ruby-saml-mod 0.1.13 → 0.1.14

@@ -47,18 +47,35 @@ module Onelogin::Saml
47
47
  return false
48
48
  end
49
49
 
50
- if @document.find_first("//ds:X509Certificate", Onelogin::NAMESPACES).nil?
51
- @validation_error = "No ds:X509Certificate element"
52
- return false
53
- end
54
-
55
50
  if !@settings.idp_cert_fingerprint
56
51
  @validation_error = "No fingerprint configured in SAML settings"
57
52
  return false
58
53
  end
59
54
 
60
- if !@document.validate(@settings.idp_cert_fingerprint, @logger)
61
- @validation_error = @document.validation_error
55
+ # Verify the original document if it has a signature, otherwise verify the signature
56
+ # in the encrypted portion. If there is no signature, then we can't verify.
57
+ verified = false
58
+ if @document.find_first("//ds:Signature", Onelogin::NAMESPACES)
59
+ verified = @document.validate(@settings.idp_cert_fingerprint, @logger)
60
+ if !verified
61
+ @validation_error = @document.validation_error
62
+ return false
63
+ end
64
+ end
65
+
66
+ # Technically we should also verify the signature inside the encrypted portion, but if
67
+ # the cryptext has already been verified, the encrypted contents couldn't have been
68
+ # tampered with. Once we switch to using libxmlsec this won't matter anymore anyway.
69
+ if !verified && @decrypted_document.find_first("//ds:Signature", Onelogin::NAMESPACES)
70
+ verified = @decrypted_document.validate(@settings.idp_cert_fingerprint, @logger)
71
+ if !verified
72
+ @validation_error = @document.validation_error
73
+ return false
74
+ end
75
+ end
76
+
77
+ if !verified
78
+ @validation_error = "No signature found in the response"
62
79
  return false
63
80
  end
64
81
 
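Review bot: The failure path of the decrypted-document branch reports the wrong error: `@validation_error = @document.validation_error` follows `verified = @decrypted_document.validate(@settings.idp_cert_fingerprint, @logger)`, but on this path `@document.validate` either never ran or already returned, so callers get a stale or nil message; it should read `@validation_error = @decrypted_document.validation_error`. The comment above that branch argues that a verified outer signature means the encrypted contents cannot have been tampered with, which only holds if that signature's Reference actually covers the element that is later consumed — verifying whichever `//ds:Signature` appears first does not establish that on its own, so the assumption should be stated in the comment or the reference target checked against the consumed element. `@decrypted_document` is also dereferenced without a nil check; if it can be unset for responses without an encrypted portion, the condition needs `@decrypted_document && @decrypted_document.find_first("//ds:Signature", Onelogin::NAMESPACES)`. The enclosing method starts and ends outside the hunk.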
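--- a/data/lib/xml_sec.rb
+++ b/data/lib/xml_sec.rb
@@ -70,16 +70,16 @@ module XMLSecurity
 
  def validate_doc(base64_cert, logger)
  # validate references
- sig_element = find_first("//ds:Signature", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
+ sig_element = find_first("//ds:Signature", Onelogin::NAMESPACES)
 
  c14n_method = nil
- c14n_method_element = sig_element.find_first(".//ds:CanonicalizationMethod", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
+ c14n_method_element = sig_element.find_first(".//ds:CanonicalizationMethod", Onelogin::NAMESPACES)
  if c14n_method_element
  c14n_method = c14n_method_element["Algorithm"]
  end
 
  # check digests
- sig_element.find(".//ds:Reference", { "ds" => "http://www.w3.org/2000/09/xmldsig#" }).each do |ref|
+ sig_element.find(".//ds:Reference", Onelogin::NAMESPACES).each do |ref|
  # Find the referenced element
  uri = ref["URI"]
  ref_element = find_first("//*[@ID='#{uri[1,uri.size]}']")
@@ -89,13 +89,13 @@ module XMLSecurity
  ref_document.root = ref_document.import(ref_element)
 
  # Remove the Signature node
- ref_document_sig_element = ref_document.find_first(".//ds:Signature", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
+ ref_document_sig_element = ref_document.find_first(".//ds:Signature", Onelogin::NAMESPACES)
  ref_document_sig_element.remove! if ref_document_sig_element
 
  # Canonicalize the referenced element's document
  ref_document_canonicalized = canonicalize_doc(ref_document, c14n_method)
  hash = Base64::encode64(Digest::SHA1.digest(ref_document_canonicalized)).chomp
- digest_value = sig_element.find_first(".//ds:DigestValue", { "ds" => "http://www.w3.org/2000/09/xmldsig#" }).content
+ digest_value = sig_element.find_first(".//ds:DigestValue", Onelogin::NAMESPACES).content
 
  if hash != digest_value
  @validation_error = <<-EOF.gsub(/^\s+/, '')
@@ -114,10 +114,10 @@ module XMLSecurity
  end
 
  # verify signature
- signed_info_element = sig_element.find_first(".//ds:SignedInfo", { "ds" => "http://www.w3.org/2000/09/xmldsig#" })
+ signed_info_element = sig_element.find_first(".//ds:SignedInfo", Onelogin::NAMESPACES)
  canon_string = canonicalize_node(signed_info_element, c14n_method)
 
- base64_signature = sig_element.find_first(".//ds:SignatureValue", { "ds" => "http://www.w3.org/2000/09/xmldsig#" }).content
+ base64_signature = sig_element.find_first(".//ds:SignatureValue", Onelogin::NAMESPACES).content
  signature = Base64.decode64(base64_signature)
 
  cert_text = Base64.decode64(base64_cert)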
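Review bot: Inside the `ds:Reference` loop the expected digest is read from the whole signature, `digest_value = sig_element.find_first(".//ds:DigestValue", Onelogin::NAMESPACES).content`, rather than from the reference being checked, so with more than one `ds:Reference` every iteration is compared against the first DigestValue; it should be `digest_value = ref.find_first(".//ds:DigestValue", Onelogin::NAMESPACES).content`. The referenced element is located with `find_first("//*[@ID='#{uri[1,uri.size]}']")`, which interpolates the URI straight into an XPath string and returns the first element anywhere in the document carrying that ID — a single quote in the URI alters the query, and nothing visible here ties the verified element to the one the caller later consumes, which is the classic signature-wrapping concern. At minimum the URI should be checked to start with `#` and to match the XML ID production before it is used, and an empty URI (a same-document reference to the whole document) currently turns into an empty ID lookup rather than a whole-document digest. `validate_doc` continues past the end of the hunk.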
@@ -1,9 +1,9 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = %q{ruby-saml-mod}
3
- s.version = "0.1.13"
3
+ s.version = "0.1.14"
4
4
 
5
5
  s.authors = ["OneLogin LLC", "Bracken", "Zach", "Cody"]
6
- s.date = %q{2012-05-13}
6
+ s.date = %q{2012-05-14}
7
7
  s.extra_rdoc_files = [
8
8
  "LICENSE"
9
9
  ]
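--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
  --- !ruby/object:Gem::Specification
  name: ruby-saml-mod
  version: !ruby/object:Gem::Version
- hash: 1
+ hash: 7
  prerelease:
  segments:
  - 0
  - 1
- - 13
- version: 0.1.13
+ - 14
+ version: 0.1.14
  platform: ruby
  authors:
  - OneLogin LLC
@@ -18,7 +18,7 @@ autorequire:
  bindir: bin
  cert_chain: []
 
- date: 2012-05-13 00:00:00 Z
+ date: 2012-05-14 00:00:00 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: libxml-ruby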