Add support for sha256-rsa-MGF1 signing algorithm (node-saml#328)

cornzz · cornzz · commit ef49b7e07e61 · 2025-02-13T16:46:30.000+01:00
diff --git a/src/signature-algorithms.ts b/src/signature-algorithms.ts
@@ -53,6 +53,53 @@ export class RsaSha256 implements SignatureAlgorithm {
   };
 }
 
+export class RsaSha256Mgf1 implements SignatureAlgorithm {
+  getSignature = createOptionalCallbackFunction(
+    (signedInfo: crypto.BinaryLike, privateKey: crypto.KeyLike): string => {
+      if (!(typeof privateKey === "string" || Buffer.isBuffer(privateKey))) {
+        throw new Error("keys must be strings or buffers");
+      }
+      const signer = crypto.createSign("RSA-SHA256");
+      signer.update(signedInfo);
+      const res = signer.sign(
+        {
+          key: privateKey,
+          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST,
+        },
+        "base64",
+      );
+
+      return res;
+    },
+  );
+
+  verifySignature = createOptionalCallbackFunction(
+    (material: string, key: crypto.KeyLike, signatureValue: string): boolean => {
+      if (!(typeof key === "string" || Buffer.isBuffer(key))) {
+        throw new Error("keys must be strings or buffers");
+      }
+      const verifier = crypto.createVerify("RSA-SHA256");
+      verifier.update(material);
+      const res = verifier.verify(
+        {
+          key: key,
+          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST,
+        },
+        signatureValue,
+        "base64",
+      );
+
+      return res;
+    },
+  );
+
+  getAlgorithmName = () => {
+    return "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
+  };
+}
+
 export class RsaSha512 implements SignatureAlgorithm {
   getSignature = createOptionalCallbackFunction(
     (signedInfo: crypto.BinaryLike, privateKey: crypto.KeyLike): string => {
diff --git a/src/signed-xml.ts b/src/signed-xml.ts
@@ -102,6 +102,7 @@ export class SignedXml {
   SignatureAlgorithms: Record<SignatureAlgorithmType, new () => SignatureAlgorithm> = {
     "http://www.w3.org/2000/09/xmldsig#rsa-sha1": signatureAlgorithms.RsaSha1,
     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": signatureAlgorithms.RsaSha256,
+    "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1": signatureAlgorithms.RsaSha256Mgf1,
     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": signatureAlgorithms.RsaSha512,
     // Disabled by default due to key confusion concerns.
     // 'http://www.w3.org/2000/09/xmldsig#hmac-sha1': SignatureAlgorithms.HmacSha1
diff --git a/src/types.ts b/src/types.ts
@@ -30,6 +30,7 @@ export type HashAlgorithmType =
 export type SignatureAlgorithmType =
   | "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
   | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+  | "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"
   | "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
   | "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
   | string;
