From abc5e056075eaf49259f3c5d0ebb7fb1b8c242ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=81=82=E3=82=8F=E3=82=8F=E3=82=8F=E3=81=A8=E3=83=BC?= =?UTF-8?q?=E3=81=AB=E3=82=85?= <17376330+u1-liquid@users.noreply.github.com>
Date: Tue, 1 Apr 2025 06:37:33 +0900
Subject: [PATCH] =?UTF-8?q?fix(SSO/SAML):=20JWK=E9=96=A2=E6=95=B0=E3=81=AE?= =?UTF-8?q?=E4=BB=95=E6=A7=98=E5=A4=89=E6=9B=B4=E3=81=AB=E5=AF=BE=E5=BF=9C?= =?UTF-8?q?=20(MisskeyIO#966)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 packages/backend/src/misc/gen-x509-cert-from-jwk.ts | 4 ++--
 .../backend/src/server/sso/SAMLIdentifyProviderService.ts | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/backend/src/misc/gen-x509-cert-from-jwk.ts b/packages/backend/src/misc/gen-x509-cert-from-jwk.ts
index 2d5698daa..b2650a499 100644
--- a/packages/backend/src/misc/gen-x509-cert-from-jwk.ts
+++ b/packages/backend/src/misc/gen-x509-cert-from-jwk.ts
@@ -18,13 +18,13 @@ export async function genX509CertFromJWK(
 cert.setSubject(attrs);
 cert.setIssuer(attrs);
 cert.publicKey = await jose
- .importJWK(JSON.parse(publicKey), alg)
+ .importJWK(JSON.parse(publicKey), alg, { extractable: true })
 .then((k) => jose.exportSPKI(k as jose.CryptoKey))
 .then((k) => forge.pki.publicKeyFromPem(k));
 cert.sign(
 await jose
- .importJWK(JSON.parse(privateKey), alg)
+ .importJWK(JSON.parse(privateKey), alg, { extractable: true })
 .then((k) => jose.exportPKCS8(k as jose.CryptoKey))
 .then((k) => forge.pki.privateKeyFromPem(k)),
 forge.md.sha256.create(),
diff --git a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
index fcae13987..b0399ad6e 100644
--- a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
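Review bot: The `k as jose.CryptoKey` casts on the two `.then` lines following the new `extractable: true` arguments still assume importJWK never yields the symmetric-key form, so an `oct` JWK handed to this function would fail inside exportSPKI/exportPKCS8 with a library error rather than a clear message. A one-line guard before each cast, e.g. `if (k instanceof Uint8Array) throw new TypeError('genX509CertFromJWK: expected an asymmetric JWK');`, would make that misconfiguration explicit. It would also help future readers to record why the option is now needed, e.g. `// newer jose imports keys as non-extractable by default; exportSPKI/exportPKCS8 need extractable keys`, since the commit message does not say so in English. genX509CertFromJWK begins before and ends after this hunk.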
@@ -238,7 +238,7 @@ export class SAMLIdentifyProviderService {
 const idp = saml.IdentityProvider({
 metadata: await this.createIdPMetadataXml(ssoServiceProvider),
 privateKey: await jose
- .importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm)
+ .importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm, { extractable: true })
 .then(k => jose.exportPKCS8(k as jose.CryptoKey)),
 });
@@ -392,7 +392,7 @@ export class SAMLIdentifyProviderService {
 const idp = saml.IdentityProvider({
 metadata: await this.createIdPMetadataXml(ssoServiceProvider),
 privateKey: await jose
- .importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm)
+ .importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm, { extractable: true })
 .then(k => jose.exportPKCS8(k as jose.CryptoKey)),
 loginResponseTemplate: { context: 'ignored' },
 });
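Review bot: The new `importJWK(...)` line at 238 and its copy at 392 still fall back to `'{}'` when `ssoServiceProvider.privateKey` is unset, so a service provider without a configured signing key surfaces as a jose import error in the middle of the SAML flow instead of a configuration error at the entry of the method. Checking up front, e.g. `if (!ssoServiceProvider.privateKey) throw new Error('SAML IdP private key is not configured');`, would fail earlier and with a message an operator can act on. The import-then-exportPKCS8 chain is now identical at both sites and converts the private key to PEM on every request, so it is a candidate for a small private helper carrying a comment on why the option is required, e.g. `// exportPKCS8 only accepts an extractable CryptoKey`. Both enclosing methods of SAMLIdentifyProviderService start outside these hunks.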