support for thumbprint check

auth0 · Aug 27, 2012 · 8258295 · 8258295
1 parent d31386b
commit 8258295
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/examples/login/app.js b/examples/login/app.js
@@ -3,7 +3,6 @@ var express = require('express')
   , util = require('util')
   , wsfedsaml2 = require('../../lib/passport-wsfed-saml2/index').Strategy
   , fs = require('fs');
-
 
 var users = [
     { id: 1, givenName: 'matias', email: '[email protected]' }
@@ -42,7 +41,10 @@ passport.use(new wsfedsaml2(
     realm: 'urn:node:app',
     homeRealm: '', // specify an identity provider to avoid showing the idp selector
     identityProviderUrl: 'https://auth10-dev.accesscontrol.windows.net/v2/wsfederation',
-    cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg='
+    // setup either a certificate base64 encoded (cer) or just the thumbprint of the certificate if public key is embedded in the signature
+
+    //cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg='
+    thumbprint: 'a3cff17cbf7e793a97861390eb698d00e9598537'
   },
   function(profile, done) {
     console.log("Auth with", profile);

diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js
@@ -8,6 +8,10 @@ var querystring = require('querystring');
 
 var SAML = function (options) {
   this.options = options;
+
+  if (!options.cert && !options.thumbprint) {
+    throw new Error('You should set either a base64 encoded certificate or the thumbprint of the certificate');
+  }
 };
 
 SAML.prototype.certToPEM = function (cert) {
@@ -17,7 +21,7 @@ SAML.prototype.certToPEM = function (cert) {
   return cert;
 };
 
-SAML.prototype.validateSignature = function (xml, cert) {
+SAML.prototype.validateSignature = function (xml, cert, thumbprint) {
   var self = this;
   var doc = new xmldom.DOMParser().parseFromString(xml);
   var signature = xmlCrypto.xpath.SelectNodes(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];
@@ -27,11 +31,32 @@ SAML.prototype.validateSignature = function (xml, cert) {
       return "<X509Data></X509Data>"
     },
     getKey: function (keyInfo) {
+      if (thumbprint)  {
+        var embeddedSignature = keyInfo[0].getElementsByTagName("X509Certificate");
+        if (embeddedSignature.length > 0) {
+          var base64cer = embeddedSignature[0].firstChild.toString();
+          var shasum = crypto.createHash('sha1');
+          var der = new Buffer(base64cer, 'base64').toString('binary')
+          shasum.update(der);
+          self.calculatedThumbprint = shasum.digest('hex');
+
+          return self.certToPEM(base64cer);
+        }
+      }
+
       return self.certToPEM(cert);
     }
   };
   sig.loadSignature(signature.toString());
-  return sig.checkSignature(xml);
+  var valid = sig.checkSignature(xml);
+
+  if (cert) {
+    return valid;
+  }
+
+  if (thumbprint) {
+    return valid && this.calculatedThumbprint.toUpperCase() === thumbprint.toUpperCase();
+  }
 };
 
 SAML.prototype.getElement = function (parentElement, elementName) {
@@ -45,7 +70,7 @@ SAML.prototype.validateResponse = function (samlAssertionString, callback) {
   var self = this;
 
   // Verify signature
-  if (self.options.cert && !self.validateSignature(samlAssertionString, self.options.cert)) {
+  if (!self.validateSignature(samlAssertionString, self.options.cert, self.options.thumbprint)) {
     return callback(new Error('Invalid signature'), null);
   }