fix: support unencrypted PKCS#8 keys again (tngan#503)

* fix: support unencrypted PKCS#8 keys again

Allow `node-rsa` to detect the format of the private key by not explicitly specifying an alias for the `pkcs1-private-pem` format.
Reference [comment](tngan#452 (comment)) for details.

Fixes tngan#452

* remove octetStringBuilder

src/libsaml.ts

@@ -545,7 +545,7 @@ const libSaml = () => {
       // Embed with node-rsa module
       const decryptedKey = new nrsa(
         utility.readPrivateKey(key, passphrase),
-        'private',
+        undefined,
         {
           signingScheme: getSigningScheme(signingAlgorithm),
         }

test/flow.ts

@@ -77,7 +77,7 @@ const createTemplateCallback = (_idp, _sp, _binding, user) => template => {
 
 // Parse Redirect Url context
 
-const parseRedirectUrlContextCallBack = (_context) => {
+const parseRedirectUrlContextCallBack = (_context: string) => {
   const originalURL = url.parse(_context, true);
   const _SAMLResponse = originalURL.query.SAMLResponse;
   const _Signature = originalURL.query.Signature;
@@ -252,6 +252,40 @@ test('create login request with redirect binding using [custom template]', t =>
   (id === 'exposed_testing_id' && isString(context)) ? t.pass() : t.fail();
 });
 
+test('create login request with redirect binding signing with unencrypted PKCS#8', t => {
+  const _sp = serviceProvider({
+    authnRequestsSigned: true,
+    signingCert: readFileSync('./test/key/sp/cert.unencrypted.pkcs8.cer'),
+    privateKey: readFileSync('./test/key/sp/privkey.unencrypted.pkcs8.pem'),
+    privateKeyPass: undefined,
+  });
+
+  const { context } = _sp.createLoginRequest(idp, 'redirect');
+
+  const parsed = parseRedirectUrlContextCallBack(context)
+  const signature =  Buffer.from(parsed.query.Signature as string, 'base64');
+
+  const valid = libsaml.verifyMessageSignature(_sp.entityMeta, parsed.octetString, signature, parsed.query.SigAlg as string);
+  t.true(valid, 'signature did not validate');
+});
+
+test('create login request with redirect binding signing with encrypted PKCS#8', t => {
+  const _sp = serviceProvider({
+    authnRequestsSigned: true,
+    signingCert: readFileSync('./test/key/sp/cert.encrypted.pkcs8.cer'),
+    privateKey: readFileSync('./test/key/sp/privkey.encrypted.pkcs8.pem'),
+    privateKeyPass: 'VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px',
+  });
+
+  const { context } = _sp.createLoginRequest(idp, 'redirect');
+
+  const parsed = parseRedirectUrlContextCallBack(context)
+  const signature =  Buffer.from(parsed.query.Signature as string, 'base64');
+
+  const valid = libsaml.verifyMessageSignature(_sp.entityMeta, parsed.octetString, signature, parsed.query.SigAlg as string);
+  t.true(valid, 'signature did not validate');
+});
+
 test('create login request with post binding using [custom template]', t => {
   const _sp = serviceProvider({
     ...defaultSpConfig, loginRequestTemplate: {

test/index.ts

@@ -334,13 +334,17 @@ test('getAssertionConsumerService with two bindings', t => {
 test('idp with multiple signing and encryption certificates', t => {
   const localIdp = identityProvider({
     signingCert: [
-      readFileSync('./test/key/sp/cert.cer'),
-      readFileSync('./test/key/sp/cert2.cer').toString(),
+      readFileSync('./test/key/idp/cert.cer'),
+      readFileSync('./test/key/idp/cert2.cer').toString(),
     ],
     encryptCert: [
       readFileSync('./test/key/idp/encryptionCert.cer'),
       readFileSync('./test/key/idp/encryptionCert.cer').toString(),
-    ]
+    ],
+    singleSignOnService: [{
+      Binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+      Location: 'idp.example.com/sso',
+    }]
   })
 
   const signingCertificate = localIdp.entityMeta.getX509Certificate('signing');

test/key/sp/cert.encrypted.pkcs8.cer

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0TCCArigAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCaGsx
+EjAQBgNVBAgMCUhvbmcgS29uZzETMBEGA1UECgwKbm9kZS1zYW1sMjEXMBUGA1UE
+AwwOc2FtbGlmeS5qcy5vcmcxCzAJBgNVBAcMAkhLMSMwIQYJKoZIhvcNAQkBFhRu
+b2RlLnNhbWwyQGdtYWlsLmNvbTAeFw0yMzAxMDYxNTQ2NTdaFw0zMzAxMDMxNTQ2
+NTdaMIGBMQswCQYDVQQGEwJoazESMBAGA1UECAwJSG9uZyBLb25nMRMwEQYDVQQK
+DApub2RlLXNhbWwyMRcwFQYDVQQDDA5zYW1saWZ5LmpzLm9yZzELMAkGA1UEBwwC
+SEsxIzAhBgkqhkiG9w0BCQEWFG5vZGUuc2FtbDJAZ21haWwuY29tMIIBIzANBgkq
+hkiG9w0BAQEFAAOCARAAMIIBCwKCAQIA0rKjNPl2dwu+4jE128CvOTC3nHbJmjyx
+5RaLuPEt65koViXqg/klpvzUUu8V+FeIiiOJx0NB5BXCm4QDcSay9K4A2daeTNLm
+vNM340TWMIZbz32wx4lnwD7Nc//UmbFzBgU+AB5tLEkzXc+21YY6GhWIsjuz4/ta
+WfhvdQatMJOCm2C8G5n5X/HfxLxHNBOpPytuxTZKHYWWszMFNf7K+08n58O3z/Ha
+Z/wH//KWPZ4GF4B+NrSd6j0JFwHXXwHdomlYJ0QH/jaW8jvegM+u56xHsWl/p1Ae
+eB/Fm90jFcAbf4lK5BsD3RSaV2IlTz2i8pLkKYZumMjFIZ+stSZ3LBECAwEAAaNQ
+ME4wHQYDVR0OBBYEFHBW91GXY9QE3eS26e7xap4JPwjpMB8GA1UdIwQYMBaAFHBW
+91GXY9QE3eS26e7xap4JPwjpMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD
+ggECAE39udf8tOHRSIghwFYi4TQQeLxFZq3fhfX2z9Jy5Anz18930nx343dolL7B
+MCG93AHkimCZSOpc2T0/bYi4SaTTvA9EQ0wbF3QDlItjxaIjuEf9C0uFSIGZKUV3
+HgdDcK+eEFe50fO37mepsGoFesNMEfYIO2qacIFdowTNi+yrA3lOgmEETBFx/bEM
+dXTCAjRGchPM6IiAHNQ1OzM8qEzH/ALUgGGY3FXxi4cZk/mIVvLtj8S41IphZfBZ
+Zc+GIiB7I8YPy1OuMcHVfEU9Kyqc3L4nCkQ1HbL9Z6E646w3yWIv116beFe9QEFQ
+y7MQIO27pdvoQAQKoYysA87o7UEv
+-----END CERTIFICATE-----

test/key/sp/cert.unencrypted.pkcs8.cer

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0TCCArigAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCaGsx
+EjAQBgNVBAgMCUhvbmcgS29uZzETMBEGA1UECgwKbm9kZS1zYW1sMjEXMBUGA1UE
+AwwOc2FtbGlmeS5qcy5vcmcxCzAJBgNVBAcMAkhLMSMwIQYJKoZIhvcNAQkBFhRu
+b2RlLnNhbWwyQGdtYWlsLmNvbTAeFw0yMzAxMDUyMjQ3NTBaFw0zMzAxMDIyMjQ3
+NTBaMIGBMQswCQYDVQQGEwJoazESMBAGA1UECAwJSG9uZyBLb25nMRMwEQYDVQQK
+DApub2RlLXNhbWwyMRcwFQYDVQQDDA5zYW1saWZ5LmpzLm9yZzELMAkGA1UEBwwC
+SEsxIzAhBgkqhkiG9w0BCQEWFG5vZGUuc2FtbDJAZ21haWwuY29tMIIBIzANBgkq
+hkiG9w0BAQEFAAOCARAAMIIBCwKCAQIAuiZeojwEcgdd8yRCddkhLhoKScITJl1V
+cUrbMFa76yg/9KFjOgiY27Y4czL71XKy3L52GQXcryXhOXrt+td8ArsDV+ATVmLt
+/Ew1VTmG5jKbsJQe3tYgulvdl6rME7ytC1vk40LGAtB08fP4HbVULOS6HEsFWtwt
+KxI2woVgfCU37nJOCz9SVWsMxRwjmNn1lyOnLdzHZ87yU6IyIGRCzwLhN09jVoYK
+36XKPl+XF2mTeODAXJ5bGHzBfS1PLhi9zG7c8t0wLMVbS76Cz6TpK/oTJnTBMmzw
+Z6sLlrbK3Xy7geRV7rhWfEmY97WXkGLUa3jKfq5LTAf63rz5ZjzgeZ8CAwEAAaNQ
+ME4wHQYDVR0OBBYEFIW8z2CmYsUvTbX8IFHE+IdbkcsHMB8GA1UdIwQYMBaAFIW8
+z2CmYsUvTbX8IFHE+IdbkcsHMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD
+ggECAAvSnm6IQYmPPVpoUvwC3K3jh28HQ/8S5QMgRGw+RcqgJbo5wIAn0OOUJLfR
+rLtcx2UfaFPn3QKvGOrX71ekb6FF0hzEq+U3Mbv2KEWBEwbu5D+N93uvf3ryeM7o
+X4t6Qi5gKe486PrOBu2CyUtveFBqECWCGRG5yN+/4bd2zh/hug3lD28hicA7rsnA
+FOrEmnhnDhzWzoG+ih1uCzjui21gFGeKRspWkXf+4Vgc7lL+tYCI0sVfe1huRwFh
+SkTC5yT/7mYw4aLlRAKOxAEMHQjj5bFyr8NZa296YIcdBbdRm8oqGDqWcK4wcu/I
+yFtbTMIWwNL9n/lLh695eNwDmg28
+-----END CERTIFICATE-----

test/key/sp/privkey.encrypted.pkcs8.pem

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIuQ2unbu0tjICAggA
+MBQGCCqGSIb3DQMHBAjKZQizh2v/CgSCBMjMV4AX1EmUgV2PjSYYehbnIEOZdiOU
+xiH2hEWZBvj6Lc+OtG01w/DubW7drMdbeQPY8ZWd0mFuhPKWbrU7C+u98vy9+dly
+hm22DfEda5BWD4YINKj7qdK+RtM0Im3gHtmppfNP6ZTIGB6TC6gy0pSbOsT2BaAO
+Ly/4wp/KSxgaCyTIyFlmUP34AGZoLz21FjQn6nD9TNGO6V+/0CUin5aezuoEbz6r
+aWhw+eaw/KtzIDfuj6mShbqBHWP74DfB16M5pU3MCOsfalzouoh+y4FbImRD+ILU
+CYibmXQXxbXFHtp30eYsJHVMg56HvkO1EZI6nHdOLUxJ6N/0Gs1FdsijMuqdjX9P
+OWPVMrXvCoWSSWcSQDIGKqxA7QJOubH3Q0F2cEWkgSht00EO3tm7LZqCVWv0lPh/
+S61WvUSu6YeGXgeZ7FMWBM3MEJIGAP6Uk0jJ//NGkdPEHe4K488UM8KswLMfUPdv
+PCI9vtqgDuWlMytQKbtUPgY9LHKa2aGF3FJq6XIDgyGAbPkSjdtMJS3cIzbB9vPD
+Pxpj6PLe2HRuE9fQsxQia3SFHhXlHo2MjUJZsyZbts70BeI1J8dJJSCfRtvxjCeL
+fet8LN/5wv7aIteJOiM6ffvexzwUUiBMSo+HtgZ49992MRf/bx5i87uAgxlshc2k
+tLJEW/UQXwpA2QaP3CJS8I2P3PwvmCKT77+s21vFeheNUOsfdwN2dQeEJU/9DDCN
+fGrCW2p9HAvh9TEAqJGToMU11OZjMhWEh/d1Xzo9VxuO5LDSNnv3w/MHXKUuZyNI
+mIBSTvwz/qs7bdDxZfTzhy6IxIYIT2jILg+sOR5jyej/bq3F3MxvKonX58X3U5NE
+HqKcFuqtsZfFINUrke2GjyQaHKvnUpwTx8H5SkCzpH6MuSrm78afX1Pkg8LvDO6c
+4YWSs6hX7xUZxuiACvF6oDAesk5KqlbH7DoEbgX003i+0RoRPGbm8a1ksrbxw+Vl
+Nsab4Wq6pXM0z5ZcDLrgI2PRc7yJLnoLiMDFIbKWWC3TTmLsNuQqyICRSsJtE9SH
+CQNq+hD82GElrnERllxCyGeues6Wx6ST2ruxil1oKTXygU8dg3Hw6tae3t5Gfnwv
+FZaTsU1rQF8fnRaWHID65e4XuXdvqx9ml7KHfDool6Kgjjz+AgSM0ns6R5WIDsZR
+2sBdorICollrE6zvCrpZiPxbr96M835lW0Zblj2a7rKWqDUd2t1+W4TbFgwGS7jM
+T8n5Fbje4f1BSpJCWZlo28aDzlfum003tdKrHizzWEjIoEsO+fad55qPMc94/4oW
+TXg7kn5jo2RMYniKV18cDIJhziGp5sA/fJX5w2z2mL1cyKLZpV6YcIrErxdJ/gQD
+Tx1Q9ayCenIAgnwn/PtRf0AI1n/yPYxHfln3Y9kvajgYe7lA4lFFMKpUMZ8xmZ8T
+KTWIK+tVSm+uYCrMPb+EwKxkoD+unvPjHFUfRjquCahx07HVd7+TMBA3LHwSWdtX
+DIdLBDUrvmhrdcUf8EyHBD4TGr/ZYiKPVCcT1E1op4mqBucfQGBfja02sDXL6Vu+
+vqKMK662XrRNUXUIRPF901f070QVmou7UW1tG9Dzi6Y7bcUfDjZwR7Y3LPrMEYfi
+mOk=
+-----END ENCRYPTED PRIVATE KEY-----

test/key/sp/privkey.unencrypted.pkcs8.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwgIBADANBgkqhkiG9w0BAQEFAASCBKwwggSoAgEAAoIBAgC6Jl6iPARyB13z
+JEJ12SEuGgpJwhMmXVVxStswVrvrKD/0oWM6CJjbtjhzMvvVcrLcvnYZBdyvJeE5
+eu3613wCuwNX4BNWYu38TDVVOYbmMpuwlB7e1iC6W92XqswTvK0LW+TjQsYC0HTx
+8/gdtVQs5LocSwVa3C0rEjbChWB8JTfuck4LP1JVawzFHCOY2fWXI6ct3MdnzvJT
+ojIgZELPAuE3T2NWhgrfpco+X5cXaZN44MBcnlsYfMF9LU8uGL3Mbtzy3TAsxVtL
+voLPpOkr+hMmdMEybPBnqwuWtsrdfLuB5FXuuFZ8SZj3tZeQYtRreMp+rktMB/re
+vPlmPOB5nwIDAQABAoIBAgCwsQD8n1lc3y9HPjCzafE7sE35qvTAYrFag0JAxONE
+mAT08Eeea1CkpHc6qbcu6Ntr+oFgyRarTZpWFCBWDDnS4a6Pt8rDIc5hv/iTt7Ib
+SQhM+JvAyqFwIwjYEK/7QAlFEenV6ajIPRP0Ia5ujJKktksN1gv0La/WBUjjJPTr
+gdKDgP4SgEHwhDF3rgzk/284Dbmr4pOxvi290AnHrVER+oPlxy/WS4mOEBYVU2Rq
+TbP07ej+ifYO/w9ZjJAc5l9UK2NDsv3JCUgui0PBgZ27z3dZ2TD2VbZXqSS4jahG
+UUhwCT0sOzIWVsZypv4PvTHJl/uvgS1Be01n/FAtcJGAKQKBgQ49glSkdtfJtjQm
+blqbacabkox+EM8EGkc9iveveD81E0gUYTL7AjVawowVYKQnYSZfsCdU7feLPQH2
+bwjzAgbiY+QbbFcTT9FJu5D31qM4jqk24Bu2vjecHpEy8sJKkvoqv0CdWTUKhk98
+7enh63LWo4Hjs6FVMAh8QKwsHjeMfQKBgQ0Sc4eO4ZSFuwCx8L4gG7MlvIeqVbHC
+8kwDzJY3qECxDaDD1ogbGuDVa9p8bnZNmhHE6+nyep7AGvXKzWUzWqYYz2nqxwuC
+/MAQHN6ruKFDaWzrDCfBMfwLsif4SgpcKkJj+1Y+LjPe1tgBw45cco9cWxZLPvVL
+yxEAVTbFWXFlSwKBgQu7F/ZqVYyGGpbzYc06YfS+jAc4gthG5O7y/9vyrPhE3NFw
+GHJK3RLe5Y1Ivwf7eMiH4zFDgZV/Go7XV7jjlzPco7Vx8dn5irM6Lk3KHQLwwHUd
+Q5kQ/boJ3hR3CAyOKm3zcQHlnWtYdDRfEg6tkaxUrPV/gqbQ6nTTBuPOpEXWcQKB
+gQnqSvMxr21mmleGoOK1nA0gvIXy75ksE3kREKeIg/i902Zz5U/Lr3GGsI5C/86A
+QjLkOUV0hQnRESIKuAzhDQsbmofuaxgSPQC5uAw2GI9JgLf6+XdWFUHm5TVoIVEG
+Y4+EIuphs83oYvHpNJnRCZwwI28fmBubZ+X3aKtoudVHTQKBgQCKN34ZGQUgs3OY
+0VNlrlM5BMqO4uJD/kv5BgepqfbVEud2Mwmu+W1nPKv0rdWyIZunL2xVGD/9yRk0
+ruC2q4dCQvFV2TsxN7Pkf+bvm9Ep9XokQE79g7EVty3mf8vYVv5KXDXEH808YxqU
+gFQYnB76DUsI08o13SQtjDCm/oLxSA==
+-----END PRIVATE KEY-----