ruby-saml-mod 0.1.12 → 0.1.13
Sign up to get free protection for your applications and to get access to all the features.
- data/lib/xml_sec.rb +24 -6
- data/ruby-saml-mod.gemspec +2 -2
- metadata +4 -4
data/lib/xml_sec.rb
CHANGED
|
@@ -28,7 +28,7 @@ require "openssl"
|
|
|
28
28
|
require "digest/sha1"
|
|
29
29
|
require "tempfile"
|
|
30
30
|
require "shellwords"
|
|
31
|
-
|
|
31
|
+
|
|
32
32
|
module XMLSecurity
|
|
33
33
|
module SignedDocument
|
|
34
34
|
attr_reader :validation_error
|
|
@@ -50,16 +50,34 @@ module XMLSecurity
|
|
|
50
50
|
validate_doc(base64_cert, logger)
|
|
51
51
|
end
|
|
52
52
|
|
|
53
|
-
def
|
|
53
|
+
def canonicalize_doc(doc, method)
|
|
54
|
+
# this is not robust enough, but a switch to libxmlsec replacing all
|
|
55
|
+
# the hackery is imminent, so I'm not going to spend a lot of time on it.
|
|
56
|
+
mode = 0; comments = false
|
|
57
|
+
if method
|
|
58
|
+
mode = 1 if method =~ %r{xml-exc-c14n}
|
|
59
|
+
mode = 2 if method =~ %r{xml-c14n11}
|
|
60
|
+
comments = method =~ %r{#withcomments}i
|
|
61
|
+
end
|
|
62
|
+
doc.canonicalize(:mode => mode, :comments => comments)
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
def canonicalize_node(node, method)
|
|
54
66
|
tmp_document = LibXML::XML::Document.new
|
|
55
67
|
tmp_document.root = tmp_document.import(node)
|
|
56
|
-
tmp_document
|
|
68
|
+
canonicalize_doc(tmp_document, method)
|
|
57
69
|
end
|
|
58
70
|
|
|
59
71
|
def validate_doc(base64_cert, logger)
|
|
60
72
|
# validate references
|
|
61
73
|
sig_element = find_first("//ds:Signature", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
|
|
62
|
-
|
|
74
|
+
|
|
75
|
+
c14n_method = nil
|
|
76
|
+
c14n_method_element = sig_element.find_first(".//ds:CanonicalizationMethod", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
|
|
77
|
+
if c14n_method_element
|
|
78
|
+
c14n_method = c14n_method_element["Algorithm"]
|
|
79
|
+
end
|
|
80
|
+
|
|
63
81
|
# check digests
|
|
64
82
|
sig_element.find(".//ds:Reference", { "ds" => "http://www.w3.org/2000/09/xmldsig#" }).each do |ref|
|
|
65
83
|
# Find the referenced element
|
|
@@ -75,7 +93,7 @@ module XMLSecurity
|
|
|
75
93
|
ref_document_sig_element.remove! if ref_document_sig_element
|
|
76
94
|
|
|
77
95
|
# Canonicalize the referenced element's document
|
|
78
|
-
ref_document_canonicalized = ref_document
|
|
96
|
+
ref_document_canonicalized = canonicalize_doc(ref_document, c14n_method)
|
|
79
97
|
hash = Base64::encode64(Digest::SHA1.digest(ref_document_canonicalized)).chomp
|
|
80
98
|
digest_value = sig_element.find_first(".//ds:DigestValue", { "ds" => "http://www.w3.org/2000/09/xmldsig#" }).content
|
|
81
99
|
|
|
@@ -97,7 +115,7 @@ module XMLSecurity
|
|
|
97
115
|
|
|
98
116
|
# verify signature
|
|
99
117
|
signed_info_element = sig_element.find_first(".//ds:SignedInfo", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
|
|
100
|
-
canon_string = canonicalize_node(signed_info_element)
|
|
118
|
+
canon_string = canonicalize_node(signed_info_element, c14n_method)
|
|
101
119
|
|
|
102
120
|
base64_signature = sig_element.find_first(".//ds:SignatureValue", { "ds" => "http://www.w3.org/2000/09/xmldsig#" }).content
|
|
103
121
|
signature = Base64.decode64(base64_signature)
|
data/ruby-saml-mod.gemspec
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml-mod
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
hash:
|
|
4
|
+
hash: 1
|
|
5
5
|
prerelease:
|
|
6
6
|
segments:
|
|
7
7
|
- 0
|
|
8
8
|
- 1
|
|
9
|
-
-
|
|
10
|
-
version: 0.1.
|
|
9
|
+
- 13
|
|
10
|
+
version: 0.1.13
|
|
11
11
|
platform: ruby
|
|
12
12
|
authors:
|
|
13
13
|
- OneLogin LLC
|
|
@@ -18,7 +18,7 @@ autorequire:
|
|
|
18
18
|
bindir: bin
|
|
19
19
|
cert_chain: []
|
|
20
20
|
|
|
21
|
-
date: 2012-05-
|
|
21
|
+
date: 2012-05-13 00:00:00 Z
|
|
22
22
|
dependencies:
|
|
23
23
|
- !ruby/object:Gem::Dependency
|
|
24
24
|
name: libxml-ruby
|