Return the certs/public keys in the parsed metadata (#435)

* Attach the certs to parsed data * Tweak naming to align with validation logic * Better naming * Trim the certs before setting * Handle multiple certs * Export WrapError type * Add `WrapError` to index export * tweak --------- Co-authored-by: Deepak Prabhakara <[email protected]>
boxyhq · Nov 9, 2023 · 323b6e6 · 323b6e6
1 parent b36231b
commit 323b6e6
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 6 deletions.
diff --git a/lib/index.ts b/lib/index.ts
@@ -4,7 +4,7 @@ import { hasValidSignature, validateSignature, certToPEM } from './validateSigna
 
 import { request } from './request';
 import { stripCertHeaderAndFooter, PubKeyInfo } from './cert';
-import { parse, validate, parseIssuer } from './response';
+import { parse, validate, parseIssuer, WrapError } from './response';
 import { parseMetadata } from './metadata';
 import { createPostForm } from './post';
 import { sign } from './sign';
@@ -24,4 +24,5 @@ export default {
   validateSignature,
   decryptXml,
   parseIssuer,
+  WrapError,
 };
diff --git a/lib/metadata.ts b/lib/metadata.ts
@@ -133,6 +133,10 @@ const parseMetadata = async (idpMeta: string, validateOpts): Promise<Record<stri
           validTos.push(vt);
         }
 
+        if (X509Certificates.length > 0) {
+          ret.publicKey = X509Certificates.map((_) => _.trim()).join(',');
+        }
+
         if (tPrints.length > 0) {
           ret.thumbprint = tPrints.join(',');
         }

diff --git a/lib/response.ts b/lib/response.ts
@@ -276,4 +276,4 @@ function parseAttributes(assertion, tokenHandler, cb) {
   cb(null, profile);
 }
 
-export { parse, validate, parseIssuer };
+export { parse, validate, parseIssuer, WrapError };
diff --git a/lib/validateSignature.ts b/lib/validateSignature.ts
@@ -3,7 +3,7 @@ import { select } from 'xpath';
 import { thumbprint } from './utils';
 import { parseFromString } from './utils';
 
-const certToPEM = (cert) => {
+const _certToPEM = (cert) => {
   if (cert.indexOf('BEGIN CERTIFICATE') === -1 && cert.indexOf('END CERTIFICATE') === -1) {
     cert = cert.match(/.{1,64}/g).join('\n');
     cert = '-----BEGIN CERTIFICATE-----\n' + cert;
@@ -14,6 +14,15 @@ const certToPEM = (cert) => {
   }
 };
 
+const certToPEM = (cert) => {
+  if (cert.indexOf(',') !== -1) {
+    const _certs = cert.split(',');
+    return _certs.map((_cert) => _certToPEM(_cert)).join(',');
+  }
+
+  return _certToPEM(cert);
+};
+
 const hasValidSignature = (xml, cert, certThumbprint) => {
   const doc = parseFromString(xml);
   let signature =
@@ -42,13 +51,13 @@ const hasValidSignature = (xml, cert, certThumbprint) => {
 
   signed.getCertFromKeyInfo = function getKey(keyInfo) {
     if (certThumbprint) {
-      const embeddedSignature = keyInfo!.childNodes[0].ownerDocument!.getElementsByTagNameNS(
+      const embeddedCert = keyInfo!.childNodes[0].ownerDocument!.getElementsByTagNameNS(
         'http://www.w3.org/2000/09/xmldsig#',
         'X509Certificate'
       );
 
-      if (embeddedSignature.length > 0) {
-        const base64cer = embeddedSignature[0].firstChild!.toString();
+      if (embeddedCert.length > 0) {
+        const base64cer = embeddedCert[0].firstChild!.toString();
 
         calculatedThumbprint = thumbprint(base64cer);