samlesa 3.4.2 → 3.5.0

package/build/src/entity-idp.js

@@ -10,6 +10,7 @@ import { namespace } from './urn.js';
 import postBinding from './binding-post.js';
 import redirectBinding from './binding-redirect.js';
 import simpleSignBinding from './binding-simplesign.js';
+import artifactBinding from './binding-artifact.js';
 import { flow } from './flow.js';
 /**
  * Identity provider can be configured using either metadata importing or idpSetting
@@ -36,7 +37,7 @@ export class IdentityProvider extends Entity {
      * @param params
      */
     async createLoginResponse(params) {
-        const bindType = params?.binding ?? 'post';
+        const bindType = (params?.binding ?? 'post');
         const { sp, requestInfo = {}, user = {}, customTagReplacement, encryptThenSign = false, relayState = '', AttributeStatement = [], idpInit = false, } = params;
         const protocol = namespace.binding[bindType];
         // can support post, redirect and post simple sign bindings for login response
@@ -66,6 +67,20 @@ export class IdentityProvider extends Entity {
                     idp: this,
                     sp,
                 }, user, relayState, customTagReplacement, AttributeStatement);
+            case namespace.binding.artifact:
+                context = await artifactBinding.soapLoginResponse({
+                    requestInfo,
+                    entity: {
+                        idp: this,
+                        sp,
+                    },
+                    user,
+                    customTagReplacement,
+                    encryptThenSign,
+                    AttributeStatement,
+                    idpInit,
+                });
+                break;
             default:
                 throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');
         }

package/build/src/entity-sp.js

@@ -4,12 +4,11 @@
  * @desc  Declares the actions taken by service provider
  */
 import Entity from './entity.js';
-import Artifact from './binding-artifact.js';
+import artifactBinding from './binding-artifact.js';
 import { namespace } from './urn.js';
 import redirectBinding from './binding-redirect.js';
 import postBinding from './binding-post.js';
 import simpleSignBinding from './binding-simplesign.js';
-import artifactSignBinding from './binding-artifact.js';
 import { flow } from './flow.js';
 /*
  * @desc interface function
@@ -19,8 +18,7 @@ export default function (props) {
 }
 /**
  * @desc Service provider can be configured using either metadata importing or spSetting
- * @param  {object} spSettingimport { FlowResult } from '../types/src/flow.d';
-
+ * @param  {object} spSetting
  */
 export class ServiceProvider extends Entity {
     /**
@@ -61,8 +59,13 @@ export class ServiceProvider extends Entity {
                 // Object context = {id, context, signature, sigAlg}
                 context = simpleSignBinding.base64LoginRequest({ idp, sp: this }, customTagReplacement);
                 break;
+            case nsBinding.artifact:
+                context = artifactBinding.soapLoginRequest("/*[local-name(.)='AuthnRequest']", {
+                    idp,
+                    sp: this
+                }, customTagReplacement);
+                break;
             default:
-                // Will support artifact in the next release
                 throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
         }
         return {
@@ -73,13 +76,7 @@ export class ServiceProvider extends Entity {
         };
     }
     async createLoginSoapRequest(idp, binding = 'artifact', config) {
-        const nsBinding = namespace.binding;
-        const protocol = nsBinding[binding];
-        if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
-            throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG');
-        }
-        let context = null;
-        context = await artifactSignBinding.soapLoginRequest("/*[local-name(.)='AuthnRequest']", {
+        const context = await artifactBinding.soapLoginRequest("/*[local-name(.)='AuthnRequest']", {
             idp,
             sp: this,
             inResponse: config?.inResponseTo,
@@ -106,22 +103,27 @@ export class ServiceProvider extends Entity {
         });
     }
     /**
-     * @desc   request SamlResponse by Arc id
+     * @desc   Parse and validate Artifact Resolve request
      * @param  {IdentityProvider}   idp             object of identity provider
-     * @param  {string}   binding                   protocol binding
-     * @param  {request}   req                      request
+     * @param  {string}   xml                       SOAP request XML string
      */
     parseLoginRequestResolve(idp, xml) {
         const self = this;
-        return Artifact.parseLoginRequestResolve({
+        return artifactBinding.parseLoginRequestResolve({
             idp: idp,
             sp: self,
             xml: xml
         });
     }
+    /**
+     * @desc   Resolve SAML Response by Artifact ID
+     * @param  {IdentityProvider}   idp             object of identity provider
+     * @param  {string}   art                       Artifact string
+     * @param  {request}   req                      request
+     */
     parseLoginResponseResolve(idp, art, request) {
         const self = this;
-        return Artifact.parseLoginResponseResolve({
+        return artifactBinding.parseLoginResponseResolve({
             idp: idp,
             sp: self,
             art: art

package/build/src/extractor.js

@@ -117,10 +117,27 @@ export const loginRequestFields = [
     { key: 'signature', localPath: ['AuthnRequest', 'Signature'], attributes: [], context: true }
 ];
 export const artifactResolveFields = [
-    { key: 'request', localPath: ['ArtifactResolve'], attributes: ['ID', 'IssueInstant', 'Version'] },
-    { key: 'issuer', localPath: ['ArtifactResolve', 'Issuer'], attributes: [] },
-    { key: 'Artifact', localPath: ['ArtifactResolve', 'Artifact'], attributes: [] },
-    { key: 'signature', localPath: ['ArtifactResolve', 'Signature'], attributes: [], context: true },
+    {
+        key: 'request',
+        localPath: ['Envelope', 'Body', 'ArtifactResolve'],
+        attributes: ['ID', 'IssueInstant', 'Version', 'Destination']
+    },
+    {
+        key: 'issuer',
+        localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Issuer'],
+        attributes: []
+    },
+    {
+        key: 'artifact',
+        localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Artifact'],
+        attributes: []
+    },
+    {
+        key: 'signature',
+        localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Signature'],
+        attributes: [],
+        context: true
+    },
 ];
 export const artifactResponseFields = [
     { key: 'request', localPath: ['Envelope', 'Body', 'ArtifactResolve'], attributes: ['ID', 'IssueInstant', 'Version'] },
@@ -1487,6 +1504,9 @@ export function extractSp(context) {
 export function extractAuthRequest(context) {
     return extract(context, loginRequestFields);
 }
-export function extractResponse(context, ass) {
+export function extractResponse(context) {
     return extractSpToll(context, loginResponseFieldsFullList);
 }
+export function extractArtifactResolve(context) {
+    return extract(context, artifactResolveFields);
+}

package/build/src/flow.js

@@ -225,7 +225,7 @@ async function postFlow(options) {
     if (parserType === 'SAMLResponse'
         && extractedProperties.conditions
         && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, self.entitySetting.clockDrifts)) {
-        return Promise.reject('ERR_CONDITION_SESSION');
+        return Promise.reject('ERR_CONDITION_UNCONFIRMED');
     }
     // invalid subjectConfirmation time
     // invalid time
@@ -416,13 +416,6 @@ async function postArtifactFlow(options) {
     //There is no validation of the response here. The upper-layer application
     // should verify the result by itself to see if the destination is equal to the SP acs and
     // whether the response.id is used to prevent replay attacks.
-    let destination = extractedProperties?.response?.destination;
-    let isExit = self?.entityMeta?.meta?.assertionConsumerService?.filter((item) => {
-        return item?.location === destination;
-    });
-    if (isExit?.length === 0) {
-        return Promise.reject('ERR_Destination_URL');
-    }
     if (parserType === 'SAMLResponse') {
         let destination = extractedProperties?.response?.destination;
         let isExit = self?.entityMeta?.meta?.assertionConsumerService?.filter((item) => {

package/build/src/schemaValidator.js

@@ -5,7 +5,8 @@ import { fileURLToPath } from 'node:url';
 import { DOMParser } from '@xmldom/xmldom';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
-let normal = [
+// 定义各个场景所需的 schema 文件列表（保持不变）
+const normalSchemas = [
     'saml-schema-protocol-2.0.xsd',
     'saml-schema-assertion-2.0.xsd',
     'xmldsig-core-schema.xsd',
@@ -15,42 +16,38 @@ let normal = [
     'saml-schema-ecp-2.0.xsd',
     'saml-schema-dce-2.0.xsd'
 ];
-let soapSchema = [
+const soapSchemas = [
     'soap-envelope.xsd',
     'xml.xsd',
-    // 2. SOAP核心模式（所有SOAP消息的基础）
-    // 3. XML签名模式（SAML签名的前置依赖）
     'xmldsig-core-schema.xsd',
-    // 4. XML加密模式（SAML断言加密的前置依赖）
     'xenc-schema.xsd',
     'xenc-schema-11.xsd',
-    // 5. SAML核心模式（最基础的SAML组件）
-    'saml-schema-assertion-2.0.xsd', // 断言定义
-    // 6. SAML协议模式（依赖断言模式）
+    'saml-schema-assertion-2.0.xsd',
     'saml-schema-protocol-2.0.xsd',
-    // 7. SAML扩展模式（依赖核心模式）
-    'saml-schema-metadata-2.0.xsd', // 元数据
-    'saml-schema-ecp-2.0.xsd', // ECP扩展
-    'saml-schema-dce-2.0.xsd' // DCE扩展
+    'saml-schema-metadata-2.0.xsd',
+    'saml-schema-ecp-2.0.xsd',
+    'saml-schema-dce-2.0.xsd'
 ];
-let meta = [
-    'saml-schema-metadata-2.0.xsd', // 元数据
+const metadataSchemas = [
+    'saml-schema-metadata-2.0.xsd',
     'xml.xsd',
     'saml-schema-assertion-2.0.xsd',
     'xmldsig-core-schema.xsd',
     'xenc-schema.xsd',
-    'xenc-schema-11.xsd',
+    'xenc-schema-11.xsd'
 ];
-let schemas = normal;
+/**
+ * 检测 XML 字符串中是否存在 XXE 攻击指示器
+ * @param samlString 待检测的 XML 字符串
+ * @returns 如果存在可疑模式则返回匹配详情，否则返回 null
+ */
 function detectXXEIndicators(samlString) {
     const xxePatterns = [
-        /<!DOCTYPE\s[^>]*>/i,
-        /<!ENTITY\s+[^\s>]+\s+(?:SYSTEM|PUBLIC)\s+['"][^>]*>/i,
-        /&[a-zA-Z0-9._-]+;/g,
-        /SYSTEM\s*=/i,
-        /PUBLIC\s*=/i,
-        /file:\/\//,
-        /\.dtd['"]?/
+        /<!DOCTYPE\s[^>]*>/i, // DOCTYPE 声明
+        /<!ENTITY\s+[^\s>]+\s+(?:SYSTEM|PUBLIC)\s+['"][^>]*>/i, // 外部实体声明
+        /SYSTEM\s*['"]\s*file:\/\//i, // file:// 协议的系统引用
+        /SYSTEM\s*['"]\s*\.\.\/.*\.dtd['"]?/i, // 相对路径的 DTD 引用
+        /PUBLIC\s*['"][^'"]*['"]\s*['"][^'"]*\.dtd['"]?/i // 公共 DTD 引用
     ];
     const matches = {};
     xxePatterns.forEach((pattern, index) => {
@@ -64,94 +61,112 @@ function detectXXEIndicators(samlString) {
     });
     return Object.keys(matches).length > 0 ? matches : null;
 }
+/**
+ * 加载指定的 schema 文件内容
+ * @param schemaNames 文件名数组
+ * @returns 包含 fileName 和 contents 的对象数组
+ */
+async function loadSchemas(schemaNames) {
+    const schemaPath = path.resolve(__dirname, 'schema');
+    return Promise.all(schemaNames.map(async (file) => ({
+        fileName: file,
+        contents: await fs.promises.readFile(`${schemaPath}/${file}`, 'utf-8')
+    })));
+}
+/**
+ * 验证 SAML 消息（普通或 SOAP）
+ * @param xml XML 字符串
+ * @param isSoap 是否为 SOAP 消息，默认 false
+ * @returns true 表示验证通过，否则抛出错误
+ * @throws 当检测到 XXE 或验证失败时抛出错误
+ */
 export const validate = async (xml, isSoap = false) => {
+    // 检测 XXE 攻击
     const indicators = detectXXEIndicators(xml);
     if (indicators) {
         throw new Error('ERR_EXCEPTION_VALIDATE_XML');
     }
-    schemas = isSoap ? soapSchema : normal;
-    const schemaPath = path.resolve(__dirname, 'schema');
-    const [xmlParse, ...preload] = await Promise.all(schemas.map(async (file) => ({
-        fileName: file,
-        contents: await fs.promises.readFile(`${schemaPath}/${file}`, 'utf-8')
-    })));
+    // 根据类型选择对应的 schema 列表（避免全局变量并发问题）
+    const schemaList = isSoap ? soapSchemas : normalSchemas;
+    const schemas = await loadSchemas(schemaList);
     try {
         const validationResult = await validateXML({
-            xml: [
-                {
-                    fileName: 'content.xml',
-                    contents: xml,
-                },
-            ],
+            xml: [{ fileName: 'content.xml', contents: xml }],
             extension: 'schema',
-            schema: [xmlParse],
-            preload: [xmlParse, ...preload],
+            schema: [schemas[0]], // 第一个 schema 作为主入口
+            preload: [schemas[0], ...schemas.slice(1)], // 其余作为预加载
         });
         if (validationResult.valid) {
             return true;
         }
+        // 验证失败，抛出错误对象
         throw validationResult.errors;
     }
     catch (error) {
-        throw new Error('ERR_EXCEPTION_VALIDATE_XML');
+        // 保留原始错误信息
+        throw error;
     }
 };
+/**
+ * 验证 SAML 元数据，并可选择解析元数据类型
+ * @param xml XML 字符串
+ * @param isParse 是否解析并返回元数据类型，默认 false
+ * @returns 验证通过时：若 isParse 为 true 返回 { isValid: true, metadataType: string }，否则返回 true；
+ *          验证失败时返回 Error 对象（保持原行为）
+ */
 export const validateMetadata = async (xml, isParse = false) => {
+    // 检测 XXE 攻击
     const indicators = detectXXEIndicators(xml);
     if (indicators) {
         throw new Error('ERR_EXCEPTION_VALIDATE_XML');
     }
-    schemas = meta;
-    const schemaPath = path.resolve(__dirname, 'schema');
-    const [xmlParse, ...preload] = await Promise.all(schemas.map(async (file) => ({
-        fileName: file,
-        contents: await fs.promises.readFile(`${schemaPath}/${file}`, 'utf-8')
-    })));
+    const schemas = await loadSchemas(metadataSchemas);
     try {
+        // @ts-ignore
         const validationResult = await validateXML({
-            xml: [
-                {
-                    fileName: 'content.xml',
-                    contents: xml,
-                },
-            ],
+            xml: [{ fileName: 'content.xml', contents: xml }],
             extension: 'schema',
-            schema: [xmlParse],
-            preload: [xmlParse, ...preload],
+            schema: [schemas[0]],
+            preload: [schemas[0], ...schemas.slice(1)],
         });
         if (validationResult.valid) {
             if (isParse) {
-                // 解析 XML 为 DOM 对象
+                // 解析 XML 并确定元数据类型
                 const parser = new DOMParser();
                 const xmlDoc = parser.parseFromString(xml, 'text/xml');
-                // 检查 IdP 和 SP 描述符元素
+                // 检查解析错误（防御性编程）
+                const parserError = xmlDoc.getElementsByTagName('parsererror');
+                if (parserError.length > 0) {
+                    // 解析失败，视为无效 XML，返回错误对象（与原逻辑一致）
+                    return new Error('XML parsing failed');
+                }
                 const idpDescriptor = xmlDoc.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:metadata', 'IDPSSODescriptor');
                 const spDescriptor = xmlDoc.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:metadata', 'SPSSODescriptor');
-                // 判断元数据类型
                 let metadataType;
                 if (idpDescriptor.length > 0 && spDescriptor.length > 0) {
-                    metadataType = 'both'; // 同时包含 IdP 和 SP
+                    metadataType = 'both';
                 }
                 else if (idpDescriptor.length > 0) {
-                    metadataType = 'IdP'; // 身份提供者
+                    metadataType = 'IdP';
                 }
                 else if (spDescriptor.length > 0) {
-                    metadataType = 'SP'; // 服务提供者
+                    metadataType = 'SP';
                 }
                 else {
-                    metadataType = 'unknown'; // 无法确定
+                    metadataType = 'unknown';
                 }
-                // 返回验证结果和元数据类型
                 return {
                     isValid: true,
-                    metadataType: metadataType
+                    metadataType
                 };
             }
             return true;
         }
-        throw validationResult.errors;
+        // 验证失败，返回错误对象（保持原行为）
+        return validationResult.errors;
     }
     catch (error) {
-        return error;
+        // 捕获其他异常（如文件读取失败）并返回错误对象
+        return error instanceof Error ? error : new Error(String(error));
     }
 };

package/build/src/urn.js

@@ -10,6 +10,16 @@ export var BindingNamespace;
     BindingNamespace["SimpleSign"] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign";
     BindingNamespace["Artifact"] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact";
 })(BindingNamespace || (BindingNamespace = {}));
+export const NamespaceBindingMap = {
+    'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': 'redirect',
+    'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': 'post',
+    'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign': 'simplesign',
+    'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact': 'artifact'
+};
+// 可选：添加反向查找函数
+function getBindingName(uri) {
+    return NamespaceBindingMap[uri];
+}
 export var MessageSignatureOrder;
 (function (MessageSignatureOrder) {
     MessageSignatureOrder["STE"] = "sign-then-encrypt";
@@ -51,6 +61,12 @@ const namespace = {
         artifact: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
         soap: 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
     },
+    bindMap: {
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': 'redirect',
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': 'post',
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign': 'simplesign',
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact': 'artifact'
+    },
     names: {
         protocol: 'urn:oasis:names:tc:SAML:2.0:protocol',
         assertion: 'urn:oasis:names:tc:SAML:2.0:assertion',
@@ -173,22 +189,31 @@ const messageConfigurations = {
 const algorithms = {
     // 1. 签名算法定义 (SignatureMethod)
     signature: {
-        // ❌ 原文错误修正：ECDSA 不能用 rsa-sha256 的 URI
-        ECDSA_SHA256: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha256',
-        ECDSA_SHA384: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha384',
-        ECDSA_SHA512: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha512',
-        DSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#dsa-sha1',
-        RSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+        // ❌ 不安全的算法（已废弃）
+        RSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', // ⚠️ 已废弃，不推荐使用
+        DSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#dsa-sha1', // ⚠️ 已废弃，不推荐使用
+        // ✅ 安全的 RSA 算法（推荐）
         RSA_SHA224: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224',
-        RSA_SHA256: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', // 推荐
+        RSA_SHA256: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', // ⭐ 推荐
         RSA_SHA384: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384',
         RSA_SHA512: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512',
-        // XML Signature 1.1 PSS 填充 (更安全)
+        // ✅ ECDSA 算法（推荐）
+        ECDSA_SHA256: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha256', // ⭐ 推荐
+        ECDSA_SHA384: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha384',
+        ECDSA_SHA512: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha512',
+        // ✅ XML Signature 1.1 PSS 填充（更安全）
         RSA_PSS_SHA256: 'http://www.w3.org/2007/05/xmldsig-more#rsa-pss-sha256',
-        // EdDSA (Ed25519)
-        EDDSA_ED25519: 'http://www.w3.org/2007/05/xmldsig-more#eddsa-ed25519',
+        // ✅ EdDSA (Ed25519/Ed448)
+        EDDSA_ED25519: 'http://www.w3.org/2007/05/xmldsig-more#eddsa-ed25519', // ⭐ 推荐
         EDDSA_ED488: 'http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448'
     },
+    // 不安全的算法列表（用于验证和阻止）
+    unsafeAlgorithms: [
+        'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+        'http://www.w3.org/2000/09/xmldsig#dsa-sha1',
+        'http://www.w3.org/2000/09/xmldsig#hmac-sha1',
+        'http://www.w3.org/2000/09/xmldsig#sha1',
+    ],
     // 2. 摘要算法定义 (DigestMethod)
     // 注意：这里直接使用标准推荐的 URI，SHA-2xx 系列推荐使用 xmlenc 命名空间
     digest: {
@@ -306,4 +331,77 @@ const elementsOrder = {
     onelogin: ['KeyDescriptor', 'NameIDFormat', 'ArtifactResolutionService', 'SingleLogoutService', 'AssertionConsumerService', 'AttributeConsumingService'],
     shibboleth: ['KeyDescriptor', 'ArtifactResolutionService', 'SingleLogoutService', 'NameIDFormat', 'AssertionConsumerService', 'AttributeConsumingService',],
 };
-export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations };
+/**
+ * 默认安全配置
+ */
+const defaultSecurityOptions = {
+    allowSHA1: false,
+    allowRSA15: false,
+    allowTripleDES: false,
+};
+/**
+ * 当前安全配置
+ */
+let currentSecurityOptions = { ...defaultSecurityOptions };
+/**
+ * 设置安全配置
+ * @param options 安全配置选项
+ */
+function setSecurityOptions(options) {
+    currentSecurityOptions = { ...currentSecurityOptions, ...options };
+}
+/**
+ * 获取当前安全配置
+ * @returns 安全配置对象
+ */
+function getSecurityOptions() {
+    return currentSecurityOptions;
+}
+/**
+ * 重置为默认安全配置
+ */
+function resetSecurityOptions() {
+    currentSecurityOptions = { ...defaultSecurityOptions };
+}
+/**
+ * 验证算法是否安全
+ * @param algorithm 算法 URI
+ * @returns 验证结果
+ */
+function validateAlgorithm(algorithm) {
+    // 检查 SHA-1
+    if (!currentSecurityOptions.allowSHA1 && algorithm.toLowerCase().includes('sha1')) {
+        return {
+            valid: false,
+            reason: 'SHA-1 algorithm is not allowed. Use SHA-256 or stronger.'
+        };
+    }
+    // 检查 RSA-1_5
+    if (!currentSecurityOptions.allowRSA15 && algorithm.includes('rsa-1_5')) {
+        return {
+            valid: false,
+            reason: 'RSA-1_5 key encryption is not allowed. Use RSA-OAEP instead.'
+        };
+    }
+    // 检查 TripleDES
+    if (!currentSecurityOptions.allowTripleDES && algorithm.includes('tripledes')) {
+        return {
+            valid: false,
+            reason: 'TripleDES encryption is not allowed. Use AES-GCM instead.'
+        };
+    }
+    return { valid: true };
+}
+/**
+ * 检查算法是否为不安全算法
+ * @param algorithm 算法 URI
+ * @returns 检查结果
+ */
+function checkUnsafeAlgorithm(algorithm) {
+    const isUnsafe = algorithms.unsafeAlgorithms.some(unsafeAlg => algorithm.toLowerCase().includes(unsafeAlg.toLowerCase().replace('http://www.w3.org/2000/09/xmldsig#', '').replace('#', ''))) || algorithm.toLowerCase().includes('sha1');
+    return {
+        isUnsafe,
+        algorithm: isUnsafe ? algorithm : undefined
+    };
+}
+export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations, getBindingName, defaultSecurityOptions, setSecurityOptions, getSecurityOptions, resetSecurityOptions, validateAlgorithm, checkUnsafeAlgorithm };

package/build/src/utility.js

@@ -312,6 +312,75 @@ export function castArrayOpt(a) {
 export function notEmpty(value) {
     return value !== null && value !== undefined;
 }
+/**
+ * @desc 验证 RelayState 是否符合 SAML 2.0 规范
+ * @param {string} relayState - RelayState 值
+ * @returns {{ valid: boolean; error?: string }} 验证结果
+ */
+export function validateRelayState(relayState) {
+    // RelayState 是可选的
+    if (!relayState || relayState.length === 0) {
+        return { valid: true };
+    }
+    // 验证长度（SAML 规范限制 80 字节）
+    if (relayState.length > 80) {
+        return {
+            valid: false,
+            error: 'RelayState exceeds 80 bytes'
+        };
+    }
+    // 验证是否为合法 URL（如果是 URL）
+    if (relayState.startsWith('http://') || relayState.startsWith('https://')) {
+        try {
+            new URL(relayState);
+        }
+        catch {
+            return {
+                valid: false,
+                error: 'RelayState is not a valid URL'
+            };
+        }
+    }
+    return { valid: true };
+}
+/**
+ * @desc 敏感信息键名列表（用于日志脱敏）
+ */
+const sensitiveKeys = [
+    'privateKey',
+    'privateKeyPass',
+    'encPrivateKey',
+    'encPrivateKeyPass',
+    'password',
+    'secret',
+    'signingCert',
+    'encryptCert'
+];
+/**
+ * @desc 日志脱敏函数，过滤敏感信息
+ * @param {any} data - 需要脱敏的数据
+ * @returns {any} 脱敏后的数据
+ */
+export function sanitizeLog(data) {
+    if (typeof data !== 'object' || data === null) {
+        return data;
+    }
+    const sanitized = Array.isArray(data) ? [] : {};
+    for (const [key, value] of Object.entries(data)) {
+        // 检查是否为敏感键名
+        if (sensitiveKeys.some(k => k.toLowerCase() === key.toLowerCase())) {
+            sanitized[key] = '***REDACTED***';
+        }
+        else if (typeof value === 'object' && value !== null) {
+            // 递归处理嵌套对象
+            sanitized[key] = sanitizeLog(value);
+        }
+        else {
+            sanitized[key] = value;
+        }
+    }
+    return sanitized;
+}
 const utility = {
     isString,
     base64Encode,
@@ -327,5 +396,7 @@ const utility = {
     readPrivateKey,
     convertToString,
     isNonEmptyArray,
+    validateRelayState,
+    sanitizeLog,
 };
 export default utility;