information_card 0.1.0

data/CHANGELOG

@@ -0,0 +1,2 @@
+* 0.1.0
+  - Initial release.

data/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2007, ThoughtWorks
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the distribution.
+
+* Neither the name of ThoughtWorks nor the
+  names of its contributors may be used to endorse or promote products
+  derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README

@@ -0,0 +1,45 @@
+=Information Card
+
+A Ruby library for processing information cards.
+
+==Features
+* Easy to use API for decrypting, validating and processing SAML formatted information cards
+* Basic XML canonicalization (not yet fully c14n compliant)
+* Flexible configuration
+* Comprehensive test suite
+
+==Installing
+  gem intall information_card
+  
+The library is known to work with Ruby 1.8.4 and up on Win32, Max OSX and Ubuntu 6.06
+Examples were tested with Rails 1.2.3
+
+==Getting Started
+For documentation, visit http://informationcardruby.com/documents
+
+==Homepage
+http://informationcardruby.com
+
+See also:
+http://rubyforge.org/projects/informationcard
+http://www.codeplex.com/informationcardruby
+
+==Community
+Discussion regarding the Information Card library takes place on the RubyForge mailing lists
+
+http://rubyforge.org/mailman/listinfo/informationcard-users
+
+Please join us to discuss, ask questions and report bugs
+
+==Authors
+Joe Poon
+Jason Sallis
+
+==License
+Copyright (c) 2007 ThoughtWorks, released under the BSD license
+
+
+
+
+
+

data/Rakefile

@@ -0,0 +1,35 @@
+require 'rubygems'
+Gem::manage_gems
+require 'rake/gempackagetask'
+require 'rake/testtask'
+require 'rake/clean'
+
+CLEAN.include("pkg")
+
+# Gemspec reference - http://rubygems.org/read/chapter/20
+spec = Gem::Specification.new do |s|
+  s.name = "information_card"
+  s.version = "0.1.0"
+  s.author = "Joe Poon, Jason Sallis"
+  s.email = "informationcard-users@rubyforge.org"
+  s.homepage = "http://informationcardruby.com"
+  s.platform = Gem::Platform::RUBY
+  s.summary = "A library for processing information cards"
+  s.files = FileList["lib/**/*", "docs/**/*", "test/**/*", "Rakefile", "LICENSE", "CHANGELOG"].exclude("rdoc").to_a
+  s.require_path = "lib"
+  s.autorequire = "information_card"
+  s.has_rdoc = true
+  s.extra_rdoc_files = ["README"]  
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.need_tar = true
+end
+
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList["test/*test.rb"]
+  t.verbose = true
+end
+
+task :default => [:test]

data/lib/information_card.rb

@@ -0,0 +1,10 @@
+require 'information_card/claim_types'
+require 'information_card/config'
+require 'information_card/decrypter'
+require 'information_card/identity_token'
+require 'information_card/saml_token'
+require 'information_card/invalid_token'
+require 'information_card/processor'
+require 'information_card/xml_canonicalizer'
+require 'information_card/certificate_util'
+require 'information_card/namespaces'

data/lib/information_card/certificate_util.rb

@@ -0,0 +1,17 @@
+require 'openssl'
+
+module InformationCard
+  class CertificateUtil
+      
+    def self.lookup_private_key(directory, subject)
+      path = File.join(directory, '*.crt')
+      Dir[path].each do |cert_file|
+        cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
+        return OpenSSL::PKey::RSA.new(File.read(cert_file.gsub(/.crt$/, '') + ".key")) if (cert.subject.to_s == subject)
+      end
+      raise "No private key found in #{path.gsub(/\*.crt/, '')} with subject #{subject}"
+    end
+  end
+end
+
+

data/lib/information_card/claim_types.rb

@@ -0,0 +1,43 @@
+module InformationCard
+  class ClaimTypes
+  
+    @@claims = {
+      :given_name => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
+      :email_address => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
+      :surname => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
+      :street_address => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress",
+      :locality => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality",
+      :state_province => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince",
+      :postal_code => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode",
+      :country => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country",
+      :home_phone => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone",
+      :other_phone => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone",
+      :mobile_phone => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone",
+      :date_of_birth => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth",
+      :gender => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender",
+      :ppid => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier",
+      :webpage => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage"
+    }
+  
+    def self.map(specified_claims)
+      values = []    
+      specified_claims.each do |claim_key|
+        raise "Undefined claim #{claim_key}" if not @@claims.include?(claim_key) 
+        values << @@claims[claim_key]
+      end
+      values
+    end
+    
+    def self.lookup(namespace, attribute_name)
+      # Some identity selector implementations specify the attribute name as part of the namespace.
+      # As a result, we need to remove the duplicated attribute name from the namespace.
+      # ex. namespace => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
+      #     attribute_name => emailaddress
+      desired_claim = "#{namespace}/#{attribute_name}".gsub(/#{attribute_name}\/#{attribute_name}/, attribute_name) 
+      @@claims.each_pair do |key, value|
+        return key if value == desired_claim
+      end
+      raise "Undefined claim #{desired_claim}"
+    end
+  end
+end

data/lib/information_card/config.rb

@@ -0,0 +1,52 @@
+module InformationCard   
+  class Config
+    def self.certificate_location=(certificate_location)
+      @certificate_location = certificate_location
+    end
+    
+    def self.certificate_location
+      @certificate_location
+    end    
+
+    def self.certificate_subject=(certificate_subject)
+      @certificate_subject = certificate_subject
+    end
+    
+    def self.certificate_subject
+      @certificate_subject
+    end    
+
+    def self.audience_scope=(audience_scope)
+      @audience_scope = audience_scope
+    end
+    
+    def self.audience_scope
+      @audience_scope
+    end
+    
+    def self.audiences=(audiences)
+      @audiences = audiences
+    end
+    
+    def self.audiences
+      @audiences
+    end    
+
+    def self.required_claims=(required_claims)
+      @required_claims = required_claims
+    end
+    
+    def self.required_claims
+      @required_claims
+    end
+
+    def self.identity_claim=(identity_claim)
+      @identity_claim = identity_claim
+    end
+    
+    def self.identity_claim
+      @identity_claim
+    end
+    
+  end
+end    

data/lib/information_card/decrypter.rb

@@ -0,0 +1,53 @@
+module InformationCard
+  class Decrypter
+    
+    attr_reader :errors
+                
+    def initialize(encrypted_information_card_xml, certificate_location, certificate_subject)
+      @xml_document = REXML::Document.new(encrypted_information_card_xml)
+      @certificate_location = certificate_location
+      @certificate_subject = certificate_subject
+      @errors = {}      
+    end
+    
+    def decrypt
+      private_key = CertificateUtil.lookup_private_key(@certificate_location, @certificate_subject)      
+      encrypted_data = REXML::XPath.first(@xml_document, "enc:EncryptedData", {"enc" => Namespaces::XENC})
+      key_info = REXML::XPath.first(encrypted_data, "x:KeyInfo", {"x" => Namespaces::DS})   
+      encrypted_key = REXML::XPath.first(key_info, "e:EncryptedKey", {"e" => Namespaces::XENC})
+      key_cipher = REXML::XPath.first(encrypted_key, "e:CipherData/e:CipherValue", {"e" => Namespaces::XENC})
+      key = decrypt_key(key_cipher.text, private_key)
+
+      cipher_data = REXML::XPath.first(@xml_document, "enc:EncryptedData/enc:CipherData/enc:CipherValue", {"enc" => Namespaces::XENC})
+      decrypt_cipher_data(key, cipher_data.text)
+    end
+    
+    def valid?
+      # TODO: Should perform more validation and handle errors more gracefully.
+      #       ex. What if algorithm is not supported?
+      errors.empty?
+    end
+    
+    private 
+    
+    def decrypt_key(key_wrap_cipher, private_key, ssl_padding=OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+      # TODO: Encrypted method is assumed t obe rsa-oaep-mgf1p
+      from_key = OpenSSL::PKey::RSA.new(private_key)
+      key_wrap_str = Base64.decode64(key_wrap_cipher)
+      from_key.private_decrypt(key_wrap_str, ssl_padding)        
+    end
+    
+    def decrypt_cipher_data(key_cipher, cipher_data)
+      cipher_data_str = Base64.decode64(cipher_data)      
+      mcrypt_iv = cipher_data_str[0..15]
+      cipher_data_str = cipher_data_str[16..-1]
+      # TODO: Encryption method algorithm is assumed to be aes256-cbc.
+      cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
+      cipher.decrypt
+      cipher.key = key_cipher
+      cipher.iv = mcrypt_iv  
+      result = cipher.update(cipher_data_str)
+      result << cipher.final
+    end
+  end
+end

data/lib/information_card/identity_token.rb

@@ -0,0 +1,23 @@
+module InformationCard
+  class IdentityToken
+    attr_reader :errors, :claims
+    
+    def initialize
+      @errors = {}
+      @claims = {}
+    end
+    
+    def valid?
+      @errors.empty?
+    end
+    
+    def unique_id
+      nil
+    end
+    
+    def ppid
+      nil
+    end 
+  end 
+end
+      

data/lib/information_card/invalid_token.rb

@@ -0,0 +1,8 @@
+module InformationCard
+  class InvalidToken < IdentityToken
+    def initialize(errors)
+      super()
+      @errors = errors
+    end
+  end
+end

data/lib/information_card/namespaces.rb

@@ -0,0 +1,7 @@
+module InformationCard
+  module Namespaces
+     XENC = "http://www.w3.org/2001/04/xmlenc#"
+     DS   = "http://www.w3.org/2000/09/xmldsig#"
+     SAML_ASSERTION = "urn:oasis:names:tc:SAML:1.0:assertion"
+  end
+end

data/lib/information_card/processor.rb

@@ -0,0 +1,15 @@
+module InformationCard
+  class Processor   
+    def self.process(encrypted_information_card_xml)
+      begin    
+        decrypter = Decrypter.new(encrypted_information_card_xml, 
+                                  InformationCard::Config.certificate_location, 
+                                  InformationCard::Config.certificate_subject)
+        decrypted_information_card = decrypter.decrypt
+      rescue => e
+        return InvalidToken.new({:decryption => e.message})
+      end              
+      SamlToken.create(decrypted_information_card)
+    end
+  end
+end

data/lib/information_card/saml_token.rb

@@ -0,0 +1,212 @@
+# Portions of this class were inspired by the XmlSecurity::SignedDocument class written by Todd Saxton
+# and the 'Self-Issued InfoCard Tutorial and Demo' written by Kim Cameron
+
+require 'rexml/document'
+require 'digest/sha1'
+require 'base64'
+
+module InformationCard
+  class SamlToken < IdentityToken
+    include REXML
+    
+    private :initialize
+    
+    def self.create(saml_input)
+      saml_doc = REXML::Document.new(saml_input)
+      saml_token = SamlToken.new(saml_doc) 
+           
+      saml_token.validate_document_conditions
+      saml_token.validate_document_integrity
+      return saml_token unless saml_token.valid?
+      
+      saml_token.process_claims
+      saml_token.validate_claims
+      
+      saml_token
+    end
+
+    def initialize(saml_doc)
+      super()
+      @doc = saml_doc
+    end
+    
+    def unique_id
+      identity_claim_value = @claims[InformationCard::Config.identity_claim]
+      return identity_claim_value unless InformationCard::Config.identity_claim == :ppid
+      
+      combined_key = ''
+      combined_key << @mod
+      combined_key << @exponent
+      combined_key << identity_claim_value
+      Digest::SHA1.hexdigest(combined_key)
+    end
+     
+    def ppid
+      claims[:ppid]
+    end
+ 
+    def process_claims            
+      attribute_nodes = XPath.match(@doc, "//saml:AttributeStatement/saml:Attribute", {"saml" => Namespaces::SAML_ASSERTION})
+      attribute_nodes.each do |node|
+        key = ClaimTypes.lookup(node.attributes['AttributeNamespace'], node.attributes['AttributeName'])      
+        @claims[key] = XPath.first(node, "saml:AttributeValue", "saml" => Namespaces::SAML_ASSERTION).text        
+      end
+    end
+    
+    def validate_claims
+      return if Config::required_claims.nil? or Config::required_claims.empty?
+      
+      claims_errors = []
+      Config::required_claims.each { |claim| claims_errors << claim if not @claims.key?(claim) }
+      @errors[:missing_claims] = claims_errors unless claims_errors.empty?
+    end
+        
+    def validate_document_conditions
+      validate_audiences
+      validate_conditions
+    end
+    
+    def validate_document_integrity
+      verify_digest
+      verify_signature     
+    end
+    
+    def validate_audiences
+      conditions = XPath.first(@doc, "//saml:Conditions", "saml" => Namespaces::SAML_ASSERTION)
+      audiences = XPath.match(@doc, "//saml:AudienceRestrictionCondition/saml:Audience", {"saml" => Namespaces::SAML_ASSERTION})
+      @errors[:audience] = "AudienceRestriction is not valid" unless valid_audiences?(audiences)      
+    end
+    
+    def validate_conditions    
+      conditions = XPath.first(@doc, "//saml:Conditions", "saml" => Namespaces::SAML_ASSERTION)
+  
+      condition_errors = {}
+      not_before_time = Time.parse(conditions.attributes['NotBefore'])
+      condition_errors[:not_before] = "Time is before #{not_before_time}" if Time.now < not_before_time     
+  
+      not_on_or_after_time = Time.parse(conditions.attributes['NotOnOrAfter'])
+      condition_errors[:not_on_or_after] = "Time is on or after #{not_on_or_after_time}" if Time.now >= not_on_or_after_time
+
+      @errors[:conditions] = condition_errors unless condition_errors.empty?    
+    end
+    
+    def verify_digest     
+      working_doc = REXML::Document.new(@doc.to_s)
+      
+      assertion_node = XPath.first(working_doc, "saml:Assertion", {"saml" => Namespaces::SAML_ASSERTION}) 
+      signature_node =  XPath.first(assertion_node, "ds:Signature", {"ds" => Namespaces::DS}) 
+      signed_info_node = XPath.first(signature_node, "ds:SignedInfo", {"ds" => Namespaces::DS})    
+      digest_value_node = XPath.first(signed_info_node, "ds:Reference/ds:DigestValue", {"ds" => Namespaces::DS})
+      
+      digest_value = digest_value_node.text
+
+      signature_node.remove
+      digest_errors = []
+      canonicalizer = InformationCard::XmlCanonicalizer.new
+      
+      reference_nodes = XPath.match(signed_info_node, "ds:Reference", {"ds" => Namespaces::DS})
+      # TODO: Check specification to see if digest is required.
+      @errors[:digest] = "No reference nodes to check digest" and return if reference_nodes.nil? or reference_nodes.empty?
+      
+      reference_nodes.each do |node|
+        uri = node.attributes['URI']
+        nodes_to_verify = XPath.match(working_doc, "saml:Assertion[@AssertionID='#{uri[1..uri.size]}']", {"saml" => Namespaces::SAML_ASSERTION})
+  
+        nodes_to_verify.each do |node|
+          canonicalized_signed_info = canonicalizer.canonicalize(node)          
+          signed_node_hash = Base64.encode64(Digest::SHA1.digest(canonicalized_signed_info)).chomp                    
+          digest_errors << "Invalid Digest for #{uri}. Expected #{signed_node_hash} but was #{digest_value}" unless signed_node_hash == digest_value
+        end
+                       
+        @errors[:digest] = digest_errors unless digest_errors.empty?
+      end  
+    end
+    
+    def verify_signature
+      assertion_node = XPath.first(@doc, "saml:Assertion", {"saml" => Namespaces::SAML_ASSERTION}) 
+      signature_node =  XPath.first(assertion_node, "ds:Signature", {"ds" => Namespaces::DS})    
+      modulus_node = XPath.first(signature_node, "ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue/ds:Modulus", {"ds" => Namespaces::DS})
+      exponent_node = XPath.first(signature_node, "ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue/ds:Exponent", {"ds" => Namespaces::DS})
+      
+      @mod = modulus_node.text
+      @exponent = exponent_node.text
+      public_key_string = get_public_key(@mod, @exponent)
+    
+      signed_info_node = XPath.first(signature_node, "ds:SignedInfo", {"ds" => Namespaces::DS})
+      signature_value_node = XPath.first(signature_node, "ds:SignatureValue", {"ds" => Namespaces::DS})
+
+      signature = Base64.decode64(signature_value_node.text)
+      canonicalized_signed_info = InformationCard::XmlCanonicalizer.new.canonicalize(signed_info_node)
+      
+      @errors[:signature] = "Invalid Signature" unless public_key_string.verify(OpenSSL::Digest::SHA1.new, signature, canonicalized_signed_info)  
+    end
+    
+    def valid_audiences?(audiences)
+      audience_scope = InformationCard::Config.audience_scope
+      registered_audiences = InformationCard::Config.audiences
+      
+      return false if registered_audiences.nil? or registered_audiences.empty?
+      
+      if audience_scope == :page
+        audiences.each{|audience| return true if registered_audiences.include?(audience.text)}
+      elsif audience_scope == :site
+        audiences.each do |audience|
+          registered_audiences.each do |registered_audience|
+            return true if audience.text.index(registered_audience) == 0
+          end
+        end
+      end      
+      false
+    end
+      
+    def get_public_key(mod, exponent)
+      mod_binary = Base64.decode64(mod)     
+      exponent_binary = Base64.decode64(exponent)
+     
+      exponent_encoding = make_asn_segment(0x02, exponent_binary)
+      modulusEncoding = make_asn_segment(0x02, mod_binary)
+      sequenceEncoding = make_asn_segment(0x30, modulusEncoding + exponent_encoding)
+      bitstringEncoding = make_asn_segment(0x03, sequenceEncoding)
+      hex_array = []
+      "300D06092A864886F70D0101010500".gsub(/../) { |m| hex_array << m.to_i(16) }
+      rsaAlgorithmIdentifier = hex_array.pack('C*')       
+      combined = rsaAlgorithmIdentifier + bitstringEncoding
+      publicKeyInfo = make_asn_segment(0x30, rsaAlgorithmIdentifier + bitstringEncoding)
+  
+      #encode the publicKeyInfo in base64 and add PEM brackets
+      public_key_64 = Base64.encode64(publicKeyInfo)
+      encoding = "-----BEGIN PUBLIC KEY-----\n"
+      offset = 0;
+      # strip out the newlines
+      public_key_64.delete!("=\n") 
+      while (segment = public_key_64[offset, 64])
+         encoding = encoding + segment + "\n"
+         offset += 64
+      end
+      encoding = encoding + "-----END PUBLIC KEY-----\n"
+      @pub_key = OpenSSL::PKey::RSA.new(encoding)
+      @pub_key
+    end
+    
+    def make_asn_segment(type, string)
+      case (type)
+        when 0x02
+          string = 0.chr + string if string[0] > 0x7f
+        when 0x03
+          string = 0.chr + string
+      end
+      length = string.length
+      
+      if (length < 128)
+         output = sprintf("%c%c%s", type, length, string)   
+      elsif (length < 0x0100)
+         output = sprintf("%c%c%c%s", type, 0x81, length, string)    
+      elsif (length < 0x010000)
+         output = sprintf("%c%c%c%c%s", type, 0x82, length/0x0100, length%0x0100, string)    
+      else
+          output = nil
+      end    
+      output
+    end
+  end
+end