support array of thumbprints

examples/auth0/app.js

@@ -20,7 +20,7 @@ passport.use(new Strategy(
     // identityProviderUrl: 'https://mdocs.auth0.com/samlp/dVrQZOG4gkBhzcLartSgW2v7kSnvW5XR?connection=github',
     // thumbprint: 'c5b930896e3f4e2cc1d6d1ceb68f4d3de90deee6'
     identityProviderUrl: 'https://login0.myauth0.com/samlp/wklezTET2P3iYA54Sraju8qFN0ohdI0G',
-    thumbprint: 'dba77ba142ff38d5076b4310700709c470d53790'
+    thumbprints: ['dba77ba142ff38d5076b4310700709c470d53790']
   }, function(profile, done) {
     console.log("Auth with", profile);
     if (!profile.email) {

examples/login/app.js

@@ -44,7 +44,7 @@ passport.use(new wsfedsaml2(
     // setup either a certificate base64 encoded (cer) or just the thumbprint of the certificate if public key is embedded in the signature
 
     //cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg='
-    thumbprint: 'a3cff17cbf7e793a97861390eb698d00e9598537'
+    thumbprints: ['a3cff17cbf7e793a97861390eb698d00e9598537']
   },
   function(profile, done) {
     console.log("Auth with", profile);

lib/passport-wsfed-saml2/saml.js

@@ -12,8 +12,12 @@ var ELEMENT_NODE = 1;
 var SAML = function (options) {
   this.options = options;
 
-  if (!options.cert && !options.thumbprint) {
-    throw new Error('You should set either a base64 encoded certificate or the thumbprint of the certificate');
+  if (this.options.thumbprint) {
+    this.options.thumbprints = (this.options.thumbprints || []).concat([this.options.thumbprint]);
+  }
+
+  if (!this.options.cert && (!this.options.thumbprints || this.options.thumbprints.length === 0)) {
+    throw new Error('You should set either a base64 encoded certificate or the thumbprints of the signing certificates');
   }
 
   this.options.checkExpiration = (typeof this.options.checkExpiration !== 'undefined') ? this.options.checkExpiration : true;
@@ -42,7 +46,7 @@ SAML.prototype.validateSignature = function (xml, options, callback) {
       return "<X509Data></X509Data>";
     },
     getKey: function (keyInfo) {
-      if (options.thumbprint)  {
+      if (options.thumbprints && options.thumbprints.length > 0)  {
         var embeddedSignature = keyInfo[0].getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "X509Certificate");
         if (embeddedSignature.length > 0) {
           var base64cer = embeddedSignature[0].firstChild.toString();
@@ -69,9 +73,14 @@ SAML.prototype.validateSignature = function (xml, options, callback) {
     return callback();
   }
 
-  if (options.thumbprint) {
-    if (this.calculatedThumbprint.toUpperCase() !== options.thumbprint.toUpperCase()) {
-      return callback(new Error('Invalid thumbprint (configured: ' + options.thumbprint.toUpperCase() + '. calculated: ' + this.calculatedThumbprint.toUpperCase() + ')' ));
+  if (options.thumbprints) {
+
+    var valid_thumbprint = options.thumbprints.some(function (thumbprint) {
+      return self.calculatedThumbprint.toUpperCase() === thumbprint.toUpperCase();
+    });
+
+    if (!valid_thumbprint) {
+      return callback(new Error('Invalid thumbprint (configured: ' + options.thumbprints.join(', ').toUpperCase() + '. calculated: ' + this.calculatedThumbprint.toUpperCase() + ')' ));
     }
 
     return callback();
@@ -217,7 +226,7 @@ SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) {
 
   self.validateSignature(samlAssertion, {
     cert: self.options.cert,
-    thumbprint: self.options.thumbprint,
+    thumbprints: self.options.thumbprints,
     signaturePath: "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) {
     if (err) return callback(err);
 

lib/passport-wsfed-saml2/samlp.js

@@ -10,7 +10,14 @@ var xmlenc = require('xml-encryption');
 var Samlp = module.exports = function Samlp (options, saml) {
   this.options = options || {};
   this.options.protocolBinding = options.protocolBinding || 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';
-  if (typeof options.deflate === 'undefined') this.options.deflate = true;
+
+  if (this.options.thumbprint) {
+    this.options.thumbprints = (this.options.thumbprints || []).concat([this.options.thumbprint]);
+  }
+
+  if (typeof options.deflate === 'undefined') {
+    this.options.deflate = true;
+  }
 
   this._saml = saml;
 };
@@ -151,7 +158,7 @@ Samlp.prototype = {
       if (isResponseSigned) {
         self._saml.validateSignature(samlResponse, {
           cert: self.options.cert,
-          thumbprint: self.options.thumbprint,
+          thumbprints: self.options.thumbprints,
           signaturePath: samlResponseSignaturePath
         },
         function (err) {

test/fixture/samlp-server.js

@@ -15,7 +15,7 @@ passport.use('samlp', new Strategy({
     path: '/callback',
     realm: 'https://auth0-dev-ed.my.salesforce.com',
     identityProviderUrl: identityProviderUrl,
-    thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309'
+    thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309']
   }, function(profile, done) {
     return done(null, profile);
   })
@@ -25,7 +25,7 @@ passport.use('samlp-custom-request-template', new Strategy({
     path: '/callback',
     realm: 'https://auth0-dev-ed.my.salesforce.com',
     identityProviderUrl: identityProviderUrl,
-    thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309',
+    thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'],
     requestTemplate: '<AuthnRequest Issuertico="@@Issuer@@" Version="3.0" Protocol="@@ProtocolBinding@@" Foo="@@Foo.Test@@"></AuthnRequest>',
     requestContext: {
       Foo: {
@@ -42,7 +42,7 @@ passport.use('samlp-idpurl-with-querystring', new Strategy(
     path: '/callback',
     realm: 'https://auth0-dev-ed.my.salesforce.com',
     identityProviderUrl: identityProviderUrl + '?foo=bar',
-    thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309'
+    thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309']
   },
   function(profile, done) {
     return done(null, profile);
@@ -54,7 +54,7 @@ passport.use('samlp-signedresponse', new Strategy(
     path: '/callback',
     realm: 'https://auth0-dev-ed.my.salesforce.com',
     identityProviderUrl: identityProviderUrl,
-    thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309'
+    thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309']
   },
   function(profile, done) {
     return done(null, profile);
@@ -66,7 +66,7 @@ passport.use('samlp-signedresponse-invalidcert', new Strategy(
     path: '/callback',
     realm: 'urn:fixture-test',
     identityProviderUrl: identityProviderUrl,
-    thumbprint: '11111111111111111a5b93a43572eb2376fed309'
+    thumbprints: ['11111111111111111a5b93a43572eb2376fed309']
   },
   function(profile, done) {
     return done(null, profile);
@@ -78,7 +78,7 @@ passport.use('samlp-invalidcert', new Strategy(
     path: '/callback',
     realm: 'urn:fixture-test',
     identityProviderUrl: identityProviderUrl,
-    thumbprint: '11111111111111111a5b93a43572eb2376fed309'
+    thumbprints: ['11111111111111111a5b93a43572eb2376fed309']
   },
   function(profile, done) {
     return done(null, profile);
@@ -89,7 +89,7 @@ passport.use('samlp-signedresponse-signedassertion', new Strategy(
   {
     path: '/callback',
     realm: 'urn:auth0:login-dev3',
-    thumbprint: 'C9ED4DFB07CAF13FC21E0FEC1572047EB8A7A4CB',
+    thumbprints: ['C9ED4DFB07CAF13FC21E0FEC1572047EB8A7A4CB'],
     checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide
   },
   function(profile, done) {
@@ -101,7 +101,7 @@ passport.use('samlp-ping', new Strategy(
   {
     path: '/callback',
     realm: 'urn:auth0:login-dev3',
-    thumbprint: '44340220770a348444be34970939cff8a2d74f08',
+    thumbprints: ['44340220770a348444be34970939cff8a2d74f08'],
     checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide
   },
   function(profile, done) {
@@ -113,7 +113,7 @@ passport.use('samlp-okta', new Strategy(
   {
     path: '/callback',
     realm: 'https://auth0145.auth0.com',
-    thumbprint: 'a0c7dbb790e3476d3c5dd236f9f2060b1fd6e253',
+    thumbprints: ['a0c7dbb790e3476d3c5dd236f9f2060b1fd6e253'],
     checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide
   },
   function(profile, done) {
@@ -124,7 +124,7 @@ passport.use('samlp-okta', new Strategy(
 passport.use('samlp-with-utf8', new Strategy(
   {
     path: '/callback',
-    thumbprint: '42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031',
+    thumbprints: ['42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031'],
     decryptionKey: fs.readFileSync(path.join(__dirname, '../test-decryption.key')),
     checkExpiration: false, // we are using a precomputed assertion generated from a sample idp feide
     checkAudience: false

test/fixture/wsfed-server.js

@@ -13,7 +13,7 @@ passport.use(new Strategy(
     path: '/callback',
     realm: 'urn:fixture-test',
     identityProviderUrl: 'http://localhost:5050/login',
-    thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309'
+    thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309']
   },
   function(profile, done) {
     return done(null, profile);