Giters

node-saml / passport-saml

SAML 2.0 authentication with Passport

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

[BUG] Error: error:0909006C:PEM routines:get_name:no start line

aw1875 opened this issue · comments

commented

To Reproduce

  1. Generate SP files using openssl req -x509 -newkey rsa:4096 -keyout sp-key.pem -out sp-cert.pem -nodes -days 900
  2. Add files to SAMLStrategy:
// I use readFileSync rather than fs.readFileSync because I imported only the readFileSync method from fs
privateCert: readFileSync(__dirname + "/cert/key.pem", "utf8"),
privateKey: readFileSync(__dirname + "/cert/cert.pem", "utf8"),
  1. Go to login url.

Expected behavior
Expected to redirect me to my IdP login flow so I can get required information that the IdP passes back.

Actual behavior
Returned an error that says:

Error: error:0909006C:PEM routines:get_name:no start line
    at Sign.sign (node:internal/crypto/sig:131:29)
    at SAML.signRequest (/var/www/.../node_modules/passport-saml/lib/node-saml/saml.js:176:40)
    at SAML._requestToUrlAsync (/var/www/.../node_modules/passport-saml/lib/node-saml/saml.js:374:18)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async SAML.getAuthorizeUrlAsync (/var/www/.../node_modules/passport-saml/lib/node-saml/saml.js:410:16)
    at async login-request (/var/www/.../node_modules/passport-saml/lib/passport-saml/strategy.js:106:43)

Environment

  • Node.js version: 16.13.1
  • passport-saml version: 3.2.1
commented

I should also note I converted my idp cert from the xml data to a pem using this tutorial to make sure there was no issues. My pem files all contain appropriate headers too (I believe but please correct me if I'm wrong).

The pem from my idp's xml data as well as my generated cert have:

-----BEGIN CERTIFICATE-----
...........................
-----END CERTIFICATE-----

The private key generated has:

-----BEGIN PRIVATE KEY-----
...........................
-----END PRIVATE KEY-----
commented

This looks like a file format issue. A related fix was #500, for Windows line breaks.

Please review the file formats in the test suite and try to understand how your file format differs.

commented

@markstos All the keys are created in Linux and are never used by Windows. I can take a closer look at the test suite but I don't see why this should be any issue when Linux handles creating the keys

commented

@aw1875 Me neither, but you are the only one reporting this issue, and node-saml is the most popular SAML library Node, so there's also a possibility this is something in your environment.

If you contribute a failing test to the test suite for a case we should handle, then it's clearly a bug with passport-saml.

commented

@aw1875 First of all: lot of issues including this one could be solved in a matter of minutes running code in debugger and investigating inputs at runtime.

Your bug report content raises following thoughts:

  1. He writes that he created sp-key.pem and sp-cert.pem but uses key.pem and cert.pem in his code sample. Maybe he renamed those files incorrectly or copy pasted content of generated files incorrectly. Did he actually check at runtime env whether content of key.pem is actually private key from sp-key.pem.
  2. He writes that strategy was configured with following values: 
    privateCert: readFileSync(__dirname + "/cert/key.pem", "utf8"),
privateKey: readFileSync(__dirname + "/cert/cert.pem", "utf8"),
    1. Why is he reading private key (key.pem) to privateCert especially when privateCert isn't even passport-saml 3.2.1's configuration option (it used to be back in the days SP's private key but that option was renamed to privateKey).
    2. Why is he reading cert.pem to privateKey because signature generation requires private key instead of certificate. Link to passport-saml 3.2.1 documentation https://github.com/node-saml/passport-saml/blob/6ba76ba3a015fea96a2dd38f661a6c1f85bc44a1/README.md
  3. Why didn't he just put breakpoint to signRequest method to see what it is actually using to generate signature?

    passport-saml/src/node-saml/saml.ts

    Lines 211 to 212 in 6ba76ba

    private signRequest(samlMessage: querystring.ParsedUrlQueryInput): void {
    this.options.privateKey = assertRequired(this.options.privateKey, "privateKey is required");

Based on aforementinod thoughts I assume that your passport-saml is currently using SP's or IdP's certificate as value of privateKey configuration option. Check that you use SP's private key as value of privateKey configuration option.

Random side note: you have open question related to encrypted assertion signature checking (#651). Consider investigating it in debugger and pay attention to content of decrypted assertion. See whether it could be related to inclusive namespaces. Consider also providing information of passport-saml version to that question (#651).

NOTE: this issue (#669) is not correct place to discuss about that question (#651). Just wanted to point out that using debugger you could gain better visibility to that problem also. If you continue to investigate it and find out something interesting do NOT post your SAML Idp's saml responses and/or assertions to github because those could contain sensitive information. Replicate problem with testcase and testdata.

commented

@srd90 Appreciate the response. I was actually going off a fairly outdated tutorial my school had so when I updated the passport-saml version I didn't realize the strategy had changed so much. I'm going to take a walk through the updated documentation and see if I can solve this along with your comment.

commented

@srd90 Thanks again. After making the appropriate changes I was successfully able to get this working. Again that is definitely on me for not checking the documentation after trying to follow an old tutorial but regardless I appreciate your help.