ruby-saml-mod 0.3.7 → 0.3.8
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/lib/xml_sec.rb +4 -2
- data/spec/fixtures/test7-response.xml +10 -0
- data/spec/response_spec.rb +13 -0
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: b4cc34deecbeae7f009b7ece4531f33613e8b08b10cf621d8e3df114b4971951
|
|
4
|
+
data.tar.gz: 9fde047cb410eb4758e2a6d2d0fe8741646b8a817776d85adeae9ec368f421a5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d006b313304782023335b97fde466a53dafa11512307a121f5d87810beae934a02ee95b606711b43fa758f06a5204a1a2c2ad26c785fb83d60c4b7f05369c48a
|
|
7
|
+
data.tar.gz: 3948976cc68bc92780b151d545c4bb48b507c4d88640a9a7bf6ab2a9fda11b1a222fd2cac86fbac2f6133ab6c7cf3104df4eeaaa6f66271c92af471214d36a85
|
data/lib/xml_sec.rb
CHANGED
|
@@ -215,7 +215,7 @@ module XMLSecurity
|
|
|
215
215
|
attach_function :xmlSecEncCtxDecrypt, [ :pointer, :pointer ], :int
|
|
216
216
|
attach_function :xmlSecEncCtxDestroy, [ :pointer ], :void
|
|
217
217
|
|
|
218
|
-
attach_function :xmlSecErrorsDefaultCallback, [ :string, :int, :string, :string, :string, :int, :string ], :void
|
|
218
|
+
XmlSecErrorsDefaultCallbackPtr = attach_function :xmlSecErrorsDefaultCallback, [ :string, :int, :string, :string, :string, :int, :string ], :void
|
|
219
219
|
attach_function :xmlSecErrorsDefaultCallbackEnableOutput, [ :bool ], :void
|
|
220
220
|
attach_function :xmlSecErrorsSetCallback, [:pointer], :void
|
|
221
221
|
|
|
@@ -266,7 +266,6 @@ module XMLSecurity
|
|
|
266
266
|
raise "Failed initializing XMLSec" if self.xmlSecInit < 0
|
|
267
267
|
raise "Failed initializing app crypto" if self.xmlSecOpenSSLAppInit(nil) < 0
|
|
268
268
|
raise "Failed initializing crypto" if self.xmlSecOpenSSLInit < 0
|
|
269
|
-
self.xmlSecErrorsSetCallback(ErrorCallback)
|
|
270
269
|
|
|
271
270
|
def self.handle_xmlsec_error_callback(*args)
|
|
272
271
|
raise_exception_if_necessary(*args)
|
|
@@ -377,6 +376,8 @@ module XMLSecurity
|
|
|
377
376
|
result = false
|
|
378
377
|
|
|
379
378
|
begin
|
|
379
|
+
XMLSecurity.xmlSecErrorsSetCallback(ErrorCallback)
|
|
380
|
+
|
|
380
381
|
# set up the keymgr
|
|
381
382
|
kmgr = XMLSecurity.xmlSecKeysMngrCreate
|
|
382
383
|
raise "failed initializing key mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrInit(kmgr) < 0
|
|
@@ -411,6 +412,7 @@ module XMLSecurity
|
|
|
411
412
|
XMLSecurity.xmlSecDSigCtxDestroy(ctx) if ctx
|
|
412
413
|
XMLSecurity.xmlFreeDoc(doc) if doc
|
|
413
414
|
XMLSecurity.xmlSecKeysMngrDestroy(kmgr) if kmgr
|
|
415
|
+
XMLSecurity.xmlSecErrorsSetCallback(XmlSecErrorsDefaultCallbackPtr)
|
|
414
416
|
end
|
|
415
417
|
|
|
416
418
|
result
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_641f919c529eb4b9c2c6447d577483256d45ac9c43" Version="2.0" IssueInstant="2014-09-16T22:15:53Z" Destination="http://shard-2.canvas.dev/saml_consume" InResponseTo="ffb009599eec994f0a4cbadbff1628f90695e44d22"><saml:Issuer>http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
3
|
+
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
4
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
|
|
5
|
+
<ds:Reference URI="#_641f919c529eb4b9c2c6447d577483256d45ac9c43"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>JjgISND0GviF1NMyrGHvCAAjQTE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>sHnaxEHN/COmtv0AzcnLV5GT2iOp9jtIo3cLeyO/ByzytLlWr5T7SKUK9pl3vs1faLiFm/S5r62srB/nf7AWFG0VRGi2QXb/gqu9A0Bm1PnqTRAtHHxH1E8oVKadiNTP1GXtmYphCgnM3ZCW6g7wUt/uS8+7sU9Q1TOTAVPzNso=</ds:SignatureValue>
|
|
6
|
+
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_3213cbee5db3b66a763035443e746877d161f0a7a5" Version="2.0" IssueInstant="2014-09-16T22:15:53Z"><saml:Issuer>http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
7
|
+
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
8
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
|
|
9
|
+
<ds:Reference URI="#_3213cbee5db3b66a763035443e746877d161f0a7a5"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>fVMHYHwOvYPwyftkUgdYe0MREmM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>hVs09lhchv3LKLa/JHNUkDB8Ze7p8g+HFoZmim2vZzvO0DX6SBT9dYDyJgHSwpyfNUr5Ba70/4Sw9/uGFBjhCqe1oQ5VqbmZW34ugvvXShzcnt6v/8S4e2tgOpnUS3XfQwYLt8Rq4k1D9fr3SdWws5UGbt5pSYGGyYgY+1AB9ow=</ds:SignatureValue>
|
|
10
|
+
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://shard-2.canvas.dev/saml2" Format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">testuser<!-- comment -->@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2014-09-16T22:20:53Z" Recipient="http://shard-2.canvas.dev/saml_consume" InResponseTo="ffb009599eec994f0a4cbadbff1628f90695e44d22"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-09-16T22:15:23Z" NotOnOrAfter="2014-09-16T22:20:53Z"><saml:AudienceRestriction><saml:Audience>http://shard-2.canvas.dev/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-09-16T22:15:53Z" SessionNotOnOrAfter="2014-09-17T06:15:53Z" SessionIndex="_9f28445329a5ada29cca3cfae83a08d289d0816bc0"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">testuser@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">testuser@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue></saml:Attribute><saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Canvas</saml:AttributeValue></saml:Attribute><saml:Attribute Name="displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Canvas Üser</saml:AttributeValue></saml:Attribute><saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Üser</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
|
data/spec/response_spec.rb
CHANGED
|
@@ -163,6 +163,19 @@ describe Onelogin::Saml::Response do
|
|
|
163
163
|
@response.fingerprint_from_idp.should == 'afe71c28ef740bc87425be13a2263d37971da1f9'
|
|
164
164
|
end
|
|
165
165
|
|
|
166
|
+
# see CVE-2017-11428
|
|
167
|
+
it "returns the full content of the NameID, even if a comment-insertion attack allows it to still validate the signature" do
|
|
168
|
+
# this file is a copy of test6-response.xml, with a comment inserted into the NameID
|
|
169
|
+
@xmlb64 = Base64.encode64(File.read(fixture_path("test7-response.xml")))
|
|
170
|
+
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
|
171
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-09-16T22:15:53Z"))
|
|
172
|
+
# the signature is still valid
|
|
173
|
+
@response.should be_is_valid
|
|
174
|
+
@response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
|
|
175
|
+
# the comment is ignored, but doesn't truncate the nameid
|
|
176
|
+
@response.name_id.should == 'testuser@example.com'
|
|
177
|
+
end
|
|
178
|
+
|
|
166
179
|
it "should map OIDs to known attributes" do
|
|
167
180
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test3-response.xml")))
|
|
168
181
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml-mod
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OneLogin LLC
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date:
|
|
17
|
+
date: 2018-04-03 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: nokogiri
|
|
@@ -108,6 +108,7 @@ files:
|
|
|
108
108
|
- spec/fixtures/test4-response.xml
|
|
109
109
|
- spec/fixtures/test5-response.xml
|
|
110
110
|
- spec/fixtures/test6-response.xml
|
|
111
|
+
- spec/fixtures/test7-response.xml
|
|
111
112
|
- spec/fixtures/wrong-key.pem
|
|
112
113
|
- spec/fixtures/xml_missigned_assertion.xml
|
|
113
114
|
- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
|
|
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
138
139
|
version: '0'
|
|
139
140
|
requirements: []
|
|
140
141
|
rubyforge_project:
|
|
141
|
-
rubygems_version: 2.
|
|
142
|
+
rubygems_version: 2.7.3
|
|
142
143
|
signing_key:
|
|
143
144
|
specification_version: 4
|
|
144
145
|
summary: Ruby library for SAML service providers
|
|
@@ -154,6 +155,7 @@ test_files:
|
|
|
154
155
|
- spec/fixtures/test4-response.xml
|
|
155
156
|
- spec/fixtures/test5-response.xml
|
|
156
157
|
- spec/fixtures/test6-response.xml
|
|
158
|
+
- spec/fixtures/test7-response.xml
|
|
157
159
|
- spec/fixtures/wrong-key.pem
|
|
158
160
|
- spec/fixtures/xml_missigned_assertion.xml
|
|
159
161
|
- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
|