Passport-saml breaks callback #154

Closed
SafinWasi opened this issue Sep 6, 2022 · 4 comments · Fixed by #156
Labels: bug (Something isn't working)

Comments

@SafinWasi (Contributor)

Describe the bug
Passport-saml version 3.2.1 has a bug where it cannot use single-line decryption private keys (node-saml/passport-saml#672). This breaks the callback at /inbound-saml/sp/callback with a get_name:no start line error, detailed below. v0.17.0 is what uses this passport-saml version. v0.16.0, which uses passport-saml version 3.2.0, does not have this bug.

To Reproduce
Steps to reproduce the behavior:

  1. Install and configure inbound-saml v0.17.0 as a side install to Gluu Server 4.4.1 as described here.
  2. Add a trust relationship to an external IDP as described here. For the test, I used https://samltest.id.
  3. Begin the OIDC flow with an appropriate request to the authorization endpoint, detailed here
  4. Login to the IDP with credentials
  5. Upon callback, inbound-saml will throw an exception
  6. To verify, use v0.16.0 with the same setup.

Expected behavior
inbound-saml should decrypt the incoming SAML response properly.

Actual behavior
inbound-saml is unable to decrypt the SAML response with the one-line private key used by passport-saml because of the bug mentioned above, and throws an exception.

Logs/Output

Error: error:0909006C:PEM routines:get_name:no start line
    at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
    at decryptKeyInfoWithScheme (/root/inbound-saml-0.17.0/node_modules/xml-encryption/lib/xmlenc.js:258:26)
    at decryptKeyInfo (/root/inbound-saml-0.17.0/node_modules/xml-encryption/lib/xmlenc.js:246:14)
    at Object.decrypt (/root/inbound-saml-0.17.0/node_modules/xml-encryption/lib/xmlenc.js:187:24)
    at node:internal/util:361:7
    at new Promise (<anonymous>)
    at Object.decrypt (node:internal/util:347:12)
    at decryptXml (/root/inbound-saml-0.17.0/node_modules/passport-saml/src/node-saml/xml.ts:50:46)
    at SAML.validatePostResponseAsync (/root/inbound-saml-0.17.0/node_modules/passport-saml/src/node-saml/saml.ts:804:46)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

Additional context
Until passport-saml fixes this bug, 3.2.0 should be the version used.

@SafinWasi SafinWasi added the bug Something isn't working label Sep 6, 2022
@christian-hawk christian-hawk self-assigned this Sep 7, 2022
@christian-hawk (Contributor)

@SafinWasi it looks like it may take "some" time for this issue to be solved in passport-saml. Also, the issue you mentioned in the passport-saml repo is only for HTTP-POST. Can you confirm this is happening also with the HTTP-Redirect binding?

@SafinWasi (Contributor, Author)

Can confirm, this is happening with HTTP-Redirect.
Tail of output:

Gb5tyLmjWhjlTY3M=-----END RSA PRIVATE KEY-----",
    "authnRequestBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "entryPoint": "https://samltest.id/idp/profile/SAML2/Redirect/SSO"
}
Error: error:0909006C:PEM routines:get_name:no start line
    at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
    at decryptKeyInfoWithScheme (/root/inbound-saml-0.17.0/node_modules/xml-encryption/lib/xmlenc.js:258:26)
    at decryptKeyInfo (/root/inbound-saml-0.17.0/node_modules/xml-encryption/lib/xmlenc.js:246:14)
    at Object.decrypt (/root/inbound-saml-0.17.0/node_modules/xml-encryption/lib/xmlenc.js:187:24)
    at node:internal/util:361:7
    at new Promise (<anonymous>)
    at Object.decrypt (node:internal/util:347:12)
    at decryptXml (/root/inbound-saml-0.17.0/node_modules/passport-saml/src/node-saml/xml.ts:50:46)
    at SAML.validatePostResponseAsync (/root/inbound-saml-0.17.0/node_modules/passport-saml/src/node-saml/saml.ts:804:46)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

@christian-hawk (Contributor)

Debugging to get more info, as the linked passport-saml bug issue reports that HTTP-Redirect does not present this bug.

@christian-hawk (Contributor)

Found the issue and opened a new issue in the xml-encryption module: auth0/node-xml-encryption#99.

It's an unreported breaking change (may also be seen as a bug) in the xml-encryption module, which replaced the node-forge module with the native crypto module to reduce dependency / security issues.

node-forge accepted "single line" private keys; crypto does not.

As passport-saml uses xml-encryption, we got this issue. Gonna open a PR to patch inbound-saml so we don't need to wait for dependency fixes.

@christian-hawk christian-hawk linked a pull request Sep 22, 2022 that will close this issue