desc Redirect URL for logout response
+ * @param  {object} requescorresponding request, used to obtain the id
+ * @param  {object} entity                      object includes both idp and sp
+ * @param  {function} customTagReplacement     used when developers have their own login response template
+ */
+declare function logoutResponseRedirectURL(requestInfo: any, entity: any, relayState?: string, customTagReplacement?: (template: string) => BindingContext): BindingContext;
+declare const redirectBinding: {
+    loginRequestRedirectURL: typeof loginRequestRedirectURL;
+    loginResponseRedirectURL: typeof loginResponseRedirectURL;
+    logoutRequestRedirectURL: typeof logoutRequestRedirectURL;
+    logoutResponseRedirectURL: typeof logoutResponseRedirectURL;
+};
+export default redirectBinding;