[ENHANCE]: add support for public keys

[RopoMen]

Hi,

TL;DR; Allow Public Key usage through cert option.

Background

I'm currently maintaining suomifi-passport-saml Fork and we are trying to get back to upstream usage, because node-saml currently supports SAML Authn Request Extensions.

But node-saml is lacking support for plain public key usage, it only supports certs through cert configuration option. suomifi-passport-saml currently has this kind-of "hax" https://github.com/vrk-kpa/suomifi-passport-saml/blob/master/lib/passport-saml/saml.js#L546-L570 to allow public key usage, pretty trivial.

SAML Metadata can contain KeyInfo in two formats; ds:RSAKeyValue and/or ds:X509Data both must represent the same key. See http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop.html
2.5.1 Key Representation

In the case of the latter, only a single certificate is permitted. If both forms are used, then they MUST represent the same key.

Also in same document, section 2.6.1 Key Processing

Each key expressed by a md:KeyDescriptor element within a particular role MUST be treated as valid when processing messages or assertions in the context of that role. Specifically, any signatures or transport communications (e.g., TLS/SSL sessions) verifiable with a signing key MUST be treated as valid, and any encryption keys found MAY be used to encrypt messages or assertions (or encryption keys) intended for the containing entity.

... a metadata consumer MUST extract the public key found in the certificate and MUST NOT honor, interpret, or make use of any of the information found in the certificate other than as an aid in identifying the key used...

This means that even if certificate is expired or it is found in revocation list, public key cannot be ignored, it must be treated as valid. x509 certificate can be seen as a container for the public key.

SAML idP's / SP's may be able to provide both key presentations or only ds:RSAKeyValue or only ds:X509Data. Usually there is some technical limitation which is not in "our hands" if only one of the key presentations is available.

What should be done?

In short term: allow both x509 certificates and plain public keys through cert configuration parameter. certToPem() function https://github.com/node-saml/node-saml/blob/master/src/crypto.ts#L27-L36 should be re-named and re-factored to handle both -----BEGIN CERTIFICATE----- and -----BEGIN PUBLIC KEY----- cases, or in more generally if cert contains reasonable header information it should not be modified. Why?, because verifier.verify() returned by crypto.createVerify() has pretty wide range of formats which it accepts.

This would allow plain public key usage as well.

In long term: allow both x509 certificates and plain public keys through keyInfos (or such) configuration parameter. Key infos could be more wider set of presentatios which verifier.verify() accepts. This could be breaking change or cert could be left in the configuration interface, but internally cert would be treaded as x509 certificate as it is now done. And internallly add it to keyInfos array. And deprecate certusage.

This change would take node-saml closer to handle SAML idp metadata.

I'll try to add PR in few hours into the short term case.

[RopoMen]

I have not checked the code yet so deeply that I could asses if I should add idpPublicKey configuration option. If adding idpPublicKey option is simple, I'll prefer that. Although I'm pretty sure that internal handling of cert must be changed, because it would be cert and/or public key not just cert.

[RopoMen]

I think that this issue has also relation to this #14

[cjbarth]

I'm glad to hear that you're interested in getting your changes upstreamed into this project. That will, of course, make things better for you and everyone else :)

It seems to me that certToPem() should do the minimum amount possible to be compatible with verifier.verify(), since this is its purpose.

I'm interested in the long-term solution. We will have a semver-major version bump, at a minimum, in May 2023, to correspond to dropping Node 14. As such, feel free to propose a breaking change. May will be here before we know it, and it make take a while to get all the kinks worked out of a PR.

This may also be related to node-saml/xml-crypto#243, node-saml/xml-crypto#249, and #36.

Reference: https://stackoverflow.com/a/29707204/271351

[joshgummersall]

Hey @cjbarth, I'm curious if/when this fix will be published? I figured 4.0.5 might have the fix but I still see certToPEM in the source code.

[cjbarth]

I'm working on it. xml-crypto has taken my attention lately and I'm working at wrapping that up so that I can include that in 5.x.

In the meantime, you can install from a git commit if needed. Then you could let me know if something isn't working 😉

[joshgummersall]

I've been installing from a git commit, it's just a bit slower (in CI) than downloading the pre-compiled assets directly. Cheers, I will sit tight!

EDIT: No issues up to git+https://github.com/node-saml/node-saml.git#9657c6663a44d856684ac96beb5b887c1a2311f6

[RopoMen]

@cjbarth organization where I'm working would need this public key support feature. We are using @node-saml/passport-saml so we would need releases from both of these packages.

Could you make 5.x release with public key support and after that 6.x with no xml-crypto? (node-saml+passport-saml)

[cjbarth]

I'm not sure what kind of public key support you're looking for.

As a reference, this is the last PR that needs to land at xml-crypto before I can turn my attention to node-saml: node-saml/xml-crypto#389

Update: Oh, you must be talking about the changes in this PR; you want them released immediately as 5.x and then the other stuff as 6.x? I can understand that, but, instead of creating more work for me, why not contribute to the outstanding work that I'm trying to get in to 5.x?

[RopoMen]

I'm not sure what kind of public key support you're looking for.

Feature which was added in this issue, this is not released yet and not usable through @node-saml/passport-saml