RubyGems - omniauth-suomifi - Versions diffs - 0.3.0 → 0.4.0 - Mend

omniauth-suomifi 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/omniauth-suomifi.rb +1 -0
data/lib/omniauth-suomifi/ruby_saml_extensions.rb +68 -0
data/lib/omniauth-suomifi/version.rb +1 -1
metadata +11 -10

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4a1f6be0c9db1b5a90f38af2f9eb08aa48330aaf0fac09d820a91134a7d22ba9
-  data.tar.gz: a03dae85e69231eb5106a76499bebf5a0dd8ddb639b8bcb3cc05348879d73470
+  metadata.gz: 3a565773bca57e1803acfbf666ee25c54474374831857b4a1d7eeec965dbf289
+  data.tar.gz: f555e8a657886b482b19bc93decac583dd3f6101c2060a48f9f811cc27af1272
 SHA512:
-  metadata.gz: e3b5d2142c659ecdda0d3e88b625e0005b35f58bb25b4f44d06dff8b984deb733b148f8e85537d05584a7d817d0f1b36bb3efba52599e71b9858003209417e1a
-  data.tar.gz: a60c7e15ffa8aecad4d896d3de2ebb4aa20ac3cd44fb7764b093d66c85a8330b90954f889319e21704bfb2c70f1fc66f0f8bb5cf0b7774c1b31d18991e7bf2f5
+  metadata.gz: df188a2b7f673b6b2710a63dda35c123b5d757d2a0310b11b76ed43f58ec0c8cc39aa682bb2c99caa8967c5a8083137dc7340804e311aaae7ac20aaabed91739
+  data.tar.gz: ce866b947cce063f0df0233bca9a5de7836b2b0326c4dab6398abb6255cd4b58627d365d9abcae09d74bc27fc4f0c7a07ab8f67eaac73efc2ebf0e3891758aeb

data/lib/omniauth-suomifi.rb CHANGED

@@ -2,3 +2,4 @@
 require 'omniauth-suomifi/version'
 require 'omniauth/strategies/suomifi'
+require 'omniauth-suomifi/ruby_saml_extensions'

data/lib/omniauth-suomifi/ruby_saml_extensions.rb ADDED

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+# This overrides the decryption method in RubySaml in order to add support for
+# AES GCM decryption required by Suomi.fi. The Suomi.fi AES GCM cipher text
+# contains an auth tag that needs to be extracted from the end of the cipher
+# text before decrypting it. Otherwise the `cipher.final` method would fail
+# becuse the decrypted data is incorrect.
+#
+# Related to this GitHub issue:
+# https://github.com/onelogin/ruby-saml/issues/541
+#
+# This differs from the original implementation only with the following aspects:
+# - Detects the AES GCM cipher methods
+# - For the AES CGM cipher methods, extracts the auth tag from the end of the
+#   cipher text, assuming it to be 16 bytes in length.
+#
+# Regarding the authentication tag, see:
+# https://tools.ietf.org/html/rfc5116#section-5.1
+#
+# > An authentication tag with a length of 16 octets (128
+# > bits) is used.  The AEAD_AES_128_GCM ciphertext is formed by
+# > appending the authentication tag provided as an output to the GCM
+# > encryption operation to the ciphertext that is output by that
+# > operation.
+OneLogin::RubySaml::Utils.class_eval do
+  # Obtains the deciphered text
+  # @param cipher_text [String]   The ciphered text
+  # @param symmetric_key [String] The symetric key used to encrypt the text
+  # @param algorithm [String]     The encrypted algorithm
+  # @return [String] The deciphered text
+  def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
+    case algorithm
+      when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
+      when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
+      when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
+      when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
+      when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-128-GCM').decrypt
+      when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-192-GCM').decrypt
+      when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-256-GCM').decrypt
+      when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
+      when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
+    end
+    if cipher
+      iv_len = cipher.iv_len
+      data = cipher_text[iv_len..-1]
+      cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
+      assertion_plaintext = cipher.update(data)
+      assertion_plaintext << cipher.final
+    elsif auth_cipher
+      iv_len, text_len, tag_len = auth_cipher.iv_len, cipher_text.length, 16
+      data = cipher_text[iv_len..text_len-1-tag_len]
+      auth_cipher.padding = 0
+      auth_cipher.key = symmetric_key
+      auth_cipher.iv = cipher_text[0..iv_len-1]
+      auth_cipher.auth_data = ''
+      auth_cipher.auth_tag = cipher_text[text_len-tag_len..-1]
+      assertion_plaintext = auth_cipher.update(data)
+      assertion_plaintext << auth_cipher.final
+    elsif rsa
+      rsa.private_decrypt(cipher_text)
+    elsif oaep
+      oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+    else
+      cipher_text
+    end
+  end
+end

data/lib/omniauth-suomifi/version.rb CHANGED

@@ -2,6 +2,6 @@
 module OmniAuth
   module Suomifi
-    VERSION = '0.3.0'
+    VERSION = '0.4.0'
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-suomifi
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Antti Hukkanen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-15 00:00:00.000000000 Z
+date: 2020-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-saml
@@ -16,42 +16,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.10.1
+        version: 1.10.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.10.1
+        version: 1.10.3
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
@@ -106,14 +106,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.0
+        version: 0.19.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.0
+        version: 0.19.0
 description: Suomi.fi e-Identification service integration for OmniAuth.
 email:
 - antti.hukkanen@mainiotech.fi
@@ -125,6 +125,7 @@ files:
 - README.md
 - Rakefile
 - lib/omniauth-suomifi.rb
+- lib/omniauth-suomifi/ruby_saml_extensions.rb
 - lib/omniauth-suomifi/test.rb
 - lib/omniauth-suomifi/test/certificate_generator.rb
 - lib/omniauth-suomifi/test/templates/encrypted_data_template.xml