Support different keys for decryption and signature verification.

[deskoh]

Client can only be configured to use the same private key (i.e. key.pem) for signature verification and assertion decryption.

This PR allows different keys to be configured.

[LoneRifle]

Under what circumstances is there a need to support different keys? From what I understand, spcp setups typically recycle the decrypt assertion key for signing. Also.. is there a way to make this change without breaking backward compatibility?

[deskoh]

Correct me if I'm wrong, my understanding is that the application keys (or more specifically the X.509 certs) used by SPCP for signature (verification) and assertion encryption are provided by the service provider, both of which could (and should) be different?

[LoneRifle]

Your understanding is correct - that said, I feel the need to retain backward compatibility so that those who have opted to use the same certs can continue to specify it as appKey in settings, perhaps as a fallback for this.appSigningKey and this.appEncryptionKey, ie, in the ctor,

this.appSigningKey = config.appSigningKey || config.appKey
this.appEncryptionKey = config.appEncryptionKey || config.appKey

The PR lgtm otherwise. If you could incorporate my proposed change I'll happily accept then kick out a minor release

[deskoh]

Good suggestion and valid point.

To simplify usage, I added optional appEncryptionKey to be provided if it is different from appKey. This will avoid the need to deal with up to 3 'keys' parameters in the config, (Furthermore, the appKey is also used for JWT signing, which will make the usage even more complicated).

Aside, is it desirable to create a TypeScript definition? Included some jsdoc type error fixes in this PR as well.

[LoneRifle]

I would if I could. Happy to take a separate PR for that

[LoneRifle]

lgtm. thanks for incorporating my suggestions