I want to sign this:

```xml
<saml:Assertion
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  ID="_SomeId"
  Version="2.0"
  IssueInstant="2004-12-05T09:22:05Z"
>
  <saml:Issuer>https://issuer.com</saml:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">api_user</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2020-08-21T09:23:24.511Z" Recipient="https://api.acme.com/oauth/token"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2020-08-21T09:03:24.511Z" NotOnOrAfter="2024-08-21T09:23:24.511Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>www.acme.com</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="api_key">
      <saml2:AttributeValue xsi:type="xs:string">API_KEY</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml:Assertion>
```

Doing it like this:

```js
const assertion = '<THE XML HERE>'
const signer = new SignedXml({
  // From my X.509 certificate file
  privateKey,
  publicCert,
});
signer.computeSignature(assertion);
const signedAssertion = signer.getSignedXml();
```

Gives:

```
Error: error:1E08010C:DECODER routines::unsupported
  library: 'DECODER routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_UNSUPPORTED'
```

Adding:

```js
signer.addReference({ xpath: "/" }); // since I want to sign the whole document?
```

Gives:

```
/me/project/node_modules/xml-crypto/src/utils.ts:20
  for (let i = 0; i < element.attributes.length; i++) {
                                         ^
TypeError: Cannot read properties of null (reading 'length')
    at Object.findAttr (/me/project/node_modules/xml-crypto/src/utils.ts:20:42)
```

What am I missing here?
Replies: 1 comment
IMHO this is more like a discussion item/question and proper place would have been https://github.com/node-saml/xml-crypto/discussions instead of issue #393.

Here is an example of signing SAML 2.0 response with `xml-crypto` (with version `< 4.0.0`): node-saml/passport-saml#836 (comment)

It is trivial to modify that example to handle just `Assertion` input. Just drop code related to handling of surrounding `Response` and make minor modifications to xpaths related to Assertion signing. Pay attention to placement of signature element in the resulting signed Assertion (for further information see example code's code comments).

btw. your example Assertion's subject confirmation's `NotOnOrAfter="2020-08…`