Set key to be only for signing by adding signing_only in the SP

waterkip · waterkip · commit d2f8928ebd92 · 2025-01-03T19:38:17.000-04:00
In 3c87e51 we defined the signing key to be for signing and encryption. This new flag allows consumers to keep old behaviour where the key was/is only used for signing and not encrypting. Signed-off-by: Wesley Schwengle <waterkip@cpan.org>
diff --git a/lib/Net/SAML2/SP.pm b/lib/Net/SAML2/SP.pm
@@ -74,6 +74,11 @@ Path to the private key for the signing certificate
 Path to the public key that the IdP should use for encryption. This
 is used when generating the metadata.
 
+=item B<signing_only>
+
+Indicate that the key for signing is exclusively used for signing and not
+encryption and signing.
+
 =item B<cacert>
 
 Path to the CA certificate for verification
@@ -175,6 +180,8 @@ has 'cert'   => (isa => 'Str', is => 'ro', required => 1, predicate => 'has_cert
 has 'key'    => (isa => 'Str', is => 'ro', required => 1);
 has 'cacert' => (isa => 'Str', is => 'rw', required => 0, predicate => 'has_cacert');
 
+has 'signing_only' => (isa => 'Bool', is => 'ro', required => 0);
+
 has 'encryption_key'   => (isa => 'Str', is => 'ro', required => 0, predicate => 'has_encryption_key');
 has 'error_url'        => (isa => Uri, is => 'ro', required => 1, coerce => 1);
 has 'org_name'         => (isa => 'Str', is => 'ro', required => 1);
@@ -654,6 +661,8 @@ sub _generate_key_descriptors {
 
     my $key = $use eq 'encryption' ? $self->_encryption_key_text : $self->_cert_text;
 
+    $use = 'signing' if $self->signing_only && $use eq 'both';
+
     return $x->KeyDescriptor(
         $md,
         $use ne 'both' ? { use => $use } : {},
diff --git a/t/02-create-sp.t b/t/02-create-sp.t
@@ -219,6 +219,20 @@ use URN::OASIS::SAML2 qw(:bindings :urn);
     }
 
 }
+
+{
+    my $sp = net_saml2_sp(signing_only => 1);
+    my $xpath = get_xpath(
+        $sp->metadata,
+        md => URN_METADATA,
+        ds => URN_SIGNATURE,
+    );
+
+
+    my $kd = get_single_node_ok($xpath, "//md:KeyDescriptor");
+    is($kd->getAttribute('use'), 'signing', "Key descriptor says sign");
+}
+
 {
     my $sp = net_saml2_sp( ( encryption_key => 't/sign-nopw-cert.pem' ) );
 

Original file line number	Diff line number	Diff line change
`@@ -219,6 +219,20 @@ use URN::OASIS::SAML2 qw(:bindings :urn);`
`219`	`219`	`}`
`220`	`220`
`221`	`221`	`}`
	`222`	`+`
	`223`	`+{`
	`224`	`+ my $sp = net_saml2_sp(signing_only => 1);`
	`225`	`+ my $xpath = get_xpath(`
	`226`	`+ $sp->metadata,`
	`227`	`+ md => URN_METADATA,`
	`228`	`+ ds => URN_SIGNATURE,`
	`229`	`+ );`
	`230`	`+`
	`231`	`+`
	`232`	`+ my $kd = get_single_node_ok($xpath, "//md:KeyDescriptor");`
	`233`	`+ is($kd->getAttribute('use'), 'signing', "Key descriptor says sign");`
	`234`	`+}`
	`235`	`+`
`222`	`236`	`{`
`223`	`237`	`my $sp = net_saml2_sp( ( encryption_key => 't/sign-nopw-cert.pem' ) );`
`224`	`238`