ruby-saml-mod 0.1.13 → 0.1.14

@@ -47,18 +47,35 @@ module Onelogin::Saml
47
47
  return false
48
48
  end
49
49
 
50
- if @document.find_first("//ds:X509Certificate", Onelogin::NAMESPACES).nil?
51
- @validation_error = "No ds:X509Certificate element"
52
- return false
53
- end
54
-
55
50
  if !@settings.idp_cert_fingerprint
56
51
  @validation_error = "No fingerprint configured in SAML settings"
57
52
  return false
58
53
  end
59
54
 
60
- if !@document.validate(@settings.idp_cert_fingerprint, @logger)
61
- @validation_error = @document.validation_error
55
+ # Verify the original document if it has a signature, otherwise verify the signature
56
+ # in the encrypted portion. If there is no signature, then we can't verify.
57
+ verified = false
58
+ if @document.find_first("//ds:Signature", Onelogin::NAMESPACES)
59
+ verified = @document.validate(@settings.idp_cert_fingerprint, @logger)
60
+ if !verified
61
+ @validation_error = @document.validation_error
62
+ return false
63
+ end
64
+ end
65
+
66
+ # Technically we should also verify the signature inside the encrypted portion, but if
67
+ # the cryptext has already been verified, the encrypted contents couldn't have been
68
+ # tampered with. Once we switch to using libxmlsec this won't matter anymore anyway.
69
+ if !verified && @decrypted_document.find_first("//ds:Signature", Onelogin::NAMESPACES)
70
+ verified = @decrypted_document.validate(@settings.idp_cert_fingerprint, @logger)
71
+ if !verified
72
+ @validation_error = @document.validation_error
73
+ return false
74
+ end
75
+ end
76
+
77
+ if !verified
78
+ @validation_error = "No signature found in the response"
62
79
  return false
63
80
  end
64
81
 
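Review bot: In the decrypted-document branch (new lines 69-75) the failure path reads `@document.validation_error` although it was `@decrypted_document.validate` that just failed, so the caller is handed the outer document's error, which this branch never set; it should be `@validation_error = @decrypted_document.validation_error`. If `@decrypted_document` can be nil for a response with no encrypted portion (not visible in this hunk), line 69 raises NoMethodError instead of reaching the `"No signature found in the response"` branch, and a guard such as `if !verified && @decrypted_document && @decrypted_document.find_first("//ds:Signature", Onelogin::NAMESPACES)` would keep that an explicit validation failure. The comment at lines 66-68 rests on the outer Signature's Reference actually covering the element that holds the encrypted data, which is decided by what the Reference URI resolves to in `XMLSecurity#validate_doc`, not here, so the comment should state that as the assumption it is. The enclosing method starts and ends outside this hunk.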
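--- a/data/lib/xml_sec.rb
+++ b/data/lib/xml_sec.rb
@@ -70,16 +70,16 @@ module XMLSecurity
 
 def validate_doc(base64_cert, logger)
 # validate references
-sig_element = find_first("//ds:Signature", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
+sig_element = find_first("//ds:Signature", Onelogin::NAMESPACES)
 
 c14n_method = nil
-c14n_method_element = sig_element.find_first(".//ds:CanonicalizationMethod", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
+c14n_method_element = sig_element.find_first(".//ds:CanonicalizationMethod", Onelogin::NAMESPACES)
 if c14n_method_element
 c14n_method = c14n_method_element["Algorithm"]
 end
 
 # check digests
-sig_element.find(".//ds:Reference", { "ds" => "http://www.w3.org/2000/09/xmldsig#" }).each do |ref|
+sig_element.find(".//ds:Reference", Onelogin::NAMESPACES).each do |ref|
 # Find the referenced element
 uri = ref["URI"]
 ref_element = find_first("//*[@ID='#{uri[1,uri.size]}']")
@@ -89,13 +89,13 @@ module XMLSecurity
 ref_document.root = ref_document.import(ref_element)
 
 # Remove the Signature node
-ref_document_sig_element = ref_document.find_first(".//ds:Signature", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
+ref_document_sig_element = ref_document.find_first(".//ds:Signature", Onelogin::NAMESPACES)
 ref_document_sig_element.remove! if ref_document_sig_element
 
 # Canonicalize the referenced element's document
 ref_document_canonicalized = canonicalize_doc(ref_document, c14n_method)
 hash = Base64::encode64(Digest::SHA1.digest(ref_document_canonicalized)).chomp
-digest_value = sig_element.find_first(".//ds:DigestValue", { "ds" => "http://www.w3.org/2000/09/xmldsig#" }).content
+digest_value = sig_element.find_first(".//ds:DigestValue", Onelogin::NAMESPACES).content
 
 if hash != digest_value
 @validation_error = <<-EOF.gsub(/^\s+/, '')
@@ -114,10 +114,10 @@ module XMLSecurity
 end
 
 # verify signature
-signed_info_element = sig_element.find_first(".//ds:SignedInfo", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
+signed_info_element = sig_element.find_first(".//ds:SignedInfo", Onelogin::NAMESPACES)
 canon_string = canonicalize_node(signed_info_element, c14n_method)
 
-base64_signature = sig_element.find_first(".//ds:SignatureValue", { "ds" => "http://www.w3.org/2000/09/xmldsig#" }).content
+base64_signature = sig_element.find_first(".//ds:SignatureValue", Onelogin::NAMESPACES).content
 signature = Base64.decode64(base64_signature)
 
 cert_text = Base64.decode64(base64_cert)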
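Review bot: The changed `digest_value` lookup in the second hunk (new line 98) runs inside the `each do |ref|` loop but searches from `sig_element`, so every Reference is compared against the first DigestValue in the whole Signature rather than its own; scope it to the reference, `digest_value = ref.find_first(".//ds:DigestValue", Onelogin::NAMESPACES).content`. The same hunk computes `hash` with `Digest::SHA1` unconditionally, so a Reference whose ds:DigestMethod names another algorithm cannot validate; that line is unchanged by this commit, but it caps what this validator accepts and deserves a comment saying so. Replacing the inline `{ "ds" => ... }` hash with `Onelogin::NAMESPACES` makes `XMLSecurity` depend on the `Onelogin` constant being loaded first, and the file's requires are outside these hunks, so that load order cannot be confirmed from here. `validate_doc` starts in the first hunk and continues past the third.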
@@ -1,9 +1,9 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = %q{ruby-saml-mod}
3
- s.version = "0.1.13"
3
+ s.version = "0.1.14"
4
4
 
5
5
  s.authors = ["OneLogin LLC", "Bracken", "Zach", "Cody"]
6
- s.date = %q{2012-05-13}
6
+ s.date = %q{2012-05-14}
7
7
  s.extra_rdoc_files = [
8
8
  "LICENSE"
9
9
  ]
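--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml-mod
 version: !ruby/object:Gem::Version
-hash: 1
+hash: 7
 prerelease:
 segments:
 - 0
 - 1
-- 13
-version: 0.1.13
+- 14
+version: 0.1.14
 platform: ruby
 authors:
 - OneLogin LLC
@@ -18,7 +18,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-05-13 00:00:00 Z
+date: 2012-05-14 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: libxml-ruby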