normalize signature line endings before loading signature block to xm…

…l-crypto (#512)

src/passport-saml/saml.ts

@@ -695,6 +695,7 @@ class SAML {
       getKeyInfo: key => "<X509Data></X509Data>",
       getKey: keyInfo => Buffer.from(this.certToPEM(cert)),
     };
+    signature = this.normalizeNewlines(signature.toString());
     sig.loadSignature(signature);
     // We expect each signature to contain exactly one reference to the top level of the xml we
     //   are validating, so if we see anything else, reject.
@@ -714,7 +715,7 @@ class SAML {
     if (totalReferencedNodes.length > 1) {
       return false;
     }
-    fullXml = fullXml.replace(/\r\n?/g, '\n');
+    fullXml = this.normalizeNewlines(fullXml);
     return sig.checkSignature(fullXml);
   }
 
@@ -1395,6 +1396,13 @@ class SAML {
     ].join('\n');
     return wrappedKey;
   }
+
+  normalizeNewlines(xml : string) : string {
+    // we can use this utility before passing XML to `xml-crypto`
+    // we are considered the XML processor and are responsible for newline normalization
+    // https://github.com/node-saml/passport-saml/issues/431#issuecomment-718132752
+    return xml.replace(/\r\n?/g, "\n");
+  }
 }
 
 export { SAML };

test/static/signatures/valid/response.root-signed.assertion-signed.xml

@@ -35,5 +35,35 @@
                 </saml:AttributeValue>
             </saml:Attribute>
         </saml:AttributeStatement>
-    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>UlVrWcRgUXgqQRuYZNEIhLEYv4oC8Kd5/HAl9Cb/jiQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>vWCTy3IYpsGMl+RJQKZvCN/zZvMp/mBs7Y4Y3ihq0lnX2PDsJaHLEUPX+WTlQN8e791PDCkk+uIu+X+Y1sOyFxIjD5dAikZA2d3QWDC5mcHqj/gvzeiirAWA06Maw3jvaZlquBhpixFk+6mcbAP33UvqgA0Zkjb2qYq0GrOno+bED1vUl2Os9EQB30phllxP5WuJlhUz5Y+X1WXT7AS6f0haTvkFwdMRbniDdjvMiEBfbITUQfM3K361L4TKlYB2T/NRpXv+zjGx9xAl93s4DFdbUzI3jvkBYHhIsRFURwWP5UyczT9P4uuJIiaLXLnOYAX4ZgxVtyWltJKRUhRlzg==</ds:SignatureValue></ds:Signature></saml:Assertion>
-<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>btmMhWeiNWFtvX59ONbp9AlYcxu9w+dpaWRWEA40Too=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>XcZR4j7Hy7QQPoYuAlIi4k/6BK+Nq/ByyPOzIdlkMD4BT7HobxgMv0LeFvgdvE0QMA1IUQgGVuMKRMdwy02HowhQHPrLzHomwKXIy0GaBuDKudLcjYH4Sqlo1DMn5MHhXyzE4j66FlJFoR0fvjWyz4vbRHFpxMcVoqrb4NBDT5f5LN63IXlexZOOCR0n6ZimyNpu91LzCtK4mYb53OjT1Glbq3zslxas+jqEk4+S2wqZyIQjqzsUrOl540L9+9x/KlfKB2jeb2i2wjiwLORzzlZXPrOxLZzisZMnossS9QXImj9ItF9vE9coIJGbF30YSSmGeLgdxjRLJGQFdg5dPg==</ds:SignatureValue></ds:Signature></samlp:Response>
+        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+            <ds:SignedInfo>
+                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+                <ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb">
+                    <ds:Transforms>
+                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+                    </ds:Transforms>
+                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+                    <ds:DigestValue>yFyp0ukUesUFin+8yRA2Ldw7F4vJtnHIUaCd+iwswtE=</ds:DigestValue>
+                </ds:Reference>
+            </ds:SignedInfo>
+            <ds:SignatureValue>GXh443ZANwMWTpdn5Yx8Drlx3iuxM7UvQG5Qtw7wJ2GuNaaiR8rhsAvcxWPFhivOEhahS3j8JRAxSpkfB7F/hei3IkKCa21q+gSwfnSjTsFWkicKMTFT575Dq1ucBMir3bAPKjSk282j2NDy7dK6SZMrTd7ilxxEK+ihnLJnk2U2ezqUztEdJwo+t10SXRPQqkIawqCAOCLMT1PrvkjF9hJsFnV9RQRJH7vlB5eWttie+VUYXtzPeh8ZFCKP8aXfj/YPUx6C49EU16JK0UUApdi2bzHAOTMKAAl1L+ul/rlpS/oNwYWtbOWA/yZbgBXLG4oJUQR3zFXPyu7gV0K1Fg==</ds:SignatureValue>
+        </ds:Signature>
+    </saml:Assertion>
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:SignedInfo>
+            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+            <ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">
+                <ds:Transforms>
+                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+                </ds:Transforms>
+                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+                <ds:DigestValue>pUbHXQ1WaHtmlrr02h5L59TD4yPouUCTUMinVxyj5R4=</ds:DigestValue>
+            </ds:Reference>
+        </ds:SignedInfo>
+        <ds:SignatureValue>tm/5eCuuiPlC0jlRNqMv4ReNpn4Ss3CekShExbXcMpP7odyrCYmlks7BwB5VH3GNaSqRlOM6mGHLJw32cfo7nYNDZo2fJutdegUwwhfbCJ9MwoJH1nE/eHnknxIaXQv6fSxA9uVeGBlAG1f7S/3lJ+94zMDcxydElotigOyLp2F4INBXl/fzbDgLAVdeMkyUjy+3Kv2pNY8KNcAnRateKnmtFskBq48bidXLFNYeLpsV1t7vj+tUef9+mRxMsHE5PzrQ2bvm3I/k6nmg/WEy5Hnyz5oGKxKH/3boYALMH94fy0hhALm8LQ0DwJxLrX6F0pxyXr+QuVpAPLDqSh32Jg==</ds:SignatureValue>
+    </ds:Signature>
+</samlp:Response>