samlesa 2.16.1 → 2.16.6

package/build/src/extractor.js

@@ -68,6 +68,19 @@ export const loginResponseStatusFields = [
     }
 ];
 // support two-tiers status code
+export const loginArtifactResponseStatusFields = [
+    {
+        key: 'top',
+        localPath: ['Envelope', 'Body', 'ArtifactResponse', 'Status', 'StatusCode'],
+        attributes: ['Value'],
+    },
+    {
+        key: 'second',
+        localPath: ['Envelope', 'Body', 'ArtifactResponse', 'Status', 'StatusCode', 'StatusCode'],
+        attributes: ['Value'],
+    }
+];
+// support two-tiers status code
 export const logoutResponseStatusFields = [
     {
         key: 'top',

package/build/src/flow.js

@@ -1,8 +1,12 @@
 import { base64Decode } from './utility.js';
 import { verifyTime } from './validator.js';
 import libsaml from './libsaml.js';
-import { extract, loginRequestFields, loginResponseFields, logoutRequestFields, logoutResponseFields, logoutResponseStatusFields, loginResponseStatusFields } from './extractor.js';
-import { BindingNamespace, ParserType, wording, StatusCode } from './urn.js';
+import * as uuid from 'uuid';
+import { select } from 'xpath';
+import { DOMParser } from '@xmldom/xmldom';
+import { sendArtifactResolve } from "./soap.js";
+import { extract, loginRequestFields, loginResponseFields, loginResponseStatusFields, loginArtifactResponseStatusFields, logoutRequestFields, logoutResponseFields, logoutResponseStatusFields } from './extractor.js';
+import { BindingNamespace, ParserType, StatusCode, wording } from './urn.js';
 const bindDict = wording.binding;
 const urlParams = wording.urlParams;
 // get the default extractor fields based on the parserType
@@ -122,6 +126,218 @@ async function redirectFlow(options) {
 }
 // proceed the post flow
 async function postFlow(options) {
+    const { soap = false, request, from, self, parserType, checkSignature = true } = options;
+    const { body } = request;
+    const direction = libsaml.getQueryParamByType(parserType);
+    let encodedRequest = '';
+    let samlContent = '';
+    if (soap === false) {
+        encodedRequest = body[direction];
+        // @ts-ignore
+        samlContent = String(base64Decode(encodedRequest));
+    }
+    /** 增加判断是不是Soap 工件绑定*/
+    if (soap) {
+        const metadata = {
+            idp: from.entityMeta,
+            sp: self.entityMeta,
+        };
+        const spSetting = self.entitySetting;
+        let ID = '_' + uuid.v4();
+        let url = metadata.idp.getArtifactResolutionService(bindDict.soap);
+        let samlSoapRaw = libsaml.replaceTagsByValue(libsaml.defaultArtifactResolveTemplate.context, {
+            ID: ID,
+            Destination: url,
+            Issuer: metadata.sp.getEntityID(),
+            IssueInstant: new Date().toISOString(),
+            Art: request.Art
+        });
+        if (!metadata.idp.isWantAuthnRequestsSigned()) {
+            samlContent = await sendArtifactResolve(url, samlSoapRaw);
+        }
+        if (metadata.idp.isWantAuthnRequestsSigned()) {
+            const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm, transformationAlgorithms } = spSetting;
+            let signatureSoap = libsaml.constructSAMLSignature({
+                referenceTagXPath: "//*[local-name(.)='ArtifactResolve']",
+                isMessageSigned: false,
+                isBase64Output: false,
+                transformationAlgorithms: transformationAlgorithms,
+                privateKey,
+                privateKeyPass,
+                signatureAlgorithm,
+                rawSamlMessage: samlSoapRaw,
+                signingCert: metadata.sp.getX509Certificate('signing'),
+                signatureConfig: {
+                    prefix: 'ds',
+                    location: {
+                        reference: "//*[local-name(.)='Issuer']",
+                        action: 'after'
+                    }
+                }
+            });
+            samlContent = await sendArtifactResolve(url, signatureSoap);
+        }
+    }
+    const verificationOptions = {
+        metadata: from.entityMeta,
+        signatureAlgorithm: from.entitySetting.requestSignatureAlgorithm,
+    };
+    /** 断言是否加密应根据响应里面的字段判断*/
+    let decryptRequired = from.entitySetting.isAssertionEncrypted;
+    let extractorFields = [];
+    // validate the xml first
+    let res = await libsaml.isValidXml(samlContent).catch((error) => {
+        return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
+    });
+    if (res !== true) {
+        return Promise.reject('ERR_EXCEPTION_VALIDATE_XML');
+    }
+    if (parserType !== urlParams.samlResponse) {
+        extractorFields = getDefaultExtractorFields(parserType, null);
+    }
+    // check status based on different scenarios
+    await checkStatus(samlContent, parserType, soap);
+    /**检查签名顺序 */
+    /*  if (
+        checkSignature &&
+        from.entitySetting.messageSigningOrder === MessageSignatureOrder.ETS
+      ) {
+        console.log("===============我走的这里=========================")
+        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
+        console.log(verified);
+        console.log("verified")
+        decryptRequired = isDecryptRequired
+        if (!verified) {
+          return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        if (!decryptRequired) {
+          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+        }
+      }*/
+    if (soap === true) {
+        const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignatureSoap(samlContent, verificationOptions);
+        decryptRequired = isDecryptRequired;
+        if (!verified) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        if (!decryptRequired) {
+            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+        }
+        if (parserType === 'SAMLResponse' && decryptRequired) {
+            // 1. 解密断言
+            const [decryptedSAML, decryptedAssertion] = await libsaml.decryptAssertionSoap(self, samlContent);
+            // 2. 检查解密后的断言是否包含签名
+            const assertionDoc = new DOMParser().parseFromString(decryptedAssertion, 'text/xml');
+            const assertionSignatureNodes = select("./*[local-name()='Signature']", assertionDoc.documentElement);
+            // 3. 如果存在签名则验证
+            if (assertionSignatureNodes.length > 0) {
+                // 3.1 创建新的验证选项（保持原配置）
+                const assertionVerificationOptions = {
+                    ...verificationOptions,
+                    isAssertion: true // 添加标识表示正在验证断言
+                };
+                // 3.2 验证断言签名
+                const [assertionVerified, result] = libsaml.verifySignatureSoap(decryptedAssertion, assertionVerificationOptions);
+                if (!assertionVerified) {
+                    console.error("解密后的断言签名验证失败");
+                    return Promise.reject('ERR_FAIL_TO_VERIFY_ASSERTION_SIGNATURE');
+                }
+                if (assertionVerified) {
+                    // @ts-ignore
+                    samlContent = result;
+                    extractorFields = getDefaultExtractorFields(parserType, result);
+                }
+            }
+            else {
+                samlContent = decryptedAssertion;
+                extractorFields = getDefaultExtractorFields(parserType, decryptedAssertion);
+            }
+        }
+    }
+    if (soap === false) {
+        const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
+        decryptRequired = isDecryptRequired;
+        if (!verified) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        if (!decryptRequired) {
+            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+        }
+        if (parserType === 'SAMLResponse' && decryptRequired) {
+            const result = await libsaml.decryptAssertion(self, samlContent);
+            samlContent = result[0];
+            extractorFields = getDefaultExtractorFields(parserType, result[1]);
+        }
+    }
+    // verify the signatures (the response is signed then encrypted, then decrypt first then verify)
+    /*  if (
+        checkSignature &&
+        from.entitySetting.messageSigningOrder === MessageSignatureOrder.STE
+      ) {
+        const [verified, verifiedAssertionNode,isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
+        decryptRequired = isDecryptRequired
+        if (verified) {
+          extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+        } else {
+          return Promise.reject('ERR_FAIL_TO_VERIFY_STE_SIGNATURE');
+        }
+      }*/
+    const parseResult = {
+        samlContent: samlContent,
+        extract: extract(samlContent, extractorFields),
+    };
+    /**
+     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+     */
+    const targetEntityMetadata = from.entityMeta;
+    const issuer = targetEntityMetadata.getEntityID();
+    const extractedProperties = parseResult.extract;
+    // unmatched issuer
+    if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+        && extractedProperties
+        && extractedProperties.issuer !== issuer) {
+        return Promise.reject('ERR_UNMATCH_ISSUER');
+    }
+    // invalid session time
+    // only run the verifyTime when `SessionNotOnOrAfter` exists
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.sessionIndex.sessionNotOnOrAfter
+        && !verifyTime(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, self.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_EXPIRED_SESSION');
+    }
+    // invalid time
+    // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.conditions
+        && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, self.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
+    }
+    //valid destination
+    //There is no validation of the response here. The upper-layer application
+    // should verify the result by itself to see if the destination is equal to the SP acs and
+    // whether the response.id is used to prevent replay attacks.
+    /*
+        let destination = extractedProperties?.response?.destination
+        let isExit = self.entitySetting?.assertionConsumerService?.filter((item) => {
+            return item?.Location === destination
+        })
+        if (isExit?.length === 0) {
+            return Promise.reject('ERR_Destination_URL');
+        }
+        if (parserType === 'SAMLResponse') {
+            let destination = extractedProperties?.response?.destination
+            let isExit = self.entitySetting?.assertionConsumerService?.filter((item: { Location: any; }) => {
+                return item?.Location === destination
+            })
+            if (isExit?.length === 0) {
+                return Promise.reject('ERR_Destination_URL');
+            }
+        }
+    */
+    return Promise.resolve(parseResult);
+}
+// proceed the post Artifact flow
+async function postArtifactFlow(options) {
     const { request, from, self, parserType, checkSignature = true } = options;
     const { body } = request;
     const direction = libsaml.getQueryParamByType(parserType);
@@ -330,16 +546,20 @@ async function postSimpleSignFlow(options) {
     }
     return Promise.resolve(parseResult);
 }
-function checkStatus(content, parserType) {
+function checkStatus(content, parserType, soap) {
     // only check response parser
     if (parserType !== urlParams.samlResponse && parserType !== urlParams.logoutResponse) {
         return Promise.resolve('SKIPPED');
     }
-    const fields = parserType === urlParams.samlResponse
+    let fields = parserType === urlParams.samlResponse
         ? loginResponseStatusFields
         : logoutResponseStatusFields;
+    if (soap === true) {
+        fields = parserType === urlParams.samlResponse
+            ? loginArtifactResponseStatusFields
+            : logoutResponseStatusFields;
+    }
     const { top, second } = extract(content, fields);
-    console.log(top, second);
     // only resolve when top-tier status code is success
     if (top === StatusCode.Success) {
         return Promise.resolve('OK');

package/build/src/libsaml.js

@@ -76,6 +76,16 @@ const libSaml = () => {
     const defaultLogoutRequestTemplate = {
         context: '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}"><saml:Issuer>{Issuer}</saml:Issuer><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID></samlp:LogoutRequest>',
     };
+    /**
+     * @desc Default art  request template
+     * @type {LogoutRequestTemplate}
+     */
+    const defaultArtifactResolveTemplate = {
+        context: `<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml2p:ArtifactResolve xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}"><saml2:Issuer>{Issuer}</saml2:Issuer><saml2p:Artifact>{Art}</saml2p:Artifact></saml2p:ArtifactResolve></SOAP-ENV:Body></SOAP-ENV:Envelope>`,
+    };
+    const defaultArtAuthnRequestTemplate = {
+        context: `<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header></SOAP-ENV:Header><samlp:ArtifactResponse xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}" InResponseTo="{InResponseTo}" Version="2.0" IssueInstant="{IssueInstant}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>{AuthnRequest}</samlp:ArtifactResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>`,
+    };
     /**
      * @desc Default AttributeStatement template
      * @type {AttributeStatementTemplate}
@@ -202,6 +212,8 @@ const libSaml = () => {
         createXPath,
         getQueryParamByType,
         defaultLoginRequestTemplate,
+        defaultArtAuthnRequestTemplate,
+        defaultArtifactResolveTemplate,
         defaultLoginResponseTemplate,
         defaultAttributeStatementTemplate,
         defaultAttributeTemplate,
@@ -445,7 +457,7 @@ const libSaml = () => {
                       assertionNode = node[0].toString();
                     }
                   }
-      
+
                   if (assertionSignatureNode.length === 1) {
                     const verifiedAssertionInfo = extract(assertionSignatureNode[0].toString(), [{
                       key: 'refURI',
@@ -477,9 +489,173 @@ const libSaml = () => {
                     }]);
                     assertionNode = verifiedDoc.assertion.toString();
                   }
-      
+
                   return [verified, assertionNode];*/
         },
+        verifySignatureSoap(xml, opts) {
+            const { dom } = getContext();
+            const doc = dom.parseFromString(xml);
+            const docParser = new DOMParser();
+            let selection = [];
+            if (opts.isAssertion) {
+                // 断言模式下的专用逻辑
+                const assertionSignatureXpath = "./*[local-name()='Signature']";
+                const signatureNode = select(assertionSignatureXpath, doc.documentElement);
+                if (signatureNode.length === 0) {
+                    throw new Error('ERR_ASSERTION_SIGNATURE_NOT_FOUND');
+                }
+                selection = selection.concat(signatureNode);
+            }
+            else {
+                // 原始的SOAP响应验证逻辑
+                const messageSignatureXpath = "/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Signature'] | " +
+                    "/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Response']/*[local-name()='Signature']";
+                const assertionSignatureXpath = "/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Response']" +
+                    "/*[local-name()='Assertion']/*[local-name()='Signature'] | " +
+                    "/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Response']" +
+                    "/*[local-name()='EncryptedAssertion']";
+                const wrappingElementsXPath = "/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Response']" +
+                    "/*[local-name()='Assertion']/*[local-name()='Subject']" +
+                    "/*[local-name()='SubjectConfirmation']" +
+                    "/*[local-name()='SubjectConfirmationData']" +
+                    "//*[local-name()='Assertion' or local-name()='Signature']";
+                const messageSignatureNode = select(messageSignatureXpath, doc);
+                const assertionSignatureNode = select(assertionSignatureXpath, doc);
+                const wrappingElementNode = select(wrappingElementsXPath, doc);
+                // 检测包装攻击
+                if (wrappingElementNode.length !== 0) {
+                    throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
+                }
+                // 保证响应中至少有一个签名
+                if (messageSignatureNode.length === 0 && assertionSignatureNode.length === 0) {
+                    throw new Error('ERR_ZERO_SIGNATURE');
+                }
+                selection = selection.concat(messageSignatureNode, assertionSignatureNode);
+            }
+            for (const signatureNode of selection) {
+                const sig = new SignedXml();
+                let verified = false;
+                sig.signatureAlgorithm = opts.signatureAlgorithm;
+                if (!opts.keyFile && !opts.metadata) {
+                    throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
+                }
+                if (opts.keyFile) {
+                    sig.publicCert = fs.readFileSync(opts.keyFile, 'utf-8');
+                }
+                if (opts.metadata) {
+                    const certificateNodes = select(".//*[local-name(.)='X509Certificate']", signatureNode);
+                    // 获取元数据中的证书
+                    let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
+                    // 规范化元数据证书
+                    if (Array.isArray(metadataCert)) {
+                        metadataCert = flattenDeep(metadataCert);
+                    }
+                    else if (typeof metadataCert === 'string') {
+                        metadataCert = [metadataCert];
+                    }
+                    metadataCert = metadataCert.map(utility.normalizeCerString);
+                    // 检查证书可用性
+                    if (certificateNodes.length === 0 && metadataCert.length === 0) {
+                        throw new Error('NO_SELECTED_CERTIFICATE');
+                    }
+                    // 响应中有证书节点
+                    if (certificateNodes.length !== 0) {
+                        // 安全获取证书数据
+                        let x509CertificateData = '';
+                        if (certificateNodes[0].firstChild) {
+                            x509CertificateData = certificateNodes[0].firstChild.data;
+                        }
+                        else if (certificateNodes[0].textContent) {
+                            x509CertificateData = certificateNodes[0].textContent;
+                        }
+                        const x509Certificate = utility.normalizeCerString(x509CertificateData);
+                        // 验证证书匹配
+                        if (metadataCert.length >= 1 &&
+                            !metadataCert.find(cert => cert.trim() === x509Certificate.trim())) {
+                            throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
+                        }
+                        sig.publicCert = this.getKeyInfo(x509Certificate).getKey();
+                    }
+                    else {
+                        // 使用元数据中的第一个证书
+                        sig.publicCert = this.getKeyInfo(metadataCert[0]).getKey();
+                    }
+                }
+                // 加载签名
+                sig.loadSignature(signatureNode);
+                // 使用原始 XML 进行验证
+                verified = sig.checkSignature(xml);
+                console.log("签名验证结果:", verified);
+                if (!verified) {
+                    console.error("签名验证失败");
+                    throw new Error('ERR_FAILED_TO_VERIFY_SIGNATURE');
+                }
+                // 检查签名引用
+                if (!(sig.getSignedReferences().length >= 1)) {
+                    throw new Error('NO_SIGNATURE_REFERENCES');
+                }
+                const signedVerifiedXML = sig.getSignedReferences()[0];
+                const verifiedDoc = docParser.parseFromString(signedVerifiedXML, 'text/xml');
+                const rootNode = verifiedDoc.documentElement;
+                console.log("签名引用根节点:", rootNode.localName);
+                // 断言模式专用返回逻辑
+                if (opts.isAssertion) {
+                    if (rootNode.localName === 'Assertion') {
+                        return [true, rootNode.toString(), false];
+                    }
+                    else {
+                        throw new Error('ERR_INVALID_ASSERTION_SIGNATURE');
+                    }
+                }
+                // 处理已验证的签名
+                if (rootNode.localName === 'ArtifactResponse') {
+                    // 在 ArtifactResponse 中查找 Response
+                    const responseNodes = select("./*[local-name()='Response']", rootNode);
+                    if (responseNodes.length === 0) {
+                        console.warn("ArtifactResponse 中没有找到 Response 元素");
+                        continue;
+                    }
+                    const responseNode = responseNodes[0];
+                    // 在 Response 中查找断言
+                    const encryptedAssertions = select("./*[local-name()='EncryptedAssertion']", responseNode);
+                    const assertions = select("./*[local-name()='Assertion']", responseNode);
+                    if (encryptedAssertions.length === 1) {
+                        return [true, encryptedAssertions[0].toString(), true];
+                    }
+                    if (assertions.length === 1) {
+                        return [true, assertions[0].toString(), false];
+                    }
+                }
+                // 直接处理 Response
+                else if (rootNode.localName === 'Response') {
+                    const encryptedAssertions = select("./*[local-name()='EncryptedAssertion']", rootNode);
+                    const assertions = select("./*[local-name()='Assertion']", rootNode);
+                    if (encryptedAssertions.length === 1) {
+                        return [true, encryptedAssertions[0].toString(), true];
+                    }
+                    if (assertions.length === 1) {
+                        return [true, assertions[0].toString(), false];
+                    }
+                }
+                // 直接处理 Assertion
+                else if (rootNode.localName === 'Assertion') {
+                    return [true, rootNode.toString(), false];
+                }
+                // 直接处理 EncryptedAssertion
+                else if (rootNode.localName === 'EncryptedAssertion') {
+                    return [true, rootNode.toString(), true];
+                }
+                else {
+                    console.warn("未知的根节点类型:", rootNode.localName);
+                }
+            }
+            throw new Error('ERR_ZERO_SIGNATURE');
+        },
         /**
          * @desc Helper function to create the key section in metadata (abstraction for signing and encrypt use)
          * @param  {string} use          type of certificate (e.g. signing, encrypt)
@@ -686,6 +862,61 @@ const libSaml = () => {
                 });
             });
         },
+        /**
+         * 解密 SOAP 响应中的加密断言
+         * @param self 当前实体（SP 或 IdP）
+         * @param entireXML 完整的 SOAP XML 响应
+         * @returns [解密后的完整 SOAP XML, 解密后的断言 XML]
+         */
+        async decryptAssertionSoap(self, entireXML) {
+            const { dom } = getContext();
+            try {
+                // 1. 解析 XML
+                const doc = dom.parseFromString(entireXML);
+                // 2. 定位加密断言
+                const encryptedAssertions = select("/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Response']" +
+                    "/*[local-name()='EncryptedAssertion']", doc);
+                if (!encryptedAssertions || encryptedAssertions.length === 0) {
+                    throw new Error('ERR_ENCRYPTED_ASSERTION_NOT_FOUND');
+                }
+                if (encryptedAssertions.length > 1) {
+                    console.warn('发现多个加密断言，仅处理第一个');
+                }
+                const encAssertionNode = encryptedAssertions[0];
+                // 3. 准备解密密钥
+                const privateKey = utility.readPrivateKey(self.entitySetting.encPrivateKey, self.entitySetting.encPrivateKeyPass);
+                // 4. 解密断言
+                const decryptedAssertion = await new Promise((resolve, reject) => {
+                    xmlenc.decrypt(encAssertionNode.toString(), { key: privateKey }, (err, result) => {
+                        if (err) {
+                            console.error('解密错误:', err);
+                            return reject(new Error('ERR_ASSERTION_DECRYPTION_FAILED'));
+                        }
+                        if (!result) {
+                            return reject(new Error('ERR_EMPTY_DECRYPTED_ASSERTION'));
+                        }
+                        resolve(result);
+                    });
+                });
+                // 5. 创建解密断言的 DOM
+                const decryptedDoc = dom.parseFromString(decryptedAssertion);
+                const decryptedAssertionNode = decryptedDoc.documentElement;
+                // 6. 替换加密断言为解密后的断言
+                const parentNode = encAssertionNode.parentNode;
+                if (!parentNode) {
+                    throw new Error('ERR_NO_PARENT_NODE_FOR_ENCRYPTED_ASSERTION');
+                }
+                parentNode.replaceChild(decryptedAssertionNode, encAssertionNode);
+                // 7. 序列化更新后的文档
+                const updatedSoapXml = doc.toString();
+                return [updatedSoapXml, decryptedAssertion];
+            }
+            catch (error) {
+                console.error('SOAP断言解密失败:', error);
+                throw new Error('ERR_SOAP_ASSERTION_DECRYPTION');
+            }
+        },
         /**
          * @desc Check if the xml string is valid and bounded
          */

package/build/src/metadata-idp.js

@@ -102,6 +102,13 @@ export class IdpMetadata extends Metadata {
                 attributePath: [],
                 attributes: ['Location']
             },
+            {
+                key: 'artifactResolutionService',
+                localPath: ['EntityDescriptor', 'IDPSSODescriptor', 'ArtifactResolutionService'],
+                index: ['Binding'],
+                attributePath: [],
+                attributes: ['Location']
+            },
         ]);
     }
     /**
@@ -130,4 +137,19 @@ export class IdpMetadata extends Metadata {
         }
         return this.meta.singleSignOnService;
     }
+    /**
+     * @desc Get the entity endpoint for single ArtifactResolutionService
+     * @param  {string} binding      protocol binding (e.g. redirect, post)
+     * @return {string/object} location
+     */
+    getArtifactResolutionService(binding) {
+        if (isString(binding)) {
+            const bindName = namespace.binding[binding];
+            const service = this.meta.artifactResolutionService[bindName];
+            if (service) {
+                return service;
+            }
+        }
+        return this.meta.artifactResolutionService;
+    }
 }

package/build/src/metadata-sp.js

@@ -70,6 +70,20 @@ export class SpMetadata extends Metadata {
                     descriptors.SingleLogoutService.push([{ _attr: attr }]);
                 });
             }
+            if (isNonEmptyArray(artifactResolutionService)) {
+                let indexCount = 0;
+                artifactResolutionService.forEach(a => {
+                    const attr = {
+                        index: String(indexCount++),
+                        Binding: a.Binding,
+                        Location: a.Location,
+                    };
+                    if (a.isDefault) {
+                        attr.isDefault = true;
+                    }
+                    descriptors.ArtifactResolutionService.push([{ _attr: attr }]);
+                });
+            }
             if (isNonEmptyArray(assertionConsumerService)) {
                 let indexCount = 0;
                 assertionConsumerService.forEach(a => {
@@ -150,21 +164,6 @@ export class SpMetadata extends Metadata {
                     descriptors.AttributeConsumingService.push(attrConsumingService);
                 });
             }
-            if (isNonEmptyArray(artifactResolutionService)) {
-                artifactResolutionService.forEach(a => {
-                    const attr = {
-                        Binding: a.Binding,
-                        Location: a.Location,
-                    };
-                    if (a.isDefault) {
-                        attr.isDefault = true;
-                    }
-                    descriptors.ArtifactResolutionService.push([{ _attr: attr }]);
-                });
-            }
-            else {
-                console.warn('Construct identity  provider - missing endpoint of ArtifactResolutionService');
-            }
             // handle element order
             const existedElements = elementsOrder.filter(name => isNonEmptyArray(descriptors[name]));
             existedElements.forEach(name => {
@@ -193,6 +192,11 @@ export class SpMetadata extends Metadata {
                 key: 'assertionConsumerService',
                 localPath: ['EntityDescriptor', 'SPSSODescriptor', 'AssertionConsumerService'],
                 attributes: ['Binding', 'Location', 'isDefault', 'index'],
+            },
+            {
+                key: 'artifactResolutionService',
+                localPath: ['EntityDescriptor', 'SPSSODescriptor', 'ArtifactResolutionService'],
+                attributes: ['Binding', 'Location', 'isDefault', 'index'],
             }
         ]);
     }