From 0c302cff501963475703a845d88d95cec97b5819 Mon Sep 17 00:00:00 2001
From: Wesley Schwengle
Date: Fri, 26 Apr 2024 08:42:45 -0400
Subject: [PATCH] Set key to be only for signing by adding signing_only in the SP

In 3c87e51 we defined the signing key to be for signing and encryption. This new flag allows consumers to keep old behaviour where the key was/is only used for signing and not encrypting.

Signed-off-by: Wesley Schwengle
---
 lib/Net/SAML2/SP.pm | 9 +++++++++
 t/02-create-sp.t | 14 ++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/lib/Net/SAML2/SP.pm b/lib/Net/SAML2/SP.pm
index 7345c45..cec68a6 100644
--- a/lib/Net/SAML2/SP.pm
+++ b/lib/Net/SAML2/SP.pm
@@ -74,6 +74,11 @@ Path to the private key for the signing certificate
 Path to the public key that the IdP should use for encryption. This is used when generating the metadata.
 
+=item B
+
+Indicate that the key for signing is exclusively used for signing and not
+encryption and signing.
+
 =item B
 
 Path to the CA certificate for verification
@@ -175,6 +180,8 @@ has 'cert' => (isa => 'Str', is => 'ro', required => 1, predicate => 'has_cert
 has 'key' => (isa => 'Str', is => 'ro', required => 1);
 has 'cacert' => (isa => 'Str', is => 'rw', required => 0, predicate => 'has_cacert');
 
+has 'signing_only' => (isa => 'Bool', is => 'ro', required => 0);
+
 has 'encryption_key' => (isa => 'Str', is => 'ro', required => 0, predicate => 'has_encryption_key');
 has 'error_url' => (isa => Uri, is => 'ro', required => 1, coerce => 1);
 has 'org_name' => (isa => 'Str', is => 'ro', required => 1);
@@ -654,6 +661,8 @@ sub _generate_key_descriptors {
 
     my $key = $use eq 'encryption' ? $self->_encryption_key_text : $self->_cert_text;
 
+    $use = 'signing' if $self->signing_only && $use eq 'both';
+
     return $x->KeyDescriptor(
         $md,
         $use ne 'both' ? { use => $use } : {},
diff --git a/t/02-create-sp.t b/t/02-create-sp.t
index 664c74a..8ca7d45 100644
--- a/t/02-create-sp.t
+++ b/t/02-create-sp.t
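Review bot: The added POD sentence `Indicate that the key for signing is exclusively used for signing and not encryption and signing.` contradicts itself and does not say what the flag actually changes; per the `_generate_key_descriptors` hunk further down, setting it makes the certificate's KeyDescriptor carry `use="signing"` instead of being offered with no `use` attribute (i.e. for both). Suggested replacement: `Indicate that the signing certificate is to be advertised for signing only. When set, the KeyDescriptor in the generated metadata gets use="signing" instead of being offered for both signing and encryption. Defaults to false, which keeps the behaviour introduced in 3c87e51.` It would also help operators to add one sentence that an IdP honouring this metadata will presumably not encrypt assertions to this certificate, so the flag should only be set when that is intended or a separate `encryption_key` is configured.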
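Review bot: The `$use` rewrite on the added line runs after `$key` has already been chosen from the original `$use`, so the key text and the emitted `use` attribute are derived from two different values; it works today only because `'both'` and `'signing'` both fall through to `_cert_text`. Moving `$use = 'signing' if $self->signing_only && $use eq 'both';` above the `my $key = …` line keeps the two in step and makes the intent obvious. Note that the flag only has an effect when this sub is entered with `$use eq 'both'`; if the caller (outside the hunk) passes `'signing'`/`'encryption'` whenever an `encryption_key` is configured, `signing_only` is silently ignored in that configuration, which deserves a sentence in the POD. `_generate_key_descriptors` starts before the hunk and continues past it.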
@@ -219,6 +219,20 @@ use URN::OASIS::SAML2 qw(:bindings :urn);
 }
 }
 
+
+{
+    my $sp = net_saml2_sp(signing_only => 1);
+    my $xpath = get_xpath(
+        $sp->metadata,
+        md => URN_METADATA,
+        ds => URN_SIGNATURE,
+    );
+
+
+    my $kd = get_single_node_ok($xpath, "//md:KeyDescriptor");
+    is($kd->getAttribute('use'), 'signing', "Key descriptor says sign");
+}
+
 {
     my $sp = net_saml2_sp( ( encryption_key => 't/sign-nopw-cert.pem' ) );