samlesa 2.16.5 → 2.17.0

package/build/src/libsaml.js

@@ -4,10 +4,10 @@
  * @desc  A simple library including some common functions
  */
 import xml from 'xml';
-import { createSign, createPrivateKey, createVerify } from 'node:crypto';
-import utility, { flattenDeep, isString } from './utility.js';
-import { algorithms, wording, namespace } from './urn.js';
+import utility, { flattenDeep, inflateString, isString } from './utility.js';
+import { algorithms, namespace, wording } from './urn.js';
 import { select } from 'xpath';
+import nrsa from 'node-rsa';
 import { SignedXml } from 'xml-crypto';
 import * as xmlenc from 'xml-encryption';
 import camelCase from 'camelcase';
@@ -15,26 +15,10 @@ import { getContext } from './api.js';
 import xmlEscape from 'xml-escape';
 import * as fs from 'fs';
 import { DOMParser } from '@xmldom/xmldom';
-import { inflate } from 'pako';
 const signatureAlgorithms = algorithms.signature;
 const digestAlgorithms = algorithms.digest;
 const certUse = wording.certUse;
 const urlParams = wording.urlParams;
-/**
- * 算法名称映射表 (兼容 X.509 和 SAML 规范)
- */
-function mapSignAlgorithm(algorithm) {
-    const algorithmMap = {
-        'rsa-sha1': 'RSA-SHA1',
-        'rsa-sha256': 'RSA-SHA256',
-        'rsa-sha384': 'RSA-SHA384',
-        'rsa-sha512': 'RSA-SHA512',
-        'ecdsa-sha256': 'ECDSA-SHA256',
-        'ecdsa-sha384': 'ECDSA-SHA384',
-        'ecdsa-sha512': 'ECDSA-SHA512'
-    };
-    return algorithmMap[algorithm.toLowerCase()] || algorithm;
-}
 const libSaml = () => {
     /**
      * @desc helper function to get back the query param for redirect binding for SLO/SSO
@@ -52,6 +36,7 @@ const libSaml = () => {
     /**
      *
      */
+    // 签名算法映射表
     const nrsaAliasMapping = {
         'http://www.w3.org/2000/09/xmldsig#rsa-sha1': 'pkcs1-sha1',
         'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': 'pkcs1-sha256',
@@ -70,19 +55,22 @@ const libSaml = () => {
         context: '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="{AssertionConsumerServiceURL}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:NameIDPolicy Format="{NameIDFormat}" AllowCreate="{AllowCreate}"/></samlp:AuthnRequest>',
     };
     /**
-     * @desc Default art  request template
+     * @desc Default logout request template
      * @type {LogoutRequestTemplate}
      */
     const defaultLogoutRequestTemplate = {
         context: '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}"><saml:Issuer>{Issuer}</saml:Issuer><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID></samlp:LogoutRequest>',
     };
     /**
-     * @desc Default logout request template
+     * @desc Default art  request template
      * @type {LogoutRequestTemplate}
      */
     const defaultArtifactResolveTemplate = {
         context: `<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml2p:ArtifactResolve xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}"><saml2:Issuer>{Issuer}</saml2:Issuer><saml2p:Artifact>{Art}</saml2p:Artifact></saml2p:ArtifactResolve></SOAP-ENV:Body></SOAP-ENV:Envelope>`,
     };
+    const defaultArtAuthnRequestTemplate = {
+        context: `<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header></SOAP-ENV:Header><samlp:ArtifactResponse xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}" InResponseTo="{InResponseTo}" Version="2.0" IssueInstant="{IssueInstant}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>{AuthnRequest}</samlp:ArtifactResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>`,
+    };
     /**
      * @desc Default AttributeStatement template
      * @type {AttributeStatementTemplate}
@@ -123,6 +111,21 @@ const libSaml = () => {
     const defaultLogoutResponseTemplate = {
         context: '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status></samlp:LogoutResponse>',
     };
+    /**
+     * @private
+     * @desc Get the signing scheme alias by signature algorithms, used by the node-rsa module
+     * @param {string} sigAlg    signature algorithm
+     * @return {string/null} signing algorithm short-hand for the module node-rsa
+     */
+    function getSigningScheme(sigAlg) {
+        if (sigAlg) {
+            const algAlias = nrsaAliasMapping[sigAlg];
+            if (!(algAlias === undefined)) {
+                return algAlias;
+            }
+        }
+        return nrsaAliasMapping[signatureAlgorithms.RSA_SHA1];
+    }
     function validateAndInflateSamlResponse(urlEncodedResponse) {
         // 3. 尝试DEFLATE解压（SAML规范要求使用原始DEFLATE）
         let xml = "";
@@ -130,18 +133,14 @@ const libSaml = () => {
         try { // 1. URL解码
             const base64Encoded = decodeURIComponent(urlEncodedResponse);
             // 2. Base64解码为Uint8Array
-            const binaryStr = atob(base64Encoded);
-            const compressedData = new Uint8Array(binaryStr.length);
-            for (let i = 0; i < binaryStr.length; i++) {
-                compressedData[i] = binaryStr.charCodeAt(i);
-            }
-            xml = inflate(compressedData, { to: 'string', raw: true });
+            xml = inflateString(base64Encoded);
         }
         catch (inflateError) {
             // 4. 解压失败，尝试直接解析为未压缩的XML
+            console.log("解压失败---------------------");
             try {
                 const base64Encoded = decodeURIComponent(urlEncodedResponse);
-                xml = Buffer.from(base64Encoded, 'base64').toString('utf-8');
+                xml = atob(base64Encoded);
                 return { compressed: false, xml, error: null };
             }
             catch (xmlError) {
@@ -209,6 +208,7 @@ const libSaml = () => {
         createXPath,
         getQueryParamByType,
         defaultLoginRequestTemplate,
+        defaultArtAuthnRequestTemplate,
         defaultArtifactResolveTemplate,
         defaultLoginResponseTemplate,
         defaultAttributeStatementTemplate,
@@ -273,6 +273,9 @@ const libSaml = () => {
             };
             // 生成 XML（关闭自动声明头）
             const xmlString = xml([attributeStatement], { declaration: false });
+            if (xmlString.trim() === '<saml:AttributeStatement></saml:AttributeStatement>') {
+                return '';
+            }
             return xmlString.trim();
         },
         /**
@@ -320,7 +323,7 @@ const libSaml = () => {
             else {
                 sig.computeSignature(rawSamlMessage);
             }
-            return isBase64Output !== false ? utility.base64Encode(sig.getSignedXml()) : sig.getSignedXml();
+            return isBase64Output ? utility.base64Encode(sig.getSignedXml()) : sig.getSignedXml();
         },
         /**
          * @desc Verify the XML signature
@@ -333,29 +336,68 @@ const libSaml = () => {
         // tslint:disable-next-line:no-shadowed-variable
         verifySignature(xml, opts) {
             const { dom } = getContext();
-            const doc = dom.parseFromString(xml);
+            const doc = dom.parseFromString(xml, 'application/xml');
             const docParser = new DOMParser();
             // In order to avoid the wrapping attack, we have changed to use absolute xpath instead of naively fetching the signature element
+            const LogoutResponseSignatureXpath = "/*[local-name()='LogoutResponse']/*[local-name()='Signature']";
+            const logoutRequestSignatureXpath = "/*[local-name()='LogoutRequest']/*[local-name()='Signature']";
             // message signature (logout response / saml response)
             const messageSignatureXpath = "/*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/*[local-name(.)='Signature']";
             // assertion signature (logout response / saml response)
             const assertionSignatureXpath = "/*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/*[local-name(.)='Assertion']/*[local-name(.)='Signature']";
             // check if there is a potential malicious wrapping signature
             const wrappingElementsXPath = "/*[contains(local-name(), 'Response')]/*[local-name(.)='Assertion']/*[local-name(.)='Subject']/*[local-name(.)='SubjectConfirmation']/*[local-name(.)='SubjectConfirmationData']//*[local-name(.)='Assertion' or local-name(.)='Signature']";
+            // const wrappingElementsXPath = "/*[contains(local-name(), 'Response')]/*[local-name(.)='Assertion']/*[local-name(.)='Subject']/*[local-name(.)='SubjectConfirmation']/*[local-name(.)='SubjectConfirmationData']//*[local-name(.)='Assertion' or local-name(.)='Signature']";
+            // @ts-expect-error misssing Node properties are not needed
+            const encryptedAssertions = select("/*[contains(local-name(), 'Response')]/*[local-name(.)='EncryptedAssertion']", doc);
+            const encAssertionNode = encryptedAssertions[0];
             // select the signature node
             let selection = [];
+            // @ts-expect-error misssing Node properties are not needed
             const messageSignatureNode = select(messageSignatureXpath, doc);
+            // @ts-expect-error misssing Node properties are not needed
             const assertionSignatureNode = select(assertionSignatureXpath, doc);
+            // @ts-expect-error misssing Node properties are not needed
             const wrappingElementNode = select(wrappingElementsXPath, doc);
-            selection = selection.concat(messageSignatureNode);
-            selection = selection.concat(assertionSignatureNode);
+            // @ts-expect-error misssing Node properties are not needed
+            const LogoutResponseSignatureElementNode = select(LogoutResponseSignatureXpath, doc);
             // try to catch potential wrapping attack
             if (wrappingElementNode.length !== 0) {
                 throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
             }
+            // 优先检测 LogoutRequest 签名
+            // @ts-expect-error missing Node properties
+            const logoutRequestSignature = select(logoutRequestSignatureXpath, doc);
+            if (logoutRequestSignature.length > 0) {
+                selection = selection.concat(logoutRequestSignature);
+            }
+            selection = selection.concat(messageSignatureNode);
+            selection = selection.concat(assertionSignatureNode);
+            selection = selection.concat(LogoutResponseSignatureElementNode);
             // guarantee to have a signature in saml response
             if (selection.length === 0) {
-                throw new Error('ERR_ZERO_SIGNATURE');
+                /** 判断有没有加密如果没有加密返回 [false, null]*/
+                if (encryptedAssertions.length > 0) {
+                    if (!Array.isArray(encryptedAssertions) || encryptedAssertions.length === 0) {
+                        return [false, null, false, true]; // we return false now
+                    }
+                    if (encryptedAssertions.length > 1) {
+                        throw new Error('ERR_MULTIPLE_ASSERTION');
+                    }
+                    return [false, null, true, true]; // return encryptedAssert
+                }
+            }
+            if (selection.length !== 0) {
+                /** 判断有没有加密如果没有加密返回 [false, null]*/
+                if (logoutRequestSignature.length === 0 && LogoutResponseSignatureElementNode.length === 0 && encryptedAssertions.length > 0) {
+                    if (!Array.isArray(encryptedAssertions) || encryptedAssertions.length === 0) {
+                        return [false, null, true, false]; // we return false now
+                    }
+                    if (encryptedAssertions.length > 1) {
+                        throw new Error('ERR_MULTIPLE_ASSERTION');
+                    }
+                    return [false, null, true, false]; // return encryptedAssert
+                }
             }
             // need to refactor later on
             for (const signatureNode of selection) {
@@ -403,7 +445,6 @@ const libSaml = () => {
                     }
                 }
                 sig.loadSignature(signatureNode);
-                doc.removeChild(signatureNode);
                 verified = sig.checkSignature(doc.toString());
                 // immediately throw error when any one of the signature is failed to get verified
                 if (!verified) {
@@ -416,86 +457,56 @@ const libSaml = () => {
                     throw new Error('NO_SIGNATURE_REFERENCES');
                 }
                 const signedVerifiedXML = sig.getSignedReferences()[0];
-                const rootNode = docParser.parseFromString(signedVerifiedXML, 'text/xml').documentElement;
+                const rootNode = docParser.parseFromString(signedVerifiedXML, 'application/xml').documentElement;
                 // process the verified signature:
                 // case 1, rootSignedDoc is a response:
-                if (rootNode.localName === 'Response') {
+                if (rootNode?.localName === 'Response') {
                     // try getting the Xml from the first assertion
-                    const EncryptedAssertions = select("./*[local-name()='EncryptedAssertion']", rootNode);
-                    const assertions = select("./*[local-name()='Assertion']", rootNode);
+                    const EncryptedAssertions = select("./*[local-name()='EncryptedAssertion']", 
+                    // @ts-expect-error misssing Node properties are not needed
+                    rootNode);
+                    const assertions = select("./*[local-name()='Assertion']", 
+                    // @ts-expect-error misssing Node properties are not needed
+                    rootNode);
                     /**第三个参数代表是否加密*/
                     // now we can process the assertion as an assertion
                     if (EncryptedAssertions.length === 1) {
                         /** 已加密*/
-                        return [true, EncryptedAssertions[0].toString(), true];
+                        return [true, EncryptedAssertions[0].toString(), true, false];
                     }
                     if (assertions.length === 1) {
-                        return [true, assertions[0].toString(), false];
+                        return [true, assertions[0].toString(), false, false];
                     }
                 }
-                else if (rootNode.localName === 'Assertion') {
-                    return [true, rootNode.toString(), false];
+                else if (rootNode?.localName === 'Assertion') {
+                    return [true, rootNode.toString(), false, false];
                 }
-                else if (rootNode.localName === 'EncryptedAssertion') {
-                    return [true, rootNode.toString(), true];
+                else if (rootNode?.localName === 'EncryptedAssertion') {
+                    return [true, rootNode.toString(), true, false];
+                }
+                else if (rootNode?.localName === 'LogoutRequest') {
+                    return [true, rootNode.toString(), false, false];
+                }
+                else if (rootNode?.localName === 'LogoutResponse') {
+                    return [true, rootNode.toString(), false, false];
                 }
                 else {
-                    return [true, null]; // signature is valid. But there is no assertion node here. It could be metadata node, hence return null
+                    return [true, null, false, false]; // signature is valid. But there is no assertion node here. It could be metadata node, hence return null
                 }
             }
             // something has gone seriously wrong if we are still here
-            throw new Error('ERR_ZERO_SIGNATURE');
-            // response must be signed, either entire document or assertion
-            // default we will take the assertion section under root
-            /*      if (messageSignatureNode.length === 1) {
-                    const node = select("/!*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/!*[local-name(.)='Assertion']", doc);
-                    if (node.length === 1) {
-                      assertionNode = node[0].toString();
-                    }
-                  }
-      
-                  if (assertionSignatureNode.length === 1) {
-                    const verifiedAssertionInfo = extract(assertionSignatureNode[0].toString(), [{
-                      key: 'refURI',
-                      localPath: ['Signature', 'SignedInfo', 'Reference'],
-                      attributes: ['URI']
-                    }]);
-                    // get the assertion supposed to be the one should be verified
-                    const desiredAssertionInfo = extract(doc.toString(), [{
-                      key: 'id',
-                      localPath: ['~Response', 'Assertion'],
-                      attributes: ['ID']
-                    }]);
-                    // 5.4.2 References
-                    // SAML assertions and protocol messages MUST supply a value for the ID attribute on the root element of
-                    // the assertion or protocol message being signed. The assertion’s or protocol message's root element may
-                    // or may not be the root element of the actual XML document containing the signed assertion or protocol
-                    // message (e.g., it might be contained within a SOAP envelope).
-                    // Signatures MUST contain a single <ds:Reference> containing a same-document reference to the ID
-                    // attribute value of the root element of the assertion or protocol message being signed. For example, if the
-                    // ID attribute value is "foo", then the URI attribute in the <ds:Reference> element MUST be "#foo".
-                    if (verifiedAssertionInfo.refURI !== `#${desiredAssertionInfo.id}`) {
-                      throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
-                    }
-                    const verifiedDoc = extract(doc.toString(), [{
-                      key: 'assertion',
-                      localPath: ['~Response', 'Assertion'],
-                      attributes: [],
-                      context: true
-                    }]);
-                    assertionNode = verifiedDoc.assertion.toString();
-                  }
-      
-                  return [verified, assertionNode];*/
+            return [false, null, false, true]; // return encryptedAssert
+            /*   throw new Error('ERR_ZERO_SIGNATURE');*/
         },
         verifySignatureSoap(xml, opts) {
             const { dom } = getContext();
-            const doc = dom.parseFromString(xml);
+            const doc = dom.parseFromString(xml, 'application/xml');
             const docParser = new DOMParser();
             let selection = [];
             if (opts.isAssertion) {
                 // 断言模式下的专用逻辑
                 const assertionSignatureXpath = "./*[local-name()='Signature']";
+                // @ts-expect-error misssing Node properties are not needed
                 const signatureNode = select(assertionSignatureXpath, doc.documentElement);
                 if (signatureNode.length === 0) {
                     throw new Error('ERR_ASSERTION_SIGNATURE_NOT_FOUND');
@@ -520,8 +531,11 @@ const libSaml = () => {
                     "/*[local-name()='SubjectConfirmation']" +
                     "/*[local-name()='SubjectConfirmationData']" +
                     "//*[local-name()='Assertion' or local-name()='Signature']";
+                // @ts-expect-error misssing Node properties are not needed
                 const messageSignatureNode = select(messageSignatureXpath, doc);
+                // @ts-expect-error misssing Node properties are not needed
                 const assertionSignatureNode = select(assertionSignatureXpath, doc);
+                // @ts-expect-error misssing Node properties are not needed
                 const wrappingElementNode = select(wrappingElementsXPath, doc);
                 // 检测包装攻击
                 if (wrappingElementNode.length !== 0) {
@@ -586,9 +600,7 @@ const libSaml = () => {
                 sig.loadSignature(signatureNode);
                 // 使用原始 XML 进行验证
                 verified = sig.checkSignature(xml);
-                console.log("签名验证结果:", verified);
                 if (!verified) {
-                    console.error("签名验证失败");
                     throw new Error('ERR_FAILED_TO_VERIFY_SIGNATURE');
                 }
                 // 检查签名引用
@@ -596,12 +608,11 @@ const libSaml = () => {
                     throw new Error('NO_SIGNATURE_REFERENCES');
                 }
                 const signedVerifiedXML = sig.getSignedReferences()[0];
-                const verifiedDoc = docParser.parseFromString(signedVerifiedXML, 'text/xml');
+                const verifiedDoc = docParser.parseFromString(signedVerifiedXML, 'application/xml');
                 const rootNode = verifiedDoc.documentElement;
-                console.log("签名引用根节点:", rootNode.localName);
                 // 断言模式专用返回逻辑
                 if (opts.isAssertion) {
-                    if (rootNode.localName === 'Assertion') {
+                    if (rootNode?.localName === 'Assertion') {
                         return [true, rootNode.toString(), false];
                     }
                     else {
@@ -609,11 +620,14 @@ const libSaml = () => {
                     }
                 }
                 // 处理已验证的签名
+                // @ts-expect-error misssing Node properties are not needed
                 if (rootNode.localName === 'ArtifactResponse') {
                     // 在 ArtifactResponse 中查找 Response
-                    const responseNodes = select("./*[local-name()='Response']", rootNode);
+                    // @ts-expect-error misssing Node properties are not needed
+                    const responseNodes = select("./*[local-name()='Response']", 
+                    // @ts-expect-error misssing Node properties are not needed
+                    rootNode);
                     if (responseNodes.length === 0) {
-                        console.warn("ArtifactResponse 中没有找到 Response 元素");
                         continue;
                     }
                     const responseNode = responseNodes[0];
@@ -628,9 +642,15 @@ const libSaml = () => {
                     }
                 }
                 // 直接处理 Response
-                else if (rootNode.localName === 'Response') {
-                    const encryptedAssertions = select("./*[local-name()='EncryptedAssertion']", rootNode);
-                    const assertions = select("./*[local-name()='Assertion']", rootNode);
+                else if (rootNode?.localName === 'Response') {
+                    // @ts-expect-error misssing Node properties are not needed
+                    const encryptedAssertions = select("./*[local-name()='EncryptedAssertion']", 
+                    // @ts-expect-error misssing Node properties are not needed
+                    rootNode);
+                    // @ts-expect-error misssing Node properties are not needed
+                    const assertions = select("./*[local-name()='Assertion']", 
+                    // @ts-expect-error misssing Node properties are not needed
+                    rootNode);
                     if (encryptedAssertions.length === 1) {
                         return [true, encryptedAssertions[0].toString(), true];
                     }
@@ -639,15 +659,15 @@ const libSaml = () => {
                     }
                 }
                 // 直接处理 Assertion
-                else if (rootNode.localName === 'Assertion') {
+                else if (rootNode?.localName === 'Assertion') {
                     return [true, rootNode.toString(), false];
                 }
                 // 直接处理 EncryptedAssertion
-                else if (rootNode.localName === 'EncryptedAssertion') {
+                else if (rootNode?.localName === 'EncryptedAssertion') {
                     return [true, rootNode.toString(), true];
                 }
                 else {
-                    console.warn("未知的根节点类型:", rootNode.localName);
+                    console.warn("未知的根节点类型:", rootNode?.localName);
                 }
             }
             throw new Error('ERR_ZERO_SIGNATURE');
@@ -690,59 +710,43 @@ const libSaml = () => {
          * @param signingAlgorithm - 签名算法 (默认 'rsa-sha256')
          * @returns 消息签名
          */
-        constructMessageSignature(octetString, key, passphrase, isBase64 = true, signingAlgorithm = nrsaAliasMappingForNode[signatureAlgorithms.RSA_SHA256]) {
-            try {
-                // 1. 标准化输入数据
-                const inputData = Buffer.isBuffer(octetString)
-                    ? octetString
-                    : Buffer.from(octetString, 'utf8');
-                // 2. 创建签名器并设置算
-                const signingAlgorithmValue = getSigningSchemeForNode(signingAlgorithm);
-                const signer = createSign(signingAlgorithmValue);
-                // 3. 加载私钥
-                const privateKey = createPrivateKey({
-                    key: key,
-                    format: 'pem',
-                    passphrase: passphrase,
-                    encoding: 'utf8'
-                });
-                signer.write(octetString);
-                signer.end();
-                const signature = signer.sign(privateKey, 'base64');
-                // 5. 处理编码输出
-                return isBase64 ? signature.toString() : signature;
-            }
-            catch (error) {
-                throw new Error(`SAML 签名失败: ${error.message}`);
-            }
+        constructMessageSignature(octetString, key, passphrase, isBase64, signingAlgorithm) {
+            // Default returning base64 encoded signature
+            // Embed with node-rsa module
+            const decryptedKey = new nrsa(utility.readPrivateKey(key, passphrase), undefined, {
+                signingScheme: getSigningScheme(signingAlgorithm),
+            });
+            const signature = decryptedKey.sign(octetString);
+            // Use private key to sign data
+            return isBase64 !== false ? signature.toString('base64') : signature;
         },
-        /*    constructMessageSignature(
+        /*    verifyMessageSignature(
+              metadata,
               octetString: string,
-              key: string,
-              passphrase?: string,
-              isBase64?: boolean,
-              signingAlgorithm?: string
+              signature: string | Buffer,
+              verifyAlgorithm?: string
             ) {
-              // Default returning base64 encoded signature
-              // Embed with node-rsa module
-              const decryptedKey = new nrsa(
-                utility.readPrivateKey(key, passphrase),
-                undefined,
-                {
-                  signingScheme: getSigningScheme(signingAlgorithm),
-                }
-              );
-              const signature = decryptedKey.sign(octetString);
-              // Use private key to sign data
-              return isBase64 !== false ? signature.toString('base64') : signature;
+              const signCert = metadata.getX509Certificate(certUse.signing);
+              const signingScheme = getSigningSchemeForNode(verifyAlgorithm);
+              const verifier = createVerify(signingScheme);
+              verifier.update(octetString);
+              const isValid = verifier.verify(utility.getPublicKeyPemFromCertificate(signCert), Buffer.isBuffer(signature) ? signature : Buffer.from(signature, 'base64'));
+              return isValid
+    
             },*/
+        /**
+         * @desc Verifies message signature
+         * @param  {Metadata} metadata                 metadata object of identity provider or service provider
+         * @param  {string} octetString                see "Bindings for the OASIS Security Assertion Markup Language (SAML V2.0)" P.17/46
+         * @param  {string} signature                  context of XML signature
+         * @param  {string} verifyAlgorithm            algorithm used to verify
+         * @return {boolean} verification result
+         */
         verifyMessageSignature(metadata, octetString, signature, verifyAlgorithm) {
             const signCert = metadata.getX509Certificate(certUse.signing);
-            const signingScheme = getSigningSchemeForNode(verifyAlgorithm);
-            const verifier = createVerify(signingScheme);
-            verifier.update(octetString);
-            const isValid = verifier.verify(utility.getPublicKeyPemFromCertificate(signCert), Buffer.isBuffer(signature) ? signature : Buffer.from(signature, 'base64'));
-            return isValid;
+            const signingScheme = getSigningScheme(verifyAlgorithm);
+            const key = new nrsa(utility.getPublicKeyPemFromCertificate(signCert), 'public', { signingScheme });
+            return key.verify(Buffer.from(octetString), Buffer.from(signature));
         },
         /**
          * @desc Get the public key in string format
@@ -777,7 +781,8 @@ const libSaml = () => {
                 const sourceEntitySetting = sourceEntity.entitySetting;
                 const targetEntityMetadata = targetEntity.entityMeta;
                 const { dom } = getContext();
-                const doc = dom.parseFromString(xml);
+                const doc = dom.parseFromString(xml, 'application/xml');
+                // @ts-expect-error misssing Node properties are not needed
                 const assertions = select("//*[local-name(.)='Assertion']", doc);
                 if (!Array.isArray(assertions) || assertions.length === 0) {
                     throw new Error('ERR_NO_ASSERTION');
@@ -795,7 +800,7 @@ const libSaml = () => {
                         pem: Buffer.from(`-----BEGIN CERTIFICATE-----${targetEntityMetadata.getX509Certificate(certUse.encrypt)}-----END CERTIFICATE-----`),
                         encryptionAlgorithm: sourceEntitySetting.dataEncryptionAlgorithm,
                         keyEncryptionAlgorithm: sourceEntitySetting.keyEncryptionAlgorithm,
-                        keyEncryptionDigest: 'SHA-512',
+                        /*       keyEncryptionDigest: 'SHA-512',*/
                         disallowEncryptionWithInsecureAlgorithm: true,
                         warnInsecureAlgorithm: true
                     }, (err, res) => {
@@ -806,7 +811,8 @@ const libSaml = () => {
                             return reject(new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION'));
                         }
                         const { encryptedAssertion: encAssertionPrefix } = sourceEntitySetting.tagPrefix;
-                        const encryptAssertionDoc = dom.parseFromString(`<${encAssertionPrefix}:EncryptedAssertion xmlns:${encAssertionPrefix}="${namespace.names.assertion}">${res}</${encAssertionPrefix}:EncryptedAssertion>`);
+                        const encryptAssertionDoc = dom.parseFromString(`<${encAssertionPrefix}:EncryptedAssertion xmlns:${encAssertionPrefix}="${namespace.names.assertion}">${res}</${encAssertionPrefix}:EncryptedAssertion>`, 'application/xml');
+                        // @ts-expect-error misssing Node properties are not needed
                         doc.documentElement.replaceChild(encryptAssertionDoc.documentElement, rawAssertionNode);
                         return resolve(utility.base64Encode(doc.toString()));
                     });
@@ -833,7 +839,8 @@ const libSaml = () => {
                 // Perform encryption depends on the setting of where the message is sent, default is false
                 const hereSetting = here.entitySetting;
                 const { dom } = getContext();
-                const doc = dom.parseFromString(entireXML);
+                const doc = dom.parseFromString(entireXML, 'application/xml');
+                // @ts-expect-error misssing Node properties are not needed
                 const encryptedAssertions = select("/*[contains(local-name(), 'Response')]/*[local-name(.)='EncryptedAssertion']", doc);
                 if (!Array.isArray(encryptedAssertions) || encryptedAssertions.length === 0) {
                     throw new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION');
@@ -846,13 +853,13 @@ const libSaml = () => {
                     key: utility.readPrivateKey(hereSetting.encPrivateKey, hereSetting.encPrivateKeyPass),
                 }, (err, res) => {
                     if (err) {
-                        console.error(err);
                         return reject(new Error('ERR_EXCEPTION_OF_ASSERTION_DECRYPTION'));
                     }
                     if (!res) {
                         return reject(new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION'));
                     }
-                    const rawAssertionDoc = dom.parseFromString(res);
+                    const rawAssertionDoc = dom.parseFromString(res, 'application/xml');
+                    // @ts-ignore
                     doc.documentElement.replaceChild(rawAssertionDoc.documentElement, encAssertionNode);
                     return resolve([doc.toString(), res]);
                 });
@@ -868,11 +875,14 @@ const libSaml = () => {
             const { dom } = getContext();
             try {
                 // 1. 解析 XML
-                const doc = dom.parseFromString(entireXML);
+                // @ts-ignore
+                const doc = dom.parseFromString(entireXML, 'application/xml');
                 // 2. 定位加密断言
                 const encryptedAssertions = select("/*[local-name()='Envelope']/*[local-name()='Body']" +
                     "/*[local-name()='ArtifactResponse']/*[local-name()='Response']" +
-                    "/*[local-name()='EncryptedAssertion']", doc);
+                    "/*[local-name()='EncryptedAssertion']", 
+                // @ts-ignore
+                doc);
                 if (!encryptedAssertions || encryptedAssertions.length === 0) {
                     throw new Error('ERR_ENCRYPTED_ASSERTION_NOT_FOUND');
                 }
@@ -886,7 +896,6 @@ const libSaml = () => {
                 const decryptedAssertion = await new Promise((resolve, reject) => {
                     xmlenc.decrypt(encAssertionNode.toString(), { key: privateKey }, (err, result) => {
                         if (err) {
-                            console.error('解密错误:', err);
                             return reject(new Error('ERR_ASSERTION_DECRYPTION_FAILED'));
                         }
                         if (!result) {
@@ -896,27 +905,28 @@ const libSaml = () => {
                     });
                 });
                 // 5. 创建解密断言的 DOM
-                const decryptedDoc = dom.parseFromString(decryptedAssertion);
+                // @ts-ignore
+                const decryptedDoc = dom.parseFromString(decryptedAssertion, 'application/xml');
                 const decryptedAssertionNode = decryptedDoc.documentElement;
                 // 6. 替换加密断言为解密后的断言
                 const parentNode = encAssertionNode.parentNode;
                 if (!parentNode) {
                     throw new Error('ERR_NO_PARENT_NODE_FOR_ENCRYPTED_ASSERTION');
                 }
+                // @ts-ignore
                 parentNode.replaceChild(decryptedAssertionNode, encAssertionNode);
                 // 7. 序列化更新后的文档
                 const updatedSoapXml = doc.toString();
                 return [updatedSoapXml, decryptedAssertion];
             }
             catch (error) {
-                console.error('SOAP断言解密失败:', error);
                 throw new Error('ERR_SOAP_ASSERTION_DECRYPTION');
             }
         },
         /**
          * @desc Check if the xml string is valid and bounded
          */
-        async isValidXml(input) {
+        async isValidXml(input, soap = false) {
             // check if global api contains the validate function
             const { validate } = getContext();
             /**
@@ -930,7 +940,7 @@ const libSaml = () => {
                 return Promise.reject('Your application is potentially vulnerable because no validation function found. Please read the documentation on how to setup the validator. (https://github.com/tngan/samlify#installation)');
             }
             try {
-                return await validate(input);
+                return await validate(input, soap);
             }
             catch (e) {
                 throw e;

package/build/src/metadata-sp.js

@@ -71,8 +71,10 @@ export class SpMetadata extends Metadata {
                 });
             }
             if (isNonEmptyArray(artifactResolutionService)) {
+                let indexCount = 0;
                 artifactResolutionService.forEach(a => {
                     const attr = {
+                        index: String(indexCount++),
                         Binding: a.Binding,
                         Location: a.Location,
                     };