samlify: Decrypt assertion broken

Since tightened checking was introduced in xmldom a week ago, decryptAssertion in libsaml has been broken. Here is the change that affects how replaceChild behaves: https://github.com/xmldom/xmldom/commit/3bc6ccffc89cda391a4e003d36002dfbca2f5403

Because of this change, xml.replaceChild(assertionNode, encryptedAssertions[0]) fails with the error ‘Not found: child not in parent’ and an ERR_EXCEPTION_OF_ASSERTION_DECRYPTION is thrown.

This happens at least when the SAML response XML contains a header at the beginning (e.g. <?xml version="1.0" encoding="UTF-8"?>). When this is the case, entireXML contains the header as the first element and Response as the second element, and EncryptedAssertion is a child of Response. Therefore, EncryptedAssertion is not a direct child of entireXML, and replaceChild fails due to the tightened checking.
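The structural failure described above, reproduced as an added example (not code from the issue or from samlify). Python's stdlib minidom stands in for xmldom because both implement the W3C DOM rule that replaceChild raises NotFoundErr when the old child is not a direct child of the node the call is made on; the response skeleton, the decrypted-assertion stand-in and the names SAML_NS, splice_assertion and outcome are constructed for the example.

```python
import xml.dom
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed response skeleton: XML declaration first, Response as the document
# element, EncryptedAssertion nested under Response (placeholder ciphertext;
# the actual decryption step done by xml-encryption is out of scope here).
SAML_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      PLACEHOLDER-CIPHERTEXT
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>
"""

# Constructed stand-in for the plaintext that decryption would yield.
DECRYPTED_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_a1"><saml:Subject/></saml:Assertion>'
)


def splice_assertion(xml_text, assertion_xml, use_parent_node):
    """Swap EncryptedAssertion for the decrypted assertion node.
    use_parent_node=False mirrors libsaml's xml.replaceChild(assertionNode,
    encryptedAssertions[0]): the call targets the Document, but the old child
    sits at Document > Response > EncryptedAssertion, so a strict DOM refuses.
    use_parent_node=True replaces on the node's actual parent, at any depth.
    """
    doc = minidom.parseString(xml_text)
    enc = doc.getElementsByTagNameNS(SAML_NS, "EncryptedAssertion")[0]
    new_node = minidom.parseString(assertion_xml).documentElement
    target = enc.parentNode if use_parent_node else doc
    target.replaceChild(new_node, enc)  # NotFoundErr on the Document path
    return doc


def outcome(use_parent_node):
    """Error class name on failure, else (Assertion count, EncryptedAssertion count)."""
    try:
        doc = splice_assertion(SAML_RESPONSE, DECRYPTED_ASSERTION, use_parent_node)
    except xml.dom.NotFoundErr as err:  # xmldom: 'Not found: child not in parent'
        return type(err).__name__
    return (len(doc.getElementsByTagNameNS(SAML_NS, "Assertion")),
            len(doc.getElementsByTagNameNS(SAML_NS, "EncryptedAssertion")))
```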

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 8
  • Comments: 19 (4 by maintainers)

Most upvoted comments

I opened https://github.com/tngan/samlify/pull/511 just now to fix this.

@isanttila and @jsgsdev Temporarily solved using an old version of samlify, 2.7.7.

@isanttila the commit doesn’t seem to be the only culprit, as using an override with @xmldom/xmldom 0.8.5, which doesn’t contain the backported commit, doesn’t fix the problem:

❯ npm ls --all
samlify@1.0.0 /Users/nlecam/Developpement/tests/samlify
└─┬ samlify@2.8.7
  ├─┬ @authenio/xml-encryption@2.0.2
  │ ├── @xmldom/xmldom@0.8.5 overridden
  │ ├── escape-html@1.0.3
  │ └── xpath@0.0.32 deduped
  ├── @xmldom/xmldom@0.8.5 overridden
  ├── camelcase@6.3.0
  ├── node-forge@1.3.1
  ├─┬ node-rsa@1.1.1
  │ └─┬ asn1@0.2.6
  │   └── safer-buffer@2.1.2
  ├── pako@1.0.11
  ├── uuid@8.3.2
  ├─┬ xml-crypto@3.0.1
  │ ├── @xmldom/xmldom@0.8.5 overridden
  │ └── xpath@0.0.32 deduped
  ├── xml@1.0.1
  └── xpath@0.0.32
❯ npm test
Error: error:1E08010C:DECODER routines::unsupported
    at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
    at decryptKeyInfoWithScheme (/Users/nlecam/Developpement/tests/samlify/node_modules/@authenio/xml-encryption/lib/xmlenc.js:258:26)
    at decryptKeyInfo (/Users/nlecam/Developpement/tests/samlify/node_modules/@authenio/xml-encryption/lib/xmlenc.js:246:14)
    at Object.decrypt (/Users/nlecam/Developpement/tests/samlify/node_modules/@authenio/xml-encryption/lib/xmlenc.js:187:24)
    at /Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/libsaml.js:568:31
    at new Promise (<anonymous>)
    at Object.decryptAssertion (/Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/libsaml.js:553:20)
    at /Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/flow.js:222:60
    at step (/Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/flow.js:33:23)
    at Object.next (/Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/flow.js:14:53) {
  library: 'DECODER routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_UNSUPPORTED'
}
Error: ERR_EXCEPTION_OF_ASSERTION_DECRYPTION
    at /Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/libsaml.js:573:39
    at Object.decrypt (/Users/nlecam/Developpement/tests/samlify/node_modules/@authenio/xml-encryption/lib/xmlenc.js:214:12)
    at /Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/libsaml.js:568:31
    at new Promise (<anonymous>)
    at Object.decryptAssertion (/Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/libsaml.js:553:20)
    at /Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/flow.js:222:60
    at step (/Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/flow.js:33:23)
    at Object.next (/Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/flow.js:14:53)
    at fulfilled (/Users/nlecam/Developpement/tests/samlify/node_modules/samlify/build/src/flow.js:5:58)

Using samlify 2.7.7 fixes the problem:

❯ npm ls --all
samlify@1.0.0 /Users/nlecam/Developpement/tests/samlify
└─┬ samlify@2.7.7
  ├─┬ @authenio/xml-encryption@1.3.0
  │ ├── @xmldom/xmldom@0.7.9
  │ ├── escape-html@1.0.3
  │ ├── node-forge@0.10.0 deduped
  │ └── xpath@0.0.32
  ├── @types/xmldom@0.1.31
  ├── camelcase@5.3.1
  ├── node-forge@0.10.0
  ├─┬ node-rsa@1.1.1
  │ └─┬ asn1@0.2.6
  │   └── safer-buffer@2.1.2
  ├── pako@1.0.11
  ├── uuid@3.4.0
  ├─┬ xml-crypto@2.1.5
  │ ├── @xmldom/xmldom@0.7.9 deduped
  │ └── xpath@0.0.32
  ├── xml@1.0.1
  ├── xmldom@0.6.0
  └── xpath@0.0.27
❯ npm test

<nameID> {
  Role: [
    'offline_access',
    'view-profile',
    'default-roles-master',
    'manage-account-links',
    'uma_authorization',
    'manage-account'
  ]
}

I’ll check to see if I find a more recent xmldom version which works