icn_saml_idp 0.4.1

data/lib/saml_idp/signable.rb

@@ -0,0 +1,131 @@
+# Requires methods:
+#   * reference_id
+#   * raw
+#   * digest
+#   * algorithm
+require 'saml_idp/signed_info_builder'
+require 'saml_idp/signature_builder'
+module SamlIdp
+  module Signable
+    def self.included(base)
+      base.extend ClassMethods
+      base.send :attr_accessor, :reference_id
+    end
+
+    def signed
+      generated_reference_id do
+        with_signature do
+          send(self.class.raw_method)
+        end
+      end
+    end
+
+    def sign(el)
+      el << signature if sign?
+    end
+
+    def generated_reference_id
+      if reference_id
+        fin = yield reference_id if block_given?
+      else
+        self.reference_id = ref = reference_id_generator.call
+        fin = yield reference_id if block_given?
+        self.reference_id = nil
+      end
+      block_given? ? fin : ref
+    end
+    private :generated_reference_id
+
+    def reference_id_generator
+      SamlIdp.config.reference_id_generator
+    end
+    private :reference_id_generator
+
+    def with_signature
+      original = @sign
+      @sign = true
+      yield.tap do
+        @sign = original
+      end
+    end
+    private :with_signature
+
+    def without_signature
+      original = @sign
+      @sign = false
+      yield.tap do
+        @sign = original
+      end
+    end
+    private :without_signature
+
+    def sign?
+      !!@sign
+    end
+    private :sign?
+
+    def signature
+      SignatureBuilder.new(signed_info_builder).raw
+    end
+    private :signature
+
+    def signed_info_builder
+      SignedInfoBuilder.new(get_reference_id, get_digest, get_algorithm)
+    end
+    private :signed_info_builder
+
+    def get_reference_id
+      send(self.class.reference_id_method)
+    end
+    private :get_reference_id
+
+    def get_digest
+      without_signature do
+        send(self.class.digest_method)
+      end
+    end
+    private :get_digest
+
+    def get_algorithm
+      send(self.class.algorithm_method)
+    end
+    private :get_algorithm
+
+    def get_raw
+      send(self.class.raw_method)
+    end
+    private :get_raw
+
+    def noko_raw
+      Nokogiri::XML::Document.parse(get_raw)
+    end
+    private :noko_raw
+
+    def digest
+      # Make it check for inclusive at some point (https://github.com/onelogin/ruby-saml/blob/master/lib/xml_security.rb#L159)
+      inclusive_namespaces = []
+      # Also make customizable
+      canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+      canon_hashed_element = noko_raw.canonicalize(canon_algorithm, inclusive_namespaces)
+      digest_algorithm = get_algorithm
+
+      hash                          = digest_algorithm.digest(canon_hashed_element)
+      Base64.strict_encode64(hash).gsub(/\n/, '')
+    end
+    private :digest
+
+    module ClassMethods
+      def self.module_method(name, default = nil)
+        default ||= name
+        define_method "#{name}_method" do |new_method_name = nil|
+          instance_variable_set("@#{name}", new_method_name) if new_method_name
+          instance_variable_get("@#{name}") || default
+        end
+      end
+      module_method :raw
+      module_method :digest
+      module_method :algorithm
+      module_method :reference_id
+    end
+  end
+end

data/lib/saml_idp/signature_builder.rb

@@ -0,0 +1,42 @@
+require 'builder'
+module SamlIdp
+  class SignatureBuilder
+    attr_accessor :signed_info_builder
+
+    def initialize(signed_info_builder)
+      self.signed_info_builder = signed_info_builder
+    end
+
+    def raw
+      builder = Builder::XmlMarkup.new
+      builder.tag! "ds:Signature", "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#" do |signature|
+        signature << signed_info
+        signature.tag! "ds:SignatureValue", signature_value
+        signature.KeyInfo xmlns: "http://www.w3.org/2000/09/xmldsig#" do |key_info|
+          key_info.tag! "ds:X509Data" do |x509|
+            x509.tag! "ds:X509Certificate", x509_certificate
+          end
+        end
+      end
+    end
+
+    def x509_certificate
+      SamlIdp.config.x509_certificate
+      .to_s
+      .gsub(/-----BEGIN CERTIFICATE-----/,"")
+      .gsub(/-----END CERTIFICATE-----/,"")
+      .gsub(/\n/, "")
+    end
+    private :x509_certificate
+
+    def signed_info
+      signed_info_builder.raw
+    end
+    private :signed_info
+
+    def signature_value
+      signed_info_builder.signed
+    end
+    private :signature_value
+  end
+end

data/lib/saml_idp/signed_info_builder.rb

@@ -0,0 +1,88 @@
+require 'builder'
+module SamlIdp
+  class SignedInfoBuilder
+    include Algorithmable
+
+    SIGNATURE_METHODS = {
+      "sha1" => "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+      "sha224" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224",
+      "sha256" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+      "sha384" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+      "sha512" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+    }
+    DIGEST_METHODS = {
+      "sha1" => "http://www.w3.org/2000/09/xmldsig#sha1",
+      "sha224" => "http://www.w3.org/2001/04/xmldsig-more#sha224",
+      "sha256" => "http://www.w3.org/2001/04/xmlenc#sha256",
+      "sha384" => "http://www.w3.org/2001/04/xmldsig-more#sha384",
+      "sha512" => "http://www.w3.org/2001/04/xmlenc#sha512",
+    }
+
+
+    attr_accessor :reference_id
+    attr_accessor :digest_value
+    attr_accessor :raw_algorithm
+
+    def initialize(reference_id, digest_value, raw_algorithm)
+      self.reference_id = reference_id
+      self.digest_value = digest_value
+      self.raw_algorithm = raw_algorithm
+    end
+
+    def raw
+      builder = Builder::XmlMarkup.new
+      builder.tag! "ds:SignedInfo", "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#" do |signed_info|
+        signed_info.tag!("ds:CanonicalizationMethod", Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#") {}
+        signed_info.tag!("ds:SignatureMethod", Algorithm: signature_method ) {}
+        signed_info.tag! "ds:Reference", URI: reference_string do |reference|
+          reference.tag! "ds:Transforms" do |transforms|
+            transforms.tag!("ds:Transform", Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature") {}
+            transforms.tag!("ds:Transform", Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#") {}
+          end
+          reference.tag!("ds:DigestMethod", Algorithm: digest_method) {}
+          reference.tag! "ds:DigestValue", digest_value
+        end
+      end
+    end
+
+    def signed
+      encoded.gsub(/\n/, "")
+    end
+
+    def digest_method
+      DIGEST_METHODS.fetch(clean_algorithm_name, DIGEST_METHODS["sha1"])
+    end
+    private :digest_method
+
+    def signature_method
+      SIGNATURE_METHODS.fetch(clean_algorithm_name, SIGNATURE_METHODS["sha1"])
+    end
+    private :signature_method
+
+    def clean_algorithm_name
+      algorithm_name.to_s.downcase
+    end
+    private :clean_algorithm_name
+
+    def secret_key
+      SamlIdp.config.secret_key
+    end
+    private :secret_key
+
+    def password
+      SamlIdp.config.password
+    end
+    private :password
+
+    def encoded
+      key = OpenSSL::PKey::RSA.new(secret_key, password)
+      Base64.strict_encode64(key.sign(algorithm.new, raw))
+    end
+    private :encoded
+
+    def reference_string
+      "#_#{reference_id}"
+    end
+    private :reference_string
+  end
+end

data/lib/saml_idp/version.rb

@@ -0,0 +1,4 @@
+# encoding: utf-8
+module SamlIdp
+  VERSION = '0.4.1'
+end

data/lib/saml_idp/xml_security.rb

@@ -0,0 +1,181 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require 'nokogiri'
+require "digest/sha1"
+require "digest/sha2"
+
+module SamlIdp
+  module XMLSecurity
+    class SignedDocument < REXML::Document
+      ValidationError = Class.new(StandardError)
+      C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
+      DSIG = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_accessor :signed_element_id
+
+      def initialize(response)
+        super(response)
+        extract_signed_element_id
+      end
+
+      def validate(idp_cert_fingerprint, soft = true)
+        # get cert from response
+        cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
+        raise ValidationError.new("Certificate element missing in response (ds:X509Certificate)") unless cert_element
+        base64_cert  = cert_element.text
+        cert_text    = Base64.decode64(base64_cert)
+        cert         = OpenSSL::X509::Certificate.new(cert_text)
+
+        # check cert matches registered idp cert
+        fingerprint = fingerprint_cert(cert)
+        sha1_fingerprint = fingerprint_cert_sha1(cert)
+        plain_idp_cert_fingerprint = idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+
+        if fingerprint != plain_idp_cert_fingerprint && sha1_fingerprint != plain_idp_cert_fingerprint
+          return soft ? false : (raise ValidationError.new("Fingerprint mismatch"))
+        end
+
+        validate_doc(base64_cert, soft)
+      end
+
+      def fingerprint_cert(cert)
+        # pick algorithm based on the doc's digest algorithm
+        ref_elem = REXML::XPath.first(self, "//ds:Reference", {"ds"=>DSIG})
+        digest_algorithm = algorithm(REXML::XPath.first(ref_elem, "//ds:DigestMethod"))
+        digest_algorithm.hexdigest(cert.to_der)
+      end
+
+      def fingerprint_cert_sha1(cert)
+        OpenSSL::Digest::SHA1.hexdigest(cert.to_der)
+      end
+
+      def validate_doc(base64_cert, soft = true)
+        # validate references
+
+        # check for inclusive namespaces
+        inclusive_namespaces = extract_inclusive_namespaces
+
+        document = Nokogiri.parse(self.to_s)
+
+        # create a working copy so we don't modify the original
+        @working_copy ||= REXML::Document.new(self.to_s).root
+
+        # store and remove signature node
+        @sig_element ||= begin
+                           element = REXML::XPath.first(@working_copy, "//ds:Signature", {"ds"=>DSIG})
+                           element.remove
+                         end
+
+
+        # verify signature
+        signed_info_element     = REXML::XPath.first(@sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
+        noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
+        noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
+        canon_algorithm = canon_algorithm REXML::XPath.first(@sig_element, '//ds:CanonicalizationMethod', 'ds' => DSIG)
+        canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
+        noko_sig_element.remove
+
+        # check digests
+        REXML::XPath.each(@sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
+          uri                           = ref.attributes.get_attribute("URI").value
+
+          hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
+          canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
+          canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+
+          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
+
+          hash                          = digest_algorithm.digest(canon_hashed_element)
+          digest_value                  = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
+
+          unless digests_match?(hash, digest_value)
+            return soft ? false : (raise ValidationError.new("Digest mismatch"))
+          end
+        end
+
+        base64_signature        = REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
+        signature               = Base64.decode64(base64_signature)
+
+        # get certificate object
+        cert_text               = Base64.decode64(base64_cert)
+        cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+        # signature method
+        signature_algorithm     = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
+
+        unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+          return soft ? false : (raise ValidationError.new("Key validation error"))
+        end
+
+        return true
+      end
+
+      private
+
+      def digests_match?(hash, digest_value)
+        hash == digest_value
+      end
+
+      def extract_signed_element_id
+        reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
+        self.signed_element_id  = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
+      end
+
+      def canon_algorithm(element)
+        algorithm = element.attribute('Algorithm').value if element
+        case algorithm
+        when "http://www.w3.org/2001/10/xml-exc-c14n#"         then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
+        when "http://www.w3.org/2006/12/xml-c14n11"            then Nokogiri::XML::XML_C14N_1_1
+        else                                                        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        end
+      end
+
+      def algorithm(element)
+        algorithm = element.attribute("Algorithm").value if element
+        algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
+        case algorithm
+        when 256 then OpenSSL::Digest::SHA256
+        when 384 then OpenSSL::Digest::SHA384
+        when 512 then OpenSSL::Digest::SHA512
+        else
+          OpenSSL::Digest::SHA1
+        end
+      end
+
+      def extract_inclusive_namespaces
+        if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
+          prefix_list = element.attributes.get_attribute("PrefixList").value
+          prefix_list.split(" ")
+        else
+          []
+        end
+      end
+    end
+  end
+end