Support detached encrypted key

lib/passport-saml/saml.js

@@ -60,7 +60,7 @@ SAML.prototype.initialize = function (options) {
       options.cacheProvider = new InMemoryCacheProvider(
           {keyExpirationPeriodMs: options.requestIdExpirationPeriodMs });
   }
-  
+
   if (!options.logoutUrl) {
     // Default to Entry Point
     options.logoutUrl = options.entryPoint || '';
@@ -157,7 +157,7 @@ SAML.prototype.generateAuthorizeRequest = function (req, isPassive, callback) {
         '@IssueInstant': instant,
         '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
         '@AssertionConsumerServiceURL': self.getCallbackUrl(req),
-        '@Destination': self.options.entryPoint,        
+        '@Destination': self.options.entryPoint,
         'saml:Issuer' : {
           '@xmlns:saml' : 'urn:oasis:names:tc:SAML:2.0:assertion',
           '#text': self.options.issuer
@@ -371,7 +371,7 @@ SAML.prototype.getAuthorizeForm = function (req, callback) {
       .replace(/"/g, '"')
       .replace(/</g, '&lt;')
       .replace(/>/g, '&gt;')
-       // Add other replacements here for HTML only 
+       // Add other replacements here for HTML only
        // Or for XML, only if the named entities are defined in its DTD.
       .replace(/\r\n/g, preserveCR) // Must be before the next replacement.
       .replace(/[\r\n]/g, preserveCR);
@@ -552,29 +552,26 @@ SAML.prototype.validatePostResponse = function (container, callback) {
       if (!self.options.decryptionPvk)
         throw new Error('No decryption key for encrypted SAML response');
 
-      var encryptedDatas = xpath( encryptedAssertions[0], "./*[local-name()='EncryptedData']");
-      if (encryptedDatas.length != 1)
-        throw new Error('Invalid signature');
-      var encryptedDataXml = encryptedDatas[0].toString();
+      var encryptedAssertionXml = encryptedAssertions[0].toString();
 
       var xmlencOptions = { key: self.options.decryptionPvk };
-      return Q.ninvoke(xmlenc, 'decrypt', encryptedDataXml, xmlencOptions)
+      return Q.ninvoke(xmlenc, 'decrypt', encryptedAssertionXml, xmlencOptions)
         .then(function(decryptedXml) {
           var decryptedDoc = new xmldom.DOMParser().parseFromString(decryptedXml);
           var decryptedAssertions = xpath(decryptedDoc, "/*[local-name()='Assertion']");
           if (decryptedAssertions.length != 1)
             throw new Error('Invalid EncryptedAssertion content');
 
-          if (self.options.cert && 
-              !validSignature && 
+          if (self.options.cert &&
+              !validSignature &&
               !self.validateSignature(decryptedXml, decryptedAssertions[0], self.options.cert))
             throw new Error('Invalid signature');
 
           self.processValidlySignedAssertion(decryptedAssertions[0].toString(), inResponseTo, callback);
         });
     }
 
-    // If there's no assertion, fall back on xml2js response parsing for the status & 
+    // If there's no assertion, fall back on xml2js response parsing for the status &
     //   LogoutResponse code.
 
     var parserConfig = {
@@ -708,7 +705,7 @@ SAML.prototype.processValidlySignedAssertion = function(xml, inResponseTo, callb
         }
       }
     }
-    
+
     // Test to see that if we have a SubjectConfirmation InResponseTo that it matches
     // the 'InResponseTo' attribute set in the Response
     if (self.options.validateInResponseTo) {

package.json

@@ -36,7 +36,7 @@
     "xml-crypto": "0.8.x",
     "xmldom": "0.1.x",
     "xmlbuilder": "2.5.x",
-    "xml-encryption": "~0.7"
+    "xml-encryption": "~0.10"
   },
   "devDependencies": {
     "body-parser": "1.9.x",

test/samlTests.js

@@ -45,7 +45,7 @@ describe('SAML.js', function() {
     // NOTE: This test only tests existence of the assertion, not the correctness
     it('calls callback with saml request object', function(done) {
       saml.getAuthorizeUrl(req, function(err, target) {
-        url.parse(target, true).query.should.have.property('SAMLRequest');
+        should(url.parse(target, true).query).have.property('SAMLRequest');
         done();
       });
     });