ruby-saml-mod 0.3.7 → 0.3.8

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: b1b242e9ff3858681e80c4091494d480e2611088
4
- data.tar.gz: 1dc877f9a2879b6e37687b78ab439da852f408bf
2
+ SHA256:
3
+ metadata.gz: b4cc34deecbeae7f009b7ece4531f33613e8b08b10cf621d8e3df114b4971951
4
+ data.tar.gz: 9fde047cb410eb4758e2a6d2d0fe8741646b8a817776d85adeae9ec368f421a5
5
5
  SHA512:
6
- metadata.gz: 05a823a73ff85abcccc37895b2d4fbbfe94f87963c892a3e3ddf4281e28ec023cc6ea50625ffc23788ad3cd9b353df7190823e10ae4752f6412fb9e2df2ec1b7
7
- data.tar.gz: 76e7c832f85e0e1e47a14484c3a55af32ab437b77b07a386f403ddb30ec2503f3fff5f293df0ff17b41b22fbce27372f0c3d2c7f98a2cb841c8d439f38f56a87
6
+ metadata.gz: d006b313304782023335b97fde466a53dafa11512307a121f5d87810beae934a02ee95b606711b43fa758f06a5204a1a2c2ad26c785fb83d60c4b7f05369c48a
7
+ data.tar.gz: 3948976cc68bc92780b151d545c4bb48b507c4d88640a9a7bf6ab2a9fda11b1a222fd2cac86fbac2f6133ab6c7cf3104df4eeaaa6f66271c92af471214d36a85
@@ -215,7 +215,7 @@ module XMLSecurity
215
215
  attach_function :xmlSecEncCtxDecrypt, [ :pointer, :pointer ], :int
216
216
  attach_function :xmlSecEncCtxDestroy, [ :pointer ], :void
217
217
 
218
- attach_function :xmlSecErrorsDefaultCallback, [ :string, :int, :string, :string, :string, :int, :string ], :void
218
+ XmlSecErrorsDefaultCallbackPtr = attach_function :xmlSecErrorsDefaultCallback, [ :string, :int, :string, :string, :string, :int, :string ], :void
219
219
  attach_function :xmlSecErrorsDefaultCallbackEnableOutput, [ :bool ], :void
220
220
  attach_function :xmlSecErrorsSetCallback, [:pointer], :void
221
221
 
@@ -266,7 +266,6 @@ module XMLSecurity
266
266
  raise "Failed initializing XMLSec" if self.xmlSecInit < 0
267
267
  raise "Failed initializing app crypto" if self.xmlSecOpenSSLAppInit(nil) < 0
268
268
  raise "Failed initializing crypto" if self.xmlSecOpenSSLInit < 0
269
- self.xmlSecErrorsSetCallback(ErrorCallback)
270
269
 
271
270
  def self.handle_xmlsec_error_callback(*args)
272
271
  raise_exception_if_necessary(*args)
@@ -377,6 +376,8 @@ module XMLSecurity
377
376
  result = false
378
377
 
379
378
  begin
379
+ XMLSecurity.xmlSecErrorsSetCallback(ErrorCallback)
380
+
380
381
  # set up the keymgr
381
382
  kmgr = XMLSecurity.xmlSecKeysMngrCreate
382
383
  raise "failed initializing key mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrInit(kmgr) < 0
@@ -411,6 +412,7 @@ module XMLSecurity
411
412
  XMLSecurity.xmlSecDSigCtxDestroy(ctx) if ctx
412
413
  XMLSecurity.xmlFreeDoc(doc) if doc
413
414
  XMLSecurity.xmlSecKeysMngrDestroy(kmgr) if kmgr
415
+ XMLSecurity.xmlSecErrorsSetCallback(XmlSecErrorsDefaultCallbackPtr)
414
416
  end
415
417
 
416
418
  result
@@ -0,0 +1,10 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+ <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_641f919c529eb4b9c2c6447d577483256d45ac9c43" Version="2.0" IssueInstant="2014-09-16T22:15:53Z" Destination="http://shard-2.canvas.dev/saml_consume" InResponseTo="ffb009599eec994f0a4cbadbff1628f90695e44d22"><saml:Issuer>http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
3
+ <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
4
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
5
+ <ds:Reference URI="#_641f919c529eb4b9c2c6447d577483256d45ac9c43"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>JjgISND0GviF1NMyrGHvCAAjQTE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>sHnaxEHN/COmtv0AzcnLV5GT2iOp9jtIo3cLeyO/ByzytLlWr5T7SKUK9pl3vs1faLiFm/S5r62srB/nf7AWFG0VRGi2QXb/gqu9A0Bm1PnqTRAtHHxH1E8oVKadiNTP1GXtmYphCgnM3ZCW6g7wUt/uS8+7sU9Q1TOTAVPzNso=</ds:SignatureValue>
6
+ <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_3213cbee5db3b66a763035443e746877d161f0a7a5" Version="2.0" IssueInstant="2014-09-16T22:15:53Z"><saml:Issuer>http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
7
+ <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
8
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
9
+ <ds:Reference URI="#_3213cbee5db3b66a763035443e746877d161f0a7a5"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>fVMHYHwOvYPwyftkUgdYe0MREmM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>hVs09lhchv3LKLa/JHNUkDB8Ze7p8g+HFoZmim2vZzvO0DX6SBT9dYDyJgHSwpyfNUr5Ba70/4Sw9/uGFBjhCqe1oQ5VqbmZW34ugvvXShzcnt6v/8S4e2tgOpnUS3XfQwYLt8Rq4k1D9fr3SdWws5UGbt5pSYGGyYgY+1AB9ow=</ds:SignatureValue>
10
+ <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://shard-2.canvas.dev/saml2" Format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">testuser<!-- comment -->@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2014-09-16T22:20:53Z" Recipient="http://shard-2.canvas.dev/saml_consume" InResponseTo="ffb009599eec994f0a4cbadbff1628f90695e44d22"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-09-16T22:15:23Z" NotOnOrAfter="2014-09-16T22:20:53Z"><saml:AudienceRestriction><saml:Audience>http://shard-2.canvas.dev/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-09-16T22:15:53Z" SessionNotOnOrAfter="2014-09-17T06:15:53Z" SessionIndex="_9f28445329a5ada29cca3cfae83a08d289d0816bc0"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">testuser@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">testuser@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue></saml:Attribute><saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Canvas</saml:AttributeValue></saml:Attribute><saml:Attribute Name="displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Canvas Üser</saml:AttributeValue></saml:Attribute><saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Üser</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
@@ -163,6 +163,19 @@ describe Onelogin::Saml::Response do
163
163
  @response.fingerprint_from_idp.should == 'afe71c28ef740bc87425be13a2263d37971da1f9'
164
164
  end
165
165
 
166
+ # see CVE-2017-11428
167
+ it "returns the full content of the NameID, even if a comment-insertion attack allows it to still validate the signature" do
168
+ # this file is a copy of test6-response.xml, with a comment inserted into the NameID
169
+ @xmlb64 = Base64.encode64(File.read(fixture_path("test7-response.xml")))
170
+ @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
171
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-09-16T22:15:53Z"))
172
+ # the signature is still valid
173
+ @response.should be_is_valid
174
+ @response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
175
+ # the comment is ignored, but doesn't truncate the nameid
176
+ @response.name_id.should == 'testuser@example.com'
177
+ end
178
+
166
179
  it "should map OIDs to known attributes" do
167
180
  @xmlb64 = Base64.encode64(File.read(fixture_path("test3-response.xml")))
168
181
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml-mod
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.7
4
+ version: 0.3.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - OneLogin LLC
@@ -14,7 +14,7 @@ authors:
14
14
  autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
- date: 2017-10-28 00:00:00.000000000 Z
17
+ date: 2018-04-03 00:00:00.000000000 Z
18
18
  dependencies:
19
19
  - !ruby/object:Gem::Dependency
20
20
  name: nokogiri
@@ -108,6 +108,7 @@ files:
108
108
  - spec/fixtures/test4-response.xml
109
109
  - spec/fixtures/test5-response.xml
110
110
  - spec/fixtures/test6-response.xml
111
+ - spec/fixtures/test7-response.xml
111
112
  - spec/fixtures/wrong-key.pem
112
113
  - spec/fixtures/xml_missigned_assertion.xml
113
114
  - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
138
139
  version: '0'
139
140
  requirements: []
140
141
  rubyforge_project:
141
- rubygems_version: 2.6.13
142
+ rubygems_version: 2.7.3
142
143
  signing_key:
143
144
  specification_version: 4
144
145
  summary: Ruby library for SAML service providers
@@ -154,6 +155,7 @@ test_files:
154
155
  - spec/fixtures/test4-response.xml
155
156
  - spec/fixtures/test5-response.xml
156
157
  - spec/fixtures/test6-response.xml
158
+ - spec/fixtures/test7-response.xml
157
159
  - spec/fixtures/wrong-key.pem
158
160
  - spec/fixtures/xml_missigned_assertion.xml
159
161
  - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml