ERR_OSSL_PEM_BAD_BASE64_DECODE / Okta
MarkusRissmann opened this issue · comments
I have created a new account in Okta saml 2.0/ shaw1.
Downloaded the cert, removed the line endings (validated that it is still valid) and added it to my environment variables.
I am getting the following error:
context: {
exception: Error: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode
at Sign.sign (internal/crypto/sig.js:103:29)
at SAML.signRequest (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:230:36)
at SAML._requestToUrlAsync (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:477:12)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at SAML.getAuthorizeUrlAsync (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:530:12)
at login-request (/www/myapp/AuthApi/node_modules/passport-saml/src/passport-saml/strategy.ts:139:29) {
library: 'PEM routines',
function: 'PEM_read_bio_ex',
reason: 'bad base64 decode',
code: 'ERR_OSSL_PEM_BAD_BASE64_DECODE'
}
import { PassportStrategy } from '@nestjs/passport';
import { Strategy } from 'passport-saml';

export class SamlStrategy extends PassportStrategy(Strategy) {
  constructor() {
    super({
      entryPoint: 'http://xxx.okta.com/app',
      issuer: 'http://www.okta.com/xxx',
      cert: 'cert is here',
      callbackUrl: 'https://authentication-xxx.xxx.com/api/auth/saml/callback',
      digestAlgorithm: 'shaw1',
      signatureAlgorithm: 'shaw1',
    });
  }
}
- Node.js version: 12.22.8
passport-saml
version: 3.2.1
I am using nestjs/typescript.
Please close or delete. Not sure what changed but now appears to be working.
Problem still exists. It occurs when I try to SSO from my application. It works if I am in Okta and click on the app button to my application.
If I manually follow the configured entry point it works as expected. So the cert is correct, the entry point is correct. So it is at the very beginning of the passport-saml implementation that it is failing.
@MarkusRissmann you provided following stack trace / context:
context: {
exception: Error: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode
at Sign.sign (internal/crypto/sig.js:103:29)
at SAML.signRequest (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:230:36)
at SAML._requestToUrlAsync (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:477:12)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at SAML.getAuthorizeUrlAsync (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:530:12)
at login-request (/www/myapp/AuthApi/node_modules/passport-saml/src/passport-saml/strategy.ts:139:29) {
library: 'PEM routines',
function: 'PEM_read_bio_ex',
reason: 'bad base64 decode',
code: 'ERR_OSSL_PEM_BAD_BASE64_DECODE'
}
"PEM" implicates certificate or key.
"bad base64 decode" implicates bad value.
This:
at Sign.sign (internal/crypto/sig.js:103:29)
at SAML.signRequest (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:230:36)
i.e. this line: passport-saml/src/node-saml/saml.ts, line 230 in 6ba76ba, implicates that you have provided a value to privateKey.
My guess is that your first problem is that whatever value you have provided to privateKey is somehow broken (i.e. not base64 encoded etc.). Put a breakpoint at line 230 and see what privateKey contains.
You wrote that you have configured passport-saml with:
digestAlgorithm: 'shaw1', signatureAlgorithm: 'shaw1',
Your second problem shall be that once you have configured a proper privateKey you shall encounter some issues which are related to usage of the shaw1 algorithm for digest and signature. You probably meant sha1 (you should use a stronger algorithm like sha256).
Related to your environment:
- Node.js version: 12.22.8
Third problem is that you are still using an EOLed nodejs version (nodejs 12 reached end of life 30 April 2022).
Thanks much, I will review everything. Some of the items here were hand typed and not copied from code (shaw1, too many late nights). I am betting that it is the private key. I will get back to you. We are using sha256.