-
Notifications
You must be signed in to change notification settings - Fork 475
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Uncaught Crypto error with malformed key (support password-protected private keys) #233
Comments
Correction: |
For future reference, if you are having trouble figuring out the correct private key format, you can use this little script to test: "use strict";
var fs = require("fs")
var SAML = require("passport-saml").SAML;
var saml = new SAML({
privateCert : fs.readFileSync("./tmp.pem")
})
var message = { SAMLResponse: "BOOM" };
saml.signRequest(message)
console.log(message.Signature) Using that, I determined that the private key must start with It doesn't work to put The certificate itself can be on a single line, or presumably will also work with linebreaks. This behavior is inconsistent with other parts of It also be nice if |
If my private key is password protected, sha256, I get a different header and footer: |
@whatch How do you enter the password? Do you have server prompt you to enter the password when it boots up? What if the server reboots in the middle of the night while you are in vacation? Passwords are typically not used for SSL certificates and similar things, but it's not practical to have the right person enter the password when it's needed, potentially resulting in downtime. |
We don't, but keep it in a .env file.
It's default practice for me when I use samlify: https://github.com/tngan/samlify/blob/71660123524daedecb7c15d648a7ad09c0d75e5c/test/flow.ts#L74 It also seems reasonable to me to protect even the private key with a password. @whatch Have you find a way to use an encrypted private key? |
password-protecting the private key is supported by the SAML spec, so we should support it here too, regardless of my opinion of the practice. A pull request with code/test/docs to address this is welcome. |
When you generate private key using openssl if creates in PEM encoded PKCS#1 format. openssl pkcs8 -in <pem_in_PKCS#1> -topk8 -nocrypt -out <pem_in_PKCS#2> PEM encoded PKCS#1 format private key begins with PEM encoded PKCS#8 format private key begins with If you have encrypted private key (-----BEGIN ENCRYPTED PRIVATE KEY-----) convert to (-----BEGIN RSA PRIVATE KEY-----) which is PKCS#1 and then to PKCS#8 (-----BEGIN PRIVATE KEY-----). |
just dropping here to help someone .. this formats certs |
Using Node 6.11.1 + Sails 1.0
This happens if you provide the just the base64
privateCert
not enclosed in-----BEGIN RSA PRIVATE KEY-----
and-----END RSA PRIVATE KEY-----
This probably also happens if you try to validate the IDP signature later on. (I haven't got there yet)
Maybe add an error handling for this case or a key check (and update documentation)?
The text was updated successfully, but these errors were encountered: