npm - samlesa - Versions diffs - 2.17.3 → 2.18.0 - Mend

samlesa 2.17.3 → 2.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/build/src/binding-artifact.js +24 -14
package/build/src/flow.js +169 -27
package/build/src/libsaml.js +442 -213
package/package.json +1 -1
package/types/src/binding-artifact.d.ts.map +1 -1
package/types/src/flow.d.ts.map +1 -1
package/types/src/libsaml.d.ts +50 -1
package/types/src/libsaml.d.ts.map +1 -1

package/build/src/binding-artifact.js CHANGED Viewed

@@ -383,22 +383,32 @@ async function parseLoginResponseResolve(params) {
             return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
         }
         samlContent = verifiedAssertionNode1;
-        const [verified, verifiedAssertionNode, isDecryptRequired, noSignature] = libsaml.verifySignature(samlContent, verificationOptions);
-        if (isDecryptRequired && noSignature) {
-            const result = await libsaml.decryptAssertion(sp, samlContent);
-            samlContent = result[0];
-            extractorFields = getDefaultExtractorFields(parserType, result[1]);
-        }
-        if (!verified && !noSignature && !isDecryptRequired) {
-            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        // 改进的postFlow函数中关于签名验证的部分
+        const verificationResult = libsaml.verifySignature(samlContent, verificationOptions, self);
+        // 检查验证结果
+        if (!verificationResult.status) {
+            // 如果验证失败，根据具体情况返回错误
+            if (verificationResult.isMessageSigned && !verificationResult.MessageSignatureStatus) {
+                return Promise.reject('ERR_FAIL_TO_VERIFY_MESSAGE_SIGNATURE');
+            }
+            if (verificationResult.isAssertionSigned && !verificationResult.AssertionSignatureStatus) {
+                return Promise.reject('ERR_FAIL_TO_VERIFY_ASSERTION_SIGNATURE');
+            }
+            if (verificationResult.encrypted && !verificationResult.decrypted) {
+                return Promise.reject('ERR_FAIL_TO_DECRYPT_ASSERTION');
+            }
+            // 通用验证失败
+            return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE_OR_DECRYPTION');
         }
-        if (!isDecryptRequired) {
-            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+        // 更新samlContent为验证后的版本（可能已解密）
+        samlContent = verificationResult.samlContent;
+        // 根据验证结果设置extractorFields
+        if (verificationResult.assertionContent) {
+            extractorFields = getDefaultExtractorFields(parserType, verificationResult.assertionContent);
         }
-        if (parserType === 'SAMLResponse' && isDecryptRequired && !noSignature) {
-            const result = await libsaml.decryptAssertion(sp, samlContent);
-            samlContent = result[0];
-            extractorFields = getDefaultExtractorFields(parserType, result[1]);
+        else {
+            // 如果没有断言内容（例如注销请求/响应），使用适当的处理方式
+            extractorFields = getDefaultExtractorFields(parserType, null);
         }
         const parseResult = {
             samlContent: samlContent,

package/build/src/flow.js CHANGED Viewed

@@ -151,23 +151,149 @@ async function postFlow(options) {
     // check status based on different scenarios
     await checkStatus(samlContent, parserType);
     /**检查签名顺序 */
-    const [verified, verifiedAssertionNode, isDecryptRequired, noSignature] = libsaml.verifySignature(samlContent, verificationOptions);
-    decryptRequired = isDecryptRequired;
-    if (isDecryptRequired && noSignature) {
-        const result = await libsaml.decryptAssertion(self, samlContent);
-        samlContent = result[0];
-        extractorFields = getDefaultExtractorFields(parserType, result[1]);
-    }
-    if (!verified && !noSignature && !isDecryptRequired) {
-        return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+    /*
+        const [verified, verifiedAssertionNode, isDecryptRequired, noSignature] = libsaml.verifySignature(samlContent, verificationOptions);
+        decryptRequired = isDecryptRequired
+        if (isDecryptRequired && noSignature) {
+            const result = await libsaml.decryptAssertion(self, samlContent);
+            samlContent = result[0];
+            extractorFields = getDefaultExtractorFields(parserType, result[1]);
+        }
+        if (!verified && !noSignature && !isDecryptRequired) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        if (!isDecryptRequired) {
+            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+        }
+        if (parserType === 'SAMLResponse' && isDecryptRequired && !noSignature) {
+            const result = await libsaml.decryptAssertion(self, samlContent);
+            samlContent = result[0];
+            extractorFields = getDefaultExtractorFields(parserType, result[1]);
+    console.log("走这里来了=========")
+            console.log(result[1])
+        }
+        const parseResult = {
+            samlContent: samlContent,
+            extract: extract(samlContent, extractorFields),
+        };
+        /!**
+         *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+         *!/
+        const targetEntityMetadata = from.entityMeta;
+        const issuer = targetEntityMetadata.getEntityID();
+        const extractedProperties = parseResult.extract;
+        // unmatched issuer
+        if (
+            (parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+            && extractedProperties
+            && extractedProperties.issuer !== issuer
+        ) {
+            return Promise.reject('ERR_UNMATCH_ISSUER');
+        }
+        // invalid session time
+        // only run the verifyTime when `SessionNotOnOrAfter` exists
+        if (
+            parserType === 'SAMLResponse'
+            && extractedProperties.sessionIndex.sessionNotOnOrAfter
+            && !verifyTime(
+                undefined,
+                extractedProperties.sessionIndex.sessionNotOnOrAfter,
+                self.entitySetting.clockDrifts
+            )
+        ) {
+            return Promise.reject('ERR_EXPIRED_SESSION');
+        }
+        // invalid time
+        // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+        if (
+            parserType === 'SAMLResponse'
+            && extractedProperties.conditions
+            && !verifyTime(
+                extractedProperties.conditions.notBefore,
+                extractedProperties.conditions.notOnOrAfter,
+                self.entitySetting.clockDrifts
+            )
+        ) {
+            return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
+        }
+        //valid destination
+        //There is no validation of the response here. The upper-layer application
+        // should verify the result by itself to see if the destination is equal to the SP acs and
+        // whether the response.id is used to prevent replay attacks.
+        /!*
+            let destination = extractedProperties?.response?.destination
+            let isExit = self.entitySetting?.assertionConsumerService?.filter((item) => {
+                return item?.Location === destination
+            })
+            if (isExit?.length === 0) {
+                return Promise.reject('ERR_Destination_URL');
+            }
+            if (parserType === 'SAMLResponse') {
+                let destination = extractedProperties?.response?.destination
+                let isExit = self.entitySetting?.assertionConsumerService?.filter((item: { Location: any; }) => {
+                    return item?.Location === destination
+                })
+                if (isExit?.length === 0) {
+                    return Promise.reject('ERR_Destination_URL');
+                }
+            }
+        *!/
+        return Promise.resolve(parseResult);*/
+    // 改进的postFlow函数中关于签名验证的部分
+    const verificationResult = libsaml.verifySignature(samlContent, verificationOptions, self);
+    /*    console.log(verificationResult)
+        console.log("解析对象")*/
+    let resultObject = {
+        isMessageSigned: true, //是否有外层的消息签名（Response或者Request 等最外层的签名）
+        MessageSignatureStatus: true, //外层的签名是否经过验证
+        isAssertionSigned: true, //是否有断言的签名
+        AssertionSignatureStatus: true, //断言签名是否经过验证
+        encrypted: true, //断言是否加密
+        decrypted: true, //断言加密后断言是否解密成功，
+        status: true, //是否全部通过验证,
+        samlContent: 'xxx', //xxx是通过验证后 解密后的整个响应，
+        assertionContent: 'xxx', //xxx是通过验证后 解密后的整个响应中的assertion 断言部分字符串
+    };
+    // 检查验证结果
+    if (!verificationResult.status) {
+        // 如果验证失败，根据具体情况返回错误
+        /** 需要判断是不是  */
+        if (verificationResult.isMessageSigned && !verificationResult.MessageSignatureStatus) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_MESSAGE_SIGNATURE');
+        }
+        if (verificationResult.isAssertionSigned && !verificationResult.AssertionSignatureStatus) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ASSERTION_SIGNATURE');
+        }
+        if (verificationResult.encrypted && !verificationResult.decrypted) {
+            return Promise.reject('ERR_FAIL_TO_DECRYPT_ASSERTION');
+        }
+        if (!verificationResult.isMessageSigned && verificationResult.type === 'LogoutRequest') {
+            return Promise.reject('ERR_LogoutRequest_Need_Signature');
+        }
+        if (!verificationResult.isMessageSigned && verificationResult.type === 'LogoutResponse') {
+            return Promise.reject('ERR_LogoutResponse_Need_Signature');
+        }
+        // 通用验证失败
+        return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE_OR_DECRYPTION');
     }
-    if (!isDecryptRequired) {
-        extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+    // 更新samlContent为验证后的版本（可能已解密）
+    samlContent = verificationResult.samlContent;
+    // 根据验证结果设置extractorFields
+    if (verificationResult.assertionContent) {
+        extractorFields = getDefaultExtractorFields(parserType, verificationResult.assertionContent);
     }
-    if (parserType === 'SAMLResponse' && isDecryptRequired && !noSignature) {
-        const result = await libsaml.decryptAssertion(self, samlContent);
-        samlContent = result[0];
-        extractorFields = getDefaultExtractorFields(parserType, result[1]);
+    else {
+        // 如果没有断言内容（例如注销请求/响应），使用适当的处理方式
+        extractorFields = getDefaultExtractorFields(parserType, null);
     }
     const parseResult = {
         samlContent: samlContent,
@@ -245,18 +371,34 @@ async function postArtifactFlow(options) {
     // check status based on different scenarios
     await checkStatus(samlContent, parserType);
     /**检查签名顺序 */
-    const [verified, verifiedAssertionNode, isDecryptRequired] = libsaml.verifySignature(samlContent, verificationOptions);
-    decryptRequired = isDecryptRequired;
-    if (!verified) {
-        return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
-    }
-    if (!decryptRequired) {
-        extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
-    }
-    if (parserType === 'SAMLResponse' && decryptRequired) {
-        const result = await libsaml.decryptAssertion(self, samlContent);
-        samlContent = result[0];
-        extractorFields = getDefaultExtractorFields(parserType, result[1]);
+    // 改进的postFlow函数中关于签名验证的部分
+    const verificationResult = libsaml.verifySignature(samlContent, verificationOptions, self);
+    console.log(verificationResult);
+    console.log("最终结果====");
+    // 检查验证结果
+    if (!verificationResult.status) {
+        // 如果验证失败，根据具体情况返回错误
+        if (verificationResult.isMessageSigned && !verificationResult.MessageSignatureStatus) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_MESSAGE_SIGNATURE');
+        }
+        if (verificationResult.isAssertionSigned && !verificationResult.AssertionSignatureStatus) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ASSERTION_SIGNATURE');
+        }
+        if (verificationResult.encrypted && !verificationResult.decrypted) {
+            return Promise.reject('ERR_FAIL_TO_DECRYPT_ASSERTION');
+        }
+        // 通用验证失败
+        return Promise.reject('ERR_FAIL_TO_VERIFY_SIGNATURE_OR_DECRYPTION');
+    }
+    // 更新samlContent为验证后的版本（可能已解密）
+    samlContent = verificationResult.samlContent;
+    // 根据验证结果设置extractorFields
+    if (verificationResult.assertionContent) {
+        extractorFields = getDefaultExtractorFields(parserType, verificationResult.assertionContent);
+    }
+    else {
+        // 如果没有断言内容（例如注销请求/响应），使用适当的处理方式
+        extractorFields = getDefaultExtractorFields(parserType, null);
     }
     const parseResult = {
         samlContent: samlContent,

package/build/src/libsaml.js CHANGED Viewed

@@ -3,6 +3,7 @@
  * @author tngan
  * @desc  A simple library including some common functions
  */
+import { X509Certificate } from 'node:crypto';
 import xml from 'xml';
 import utility, { flattenDeep, inflateString, isString } from './utility.js';
 import { algorithms, namespace, wording } from './urn.js';
@@ -73,9 +74,9 @@ const libSaml = () => {
     };
     const defaultSoapResponseFailTemplate = {
         context: `<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header></SOAP-ENV:Header>
-<samlp:ArtifactResponse xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+<samlp:ArtifactResponse xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
- InResponseTo="{InResponseTo}" Version="2.0"
+ InResponseTo="{InResponseTo}" Version="2.0"
  IssueInstant="{IssueInstant}">
  <saml:Issuer>{Issuer}</saml:Issuer>
  <samlp:Status>
@@ -336,6 +337,37 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
             }
             return isBase64Output ? utility.base64Encode(sig.getSignedXml()) : sig.getSignedXml();
         },
+        // 安全的证书验证函数
+        validateCertificate(certificateBase64, expectedIssuer) {
+            try {
+                const cert = new X509Certificate(Buffer.from(certificateBase64, 'base64'));
+                // 1. 检查有效期
+                const now = new Date();
+                if (new Date(cert.validFrom) > now || new Date(cert.validTo) < now) {
+                    throw new Error('Certificate has expired or is not yet valid');
+                }
+                // 2. 检查颁发者（如果提供）
+                if (expectedIssuer && !cert.subject.includes(expectedIssuer)) {
+                    throw new Error('Certificate issuer does not match expected value');
+                }
+                // 3. 检查公钥类型（推荐 RSA 或 EC）
+                if (!['rsa', 'ec'].includes(cert.publicKey.type.toLowerCase())) {
+                    throw new Error('Certificate uses unsupported public key type');
+                }
+                return {
+                    isValid: true,
+                    subject: cert.subject,
+                    issuer: cert.issuer,
+                    publicKey: cert.publicKey
+                };
+            }
+            catch (error) {
+                return {
+                    isValid: false,
+                    error: error.message
+                };
+            }
+        },
         /**
          * @desc Verify the XML signature
          * @param  {string} xml xml
@@ -345,7 +377,7 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
          *   - The second element is the cryptographically authenticated assertion node as a string, or `null` if not found.
          */
         // tslint:disable-next-line:no-shadowed-variable
-        verifySignature(xml, opts) {
+        verifySignature1(xml, opts) {
             const { dom } = getContext();
             const doc = dom.parseFromString(xml, 'application/xml');
             const docParser = new DOMParser();
@@ -389,6 +421,7 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
             if (selection.length === 0) {
                 /** 判断有没有加密如果没有加密返回 [false, null]*/
                 if (encryptedAssertions.length > 0) {
+                    console.log("走加密了====");
                     if (!Array.isArray(encryptedAssertions) || encryptedAssertions.length === 0) {
                         return [false, null, false, true]; // we return false now
                     }
@@ -399,6 +432,7 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 }
             }
             if (selection.length !== 0) {
+                console.log("走加密了1====");
                 /** 判断有没有加密如果没有加密返回 [false, null]*/
                 if (logoutRequestSignature.length === 0 && LogoutResponseSignatureElementNode.length === 0 && encryptedAssertions.length > 0) {
                     if (!Array.isArray(encryptedAssertions) || encryptedAssertions.length === 0) {
@@ -418,10 +452,16 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 if (!opts.keyFile && !opts.metadata) {
                     throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
                 }
+                console.log("开始1");
                 if (opts.keyFile) {
+                    console.log("开始11");
+                    let publicCertResult = this.validateCertificate(fs.readFileSync(opts.keyFile));
+                    console.log(publicCertResult);
+                    console.log("结果");
                     sig.publicCert = fs.readFileSync(opts.keyFile);
                 }
                 if (opts.metadata) {
+                    console.log("开始111");
                     const certificateNode = select(".//*[local-name(.)='X509Certificate']", signatureNode);
                     // certificate in metadata
                     let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
@@ -448,10 +488,17 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                             // to make sure the response certificate is one of those specified in metadata
                             throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
                         }
+                        let publicCertResult = this.validateCertificate(x509Certificate);
+                        console.log(publicCertResult);
+                        console.log("结果");
                         sig.publicCert = this.getKeyInfo(x509Certificate).getKey();
                     }
                     else {
+                        console.log("开始11111");
                         // Select first one from metadata
+                        let publicCertResult = this.validateCertificate(metadataCert[0]);
+                        console.log(publicCertResult);
+                        console.log("结果");
                         sig.publicCert = this.getKeyInfo(metadataCert[0]).getKey();
                     }
                 }
@@ -509,232 +556,317 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
             return [false, null, false, true]; // return encryptedAssert
             /*   throw new Error('ERR_ZERO_SIGNATURE');*/
         },
-        /*  verifySignatureSoap(xml: string, opts: SignatureVerifierOptions & { isAssertion?: boolean }) {
-            const {dom} = getContext();
+        /**
+         * 改进的SAML签名验证函数，支持多种签名和加密组合场景
+         * @param xml SAML XML内容
+         * @param opts 验证选项
+         * @param self
+         * @returns 验证结果对象
+         */
+        /**
+         * 改进的SAML签名验证函数，支持多种签名和加密组合场景
+         * @param xml SAML XML内容
+         * @param opts 验证选项
+         * @param self
+         * @returns 验证结果对象
+         */
+        verifySignature(xml, opts, self) {
+            const { dom } = getContext();
             const doc = dom.parseFromString(xml, 'application/xml');
             const docParser = new DOMParser();
-            let selection: any = [];
-            if (opts.isAssertion) {
-              // 断言模式下的专用逻辑
-              const assertionSignatureXpath = "./!*[local-name()='Signature']";
-              // @ts-expect-error misssing Node properties are not needed
-              const signatureNode = select(assertionSignatureXpath, doc.documentElement);
-              if (signatureNode.length === 0) {
-                throw new Error('ERR_ASSERTION_SIGNATURE_NOT_FOUND');
-              }
-              selection = selection.concat(signatureNode);
-            } else {
-              // 原始的SOAP响应验证逻辑
-              const messageSignatureXpath =
-                "/!*[local-name()='Envelope']/!*[local-name()='Body']" +
-                "/!*[local-name()='ArtifactResponse']/!*[local-name()='Signature'] | " +
-                "/!*[local-name()='Envelope']/!*[local-name()='Body']" +
-                "/!*[local-name()='ArtifactResponse']/!*[local-name()='Response']/!*[local-name()='Signature']";
-              const assertionSignatureXpath =
-                "/!*[local-name()='Envelope']/!*[local-name()='Body']" +
-                "/!*[local-name()='ArtifactResponse']/!*[local-name()='Response']" +
-                "/!*[local-name()='Assertion']/!*[local-name()='Signature'] | " +
-                "/!*[local-name()='Envelope']/!*[local-name()='Body']" +
-                "/!*[local-name()='ArtifactResponse']/!*[local-name()='Response']" +
-                "/!*[local-name()='EncryptedAssertion']";
-              const wrappingElementsXPath =
-                "/!*[local-name()='Envelope']/!*[local-name()='Body']" +
-                "/!*[local-name()='ArtifactResponse']/!*[local-name()='Response']" +
-                "/!*[local-name()='Assertion']/!*[local-name()='Subject']" +
-                "/!*[local-name()='SubjectConfirmation']" +
-                "/!*[local-name()='SubjectConfirmationData']" +
-                "//!*[local-name()='Assertion' or local-name()='Signature']";
-      // @ts-expect-error misssing Node properties are not needed
-              const messageSignatureNode = select(messageSignatureXpath, doc);
-              // @ts-expect-error misssing Node properties are not needed
-              const assertionSignatureNode = select(assertionSignatureXpath, doc);
-              // @ts-expect-error misssing Node properties are not needed
-              const wrappingElementNode = select(wrappingElementsXPath, doc);
-              // 检测包装攻击
-              if (wrappingElementNode.length !== 0) {
+            // 定义各种XPath路径
+            const messageSignatureXpath = "/*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/*[local-name(.)='Signature']";
+            const assertionSignatureXpath = "/*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/*[local-name(.)='Assertion']/*[local-name(.)='Signature']";
+            const wrappingElementsXPath = "/*[contains(local-name(), 'Response')]/*[local-name(.)='Assertion']/*[local-name(.)='Subject']/*[local-name(.)='SubjectConfirmation']/*[local-name(.)='SubjectConfirmationData']//*[local-name(.)='Assertion' or local-name(.)='Signature']";
+            const encryptedAssertionsXPath = "/*[contains(local-name(), 'Response')]/*[local-name(.)='EncryptedAssertion']";
+            // 检测包装攻击
+            // @ts-expect-error misssing Node properties are not needed
+            const wrappingElementNode = select(wrappingElementsXPath, doc);
+            if (wrappingElementNode.length !== 0) {
                 throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
-              }
-              // 保证响应中至少有一个签名
-              if (messageSignatureNode.length === 0 && assertionSignatureNode.length === 0) {
-                throw new Error('ERR_ZERO_SIGNATURE');
-              }
-              selection = selection.concat(messageSignatureNode, assertionSignatureNode);
             }
-            for (const signatureNode of selection) {
-              const sig = new SignedXml();
-              let verified = false;
-              sig.signatureAlgorithm = opts.signatureAlgorithm!;
-              if (!opts.keyFile && !opts.metadata) {
-                throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
-              }
-              if (opts.keyFile) {
-                sig.publicCert = fs.readFileSync(opts.keyFile, 'utf-8');
-              }
-              if (opts.metadata) {
-                const certificateNodes = select(".//!*[local-name(.)='X509Certificate']", signatureNode) as any[];
-                // 获取元数据中的证书
-                let metadataCert: any = opts.metadata.getX509Certificate(certUse.signing);
-                // 规范化元数据证书
-                if (Array.isArray(metadataCert)) {
-                  metadataCert = flattenDeep(metadataCert);
-                } else if (typeof metadataCert === 'string') {
-                  metadataCert = [metadataCert];
+            // 获取各种元素
+            // @ts-expect-error misssing Node properties are not needed
+            const messageSignatureNode = select(messageSignatureXpath, doc);
+            // @ts-expect-error misssing Node properties are not needed
+            const assertionSignatureNode = select(assertionSignatureXpath, doc);
+            // @ts-expect-error misssing Node properties are not needed
+            const encryptedAssertions = select(encryptedAssertionsXPath, doc);
+            // 初始化验证状态
+            let isMessageSigned = messageSignatureNode.length > 0;
+            let isAssertionSigned = assertionSignatureNode.length > 0;
+            let encrypted = encryptedAssertions.length > 0;
+            let decrypted = false;
+            let MessageSignatureStatus = false;
+            let AssertionSignatureStatus = false;
+            let status = false;
+            let samlContent = xml;
+            let assertionContent = null;
+            // 检测SAML消息类型
+            // 检测SAML消息类型 - 使用精确匹配避免包含关系导致的误判
+            const rootElementName = doc.documentElement.localName;
+            let type = 'Unknown';
+            // 使用精确字符串比较，避免包含关系的问题
+            switch (rootElementName) {
+                case 'AuthnRequest':
+                    type = 'AuthnRequest';
+                    break;
+                case 'Response':
+                    type = 'Response';
+                    break;
+                case 'LogoutRequest':
+                    type = 'LogoutRequest';
+                    break;
+                case 'LogoutResponse':
+                    type = 'LogoutResponse';
+                    break;
+                default:
+                    // 如果不是完全匹配，尝试模糊匹配
+                    if (rootElementName.includes('AuthnRequest')) {
+                        type = 'AuthnRequest';
+                    }
+                    else if (rootElementName.includes('LogoutResponse')) {
+                        type = 'LogoutResponse';
+                    }
+                    else if (rootElementName.includes('LogoutRequest')) {
+                        type = 'LogoutRequest';
+                    }
+                    else if (rootElementName.includes('Response')) {
+                        type = 'Response';
+                    }
+                    else {
+                        type = 'Unknown';
+                    }
+            }
+            // 特殊情况：带未签名断言的未签名SAML响应，应该拒绝
+            if (!isMessageSigned && !isAssertionSigned && !encrypted) {
+                return {
+                    isMessageSigned,
+                    MessageSignatureStatus,
+                    isAssertionSigned,
+                    AssertionSignatureStatus,
+                    encrypted,
+                    decrypted,
+                    type, // 添加类型字段
+                    status: false, // 明确拒绝未签名未加密的响应
+                    samlContent,
+                    assertionContent
+                };
+            }
+            // 处理最外层有签名且断言加密的情况（关键逻辑补充）
+            if (isMessageSigned && encrypted) {
+                // 1. 首先解密断言
+                try {
+                    const result = this.decryptAssertionSync(self, xml, opts);
+                    // 更新文档为解密后的版本
+                    samlContent = result[0];
+                    assertionContent = result[1];
+                    // 更新验证状态
+                    decrypted = true;
+                    AssertionSignatureStatus = result?.[2]?.AssertionSignatureStatus || false;
+                    isAssertionSigned = result?.[2]?.isAssertionSigned || false;
+                    // 解密后的文档
+                    const decryptedDoc = dom.parseFromString(samlContent, 'application/xml');
+                    // 2. 验证最外层消息签名（使用解密后的文档）
+                    const signatureNode = messageSignatureNode[0];
+                    const sig = new SignedXml();
+                    if (!opts.keyFile && !opts.metadata) {
+                        throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
+                    }
+                    if (opts.keyFile) {
+                        sig.publicCert = fs.readFileSync(opts.keyFile);
+                    }
+                    else if (opts.metadata) {
+                        // @ts-expect-error misssing Node properties are not needed
+                        const certificateNode = select(".//*[local-name(.)='X509Certificate']", signatureNode);
+                        let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
+                        if (Array.isArray(metadataCert)) {
+                            metadataCert = flattenDeep(metadataCert);
+                        }
+                        else if (typeof metadataCert === 'string') {
+                            metadataCert = [metadataCert];
+                        }
+                        metadataCert = metadataCert.map(utility.normalizeCerString);
+                        if (certificateNode.length === 0 && metadataCert.length === 0) {
+                            throw new Error('NO_SELECTED_CERTIFICATE');
+                        }
+                        if (certificateNode.length !== 0) {
+                            const x509CertificateData = certificateNode[0].firstChild.data;
+                            const x509Certificate = utility.normalizeCerString(x509CertificateData);
+                            if (metadataCert.length >= 1 && !metadataCert.find((cert) => cert.trim() === x509Certificate.trim())) {
+                                throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
+                            }
+                            sig.publicCert = this.getKeyInfo(x509Certificate).getKey();
+                        }
+                        else {
+                            sig.publicCert = this.getKeyInfo(metadataCert[0]).getKey();
+                        }
+                    }
+                    sig.signatureAlgorithm = opts.signatureAlgorithm;
+                    // @ts-expect-error misssing Node properties are not needed
+                    sig.loadSignature(signatureNode);
+                    // 使用解密后的文档验证最外层签名
+                    MessageSignatureStatus = sig.checkSignature(decryptedDoc.toString());
+                    if (!MessageSignatureStatus) {
+                        throw new Error('ERR_FAILED_TO_VERIFY_MESSAGE_SIGNATURE_AFTER_DECRYPTION');
+                    }
+                    // 3. 验证解密后断言的签名（如果存在）
+                    if (isAssertionSigned && AssertionSignatureStatus) {
+                        /*   console.log("断言签名验证已通过");*/
+                    }
+                    else if (isAssertionSigned && !AssertionSignatureStatus) {
+                        throw new Error('ERR_FAILED_TO_VERIFY_ASSERTION_SIGNATURE_AFTER_DECRYPTION');
+                    }
+                }
+                catch (err) {
+                    throw err;
                 }
-                metadataCert = metadataCert.map(utility.normalizeCerString);
-                // 检查证书可用性
-                if (certificateNodes.length === 0 && metadataCert.length === 0) {
-                  throw new Error('NO_SELECTED_CERTIFICATE');
+            }
+            // 处理最外层有签名但断言未加密的情况
+            else if (isMessageSigned && !encrypted) {
+                const signatureNode = messageSignatureNode[0];
+                const sig = new SignedXml();
+                if (!opts.keyFile && !opts.metadata) {
+                    throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
                 }
-                // 响应中有证书节点
-                if (certificateNodes.length !== 0) {
-                  // 安全获取证书数据
-                  let x509CertificateData = '';
-                  if (certificateNodes[0].firstChild) {
-                    x509CertificateData = certificateNodes[0].firstChild.data;
-                  } else if (certificateNodes[0].textContent) {
-                    x509CertificateData = certificateNodes[0].textContent;
-                  }
-                  const x509Certificate = utility.normalizeCerString(x509CertificateData);
-                  // 验证证书匹配
-                  if (
-                    metadataCert.length >= 1 &&
-                    !metadataCert.find(cert => cert.trim() === x509Certificate.trim())
-                  ) {
-                    throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
-                  }
-                  sig.publicCert = this.getKeyInfo(x509Certificate).getKey();
-                } else {
-                  // 使用元数据中的第一个证书
-                  sig.publicCert = this.getKeyInfo(metadataCert[0]).getKey();
+                if (opts.keyFile) {
+                    sig.publicCert = fs.readFileSync(opts.keyFile);
                 }
-              }
-              // 加载签名
-              sig.loadSignature(signatureNode);
-              // 使用原始 XML 进行验证
-              verified = sig.checkSignature(xml);
-              if (!verified) {
-                throw new Error('ERR_FAILED_TO_VERIFY_SIGNATURE');
-              }
-              // 检查签名引用
-              if (!(sig.getSignedReferences().length >= 1)) {
-                throw new Error('NO_SIGNATURE_REFERENCES');
-              }
-              const signedVerifiedXML = sig.getSignedReferences()[0];
-              const verifiedDoc = docParser.parseFromString(signedVerifiedXML, 'application/xml');
-              const rootNode = verifiedDoc.documentElement;
-              // 断言模式专用返回逻辑
-              if (opts.isAssertion) {
-                if (rootNode?.localName === 'Assertion') {
-                  return [true, rootNode.toString(), false];
-                } else {
-                  throw new Error('ERR_INVALID_ASSERTION_SIGNATURE');
+                else if (opts.metadata) {
+                    // @ts-expect-error misssing Node properties are not needed
+                    const certificateNode = select(".//*[local-name(.)='X509Certificate']", signatureNode);
+                    let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
+                    if (Array.isArray(metadataCert)) {
+                        metadataCert = flattenDeep(metadataCert);
+                    }
+                    else if (typeof metadataCert === 'string') {
+                        metadataCert = [metadataCert];
+                    }
+                    metadataCert = metadataCert.map(utility.normalizeCerString);
+                    if (certificateNode.length === 0 && metadataCert.length === 0) {
+                        throw new Error('NO_SELECTED_CERTIFICATE');
+                    }
+                    if (certificateNode.length !== 0) {
+                        const x509CertificateData = certificateNode[0].firstChild.data;
+                        const x509Certificate = utility.normalizeCerString(x509CertificateData);
+                        if (metadataCert.length >= 1 && !metadataCert.find((cert) => cert.trim() === x509Certificate.trim())) {
+                            throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
+                        }
+                        sig.publicCert = this.getKeyInfo(x509Certificate).getKey();
+                    }
+                    else {
+                        sig.publicCert = this.getKeyInfo(metadataCert[0]).getKey();
+                    }
                 }
-              }
-              // 处理已验证的签名
-              // @ts-expect-error misssing Node properties are not needed
-              if (rootNode.localName === 'ArtifactResponse') {
-                // 在 ArtifactResponse 中查找 Response
+                sig.signatureAlgorithm = opts.signatureAlgorithm;
                 // @ts-expect-error misssing Node properties are not needed
-                const responseNodes = select(
-                  "./!*[local-name()='Response']",
-                  // @ts-expect-error misssing Node properties are not needed
-                  rootNode
-                ) as Element[];
-                if (responseNodes.length === 0) {
-                  continue;
+                sig.loadSignature(signatureNode);
+                MessageSignatureStatus = sig.checkSignature(doc.toString());
+                if (!MessageSignatureStatus) {
+                    throw new Error('ERR_FAILED_TO_VERIFY_MESSAGE_SIGNATURE');
                 }
-                const responseNode = responseNodes[0];
-                // 在 Response 中查找断言
-                const encryptedAssertions = select(
-                  "./!*[local-name()='EncryptedAssertion']",
-                  responseNode
-                ) as Element[];
-                const assertions = select(
-                  "./!*[local-name()='Assertion']",
-                  responseNode
-                ) as Element[];
-                if (encryptedAssertions.length === 1) {
-                  return [true, encryptedAssertions[0].toString(), true];
+            }
+            // 验证断言级签名（如果存在且未加密）
+            if (isAssertionSigned && !encrypted) {
+                const signatureNode = assertionSignatureNode[0];
+                const sig = new SignedXml();
+                if (!opts.keyFile && !opts.metadata) {
+                    throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
                 }
-                if (assertions.length === 1) {
-                  return [true, assertions[0].toString(), false];
+                if (opts.keyFile) {
+                    sig.publicCert = fs.readFileSync(opts.keyFile);
                 }
-              }
-              // 直接处理 Response
-              else if (rootNode?.localName === 'Response') {
+                else if (opts.metadata) {
+                    // @ts-expect-error misssing Node properties are not needed
+                    const certificateNode = select(".//*[local-name(.)='X509Certificate']", signatureNode);
+                    let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
+                    if (Array.isArray(metadataCert)) {
+                        metadataCert = flattenDeep(metadataCert);
+                    }
+                    else if (typeof metadataCert === 'string') {
+                        metadataCert = [metadataCert];
+                    }
+                    metadataCert = metadataCert.map(utility.normalizeCerString);
+                    if (certificateNode.length === 0 && metadataCert.length === 0) {
+                        throw new Error('NO_SELECTED_CERTIFICATE');
+                    }
+                    if (certificateNode.length !== 0) {
+                        const x509CertificateData = certificateNode[0].firstChild.data;
+                        const x509Certificate = utility.normalizeCerString(x509CertificateData);
+                        if (metadataCert.length >= 1 && !metadataCert.find((cert) => cert.trim() === x509Certificate.trim())) {
+                            throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
+                        }
+                        sig.publicCert = this.getKeyInfo(x509Certificate).getKey();
+                    }
+                    else {
+                        sig.publicCert = this.getKeyInfo(metadataCert[0]).getKey();
+                    }
+                }
+                sig.signatureAlgorithm = opts.signatureAlgorithm;
                 // @ts-expect-error misssing Node properties are not needed
-                const encryptedAssertions = select(
-                  "./!*[local-name()='EncryptedAssertion']",
-                  // @ts-expect-error misssing Node properties are not needed
-                  rootNode
-                ) as Element[];
+                sig.loadSignature(signatureNode);
+                // 为断言签名验证，我们需要从根文档中获取断言部分
                 // @ts-expect-error misssing Node properties are not needed
-                const assertions = select(
-                  "./!*[local-name()='Assertion']",
-                  // @ts-expect-error misssing Node properties are not needed
-                  rootNode
-                ) as Element[];
-                if (encryptedAssertions.length === 1) {
-                  return [true, encryptedAssertions[0].toString(), true];
+                const assertionNode = select("/*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/*[local-name(.)='Assertion']", doc)[0];
+                if (assertionNode) {
+                    const assertionDoc = dom.parseFromString(assertionNode.toString(), 'application/xml');
+                    AssertionSignatureStatus = sig.checkSignature(assertionDoc.toString());
+                }
+                else {
+                    AssertionSignatureStatus = false;
+                }
+                if (!AssertionSignatureStatus) {
+                    throw new Error('ERR_FAILED_TO_VERIFY_ASSERTION_SIGNATURE');
+                }
+            }
+            // 处理仅加密断言的情况（无消息签名）
+            if (encrypted && !isMessageSigned) {
+                if (!encryptedAssertions || encryptedAssertions.length === 0) {
+                    throw new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION');
+                }
+                if (encryptedAssertions.length > 1) {
+                    throw new Error('ERR_MULTIPLE_ASSERTION');
                 }
-                if (assertions.length === 1) {
-                  return [true, assertions[0].toString(), false];
+                const encAssertionNode = encryptedAssertions[0];
+                // 解密断言
+                try {
+                    const result = this.decryptAssertionSync(self, xml, opts);
+                    samlContent = result[0];
+                    assertionContent = result[1];
+                    decrypted = true;
+                    AssertionSignatureStatus = result?.[2]?.AssertionSignatureStatus;
+                    isAssertionSigned = result?.[2]?.isAssertionSigned;
+                }
+                catch (err) {
+                    throw new Error('ERR_EXCEPTION_OF_ASSERTION_DECRYPTION');
+                }
+            }
+            else if (!encrypted && (isMessageSigned || isAssertionSigned)) {
+                // 如果没有加密但有签名，提取断言内容
+                // @ts-expect-error misssing Node properties are not needed
+                const assertions = select("/*[contains(local-name(), 'Response') or contains(local-name(), 'Request')]/*[local-name(.)='Assertion']", doc);
+                if (assertions.length > 0) {
+                    // @ts-expect-error misssing Node properties are not needed
+                    assertionContent = assertions[0].toString();
                 }
-              }
-              // 直接处理 Assertion
-              else if (rootNode?.localName === 'Assertion') {
-                return [true, rootNode.toString(), false];
-              }
-              // 直接处理 EncryptedAssertion
-              else if (rootNode?.localName === 'EncryptedAssertion') {
-                return [true, rootNode.toString(), true];
-              } else {
-                console.warn("未知的根节点类型:", rootNode?.localName);
-              }
             }
-            throw new Error('ERR_ZERO_SIGNATURE');
-          },*/
+            // 检查整体状态
+            status = (!isMessageSigned || MessageSignatureStatus) &&
+                (!isAssertionSigned || AssertionSignatureStatus) &&
+                (!encrypted || decrypted);
+            return {
+                isMessageSigned,
+                MessageSignatureStatus,
+                isAssertionSigned,
+                AssertionSignatureStatus,
+                encrypted,
+                decrypted,
+                type, // 添加类型字段
+                status,
+                samlContent,
+                assertionContent
+            };
+        },
         verifySignatureSoap(xml, opts) {
             const { dom } = getContext();
             const doc = dom.parseFromString(xml, 'application/xml');
@@ -930,7 +1062,7 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
               verifier.update(octetString);
               const isValid = verifier.verify(utility.getPublicKeyPemFromCertificate(signCert), Buffer.isBuffer(signature) ? signature : Buffer.from(signature, 'base64'));
               return isValid
             },*/
         /**
          * @desc Verifies message signature
@@ -1063,6 +1195,103 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 });
             });
         },
+        /**
+         * 同步版本的断言解密函数
+         */
+        /**
+         * 同步版本的断言解密函数，支持解密后验证断言签名
+         */
+        decryptAssertionSync(here, entireXML, opts) {
+            const hereSetting = here.entitySetting;
+            const { dom } = getContext();
+            const doc = dom.parseFromString(entireXML, 'application/xml');
+            // @ts-expect-error misssing Node properties are not needed
+            const encryptedAssertions = select("/*[contains(local-name(), 'Response')]/*[local-name(.)='EncryptedAssertion']", doc);
+            if (!Array.isArray(encryptedAssertions) || encryptedAssertions.length === 0) {
+                throw new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION');
+            }
+            if (encryptedAssertions.length > 1) {
+                throw new Error('ERR_MULTIPLE_ASSERTION');
+            }
+            const encAssertionNode = encryptedAssertions[0];
+            let decryptedResult = null;
+            // 使用同步方式处理解密
+            xmlenc.decrypt(encAssertionNode.toString(), {
+                key: utility.readPrivateKey(hereSetting.encPrivateKey, hereSetting.encPrivateKeyPass),
+            }, (err, res) => {
+                if (err) {
+                    throw new Error('ERR_EXCEPTION_OF_ASSERTION_DECRYPTION');
+                }
+                if (!res) {
+                    throw new Error('ERR_UNDEFINED_ENCRYPTED_ASSERTION');
+                }
+                decryptedResult = res;
+            });
+            if (!decryptedResult) {
+                throw new Error('ERR_UNDEFINED_DECRYPTED_ASSERTION');
+            }
+            // 解密完成后，检查解密后的断言是否还有签名需要验证
+            const decryptedAssertionDoc = dom.parseFromString(decryptedResult, 'application/xml');
+            let AssertionSignatureStatus = false;
+            // 检查解密后的断言是否有签名
+            // @ts-expect-error misssing Node properties are not needed
+            const assertionSignatureNode = select("/*[local-name(.)='Assertion']/*[local-name(.)='Signature']", decryptedAssertionDoc);
+            if (assertionSignatureNode.length > 0 && opts) {
+                // 解密后的断言有签名，需要验证
+                const signatureNode = assertionSignatureNode[0];
+                const sig = new SignedXml();
+                if (!opts.keyFile && !opts.metadata) {
+                    throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
+                }
+                if (opts.keyFile) {
+                    sig.publicCert = fs.readFileSync(opts.keyFile);
+                }
+                else if (opts.metadata) {
+                    // @ts-expect-error misssing Node properties are not needed
+                    const certificateNode = select(".//*[local-name(.)='X509Certificate']", signatureNode);
+                    let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
+                    if (Array.isArray(metadataCert)) {
+                        metadataCert = flattenDeep(metadataCert);
+                    }
+                    else if (typeof metadataCert === 'string') {
+                        metadataCert = [metadataCert];
+                    }
+                    metadataCert = metadataCert.map(utility.normalizeCerString);
+                    if (certificateNode.length === 0 && metadataCert.length === 0) {
+                        throw new Error('NO_SELECTED_CERTIFICATE');
+                    }
+                    if (certificateNode.length !== 0) {
+                        const x509CertificateData = certificateNode[0].firstChild.data;
+                        const x509Certificate = utility.normalizeCerString(x509CertificateData);
+                        if (metadataCert.length >= 1 && !metadataCert.find((cert) => cert.trim() === x509Certificate.trim())) {
+                            throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
+                        }
+                        sig.publicCert = this.getKeyInfo(x509Certificate).getKey();
+                    }
+                    else {
+                        sig.publicCert = this.getKeyInfo(metadataCert[0]).getKey();
+                    }
+                }
+                sig.signatureAlgorithm = opts.signatureAlgorithm;
+                // @ts-expect-error misssing Node properties are not needed
+                sig.loadSignature(signatureNode);
+                // 验证解密后断言的签名
+                const assertionDocForVerification = dom.parseFromString(decryptedResult, 'application/xml');
+                const assertionValid = sig.checkSignature(assertionDocForVerification.toString());
+                AssertionSignatureStatus = assertionValid;
+                if (!assertionValid) {
+                    throw new Error('ERR_FAILED_TO_VERIFY_DECRYPTED_ASSERTION_SIGNATURE');
+                }
+            }
+            // 将解密后的断言替换原始文档中的加密断言
+            const rawAssertionDoc = dom.parseFromString(decryptedResult, 'application/xml');
+            // @ts-ignore
+            doc.documentElement.replaceChild(rawAssertionDoc.documentElement, encAssertionNode);
+            return [doc.toString(), decryptedResult, {
+                    isAssertionSigned: !!(assertionSignatureNode.length > 0 && opts),
+                    AssertionSignatureStatus: AssertionSignatureStatus
+                }];
+        },
         /**
          * 解密 SOAP 响应中的加密断言
          * @param self 当前实体（SP 或 IdP）

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "samlesa",
-  "version": "2.17.3",
+  "version": "2.18.0",
   "description": "High-level API for Single Sign On (SAML 2.0) baseed on samlify ",
   "main": "build/index.js",
   "keywords": [

package/types/src/binding-artifact.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"binding-artifact.d.ts","sourceRoot":"","sources":["../../src/binding-artifact.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,aAAa,CAAC;AAMhD,OAAO,EACH,2BAA2B,IAAI,gBAAgB,EAC/C,0BAA0B,IAAI,eAAe,EAChD,MAAM,YAAY,CAAC;AAwCpB;;;;;GAKG;AACH,iBAAS,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,oBAAoB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,cAAc,GAAG,GAAG,CA+FlI;AAED;;;;;;;;GAQG;AACH,iBAAe,iBAAiB,CAAC,WAAW,EAAE,GAAG,YAAK,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAE,GAAQ,EAAE,oBAAoB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,cAAc,EAAE,eAAe,GAAE,OAAe,EAAE,kBAAkB,UAAK,GAAG,OAAO,CAAC,cAAc,CAAC,CAqIpO;AAED,iBAAe,wBAAwB,CAAC,MAAM,EAAE;IAC5C,GAAG,EAAE,gBAAgB,CAAC;IACtB,EAAE,EAAE,eAAe,CAAC;IACpB,GAAG,EAAE,MAAM,CAAA;CACd;;;GAqDA;AAED,iBAAe,yBAAyB,CAAC,MAAM,EAAE;IAAE,GAAG,EAAE,gBAAgB,CAAC;IAAC,EAAE,EAAE,eAAe,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE;;;~~GA0P3G~~;AAED,QAAA,MAAM,mBAAmB;;;;;CAOxB,CAAC;AAEF,eAAe,mBAAmB,CAAC"}
1	+ {"version":3,"file":"binding-artifact.d.ts","sourceRoot":"","sources":["../../src/binding-artifact.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,aAAa,CAAC;AAMhD,OAAO,EACH,2BAA2B,IAAI,gBAAgB,EAC/C,0BAA0B,IAAI,eAAe,EAChD,MAAM,YAAY,CAAC;AAwCpB;;;;;GAKG;AACH,iBAAS,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,oBAAoB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,cAAc,GAAG,GAAG,CA+FlI;AAED;;;;;;;;GAQG;AACH,iBAAe,iBAAiB,CAAC,WAAW,EAAE,GAAG,YAAK,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAE,GAAQ,EAAE,oBAAoB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,cAAc,EAAE,eAAe,GAAE,OAAe,EAAE,kBAAkB,UAAK,GAAG,OAAO,CAAC,cAAc,CAAC,CAqIpO;AAED,iBAAe,wBAAwB,CAAC,MAAM,EAAE;IAC5C,GAAG,EAAE,gBAAgB,CAAC;IACtB,EAAE,EAAE,eAAe,CAAC;IACpB,GAAG,EAAE,MAAM,CAAA;CACd;;;GAqDA;AAED,iBAAe,yBAAyB,CAAC,MAAM,EAAE;IAAE,GAAG,EAAE,gBAAgB,CAAC;IAAC,EAAE,EAAE,eAAe,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE;;;GAqQ3G;AAED,QAAA,MAAM,mBAAmB;;;;;CAOxB,CAAC;AAEF,eAAe,mBAAmB,CAAC"}

package/types/src/flow.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"flow.d.ts","sourceRoot":"","sources":["../../src/flow.ts"],"names":[],"mappings":"AAyBA,MAAM,WAAW,UAAU;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,GAAG,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;~~AA8iBD~~,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CA6BhG;AAED,wBAAgB,IAAI,CAAC,OAAO,KAAA,GAAG,OAAO,CAAC,UAAU,CAAC,CA0BjD"}
1	+ {"version":3,"file":"flow.d.ts","sourceRoot":"","sources":["../../src/flow.ts"],"names":[],"mappings":"AAyBA,MAAM,WAAW,UAAU;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,GAAG,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAgsBD,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CA6BhG;AAED,wBAAgB,IAAI,CAAC,OAAO,KAAA,GAAG,OAAO,CAAC,UAAU,CAAC,CA0BjD"}

package/types/src/libsaml.d.ts CHANGED Viewed

@@ -164,6 +164,19 @@ declare const _default: {
      * @return {string} base64 encoded string
      */
     constructSAMLSignature(opts: SignatureConstructor): string;
+    validateCertificate(certificateBase64: string, expectedIssuer?: string): {
+        isValid: boolean;
+        subject: string;
+        issuer: string;
+        publicKey: import("crypto").KeyObject;
+        error?: undefined;
+    } | {
+        isValid: boolean;
+        error: any;
+        subject?: undefined;
+        issuer?: undefined;
+        publicKey?: undefined;
+    };
     /**
      * @desc Verify the XML signature
      * @param  {string} xml xml
@@ -172,7 +185,33 @@ declare const _default: {
      *   - The first element is `true` if the signature is valid, `false` otherwise.
      *   - The second element is the cryptographically authenticated assertion node as a string, or `null` if not found.
      */
-    verifySignature(xml: string, opts: SignatureVerifierOptions): (boolean | null)[] | (string | boolean)[];
+    verifySignature1(xml: string, opts: SignatureVerifierOptions): (boolean | null)[] | (string | boolean)[];
+    /**
+     * 改进的SAML签名验证函数，支持多种签名和加密组合场景
+     * @param xml SAML XML内容
+     * @param opts 验证选项
+     * @param self
+     * @returns 验证结果对象
+     */
+    /**
+     * 改进的SAML签名验证函数，支持多种签名和加密组合场景
+     * @param xml SAML XML内容
+     * @param opts 验证选项
+     * @param self
+     * @returns 验证结果对象
+     */
+    verifySignature(xml: string, opts: SignatureVerifierOptions, self: any): {
+        isMessageSigned: boolean;
+        MessageSignatureStatus: boolean;
+        isAssertionSigned: boolean;
+        AssertionSignatureStatus: boolean;
+        encrypted: boolean;
+        decrypted: boolean;
+        type: "AuthnRequest" | "LogoutRequest" | "Response" | "LogoutResponse" | "Unknown";
+        status: boolean;
+        samlContent: string;
+        assertionContent: null;
+    };
     verifySignatureSoap(xml: string, opts: SignatureVerifierOptions): (boolean | null)[] | (string | boolean)[];
     /**
      * @desc Helper function to create the key section in metadata (abstraction for signing and encrypt use)
@@ -226,6 +265,16 @@ declare const _default: {
      * @return {function} a promise to get back the entire xml with decrypted assertion
      */
     decryptAssertion(here: any, entireXML: string): Promise<[string, any]>;
+    /**
+     * 同步版本的断言解密函数
+     */
+    /**
+     * 同步版本的断言解密函数，支持解密后验证断言签名
+     */
+    decryptAssertionSync(here: any, entireXML: string, opts?: SignatureVerifierOptions): (string | {
+        isAssertionSigned: boolean;
+        AssertionSignatureStatus: boolean;
+    })[];
     /**
      * 解密 SOAP 响应中的加密断言
      * @param self 当前实体（SP 或 IdP）

package/types/src/libsaml.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"libsaml.d.ts","sourceRoot":"","sources":["../../src/libsaml.ts"],"names":[],"mappings":"~~AAWA~~,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,eAAe,CAAC;~~AAiBrD~~;;;;GAIG;AAGH,MAAM,WAAW,oBAAoB;~~IACnC~~,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,eAAe,CAAC,EAAE,GAAG,CAAC;IACtB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;~~CACrC~~;AAED,MAAM,WAAW,wBAAwB;~~IACvC~~,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,MAAM,CAAC;~~CAC7B~~;AAED,MAAM,WAAW,eAAe;~~IAC9B~~,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;IAEnB,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC9B,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;~~CACpB~~;AAED,MAAM,WAAW,sBAAsB;~~IACrC~~,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;~~CAC1B~~;AAED,MAAM,WAAW,gCAAgC;~~IAC/C~~,0BAA0B,CAAC,EAAE,0BAA0B,CAAC;IACxD,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;~~CACvC~~;AAED,MAAM,WAAW,gBAAgB;~~IAC/B~~,OAAO,EAAE,MAAM,CAAC;~~CACjB~~;AAED,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;~~IAC7D~~,UAAU,CAAC,EAAE,sBAAsB,EAAE,CAAC;IACtC,mBAAmB,CAAC,EAAE,gCAAgC,CAAC;~~CACxD~~;AAED,MAAM,WAAW,0BAA2B,SAAQ,gBAAgB;CACnE;AAED,MAAM,WAAW,iBAAkB,SAAQ,gBAAgB;CAC1D;AAED,MAAM,WAAW,oBAAqB,SAAQ,gBAAgB;CAC7D;AAED,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;CAC9D;AAED,MAAM,WAAW,sBAAuB,SAAQ,gBAAgB;CAC/D;AAED,MAAM,MAAM,MAAM,GAAG,SAAS,GAAG,YAAY,CAAC;AAE9C,MAAM,WAAW,YAAY;~~IAC3B~~,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;~~CACpB~~;AAED,MAAM,WAAW,gBAAgB;~~IAC/B~~,mBAAmB,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9C,WAAW,EAAE,CAAC,KAAK,KAAA,EAAE,YAAY,CAAC,EAAE,OAAO,KAAK,MAAM,CAAC;IACvD,kBAAkB,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,KAAK,MAAM,CAAC;IAC/D,yBAAyB,EAAE,CAAC,UAAU,EAAE,sBAAsB,EAAE,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,0BAA0B,KAAK,MAAM,CAAC;IAC1K,sBAAsB,EAAE,CAAC,IAAI,EAAE,oBAAoB,KAAK,MAAM,CAAC;IAC/D,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,wBAAwB,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACjF,gBAAgB,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,KAAK,EAAE,CAAC;IAC7D,yBAAyB,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,OAAO,EAAE,gBAAgB,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IAE5I,sBAAsB,EAAE,CAAC,QAAQ,KAAA,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IACzH,UAAU,EAAE,CAAC,eAAe,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,GAAG,KAAK,IAAI,CAAC;IACrE,gBAAgB,EAAE,CAAC,YAAY,KAAA,EAAE,YAAY,KAAA,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACrF,gBAAgB,EAAE,CAAC,IAAI,KAAA,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;IAEtE,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;IACpD,eAAe,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;IAEnD,gBAAgB,EAAE,GAAG,CAAC;IACtB,2BAA2B,EAAE,oBAAoB,CAAC;IAClD,4BAA4B,EAAE,qBAAqB,CAAC;IACpD,iCAAiC,EAAE,0BAA0B,CAAC;IAC9D,wBAAwB,EAAE,iBAAiB,CAAC;IAC5C,4BAA4B,EAAE,qBAAqB,CAAC;IACpD,6BAA6B,EAAE,sBAAsB,CAAC;~~CACvD~~;;~~6CA2L4C~~,OAAO,KAAG,MAAM;gCAnLxB,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~IA8NvC~~;;;;;OAKG;+BACwB,MAAM,aAAa,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM;IAS9E;;;;;;OAMG;IACH,eAAe;6CAC0B,GAAG,EAAE,GAAG,MAAM;IA0CvD;;;;;;;;;;OAUG;iCAC0B,oBAAoB;~~IAgDjD~~;;;;;;;OAOG;~~yBAEkB~~,MAAM,QAAQ,wBAAwB;~~6BA+ZpC~~,MAAM,QAAQ,wBAAwB;~~IAkK7D~~;;;;;OAKG;0BACmB,MAAM,cAAc,MAAM,GAAG,MAAM,GAAG,YAAY;IAsBxE;;;;;;;;OAQG;~~2CAKY~~,MAAM,OACd,MAAM,eACE,MAAM,aACR,OAAO,qBACC,MAAM;~~IA8B3B~~;;;;;;;OAOG;~~uDAGY~~,MAAM,aACR,MAAM,GAAG,MAAM,oBACR,MAAM;~~IAO1B~~;;;;OAIG;gCACyB,MAAM,oBAAmB,GAAG;;;;IAWxD;;;;;;OAMG;iEAEgD,MAAM;IAsDzD;;;;;;;OAOG;2CAC+B,MAAM;~~IAqCxC~~;;;;;OAKG;+BAC8B,GAAG,aAAa,MAAM,GAAG,OAAO,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAuEnF;;OAEG;sBACqB,MAAM,~~SAAO~~,OAAO;;~~AA8BhD~~,wBAAyB"}
1	+ {"version":3,"file":"libsaml.d.ts","sourceRoot":"","sources":["../../src/libsaml.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,eAAe,CAAC;AAerD;;;;GAIG;AAGH,MAAM,WAAW,oBAAoB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,eAAe,CAAC,EAAE,GAAG,CAAC;IACtB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,wBAAwB;IACrC,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,eAAe;IAC5B,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;IAEnB,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC9B,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,sBAAsB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,gCAAgC;IAC7C,0BAA0B,CAAC,EAAE,0BAA0B,CAAC;IACxD,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC7B,OAAO,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;IAC3D,UAAU,CAAC,EAAE,sBAAsB,EAAE,CAAC;IACtC,mBAAmB,CAAC,EAAE,gCAAgC,CAAC;CAC1D;AAED,MAAM,WAAW,0BAA2B,SAAQ,gBAAgB;CACnE;AAED,MAAM,WAAW,iBAAkB,SAAQ,gBAAgB;CAC1D;AAED,MAAM,WAAW,oBAAqB,SAAQ,gBAAgB;CAC7D;AAED,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;CAC9D;AAED,MAAM,WAAW,sBAAuB,SAAQ,gBAAgB;CAC/D;AAED,MAAM,MAAM,MAAM,GAAG,SAAS,GAAG,YAAY,CAAC;AAE9C,MAAM,WAAW,YAAY;IACzB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC7B,mBAAmB,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9C,WAAW,EAAE,CAAC,KAAK,KAAA,EAAE,YAAY,CAAC,EAAE,OAAO,KAAK,MAAM,CAAC;IACvD,kBAAkB,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,KAAK,MAAM,CAAC;IAC/D,yBAAyB,EAAE,CAAC,UAAU,EAAE,sBAAsB,EAAE,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,0BAA0B,KAAK,MAAM,CAAC;IAC1K,sBAAsB,EAAE,CAAC,IAAI,EAAE,oBAAoB,KAAK,MAAM,CAAC;IAC/D,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,wBAAwB,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACjF,gBAAgB,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,KAAK,EAAE,CAAC;IAC7D,yBAAyB,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,OAAO,EAAE,gBAAgB,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IAE5I,sBAAsB,EAAE,CAAC,QAAQ,KAAA,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IACzH,UAAU,EAAE,CAAC,eAAe,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,GAAG,KAAK,IAAI,CAAC;IACrE,gBAAgB,EAAE,CAAC,YAAY,KAAA,EAAE,YAAY,KAAA,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACrF,gBAAgB,EAAE,CAAC,IAAI,KAAA,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;IAEtE,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;IACpD,eAAe,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;IAEnD,gBAAgB,EAAE,GAAG,CAAC;IACtB,2BAA2B,EAAE,oBAAoB,CAAC;IAClD,4BAA4B,EAAE,qBAAqB,CAAC;IACpD,iCAAiC,EAAE,0BAA0B,CAAC;IAC9D,wBAAwB,EAAE,iBAAiB,CAAC;IAC5C,4BAA4B,EAAE,qBAAqB,CAAC;IACpD,6BAA6B,EAAE,sBAAsB,CAAC;CACzD;;6CA2L8C,OAAO,KAAG,MAAM;gCAnLxB,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA8NrC;;;;;OAKG;+BACwB,MAAM,aAAa,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM;IAS9E;;;;;;OAMG;IACH,eAAe;6CAC0B,GAAG,EAAE,GAAG,MAAM;IA0CvD;;;;;;;;;;OAUG;iCAC0B,oBAAoB;2CAiDV,MAAM,mBAAmB,MAAM;;;;;;;;;;;;;IAiCtE;;;;;;;OAOG;0BAEmB,MAAM,QAAQ,wBAAwB;IA0M5D;;;;;;OAMG;IAGH;;;;;;OAMG;yBACkB,MAAM,QAAQ,wBAAwB,QAAQ,GAAG;;;;;;;;;;;;6BA8U7C,MAAM,QAAQ,wBAAwB;IAkK/D;;;;;OAKG;0BACmB,MAAM,cAAc,MAAM,GAAG,MAAM,GAAG,YAAY;IAsBxE;;;;;;;;OAQG;2CAEc,MAAM,OACd,MAAM,eACE,MAAM,aACR,OAAO,qBACC,MAAM;IA8B7B;;;;;;;OAOG;uDAGc,MAAM,aACR,MAAM,GAAG,MAAM,oBACR,MAAM;IAO5B;;;;OAIG;gCACyB,MAAM,oBAAmB,GAAG;;;;IAWxD;;;;;;OAMG;iEAEgD,MAAM;IAsDzD;;;;;;;OAOG;2CAC+B,MAAM;IAoCxC;;OAEG;IACH;;OAEG;+CACmC,MAAM,SAAS,wBAAwB;;;;IA0G7E;;;;;OAKG;+BAC8B,GAAG,aAAa,MAAM,GAAG,OAAO,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAuEnF;;OAEG;sBACqB,MAAM,SAAQ,OAAO;;AA8BrD,wBAAyB"}