Allow encryption key to be specified in the metadata.xml

timlegge · timlegge · commit 787bd1f9ceb5 · 2023-01-11T19:29:33.000-04:00
diff --git a/lib/Net/SAML2/SP.pm b/lib/Net/SAML2/SP.pm
@@ -64,6 +64,11 @@ Path to the signing certificate
 
 Path to the private key for the signing certificate
 
+=item B<encryption_key>
+
+Path to the public key that the IdP should use for encryption. This
+is used when generating the metadata.
+
 =item B<cacert>
 
 Path to the CA certificate for verification
@@ -156,6 +161,7 @@ has 'cert'   => (isa => 'Str', is => 'ro', required => 1);
 has 'key'    => (isa => 'Str', is => 'ro', required => 1);
 has 'cacert' => (isa => 'Str', is => 'rw', required => 0, predicate => 'has_cacert');
 
+has 'encryption_key'   => (isa => 'Str', is => 'ro', required => 0, predicate => 'has_encryption_key');
 has 'error_url'        => (isa => Uri, is => 'ro', required => 1, coerce => 1);
 has 'org_name'         => (isa => 'Str', is => 'ro', required => 1);
 has 'org_display_name' => (isa => 'Str', is => 'ro', required => 1);
@@ -172,6 +178,7 @@ has 'acs_url_artifact' => (isa => 'Str', is => 'ro', required => 0);
 
 has '_cert_text' => (isa => 'Str', is => 'ro', init_arg => undef, builder => '_build_cert_text', lazy => 1);
 
+has '_encryption_key_text' => (isa => 'Str', is => 'ro', init_arg => undef, builder => '_build_encryption_key_text', lazy => 1);
 has 'authnreq_signed'         => (isa => 'Bool', is => 'ro', required => 0, default => 1);
 has 'want_assertions_signed'  => (isa => 'Bool', is => 'ro', required => 0, default => 1);
 
@@ -268,6 +275,15 @@ around BUILDARGS => sub {
     return $self->$orig(%args);
 };
 
+sub _build_encryption_key_text {
+    my ($self) = @_;
+
+    my $cert = Crypt::OpenSSL::X509->new_from_file($self->encryption_key);
+    my $text = $cert->as_string;
+    $text =~ s/-----[^-]*-----//gm;
+    return $text;
+}
+
 sub _build_cert_text {
     my ($self) = @_;
 
@@ -520,7 +536,9 @@ sub generate_metadata {
                 protocolSupportEnumeration => URN_PROTOCOL,
             },
 
-            $self->_generate_key_descriptors($x),
+            $self->_generate_key_descriptors($x, 'signing'),
+
+            $self->has_encryption_key ? $self->_generate_key_descriptors($x, 'encryption') : (),
 
             $self->_generate_single_logout_service($x),
 
@@ -554,6 +572,7 @@ sub generate_metadata {
 sub _generate_key_descriptors {
     my $self = shift;
     my $x    = shift;
+    my $use  = shift;
 
     return
            if !$self->authnreq_signed
@@ -562,22 +581,21 @@ sub _generate_key_descriptors {
 
     return $x->KeyDescriptor(
         $md,
-        { use => 'signing' },
+        { use => $use },
         $x->KeyInfo(
             $ds,
             $x->X509Data(
                 $ds,
                 $x->X509Certificate(
                     $ds,
-                    $self->_cert_text,
+                    $use eq 'signing' ? $self->_cert_text : $self->_encryption_key_text,
                 )
             ),
             $x->KeyName(
                 $ds,
-                Digest::MD5::md5_hex($self->_cert_text)
+                Digest::MD5::md5_hex($use eq 'signing' ? $self->_cert_text : $self->_encryption_key_text)
             ),
-
-        )
+        ),
     );
 }
 
diff --git a/t/02-create-sp.t b/t/02-create-sp.t
@@ -162,6 +162,11 @@ use URN::OASIS::SAML2 qw(:bindings :urn);
         is($kd->getAttribute('use'),
             "signing", "Key descriptor is there for signing only");
 
+        ok(
+            !$kd->getAttribute('encryption'),
+            "Key descriptor encryption is undefined"
+        );
+
         my $ki = get_single_node_ok($xpath, $kd->nodePath() . "/ds:KeyInfo");
 
         my $cert = get_single_node_ok($xpath,
@@ -193,6 +198,30 @@ use URN::OASIS::SAML2 qw(:bindings :urn);
 
     }
 
+}
+{
+    my $sp = net_saml2_sp( ( encryption_key => 't/sign-nopw-cert.pem' ) );
+
+    my $xpath = get_xpath(
+        $sp->metadata,
+        md => URN_METADATA,
+        ds => URN_SIGNATURE,
+    );
+
+    # Test SPSSODescriptor
+    my $node = get_single_node_ok($xpath, '/node()/md:SPSSODescriptor');
+    my $p = $node->nodePath();
+
+    my $kd = get_single_node_ok($xpath, "$p/md:KeyDescriptor[\@use='signing']");
+
+    is($kd->getAttribute('use'),
+        "signing", "Key descriptor is there for signing");
+
+    $kd = get_single_node_ok($xpath, "$p/md:KeyDescriptor[\@use='encryption']");
+
+    is($kd->getAttribute('use'),
+        "encryption", "Key descriptor is there for encryption");
+
 }
 
 {
diff --git a/xt/testapp/config.yml b/xt/testapp/config.yml
@@ -6,6 +6,7 @@ template: "template_toolkit"
 issuer: "https://netsaml2-testapp.local"
 url: "https://netsaml2-testapp.local"
 cert: "sign-certonly.pem"
+encryption_key: "sign-certonly.pem"
 key: "sign-nopw-cert.pem"
 slo_url_soap: "/slo-soap"
 slo_url_redirect: "/sls-redirect-response"
diff --git a/xt/testapp/lib/Saml2Test.pm b/xt/testapp/lib/Saml2Test.pm
@@ -262,6 +262,7 @@ sub _sp {
         url    => config->{url},
         cert   => config->{cert},
         key    => config->{key},
+        config->{encryption_key} ? (encryption_key => config->{encryption_key}) : (),
         cacert => config->{cacert} || '',
         slo_url_soap => config->{slo_url_soap},
         slo_url_redirect => config->{slo_url_redirect},
