ruby-saml-mod 0.1.15 → 0.1.16

data/lib/onelogin/saml/response.rb

@@ -22,14 +22,15 @@ module Onelogin::Saml
       
       @decrypted_document = LibXML::XML::Document.document(@document)
       @decrypted_document.extend(XMLSecurity::SignedDocument)
-      @decrypted_document.decrypt(@settings)
+      @decrypted_document.decrypt!(@settings)
       
       @in_response_to = @decrypted_document.find_first("/samlp:Response", Onelogin::NAMESPACES)['InResponseTo'] rescue nil
       @destination = @decrypted_document.find_first("/samlp:Response", Onelogin::NAMESPACES)['Destination'] rescue nil
       @name_id = @decrypted_document.find_first("/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", Onelogin::NAMESPACES).content rescue nil
       @saml_attributes = {}
       @decrypted_document.find("//saml:Attribute", Onelogin::NAMESPACES).each do |attr|
-        @saml_attributes[attr['FriendlyName']] = attr.content.strip rescue nil
+        attrname = attr['FriendlyName'] || Onelogin::ATTRIBUTES[attr['Name']] || attr['Name']
+        @saml_attributes[attrname] = attr.content.strip rescue nil
       end
       @name_qualifier = @decrypted_document.find_first("/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", Onelogin::NAMESPACES)["NameQualifier"] rescue nil
       @session_index = @decrypted_document.find_first("/samlp:Response/saml:Assertion/saml:AuthnStatement", Onelogin::NAMESPACES)["SessionIndex"] rescue nil
@@ -62,10 +63,7 @@ module Onelogin::Saml
           return false
         end
       end
-      
-      # Technically we should also verify the signature inside the encrypted portion, but if
-      # the cryptext has already been verified, the encrypted contents couldn't have been
-      # tampered with. Once we switch to using libxmlsec this won't matter anymore anyway.
+
       if !verified && @decrypted_document.find_first("//ds:Signature", Onelogin::NAMESPACES)
         verified = @decrypted_document.validate(@settings.idp_cert_fingerprint, @logger)
         if !verified
@@ -95,7 +93,7 @@ module Onelogin::Saml
     end
     
     def fingerprint_from_idp
-      if base64_cert = @document.find_first("//ds:X509Certificate", Onelogin::NAMESPACES)
+      if base64_cert = @decrypted_document.find_first("//ds:X509Certificate", Onelogin::NAMESPACES)
         cert_text = Base64.decode64(base64_cert.content)
         cert = OpenSSL::X509::Certificate.new(cert_text)
         Digest::SHA1.hexdigest(cert.to_der)
@@ -104,4 +102,4 @@ module Onelogin::Saml
       end
     end
   end
-end
+end

data/lib/onelogin/saml/settings.rb

@@ -46,10 +46,7 @@ module Onelogin::Saml
     attr_accessor :tech_contact_email
     
     ## Attributes for xml encryption
-    
-    # The path to the xmlsec1 binary used for xml decryption
-    attr_accessor :xmlsec1_path
-    
+
     # The PEM-encoded certificate
     attr_accessor :xmlsec_certificate
     
@@ -57,7 +54,7 @@ module Onelogin::Saml
     attr_accessor :xmlsec_privatekey
     
     def encryption_configured?
-      self.xmlsec1_path && self.xmlsec_certificate && self.xmlsec_privatekey
+      !!self.xmlsec_privatekey
     end
   end
-end
+end

data/lib/onelogin/saml.rb

@@ -10,6 +10,28 @@ module Onelogin
     "xenc" => "http://www.w3.org/2001/04/xmlenc#",
     "ds" => "http://www.w3.org/2000/09/xmldsig#"
   }
+
+  # for SAML2 IDPs that omit the FriendlyName, map from the registered name
+  # http://middleware.internet2.edu/dir/edu-schema-oid-registry.html
+  ATTRIBUTES = {
+    "urn:oid:1.3.6.1.4.1.5923.1.1.2" => "eduPerson",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1" => "eduPersonAffiliation",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7" => "eduPersonEntitlement",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.2" => "eduPersonNickname",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.3" => "eduPersonOrgDN",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.4" => "eduPersonOrgUnitDN",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5" => "eduPersonPrimaryAffiliation",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.8" => "eduPersonPrimaryOrgUnitDN",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" => "eduPersonPrincipalName",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9" => "eduPersonScopedAffiliation",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" => "eduPersonTargetedID",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.2" => "eduOrg",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.1.2" => "eduOrgHomePageURI",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.1.3" => "eduOrgIdentityAuthNPolicyURI",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.1.4" => "eduOrgLegalName",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.1.5" => "eduOrgSuperiorURI",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.1.6" => "eduOrgWhitePagesURI",
+  }
 end
 
 require 'onelogin/saml/auth_request'
@@ -20,4 +42,4 @@ require 'onelogin/saml/name_identifiers'
 require 'onelogin/saml/status_codes'
 require 'onelogin/saml/meta_data'
 require 'onelogin/saml/log_out_request'
-require 'onelogin/saml/logout_response'
+require 'onelogin/saml/logout_response'

data/lib/xml_sec.rb

@@ -23,136 +23,333 @@
 # Portions Copyrighted 2007 Todd W Saxton.
 
 require 'rubygems'
+require 'ffi'
+require 'base64'
 require "xml/libxml"
 require "openssl"
 require "digest/sha1"
-require "tempfile"
-require "shellwords"
 
 module XMLSecurity
+  extend FFI::Library
+  ffi_lib "xmlsec1"
+
+  enum :xmlSecKeyDataFormat, [
+      :xmlSecKeyDataFormatUnknown,
+      :xmlSecKeyDataFormatBinary,
+      :xmlSecKeyDataFormatPem,
+      :xmlSecKeyDataFormatDer,
+      :xmlSecKeyDataFormatPkcs8Pem,
+      :xmlSecKeyDataFormatPkcs8Der,
+      :xmlSecKeyDataFormatPkcs12,
+      :xmlSecKeyDataFormatCertPem,
+      :xmlSecKeyDataFormatCertDer
+  ]
+
+  enum :xmlSecKeyInfoMode, [
+      :xmlSecKeyInfoModeRead,
+      :xmlSecKeyInfoModeWrite
+  ]
+
+  enum :xmlSecAllocMode, [
+      :xmlSecAllocModeExact,
+      :xmlSecAllocModeDouble
+  ]
+
+  enum :xmlSecTransformStatus, [
+      :xmlSecTransformStatusNone,
+      :xmlSecTransformStatusWorking,
+      :xmlSecTransformStatusFinished,
+      :xmlSecTransformStatusOk,
+      :xmlSecTransformStatusFail
+  ]
+
+  enum :xmlSecTransformOperation, [
+      :xmlSecTransformOperationNone, 0,
+      :xmlSecTransformOperationEncode,
+      :xmlSecTransformOperationDecode,
+      :xmlSecTransformOperationSign,
+      :xmlSecTransformOperationVerify,
+      :xmlSecTransformOperationEncrypt,
+      :xmlSecTransformOperationDecrypt
+  ]
+
+  enum :xmlSecDSigStatus, [
+      :xmlSecDSigStatusUnknown, 0,
+      :xmlSecDSigStatusSucceeded,
+      :xmlSecDSigStatusInvalid
+  ]
+
+  class XmlSecPtrList < FFI::Struct
+    layout \
+      :id,                          :string,
+      :data,                        :pointer,        # xmlSecPtr*
+      :use,                         :uint,
+      :max,                         :uint,
+      :allocMode,                   :xmlSecAllocMode
+  end
+
+  class XmlSecKeyReq < FFI::Struct
+    layout \
+      :keyId,                       :string,         # xmlSecKeyDataId
+      :keyType,                     :uint,           # xmlSecKeyDataType
+      :keyUsage,                    :uint,           # xmlSecKeyUsage
+      :keyBitsSize,                 :uint,           # xmlSecSize
+      :keyUseWithList,              XmlSecPtrList,
+      :reserved1,                   :pointer,        # void *
+      :reserved2,                   :pointer         # void *
+  end
+
+  class XmlSecTransformCtx < FFI::Struct
+    layout \
+      :userData,                    :pointer,        # void *
+      :flags,                       :uint,
+      :flags2,                      :uint,
+      :enabledUris,                 :uint,
+      :enabledTransforms,           XmlSecPtrList,
+      :preExecCallback,             :pointer,        # xmlSecTransformCtxPreExecuteCallback
+      :result,                      :pointer,        # xmlSecBufferPtr
+      :status,                      :xmlSecTransformStatus,
+      :uri,                         :string,
+      :xptrExpr,                    :string,
+      :first,                       :pointer,        # xmlSecTransformPtr
+      :last,                        :pointer,        # xmlSecTransformPtr
+      :reserved0,                   :pointer,        # void *
+      :reserved1,                   :pointer         # void *
+  end
+
+  class XmlSecKeyInfoCtx < FFI::Struct
+    layout \
+      :userDate,                    :pointer,
+      :flags,                       :uint,
+      :flags2,                      :uint,
+      :keysMngr,                    :pointer,
+      :mode,                        :xmlSecKeyInfoMode,
+      :enabledKeyData,              XmlSecPtrList,
+      :base64LineSize,              :int,
+      :retrievalMethodCtx,          XmlSecTransformCtx,
+      :maxRetrievalMethodLevel,     :int,
+      :encCtx,                      :pointer,
+      :maxEncryptedKeyLevel,        :int,
+      :certsVerificationTime,       :time_t,
+      :certsVerificationDepth,      :int,
+      :pgpReserved,                 :pointer,
+      :curRetrievalMethodLevel,     :int,
+      :curEncryptedKeyLevel,        :int,
+      :keyReq,                      XmlSecKeyReq,
+      :reserved0,                   :pointer,
+      :reserved1,                   :pointer
+  end
+
+  class XmlSecDSigCtx < FFI::Struct
+    layout \
+      :userData,                    :pointer,     # void *
+      :flags,                       :uint,
+      :flags2,                      :uint,
+      :keyInfoReadCtx,              XmlSecKeyInfoCtx.by_value,
+      :keyInfoWriteCtx,             XmlSecKeyInfoCtx.by_value,
+      :transformCtx,                XmlSecTransformCtx.by_value,
+      :enabledReferenceUris,        :uint,        # xmlSecTransformUriType
+      :enabledReferenceTransforms,  :pointer,     # xmlSecPtrListPtr
+      :referencePreExecuteCallback, :pointer,     # xmlSecTransformCtxPreExecuteCallback
+      :defSignMethodId,             :string,      # xmlSecTransformId
+      :defC14NMethodId,             :string,      # xmlSecTransformId
+      :defDigestMethodId,           :string,      # xmlSecTransformId
+
+      :signKey,                     :pointer,     # xmlSecKeyPtr
+      :operation,                   :xmlSecTransformOperation,
+      :result,                      :pointer,     # xmlSecBufferPtr
+      :status,                      :xmlSecDSigStatus,
+      :signMethod,                  :pointer,     # xmlSecTransformPtr
+      :c14nMethod,                  :pointer,     # xmlSecTransformPtr
+      :preSignMemBufMethod,         :pointer,     # xmlSecTransformPtr
+      :signValueNode,               :pointer,     # xmlNodePtr
+      :id,                          :string,
+      :signedInfoReferences,        XmlSecPtrList,
+      :manifestReferences,          XmlSecPtrList,
+      :reserved0,                   :pointer,
+      :reserved1,                   :pointer
+  end
+
+  # xmlsec functions
+  attach_function :xmlSecInit, [], :int
+  attach_function :xmlSecParseMemory, [ :pointer, :uint, :int ], :pointer
+  attach_function :xmlSecFindNode, [ :pointer, :string, :string ], :pointer
+  attach_function :xmlSecDSigCtxCreate, [ :pointer ], XmlSecDSigCtx.by_ref
+  attach_function :xmlSecDSigCtxVerify, [ XmlSecDSigCtx.by_ref, :pointer ], :int
+  attach_function :xmlSecCryptoInit, [], :int
+  attach_function :xmlSecCryptoDLLoadLibrary, [ :string ], :int
+  attach_function :xmlSecCryptoAppInit, [ :pointer ], :int
+  attach_function :xmlSecAddIDs, [ :pointer, :pointer, :pointer ], :void
+  attach_function :xmlSecDSigCtxDestroy, [ XmlSecDSigCtx.by_ref ], :void
+
+  attach_function :xmlSecKeysMngrCreate, [], :pointer
+  attach_function :xmlSecCryptoAppDefaultKeysMngrInit, [ :pointer ], :int
+  attach_function :xmlSecCryptoAppKeyLoad, [ :string, :xmlSecKeyDataFormat, :pointer, :pointer, :pointer ], :pointer
+  attach_function :xmlSecCryptoAppKeyLoadMemory, [ :pointer, :uint, :xmlSecKeyDataFormat, :pointer, :pointer, :pointer ], :pointer
+  attach_function :xmlSecCryptoAppDefaultKeysMngrAdoptKey, [ :pointer, :pointer ], :int
+  attach_function :xmlSecKeysMngrDestroy, [ :pointer ], :void
+
+  attach_function :xmlSecEncCtxCreate, [ :pointer ], :pointer
+  attach_function :xmlSecEncCtxDecrypt, [ :pointer, :pointer ], :int
+  attach_function :xmlSecEncCtxDestroy, [ :pointer ], :void
+
+  # libxml functions
+  attach_function :xmlInitParser, [], :void
+  attach_function :xmlDocGetRootElement, [ :pointer ], :pointer
+  attach_function :xmlDocDumpFormatMemory, [ :pointer, :pointer, :pointer, :int ], :void
+  attach_function :xmlFreeDoc, [ :pointer ], :void
+
+  self.xmlInitParser
+  raise "Failed initializing XMLSec" if self.xmlSecInit < 0
+  raise "Failed initializing xmlsec with openssl" if self.xmlSecCryptoDLLoadLibrary("openssl") < 0
+  raise "Failed initializing app crypto" if self.xmlSecCryptoAppInit(nil) < 0
+  raise "Failed initializing crypto" if self.xmlSecCryptoInit < 0
+
   module SignedDocument
     attr_reader :validation_error
 
+    def self.format_cert(cert)
+      # re-encode the certificate in the proper format
+      # this snippet is from http://bugs.ruby-lang.org/issues/4421
+      rsa = cert.public_key
+      modulus = rsa.n
+      exponent = rsa.e
+      oid = OpenSSL::ASN1::ObjectId.new("rsaEncryption")
+      alg_id = OpenSSL::ASN1::Sequence.new([oid, OpenSSL::ASN1::Null.new(nil)])
+      ary = [OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)]
+      pub_key = OpenSSL::ASN1::Sequence.new(ary)
+      enc_pk = OpenSSL::ASN1::BitString.new(pub_key.to_der)
+      subject_pk_info = OpenSSL::ASN1::Sequence.new([alg_id, enc_pk])
+      base64 = Base64.encode64(subject_pk_info.to_der)
+
+      # This is the equivalent to the X.509 encoding used in >= 1.9.3
+      "-----BEGIN PUBLIC KEY-----\n#{base64}-----END PUBLIC KEY-----"
+    end
+
     def validate(idp_cert_fingerprint, logger = nil)
       # get cert from response
       base64_cert = self.find_first("//ds:X509Certificate", Onelogin::NAMESPACES).content
       cert_text = Base64.decode64(base64_cert)
       cert = OpenSSL::X509::Certificate.new(cert_text)
 
-      # check cert matches registered idp cert
-      fingerprint = Digest::SHA1.hexdigest(cert.to_der)
-      expected_fingerprint = idp_cert_fingerprint.gsub(":", "").downcase
-      if fingerprint != expected_fingerprint
-        @validation_error = "Invalid fingerprint (expected #{expected_fingerprint}, got #{fingerprint})"
-        return false
+      # check cert matches registered idp cert, unless we explicitly skip this check
+      unless idp_cert_fingerprint == '*'
+        fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+        expected_fingerprint = idp_cert_fingerprint.gsub(":", "").downcase
+        if fingerprint != expected_fingerprint
+          @validation_error = "Invalid fingerprint (expected #{expected_fingerprint}, got #{fingerprint})"
+          return false
+        end
       end
 
-      validate_doc(base64_cert, logger)
-    end
+      # create a copy of the document with the certificate removed
+      doc = LibXML::XML::Document.new
+      doc.root = doc.import(self.root)
+      sigcert = doc.find_first("//ds:Signature/ds:KeyInfo", Onelogin::NAMESPACES)
+      sigcert.remove!
 
-    def canonicalize_doc(doc, method)
-      # this is not robust enough, but a switch to libxmlsec replacing all
-      # the hackery is imminent, so I'm not going to spend a lot of time on it.
-      mode = 0; comments = false
-      if method
-        mode = 1 if method =~ %r{xml-exc-c14n}
-        mode = 2 if method =~ %r{xml-c14n11}
-        comments = method =~ %r{#withcomments}i
-      end
-      doc.canonicalize(:mode => mode, :comments => comments)
+      # validate it!
+      validate_doc(doc.to_s(:indent => false), SignedDocument.format_cert(cert))
     end
 
-    def canonicalize_node(node, method)
-      tmp_document = LibXML::XML::Document.new
-      tmp_document.root = tmp_document.import(node)
-      canonicalize_doc(tmp_document, method)
-    end
+    def validate_doc(xml, pem)
+      kmgr = nil
+      ctx = nil
+      result = false
 
-    def validate_doc(base64_cert, logger)
-      # validate references
-      sig_element = find_first("//ds:Signature", Onelogin::NAMESPACES)
+      begin
+        # set up the keymgr
+        kmgr = XMLSecurity.xmlSecKeysMngrCreate
+        raise "failed initializing key mgr" if XMLSecurity.xmlSecCryptoAppDefaultKeysMngrInit(kmgr) < 0
+        key = XMLSecurity.xmlSecCryptoAppKeyLoadMemory(pem, pem.length, :xmlSecKeyDataFormatPem, nil, nil, nil)
+        raise "failed loading key" if key.null?
+        raise "failed adding key to mgr" if XMLSecurity.xmlSecCryptoAppDefaultKeysMngrAdoptKey(kmgr, key) < 0
 
-      c14n_method = nil
-      c14n_method_element = sig_element.find_first(".//ds:CanonicalizationMethod", Onelogin::NAMESPACES)
-      if c14n_method_element
-        c14n_method = c14n_method_element["Algorithm"]
-      end
+        # parse the xml
+        doc = XMLSecurity.xmlSecParseMemory(xml, xml.length, 0)
+        root = XMLSecurity.xmlDocGetRootElement(doc)
 
-      # check digests
-      sig_element.find(".//ds:Reference", Onelogin::NAMESPACES).each do |ref|
-        # Find the referenced element
-        uri = ref["URI"]
-        ref_element = find_first("//*[@ID='#{uri[1,uri.size]}']")
-
-        # Create a copy document with it
-        ref_document = LibXML::XML::Document.new
-        ref_document.root = ref_document.import(ref_element)
-
-        # Remove the Signature node
-        ref_document_sig_element = ref_document.find_first(".//ds:Signature", Onelogin::NAMESPACES)
-        ref_document_sig_element.remove! if ref_document_sig_element
-
-        # Canonicalize the referenced element's document
-        ref_document_canonicalized = canonicalize_doc(ref_document, c14n_method)
-        hash = Base64::encode64(Digest::SHA1.digest(ref_document_canonicalized)).chomp
-        digest_value = sig_element.find_first(".//ds:DigestValue", Onelogin::NAMESPACES).content
-
-        if hash != digest_value
-          @validation_error = <<-EOF.gsub(/^\s+/, '')
-            Invalid references digest.
-            Got digest of
-            #{hash}
-            but expected
-            #{digest_value}
-            XML from response:
-            #{ref_document.to_s(:indent => false)}
-            Canonized XML:
-            #{ref_document_canonicalized}
-            EOF
-          return false
-        end
-      end
- 
-      # verify signature
-      signed_info_element = sig_element.find_first(".//ds:SignedInfo", Onelogin::NAMESPACES)
-      canon_string = canonicalize_node(signed_info_element, c14n_method)
+        # add the ID attribute as an id. yeah, hacky
+        idary = FFI::MemoryPointer.new(:pointer, 2)
+        idary[0].put_pointer(0, FFI::MemoryPointer.from_string("ID"))
+        idary[1].put_pointer(0, nil)
+        XMLSecurity.xmlSecAddIDs(doc, root, idary)
 
-      base64_signature = sig_element.find_first(".//ds:SignatureValue", Onelogin::NAMESPACES).content
-      signature = Base64.decode64(base64_signature)
+        # get the root node, and then find the signature
+        node = XMLSecurity.xmlSecFindNode(root, "Signature", "http://www.w3.org/2000/09/xmldsig#")
+        raise "Signature node not found" if node.null?
 
-      cert_text = Base64.decode64(base64_cert)
-      cert = OpenSSL::X509::Certificate.new(cert_text)
+        # create the sig context
+        ctx = XMLSecurity.xmlSecDSigCtxCreate(kmgr)
+        raise "failed creating digital signature context" if ctx.null?
 
-      if !cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
-        @validation_error = "Invalid public key"
-        return false
+        # verify!
+        raise "failed verifying dsig" if XMLSecurity.xmlSecDSigCtxVerify(ctx, node) < 0
+        result = ctx[:status] == :xmlSecDSigStatusSucceeded
+        @validation_error = ctx[:status].to_s unless result
+      rescue Exception => e
+        @validation_error = e.message
+      ensure
+        XMLSecurity.xmlSecDSigCtxDestroy(ctx) if ctx
+        XMLSecurity.xmlFreeDoc(doc) if doc
+        XMLSecurity.xmlSecKeysMngrDestroy(kmgr) if kmgr
       end
-      return true
+
+      result
     end
 
-    def decrypt(settings)
+    # replaces EncryptedData nodes with decrypted copies
+    def decrypt!(settings)
       if settings.encryption_configured?
         find("//xenc:EncryptedData", Onelogin::NAMESPACES).each do |node|
-          Tempfile.open("ruby-saml-decrypt") do |f|
-            f.puts node.to_s
-            f.close
-            command = [ settings.xmlsec1_path, "decrypt", "--privkey-pem", settings.xmlsec_privatekey, f.path ].shelljoin
-            decrypted_xml = %x{#{command}}
-            if $?.exitstatus != 0
-              @logger.warn "Could not decrypt: #{decrypted_xml}" if @logger
-              return false
-            else
-              decrypted_doc = LibXML::XML::Document.string(decrypted_xml)
-              decrypted_node = decrypted_doc.root
-              decrypted_node = self.import(decrypted_node)
-              node.parent.next = decrypted_node
-              node.parent.remove!
-            end
-            f.unlink
+          decrypted_xml = decrypt_node(settings, node.to_s)
+          if decrypted_xml
+            decrypted_doc = LibXML::XML::Document.string(decrypted_xml)
+            decrypted_node = decrypted_doc.root
+            decrypted_node = self.import(decrypted_node)
+            node.parent.next = decrypted_node
+            node.parent.remove!
           end
         end
       end
       true
     end
+
+    def decrypt_node(settings, xmlstr)
+      kmgr = nil
+      ctx = nil
+      doc = nil
+      result = nil
+      begin
+        kmgr = XMLSecurity.xmlSecKeysMngrCreate
+        raise "Failed initializing key mgr" if XMLSecurity.xmlSecCryptoAppDefaultKeysMngrInit(kmgr) < 0
+
+        key = XMLSecurity.xmlSecCryptoAppKeyLoad(settings.xmlsec_privatekey, :xmlSecKeyDataFormatPem, nil, nil, nil)
+        raise "Failed loading key" if key.null?
+        raise "Failed adding key to mgr" if XMLSecurity.xmlSecCryptoAppDefaultKeysMngrAdoptKey(kmgr, key) < 0
+
+        doc = XMLSecurity.xmlSecParseMemory(xmlstr, xmlstr.length, 0)
+        raise "Failed to parse node" if doc.null?
+
+        ctx = XMLSecurity.xmlSecEncCtxCreate(kmgr)
+        raise "failed creating enc ctx" if ctx.null?
+
+        node = XMLSecurity.xmlDocGetRootElement(doc)
+        raise "failed decrypting" if XMLSecurity.xmlSecEncCtxDecrypt(ctx, node) < 0
+
+        ptr = FFI::MemoryPointer.new(:pointer, 1)
+        sizeptr = FFI::MemoryPointer.new(:pointer, 1)
+        XMLSecurity.xmlDocDumpFormatMemory(doc, ptr, sizeptr, 0)
+        strptr = ptr.read_pointer
+        result = strptr.null? ? nil : strptr.read_string
+      rescue Exception => e
+        @logger.warn "Could not decrypt: #{e.message}" if @logger
+      ensure
+        XMLSecurity.xmlSecEncCtxDestroy(ctx) if ctx
+        XMLSecurity.xmlFreeDoc(doc) if doc
+        XMLSecurity.xmlSecKeysMngrDestroy(kmgr) if kmgr
+      end
+      result
+    end
   end
 end

data/ruby-saml-mod.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = %q{ruby-saml-mod}
-  s.version = "0.1.15"
+  s.version = "0.1.16"
 
   s.authors = ["OneLogin LLC", "Bracken", "Zach", "Cody"]
   s.date = %q{2012-06-20}

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: ruby-saml-mod
 version: !ruby/object:Gem::Version 
-  hash: 5
+  hash: 59
   prerelease: 
   segments: 
   - 0
   - 1
-  - 15
-  version: 0.1.15
+  - 16
+  version: 0.1.16
 platform: ruby
 authors: 
 - OneLogin LLC