[BUG] Error: error:0909006C:PEM routines:get_name:no start line
aw1875 opened this issue · comments
To Reproduce
- Generate SP files using
openssl req -x509 -newkey rsa:4096 -keyout sp-key.pem -out sp-cert.pem -nodes -days 900
- Add files to SAMLStrategy:
// I use readFileSync rather than fs.readFileSync because I imported only the readFileSync method from fs
privateCert: readFileSync(__dirname + "/cert/key.pem", "utf8"),
privateKey: readFileSync(__dirname + "/cert/cert.pem", "utf8"),
- Go to login url.
Expected behavior
Expected to redirect me to my IdP login flow so I can get required information that the IdP passes back.
Actual behavior
Returned an error that says:
Error: error:0909006C:PEM routines:get_name:no start line
at Sign.sign (node:internal/crypto/sig:131:29)
at SAML.signRequest (/var/www/.../node_modules/passport-saml/lib/node-saml/saml.js:176:40)
at SAML._requestToUrlAsync (/var/www/.../node_modules/passport-saml/lib/node-saml/saml.js:374:18)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async SAML.getAuthorizeUrlAsync (/var/www/.../node_modules/passport-saml/lib/node-saml/saml.js:410:16)
at async login-request (/var/www/.../node_modules/passport-saml/lib/passport-saml/strategy.js:106:43)
Environment
- Node.js version: 16.13.1
passport-saml
version: 3.2.1
I should also note I converted my idp cert from the xml data to a pem using this tutorial to make sure there was no issues. My pem files all contain appropriate headers too (I believe but please correct me if I'm wrong).
The pem from my idp's xml data as well as my generated cert have:
-----BEGIN CERTIFICATE-----
...........................
-----END CERTIFICATE-----
The private key generated has:
-----BEGIN PRIVATE KEY-----
...........................
-----END PRIVATE KEY-----
This looks like a file format issue. A related fix was #500, for Windows line breaks.
Please review the file formats in the test suite and try to understand how your file format differs.
@markstos All the keys are created in Linux and are never used by Windows. I can take a closer look at the test suite but I don't see why this should be any issue when Linux handles creating the keys
@aw1875 Me neither, but you are the only one reporting this issue, and node-saml is the most popular SAML library Node, so there's also a possibility this is something in your environment.
If you contribute a failing test to the test suite for a case we should handle, then it's clearly a bug with passport-saml.
@aw1875 First of all: lot of issues including this one could be solved in a matter of minutes running code in debugger and investigating inputs at runtime.
Your bug report content raises following thoughts:
- He writes that he created
sp-key.pem
andsp-cert.pem
but useskey.pem
andcert.pem
in his code sample. Maybe he renamed those files incorrectly or copy pasted content of generated files incorrectly. Did he actually check at runtime env whether content ofkey.pem
is actually private key fromsp-key.pem
. - He writes that strategy was configured with following values:
privateCert: readFileSync(__dirname + "/cert/key.pem", "utf8"), privateKey: readFileSync(__dirname + "/cert/cert.pem", "utf8"),
- Why is he reading private key (
key.pem
) toprivateCert
especially whenprivateCert
isn't even passport-saml 3.2.1's configuration option (it used to be back in the days SP's private key but that option was renamed toprivateKey
). - Why is he reading
cert.pem
toprivateKey
because signature generation requires private key instead of certificate. Link to passport-saml 3.2.1 documentation https://github.com/node-saml/passport-saml/blob/6ba76ba3a015fea96a2dd38f661a6c1f85bc44a1/README.md
- Why is he reading private key (
- Why didn't he just put breakpoint to signRequest method to see what it is actually using to generate signature?
passport-saml/src/node-saml/saml.ts
Lines 211 to 212 in 6ba76ba
Based on aforementinod thoughts I assume that your passport-saml is currently using SP's or IdP's certificate as value of privateKey
configuration option. Check that you use SP's private key as value of privateKey
configuration option.
Random side note: you have open question related to encrypted assertion signature checking (#651). Consider investigating it in debugger and pay attention to content of decrypted assertion. See whether it could be related to inclusive namespaces. Consider also providing information of passport-saml version to that question (#651).
NOTE: this issue (#669) is not correct place to discuss about that question (#651). Just wanted to point out that using debugger you could gain better visibility to that problem also. If you continue to investigate it and find out something interesting do NOT post your SAML Idp's saml responses and/or assertions to github because those could contain sensitive information. Replicate problem with testcase and testdata.
@srd90 Appreciate the response. I was actually going off a fairly outdated tutorial my school had so when I updated the passport-saml version I didn't realize the strategy had changed so much. I'm going to take a walk through the updated documentation and see if I can solve this along with your comment.