Commit 97a94886 authored by Peter Loer's avatar Peter Loer
Browse files

Merge pull request #123 from cjbarth/custom-querystring-signing

Do not sign custom query string parameters
parents f57a95d6 f33edd93
...@@ -108,6 +108,7 @@ SAML.prototype.generateInstant = function () { ...@@ -108,6 +108,7 @@ SAML.prototype.generateInstant = function () {
SAML.prototype.signRequest = function (samlMessage) { SAML.prototype.signRequest = function (samlMessage) {
var signer; var signer;
var samlMessageToSign = {};
switch(this.options.signatureAlgorithm) { switch(this.options.signatureAlgorithm) {
case 'sha256': case 'sha256':
samlMessage.SigAlg = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'; samlMessage.SigAlg = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
...@@ -118,7 +119,19 @@ SAML.prototype.signRequest = function (samlMessage) { ...@@ -118,7 +119,19 @@ SAML.prototype.signRequest = function (samlMessage) {
signer = crypto.createSign('RSA-SHA1'); signer = crypto.createSign('RSA-SHA1');
break; break;
} }
signer.update(querystring.stringify(samlMessage)); if (samlMessage.SAMLRequest) {
samlMessageToSign.SAMLRequest = samlMessage.SAMLRequest;
}
if (samlMessage.SAMLResponse) {
samlMessageToSign.SAMLResponse = samlMessage.SAMLResponse;
}
if (samlMessage.RelayState) {
samlMessageToSign.RelayState = samlMessage.RelayState;
}
if (samlMessage.SigAlg) {
samlMessageToSign.SigAlg = samlMessage.SigAlg;
}
signer.update(querystring.stringify(samlMessageToSign));
samlMessage.Signature = signer.sign(this.options.privateCert, 'base64'); samlMessage.Signature = signer.sign(this.options.privateCert, 'base64');
}; };
......
...@@ -689,7 +689,10 @@ describe( 'passport-saml /', function() { ...@@ -689,7 +689,10 @@ describe( 'passport-saml /', function() {
privateCert: fs.readFileSync(__dirname + '/static/acme_tools_com.key', 'utf-8'), privateCert: fs.readFileSync(__dirname + '/static/acme_tools_com.key', 'utf-8'),
authnContext: 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password', authnContext: 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password',
identifierFormat: null, identifierFormat: null,
signatureAlgorithm: 'sha256' signatureAlgorithm: 'sha256',
additionalParams: {
customQueryStringParam: 'CustomQueryStringParamValue'
}
}; };
var samlObj = new SAML( samlConfig ); var samlObj = new SAML( samlConfig );
samlObj.generateUniqueID = function () { return '12345678901234567890' }; samlObj.generateUniqueID = function () { return '12345678901234567890' };
...@@ -697,6 +700,7 @@ describe( 'passport-saml /', function() { ...@@ -697,6 +700,7 @@ describe( 'passport-saml /', function() {
var qry = require('querystring').parse(require('url').parse(url).query); var qry = require('querystring').parse(require('url').parse(url).query);
qry.SigAlg.should.match('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'); qry.SigAlg.should.match('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256');
qry.Signature.should.match('SL85w0h6Pt7ejplGrR4OOTh4Zo9zs/MQHZep27kSzs4+U/0QdQi7hg5T0TKqCSRBZpVtspMpw+i6F0tZrFot0dIJgeCgkvMA2Tllwt6K0DbKWOiNXW5S2M9tUZktdJVfjr2D5e0SG4jQIwa4PVONgNQEKFxydIqwxVh9NGYeDeMUGq5/4QpMDLgYOvLfShyvhlzmqeUs7LBlZbKJLCeXZi/Z5bnF+QOAugtKuh0G6kFOS0CmKVLIW/4XicLHmggUBDlt0VJaskxUx2amHSNUoYe3Z9/9TeZqc7IswNUOEiq/oy0DLhokLnBEj+dBRMlgkAHp/gaWcc1Vp/1jSlVAvg=='); qry.Signature.should.match('SL85w0h6Pt7ejplGrR4OOTh4Zo9zs/MQHZep27kSzs4+U/0QdQi7hg5T0TKqCSRBZpVtspMpw+i6F0tZrFot0dIJgeCgkvMA2Tllwt6K0DbKWOiNXW5S2M9tUZktdJVfjr2D5e0SG4jQIwa4PVONgNQEKFxydIqwxVh9NGYeDeMUGq5/4QpMDLgYOvLfShyvhlzmqeUs7LBlZbKJLCeXZi/Z5bnF+QOAugtKuh0G6kFOS0CmKVLIW/4XicLHmggUBDlt0VJaskxUx2amHSNUoYe3Z9/9TeZqc7IswNUOEiq/oy0DLhokLnBEj+dBRMlgkAHp/gaWcc1Vp/1jSlVAvg==');
qry.customQueryStringParam.should.match('CustomQueryStringParamValue');
done(); done();
}); });
}); });
...@@ -709,7 +713,10 @@ describe( 'passport-saml /', function() { ...@@ -709,7 +713,10 @@ describe( 'passport-saml /', function() {
privateCert: fs.readFileSync(__dirname + '/static/acme_tools_com.key', 'utf-8'), privateCert: fs.readFileSync(__dirname + '/static/acme_tools_com.key', 'utf-8'),
authnContext: 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password', authnContext: 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password',
identifierFormat: null, identifierFormat: null,
signatureAlgorithm: 'sha1' signatureAlgorithm: 'sha1',
additionalParams: {
customQueryStringParam: 'CustomQueryStringParamValue'
}
}; };
var samlObj = new SAML( samlConfig ); var samlObj = new SAML( samlConfig );
samlObj.generateUniqueID = function () { return '12345678901234567890' }; samlObj.generateUniqueID = function () { return '12345678901234567890' };
...@@ -717,6 +724,7 @@ describe( 'passport-saml /', function() { ...@@ -717,6 +724,7 @@ describe( 'passport-saml /', function() {
var qry = require('querystring').parse(require('url').parse(url).query); var qry = require('querystring').parse(require('url').parse(url).query);
qry.SigAlg.should.match('http://www.w3.org/2000/09/xmldsig#rsa-sha1'); qry.SigAlg.should.match('http://www.w3.org/2000/09/xmldsig#rsa-sha1');
qry.Signature.should.match('VnYOXVDiIaio+Vt8D2XXVwdyvwhDcdvgrQSkeq85G+MfU31yK9fvYEPFARK5pF1uJakMsYrKzVBv7HLCFcYuztpuIZloMFvFkado0MxFK4A/QFZn+EYDJE8ddLSvrW3iyuoxyVBSnH0+KLzDiI81B28YZNU3NFJIKCKzQSGIllJ7Vgw6KjH/BmE5DY0eSeUCEe6OygHgazjSrNIWQQjww5nSGIqAQl94OVanZtQBrYIUtik+d1lAhnginG0UnPccstenxEMAun2uMGp9hVqroWQvWRbX/xspRpjPOrIkvv63FzEgmRObXVNqpzDICJRUSlhTLdXAm2hb+ScYocO6EQ=='); qry.Signature.should.match('VnYOXVDiIaio+Vt8D2XXVwdyvwhDcdvgrQSkeq85G+MfU31yK9fvYEPFARK5pF1uJakMsYrKzVBv7HLCFcYuztpuIZloMFvFkado0MxFK4A/QFZn+EYDJE8ddLSvrW3iyuoxyVBSnH0+KLzDiI81B28YZNU3NFJIKCKzQSGIllJ7Vgw6KjH/BmE5DY0eSeUCEe6OygHgazjSrNIWQQjww5nSGIqAQl94OVanZtQBrYIUtik+d1lAhnginG0UnPccstenxEMAun2uMGp9hVqroWQvWRbX/xspRpjPOrIkvv63FzEgmRObXVNqpzDICJRUSlhTLdXAm2hb+ScYocO6EQ==');
qry.customQueryStringParam.should.match('CustomQueryStringParamValue');
done(); done();
}); });
}); });
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment