Add ds:KeyName to md:KeyDescriptor/ds:Keyinfo

Some SAML implemenations (such as the Dutch eHerkenning) require a KeyName on
the KeyDescriptor node.

Signed-off-by: Wesley Schwengle <wesley@opndev.io>

Author: waterkip

Makefile.PL

@@ -24,6 +24,7 @@ my %WriteMakefileArgs = (
     "DateTime" => 0,
     "DateTime::Format::XSD" => 0,
     "DateTime::HiRes" => 0,
+    "Digest::MD5" => 0,
     "Exporter" => 0,
     "File::Slurper" => 0,
     "HTTP::Request::Common" => 0,
@@ -84,6 +85,7 @@ my %FallbackPrereqs = (
   "DateTime" => 0,
   "DateTime::Format::XSD" => 0,
   "DateTime::HiRes" => 0,
+  "Digest::MD5" => 0,
   "Exporter" => 0,
   "File::Slurper" => 0,
   "HTTP::Request::Common" => 0,

cpanfile

@@ -8,6 +8,7 @@ requires "Crypt::OpenSSL::X509" => "0";
 requires "DateTime" => "0";
 requires "DateTime::Format::XSD" => "0";
 requires "DateTime::HiRes" => "0";
+requires "Digest::MD5" => "0";
 requires "Exporter" => "0";
 requires "File::Slurper" => "0";
 requires "HTTP::Request::Common" => "0";

lib/Net/SAML2/SP.pm

@@ -28,6 +28,8 @@ Net::SAML2::SP - SAML Service Provider object
 use Crypt::OpenSSL::X509;
 use XML::Generator;
 
+use Digest::MD5 ();
+
 use Net::SAML2::Binding::POST;
 use Net::SAML2::Binding::Redirect;
 use Net::SAML2::Binding::SOAP;
@@ -349,7 +351,12 @@ sub generate_metadata {
                             $ds,
                             $self->_cert_text,
                         )
-                    )
+                    ),
+                    $x->KeyName(
+                     $ds,
+                     Digest::MD5::md5_hex($self->_cert_text)
+                    ),
+
                 )
             ),
             $x->SingleLogoutService(

t/02-create-sp.t

@@ -39,7 +39,7 @@ if (is(@ssos, 2, "Got two assertionConsumerService(s)")) {
 get_single_node_ok($xpath, '//ds:Signature');
 
 {
-    my $sp = net_saml2_sp(sign_metadata => 0);
+    my $sp    = net_saml2_sp(sign_metadata => 0);
     my $xpath = get_xpath(
         $sp->metadata,
         md => 'urn:oasis:names:tc:SAML:2.0:metadata',
@@ -72,13 +72,13 @@ get_single_node_ok($xpath, '//ds:Signature');
         error_url        => '/error',
     );
 
-    my $xpc = get_xpath(
+    my $xpath = get_xpath(
         $sp->metadata,
         md => 'urn:oasis:names:tc:SAML:2.0:metadata',
         ds => 'http://www.w3.org/2000/09/xmldsig#'
     );
 
-    my $node = get_single_node_ok($xpc, '/md:EntityDescriptor');
+    my $node = get_single_node_ok($xpath, '/md:EntityDescriptor');
     is(
         $node->getAttribute('entityID'),
         'Some entity ID',
@@ -89,68 +89,77 @@ get_single_node_ok($xpath, '//ds:Signature');
 
     {
         # Test ContactPerson
-        my $node = get_single_node_ok($xpc, '/node()/md:ContactPerson');
+        my $node = get_single_node_ok($xpath, '/node()/md:ContactPerson');
         my $p    = $node->nodePath();
 
-        my $company = get_single_node_ok($xpc, "$p/md:Company");
+        my $company = get_single_node_ok($xpath, "$p/md:Company");
         is(
             $company->textContent,
             'Net::SAML2::SP testsuite',
             "Got the correct company name for the contact person"
         );
 
-        my $email = get_single_node_ok($xpc, "$p/md:EmailAddress");
+        my $email = get_single_node_ok($xpath, "$p/md:EmailAddress");
         is($email->textContent, 'test@example.com',
             ".. and the correct email");
     }
 
     {
         # Test Organisation
-        my $node = get_single_node_ok($xpc, '/node()/md:Organization');
+        my $node = get_single_node_ok($xpath, '/node()/md:Organization');
         my $p    = $node->nodePath();
 
-        my $name = get_single_node_ok($xpc, "$p/md:OrganizationName");
-        is(
-            $name->textContent,
-            'Net::SAML2::SP',
-            "Got the correct company name"
-        );
+        my $name = get_single_node_ok($xpath, "$p/md:OrganizationName");
+        is($name->textContent, 'Net::SAML2::SP',
+            "Got the correct company name");
 
         my $display_name
-            = get_single_node_ok($xpc, "$p/md:OrganizationDisplayName");
+            = get_single_node_ok($xpath, "$p/md:OrganizationDisplayName");
         is(
             $display_name->textContent,
             'Net::SAML2::SP testsuite',
             ".. and the correct display name"
         );
 
-        my $url = get_single_node_ok($xpc, "$p/md:OrganizationURL");
+        my $url = get_single_node_ok($xpath, "$p/md:OrganizationURL");
         is($url->textContent, 'http://www.example.com',
             ".. and the correct URI");
     }
 
     {
         # Test SPSSODescriptor
-        my $node = get_single_node_ok($xpc, '/node()/md:SPSSODescriptor');
+        my $node = get_single_node_ok($xpath, '/node()/md:SPSSODescriptor');
         is($node->getAttribute('AuthnRequestsSigned'),
             '1', '.. and authn request needs signing');
         is($node->getAttribute('WantAssertionsSigned'),
             '1', '.. as does assertions');
-        is(
-            $node->getAttribute('errorURL'),
-            'http://localhost:3000/error',
-            'Got the correct error URI'
-        );
+        is($node->getAttribute('errorURL'),
+            'http://localhost:3000/error', 'Got the correct error URI');
 
-        # TODO: Add more tests for other metadata parts
+        my $p = $node->nodePath();
 
-    }
+        my $kd = get_single_node_ok($xpath, "$p/md:KeyDescriptor");
 
-    {
-        # Test Signature
-        my $node = get_single_node_ok($xpc, '/node()/ds:Signature');
+        is($kd->getAttribute('use'),
+            "signing", "Key descriptor is there for signing only");
+
+        my $ki = get_single_node_ok($xpath, $kd->nodePath() . "/ds:KeyInfo");
+
+        my $cert = get_single_node_ok($xpath,
+            $ki->nodePath() . "/ds:X509Data/ds:X509Certificate");
+        ok($cert->textContent, "And we have the certificate data");
+
+        my $keyname
+            = get_single_node_ok($xpath, $ki->nodePath() . "/ds:KeyName");
+        ok($keyname->textContent, "... and we have a key name");
     }
 
 }
 
+{
+    # Test Signature
+    my $node = get_single_node_ok($xpath, '/node()/ds:Signature');
+
+}
+
 done_testing;