diff --git a/src/node-saml/saml.ts b/src/node-saml/saml.ts
index ed537402..b34b0b5c 100644
--- a/src/node-saml/saml.ts
+++ b/src/node-saml/saml.ts
@@ -1374,9 +1374,10 @@ class SAML {
},
EncryptionMethod: [
// this should be the set that the xmlenc library supports
+ { "@Algorithm": "http://www.w3.org/2001/04/xmlenc#aes256-gcm" },
+ { "@Algorithm": "http://www.w3.org/2001/04/xmlenc#aes128-gcm" },
{ "@Algorithm": "http://www.w3.org/2001/04/xmlenc#aes256-cbc" },
{ "@Algorithm": "http://www.w3.org/2001/04/xmlenc#aes128-cbc" },
- { "@Algorithm": "http://www.w3.org/2001/04/xmlenc#tripledes-cbc" },
],
});
}
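Review bot: The two GCM entries added to `EncryptionMethod` use the `http://www.w3.org/2001/04/xmlenc#` namespace, while the new tests in test/node-saml/xml.spec.ts encrypt with `http://www.w3.org/2009/xmlenc11#aes128-gcm` and `http://www.w3.org/2009/xmlenc11#aes256-gcm`. The GCM identifiers are defined by XML Encryption 1.1 under the xmlenc11 namespace, so the generated metadata would advertise URIs an IdP is unlikely to recognise, and it may then choose one of the CBC entries instead. I would change the lines to `{ "@Algorithm": "http://www.w3.org/2009/xmlenc11#aes256-gcm" },` and `{ "@Algorithm": "http://www.w3.org/2009/xmlenc11#aes128-gcm" },`, and regenerate the two expected-metadata fixtures to match. The enclosing method starts outside this hunk.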
diff --git a/test/node-saml/tests.spec.ts b/test/node-saml/tests.spec.ts
index 6410b6be..144c0867 100644
--- a/test/node-saml/tests.spec.ts
+++ b/test/node-saml/tests.spec.ts
@@ -1978,7 +1978,7 @@ describe("node-saml /", function () {
};
const { profile } = await samlObj.validatePostRequestAsync(body);
profile!.should.eql({
- ID: "pfx00cb5227-d9d0-1d4b-bdb2-c7ad6c3c6906",
+ ID: "pfx087316a5-2dfb-cc05-2ba9-b46751936ff5",
issuer: "http://sp.example.com/demo1/metadata.php",
nameID: "ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7",
nameIDFormat: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
@@ -1998,7 +1998,7 @@ describe("node-saml /", function () {
),
};
await assert.rejects(samlObj.validatePostRequestAsync(body), {
- message: "Encryption block is invalid.",
+ message: "Invalid RSAES-OAEP padding.",
});
});
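Review bot: The expected rejection at `message: "Invalid RSAES-OAEP padding."` is a low-level detail of the key-unwrapping step, which suggests `validatePostRequestAsync` passes the decryption dependency's error text straight to its caller. If an application echoes that text to the sender, a padding failure becomes distinguishable from other decryption failures, which is the kind of signal decryption-oracle attacks depend on. The assertion also ties the test to a dependency's wording. Consider mapping decryption failures to one generic error in saml.ts and asserting on that here, or at least adding a comment such as `// message comes from the decryption dependency; do not surface it to clients`. The test body starts outside this hunk.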
diff --git a/test/node-saml/xml.spec.ts b/test/node-saml/xml.spec.ts
new file mode 100644
index 00000000..cbfbeca3
--- /dev/null
+++ b/test/node-saml/xml.spec.ts
@@ -0,0 +1,137 @@
+"use strict";
+import * as xmlenc from "xml-encryption";
+import * as fs from "fs";
+import * as util from "util";
+import * as should from "should";
+import assert = require("assert");
+
+export const encrytpXml = util.promisify(xmlenc.encrypt);
+export const decryptXml = util.promisify(xmlenc.decrypt);
+
+describe("xml /", async function () {
+ const rsa_pub = fs.readFileSync(__dirname + "/../static/testshib encryption pub.pem");
+ const pem = fs.readFileSync(__dirname + "/../static/testshib encryption cert.pem");
+ const key = fs.readFileSync(__dirname + "/../static/testshib encryption pvk.pem");
+
+ it("should decrypt aes128-cbc/rsa-oaep-mgf1p", async function () {
+ const encryptOptions: xmlenc.EncryptOptions = {
+ rsa_pub,
+ pem,
+ encryptionAlgorithm: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
+ keyEncryptionAlgorithm: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+ };
+
+ const decryptOptions: xmlenc.DecryptOptions = {
+ key,
+ disallowDecryptionWithInsecureAlgorithm: true,
+ };
+
+ const originalPayload = "XML payload";
+ const encryptedPayload = await encrytpXml(originalPayload, encryptOptions);
+ const decryptedPayload = await decryptXml(encryptedPayload, decryptOptions);
+
+ should(originalPayload).equal(decryptedPayload);
+ });
+
+ it("should decrypt aes256-cbc/rsa-oaep-mgf1p", async function () {
+ const encryptOptions: xmlenc.EncryptOptions = {
+ rsa_pub,
+ pem,
+ encryptionAlgorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
+ keyEncryptionAlgorithm: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+ };
+
+ const decryptOptions: xmlenc.DecryptOptions = {
+ key,
+ disallowDecryptionWithInsecureAlgorithm: true,
+ };
+
+ const originalPayload = "XML payload";
+ const encryptedPayload = await encrytpXml(originalPayload, encryptOptions);
+ const decryptedPayload = await decryptXml(encryptedPayload, decryptOptions);
+
+ should(originalPayload).equal(decryptedPayload);
+ });
+
+ it("should decrypt aes128-gcm/rsa-oaep-mgf1p", async function () {
+ const encryptOptions: xmlenc.EncryptOptions = {
+ rsa_pub,
+ pem,
+ encryptionAlgorithm: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+ keyEncryptionAlgorithm: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+ };
+
+ const decryptOptions: xmlenc.DecryptOptions = {
+ key,
+ disallowDecryptionWithInsecureAlgorithm: true,
+ };
+
+ const originalPayload = "XML payload";
+ const encryptedPayload = await encrytpXml(originalPayload, encryptOptions);
+ const decryptedPayload = await decryptXml(encryptedPayload, decryptOptions);
+
+ should(originalPayload).equal(decryptedPayload);
+ });
+
+ it("should decrypt aes256-gcm/rsa-oaep-mgf1p", async function () {
+ const encryptOptions: xmlenc.EncryptOptions = {
+ rsa_pub,
+ pem,
+ encryptionAlgorithm: "http://www.w3.org/2009/xmlenc11#aes256-gcm",
+ keyEncryptionAlgorithm: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+ };
+
+ const decryptOptions: xmlenc.DecryptOptions = {
+ key,
+ disallowDecryptionWithInsecureAlgorithm: true,
+ };
+
+ const originalPayload = "XML payload";
+ const encryptedPayload = await encrytpXml(originalPayload, encryptOptions);
+ const decryptedPayload = await decryptXml(encryptedPayload, decryptOptions);
+
+ should(originalPayload).equal(decryptedPayload);
+ });
+
+ it("should not decrypt tripledes-cbc/rsa-oaep-mgf1p", async function () {
+ const encryptOptions: xmlenc.EncryptOptions = {
+ rsa_pub,
+ pem,
+ encryptionAlgorithm: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
+ keyEncryptionAlgorithm: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+ warnInsecureAlgorithm: false,
+ };
+
+ const decryptOptions: xmlenc.DecryptOptions = {
+ key,
+ disallowDecryptionWithInsecureAlgorithm: true,
+ };
+
+ const originalPayload = "XML payload";
+ const encryptedPayload = await encrytpXml(originalPayload, encryptOptions);
+ const decryptedPayload = await assert.rejects(decryptXml(encryptedPayload, decryptOptions));
+
+ should(decryptedPayload).be.undefined();
+ });
+
+ it("should not decrypt aes256-gcm/rsa-1_5", async function () {
+ const encryptOptions: xmlenc.EncryptOptions = {
+ rsa_pub,
+ pem,
+ encryptionAlgorithm: "http://www.w3.org/2009/xmlenc11#aes256-gcm",
+ keyEncryptionAlgorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+ warnInsecureAlgorithm: false,
+ };
+
+ const decryptOptions: xmlenc.DecryptOptions = {
+ key,
+ disallowDecryptionWithInsecureAlgorithm: true,
+ };
+
+ const originalPayload = "XML payload";
+ const encryptedPayload = await encrytpXml(originalPayload, encryptOptions);
+ const decryptedPayload = await assert.rejects(decryptXml(encryptedPayload, decryptOptions));
+
+ should(decryptedPayload).be.undefined();
+ });
+});
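Review bot: The two negative tests ("should not decrypt tripledes-cbc/rsa-oaep-mgf1p" and "should not decrypt aes256-gcm/rsa-1_5") pass on any rejection at all, because `assert.rejects(...)` is called without an expected error and always resolves to `undefined`, so the following `should(decryptedPayload).be.undefined()` checks nothing. To show that `disallowDecryptionWithInsecureAlgorithm` is what blocks these inputs, pass a matcher, for example `await assert.rejects(decryptXml(encryptedPayload, decryptOptions), { message: EXPECTED_INSECURE_ALGORITHM_MESSAGE });` with that placeholder replaced by the library's actual text, and drop the `should` line. Separately, the exported helper is misspelled `encrytpXml`, and the `describe` callback is declared `async`, which Mocha does not await.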
diff --git a/test/static/expected metadata.xml b/test/static/expected metadata.xml
index c0edf3cb..32529f92 100644
--- a/test/static/expected metadata.xml
+++ b/test/static/expected metadata.xml
@@ -33,9 +33,10 @@ nwtlCg==
+
+
-
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
diff --git a/test/static/expectedMetadataWithBothKeys.xml b/test/static/expectedMetadataWithBothKeys.xml
index db1f129d..5534e215 100644
--- a/test/static/expectedMetadataWithBothKeys.xml
+++ b/test/static/expectedMetadataWithBothKeys.xml
@@ -55,9 +55,10 @@ nwtlCg==
+
+
-
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
diff --git a/test/static/logout_request_with_encrypted_name_id.xml b/test/static/logout_request_with_encrypted_name_id.xml
index fbfb2a23..e179224f 100644
--- a/test/static/logout_request_with_encrypted_name_id.xml
+++ b/test/static/logout_request_with_encrypted_name_id.xml
@@ -1,25 +1,25 @@
-
- http://sp.example.com/demo1/metadata.php
+
+ http://sp.example.com/demo1/metadata.php
- myTkSwwgK+Lcx5JZukoHggbFBVA=ayMUV7pPijoh7ocMnIz2GPYK7Y4Olib+U1mIUX0o7uU22m+ZGUP2HkmvC7bIZ4N3MFyeUyPuEBTDdFtLaENTWzovGMNRXDSypNI5UwobGqAFu16BY9lL5uJ/6HAAEgayxaY5kVMEY4VmNUpNCIE0WMpzA91bnElbEFsxi6G8sUj49oDFYncbOHilThLoe0dPQxB7N1wfX73k5nZ/hkEPlbwvENJRRojvwlbcn7crviYRzbzJPa31iMKmaSTaoS7cIV0Q8V1jYuQV29Y4eNwbVa4ZGu06by5CFXHYZoev0zyEoOTCNgQuF72zxzOmzDF5yEH5fWPE0QwUhf8MMGOtGg==
+ TZyaJFBL1nzPZ0Rfo5Uf6M7djik=q7vWdkkgha/k4gLewZ67Yky4sNZXA0HH787fgKlCW0JSdlbxsEtQeqx1TJgCdONFMV1kmwgmqEpW8etqXbL2k2HygJS/QzE9Jmonw1PaLDNoEYyh2UVFl2JZgEr762Z3RgxxWhbxND1V5WQV/amw1zgd30FL3FPr+PYxkqXZtk2cuVFrkMN6axURbZZrazX4uj9TeBvi/SQNDuDXmBstJHWxR93oMZzelBJMlxY7XINLdL5NVu8uTENtVKZX3vLvhR4STLlTSsDO9QYfNoBc6d7rbjJziLDR6YGB6KGMTEUnApi7zgzckUgOojXl7Ql2wwfyrprsJ/RsGk24R1+cug==
MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=
-
-
-
-
-
-
-
- Rtg5L09Un3DdhYBFJvYp4w1WGKHIi0Umf9PaFdiSL2r+1NK+Z76NwhR4vsIu1lq2BJEX1ZMTEJ/kitF/PgEqeAOGyLu80dmXyNbhKwbEZrbv+dYx5vJ21nHIbLeeknNB70XsGFtcrWbCqt2r6/e5wFxD7HglPmxWEzNgz5SGEki35MWqtCbfX8lTCsnKFEKU9GfaHYIfPZzf/szwJZVGJps5HI/k7wuKbfS/U8odxsyWX73//+rkduhF9j5Iq95+xd1KRrxcuyvfYsXH5SWcnXt2nIlHWuCDHVNILoWDvskvOyGTP1e+8K+W2sgptoA98D6NJb+k+x/TCD1eFbce5w==
-
-
-
-
- hbSadp3tEX/QyaTsIpChQQat89Yc3shCc6728DoS4qzdrsswHIUoBjp5hKDjlECJBQvXSNFV3vYn93pm44/fl0Z3yTqKkt6eUI3lZQ3ZsVfzVwkNT2jAnZom+OThhVfb1vcpN62tDmGI2dLxzZAvOuvmuG52qambAnZ6hR4FevVyCww5AkD86x8Q8OWYUTwPsggDOuQEbDyMXG4YoRpUag9boTMoUcidmUQaeO6omLzr/Mg1P0xY8fkVetVh63L1T6Kp+6c17bSIW1q4e8SazujVoQZ5eCJP4DQHAvmmcEs=
-
-
-
- 1
+
+
+
+
+
+
+
+ bDnwEZFatLVCzoioybJCGEATgse6O9UfhsJ2zriOBd+IPND1iBopwmZpJk5e0zYQq7VkiKLhhxCcRmLUyNrljMWSZIafqHNkwOttpay0OfKdlZ2Ecj1hHOIE8tjkGU4mtuyKr6XnLN8fbfpP57HhYye/Yj4sUtEMwEKAxotYej5GKDXzLUCKVg7ex/CB5gc+h+cBCgiUhY3xUL3xFeoc6LwHwt05e/v1MMXKx2yuSmccokjWXHchwyjKoijcxZwLkQUmRUDj+kY57LrqIqbkVLXtXi3LIcZHHM42K9oZr31kOUIOmEackU59Z/ubGGpFWammMlGEBnnbbhmXwwYd4g==
+
+
+
+
+ utUjNNsfoMg7loM/8g7DmohZwLl9a8ijQtJHhZ7SpvOHbkaZQkyOvv7zAopNm2WahxAXV38OSL0C0hWnr3P+D7B3MuGc/4RJhPdl/rRaUAlgloRqtH3UDyt79pRRJPGZzGTkIuGbp69sK+jiRShsRDGZ3YsaIppbP4/A5IxuTiM0ykzQ8Vv4nXpZ4MPbIwj3I+PzFF/XCOL9JXWW9U3Ne41FM3twQlytqxG7Sx7eYSf6w09Lbl411EsGDjusNdQzpzf5ydbQHCXdgS6FaRg1y59F40XkaGMXgSvK5GaB090=
+
+
+
+ 1
diff --git a/test/static/pub.pem b/test/static/pub.pem
new file mode 100644
index 00000000..209071b0
--- /dev/null
+++ b/test/static/pub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6
+d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp1
+6wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iS
+yiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4
+Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QV
+Ld/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI
+9wIDAQAB
+-----END PUBLIC KEY-----
diff --git a/test/static/testshib encryption pub.pem b/test/static/testshib encryption pub.pem
new file mode 100644
index 00000000..71f0cadb
--- /dev/null
+++ b/test/static/testshib encryption pub.pem
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5hqjaroJpB+aR8FME7hQ
+9nMV0h7MpKtmgFLcK3vwP67feAK+xdt17i8RyUhxil9FCFR5K08Wjwo3NiHZqHqE
+Kitw+IJSndjLSsoNgKEIaiFSug2eV1oYElz06DBXTxc8iq/LazndqTUom51Ode9y
+I9AGa88cDM5iOqq9mhuGuvwuLtoyU78Ld+s1Ea6Mgf7L8M7fZVO7Ncu+FgIzI6Gt
+035ohYCLBmOoM7o0uj7DcMEvKOMFziwF40wYmyp3hCLlq3qwkM9pTVJltuz0Bt1v
+qDdrq3kTheA9JHMayRz3I/BZxAV3iRd4hzLKTkegD8ToTGU10Gme+ZAr1w/erc5h
+VrM0/XBmHQlnI5d31GU/mfIkm0XPTGRSpPy7E+dUvj9djvm/VqDdojf3uuwirGeL
+MRlO9P/lCerTktW3g27SV8gn3ETm2Mm7rkNqf24KJpDv0tKDosgbdaHr2IEYD4Rp
+qySp8kd25BhzushqKRkS8Xu5t7HAlVSHwiFhuLqrr4dUfkB8kZeM/ycfZLCn7oNU
+DFdgjGYSVMpakL97sC9slAW4/8UtXXZxLqcyq/YxdpCysPYP1hsAp+VgPC7GI6Cy
+iNojKPOptMqLZRYnViKxlOiWBJBzUBRUVuac8LXrMiDw8btWGa1Gh5vThuFUKsvm
+Roeuk7eyXEN9J7j6+fTYjnsCAwEAAQ==
+-----END PUBLIC KEY-----