ruby-saml 0.8.16 → 0.9

data/lib/schemas/{xmldsig_schema.xsd → xmldsig-core-schema.xsd}

@@ -1,13 +1,4 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!DOCTYPE schema
-  PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
- [
-   <!ATTLIST schema 
-     xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
-   <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
-   <!ENTITY % p ''>
-   <!ENTITY % s ''>
-  ]>
 
 <!-- Schema for XML Signatures
     http://www.w3.org/2000/09/xmldsig#

data/lib/xml_security.rb

@@ -30,17 +30,13 @@ require 'nokogiri'
 require "digest/sha1"
 require "digest/sha2"
 require "onelogin/ruby-saml/validation_error"
-require "onelogin/ruby-saml/utils"
 
 module XMLSecurity
 
   class BaseDocument < REXML::Document
-    REXML::Document::entity_expansion_limit = 0
 
     C14N            = "http://www.w3.org/2001/10/xml-exc-c14n#"
     DSIG            = "http://www.w3.org/2000/09/xmldsig#"
-    NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
-                       Nokogiri::XML::ParseOptions::NONET
 
     def canon_algorithm(element)
       algorithm = element
@@ -49,14 +45,10 @@ module XMLSecurity
       end
 
       case algorithm
-        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
-             "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
-          Nokogiri::XML::XML_C14N_1_0
-        when "http://www.w3.org/2006/12/xml-c14n11",
-             "http://www.w3.org/2006/12/xml-c14n11#WithComments"
-          Nokogiri::XML::XML_C14N_1_1
-        else
-          Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        when "http://www.w3.org/2001/10/xml-exc-c14n#"         then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
+        when "http://www.w3.org/2006/12/xml-c14n11"            then Nokogiri::XML::XML_C14N_1_1
+        else                                                        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
       end
     end
 
@@ -64,10 +56,9 @@ module XMLSecurity
       algorithm = element
       if algorithm.is_a?(REXML::Element)
         algorithm = element.attribute("Algorithm").value
+        algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
       end
 
-      algorithm = algorithm && algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
-
       case algorithm
       when 256 then OpenSSL::Digest::SHA256
       when 384 then OpenSSL::Digest::SHA384
@@ -80,24 +71,14 @@ module XMLSecurity
   end
 
   class Document < BaseDocument
-    RSA_SHA1        = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
-    RSA_SHA256      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
-    RSA_SHA384      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
-    RSA_SHA512      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
-    SHA1            = "http://www.w3.org/2000/09/xmldsig#sha1"
-    SHA256          = 'http://www.w3.org/2001/04/xmlenc#sha256'
-    SHA384          = "http://www.w3.org/2001/04/xmldsig-more#sha384"
-    SHA512          = 'http://www.w3.org/2001/04/xmlenc#sha512'
+    SHA1            = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+    SHA256          = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+    SHA384          = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+    SHA512          = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
     ENVELOPED_SIG   = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
-    INC_PREFIX_LIST = "#default samlp saml ds xs xsi md"
+    INC_PREFIX_LIST = "#default samlp saml ds xs xsi"
 
-    attr_writer :uuid
-
-    def uuid
-      @uuid ||= begin
-        document.root.nil? ? nil : document.root.attributes['ID']
-      end
-    end
+    attr_accessor :uuid
 
     #<Signature>
       #<SignedInfo>
@@ -114,15 +95,14 @@ module XMLSecurity
       #<KeyInfo />
       #<Object />
     #</Signature>
-    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1)
-      noko = Nokogiri::XML(self.to_s) do |config|
-        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
-      end
+    def sign_document(private_key, certificate, signature_method = SHA1, digest_method = SHA1)
+      noko = Nokogiri.parse(self.to_s)
+      canon_doc = noko.canonicalize(canon_algorithm(C14N))
 
       signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
       signed_info_element = signature_element.add_element("ds:SignedInfo")
       signed_info_element.add_element("ds:CanonicalizationMethod", {"Algorithm" => C14N})
-      signed_info_element.add_element("ds:SignatureMethod", {"Algorithm" => signature_method})
+      signed_info_element.add_element("ds:SignatureMethod", {"Algorithm"=>signature_method})
 
       # Add Reference
       reference_element = signed_info_element.add_element("ds:Reference", {"URI" => "##{uuid}"})
@@ -130,22 +110,16 @@ module XMLSecurity
       # Add Transforms
       transforms_element = reference_element.add_element("ds:Transforms")
       transforms_element.add_element("ds:Transform", {"Algorithm" => ENVELOPED_SIG})
-      c14element = transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
-      c14element.add_element("ec:InclusiveNamespaces", {"xmlns:ec" => C14N, "PrefixList" => INC_PREFIX_LIST})
+      transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
+      transforms_element.add_element("ds:InclusiveNamespaces", {"xmlns" => C14N, "PrefixList" => INC_PREFIX_LIST})
 
       digest_method_element = reference_element.add_element("ds:DigestMethod", {"Algorithm" => digest_method})
-      inclusive_namespaces = INC_PREFIX_LIST.split(" ")
-      canon_doc = noko.canonicalize(canon_algorithm(C14N), inclusive_namespaces)
       reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
 
       # add SignatureValue
-      noko_sig_element = Nokogiri::XML(signature_element.to_s) do |config|
-        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
-      end
-
+      noko_sig_element = Nokogiri.parse(signature_element.to_s)
       noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
-
       signature = compute_signature(private_key, algorithm(signature_method).new, canon_string)
       signature_element.add_element("ds:SignatureValue").text = signature
 
@@ -163,11 +137,7 @@ module XMLSecurity
       if issuer_element
         self.root.insert_after issuer_element, signature_element
       else
-        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
-          self.root.insert_before sp_sso_descriptor, signature_element
-        else
-          self.root.add_element(signature_element)
-        end
+        self.root.add_element(signature_element)
       end
     end
 
@@ -186,178 +156,96 @@ module XMLSecurity
 
   class SignedDocument < BaseDocument
 
-    attr_writer :signed_element_id
+    attr_accessor :signed_element_id
+    attr_accessor :errors
 
-    def signed_element_id
-      @signed_element_id ||= extract_signed_element_id
+    def initialize(response, errors = [])
+      super(response)
+      @errors = errors
+      extract_signed_element_id
     end
 
-    def validate_document(idp_cert_fingerprint, soft = true, options = {})
+    def validate_document(idp_cert_fingerprint, soft = true)
       # get cert from response
-      cert_element = REXML::XPath.first(
-        self,
-        "//ds:X509Certificate",
-        { "ds"=>DSIG }
-      )
-
-      if cert_element
-        base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
-        cert_text = Base64.decode64(base64_cert)
-        begin
-          cert = OpenSSL::X509::Certificate.new(cert_text)
-        rescue OpenSSL::X509::CertificateError => _e
-          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Certificate Error"))
-        end
-
-        if options[:fingerprint_alg]
-          fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
-        else
-          fingerprint_alg = OpenSSL::Digest::SHA1.new
-        end
-        fingerprint = fingerprint_alg.hexdigest(cert.to_der)
-
-        # check cert matches registered idp cert
-        if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
-          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch"))
-        end
-      else
-        if options[:cert]
-          cert = options[:cert]
-          if cert.is_a? String
-            cert = OpenSSL::X509::Certificate.new(cert)
-          end
-          base64_cert = Base64.encode64(cert.to_pem)
+      cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
+      unless cert_element
+        if soft
+          return false
         else
-          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings"))
+          raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)")
         end
       end
-      validate_signature(base64_cert, soft)
-    end
+      base64_cert  = cert_element.text
+      cert_text    = Base64.decode64(base64_cert)
+      cert         = OpenSSL::X509::Certificate.new(cert_text)
 
-    def validate_document_with_cert(idp_cert, soft = true)
-      # get cert from response
-      cert_element = REXML::XPath.first(
-        self,
-        "//ds:X509Certificate",
-        { "ds"=>DSIG }
-      )
-
-      if cert_element
-        base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
-        cert_text = Base64.decode64(base64_cert)
-        begin
-          cert = OpenSSL::X509::Certificate.new(cert_text)
-        rescue OpenSSL::X509::CertificateError => _e
-          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Certificate Error"))
-        end
+      # check cert matches registered idp cert
+      fingerprint = Digest::SHA1.hexdigest(cert.to_der)
 
-        # check saml response cert matches provided idp cert
-        if idp_cert.to_pem != cert.to_pem
-          return false
-        end
-      elsif not idp_cert
-        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings"))
-      else
-        base64_cert = Base64.encode64(idp_cert.to_pem)
+      if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+        @errors << "Fingerprint mismatch"
+        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch"))
       end
-      validate_signature(base64_cert, true)
+
+      validate_signature(base64_cert, soft)
     end
 
     def validate_signature(base64_cert, soft = true)
+      # validate references
 
-      document = Nokogiri::XML(self.to_s) do |config|
-        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
-      end
-
-      # create a rexml document
-      @working_copy ||= REXML::Document.new(self.to_s).root
+      # check for inclusive namespaces
+      inclusive_namespaces = extract_inclusive_namespaces
 
-      # get signature node
-      sig_element = REXML::XPath.first(
-          @working_copy,
-          "//ds:Signature",
-          {"ds"=>DSIG}
-      )
+      document = Nokogiri.parse(self.to_s)
 
-      if sig_element.nil?
-        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("No Signature Node"))
-      end
+      # create a working copy so we don't modify the original
+      @working_copy ||= REXML::Document.new(self.to_s).root
 
-      # signature method
-      sig_alg_value = REXML::XPath.first(
-        sig_element,
-        "./ds:SignedInfo/ds:SignatureMethod",
-        {"ds"=>DSIG}
-      )
-      signature_algorithm = algorithm(sig_alg_value)
-
-      # get signature
-      base64_signature = REXML::XPath.first(
-        sig_element,
-        "./ds:SignatureValue",
-        {"ds" => DSIG}
-      )
-
-      if base64_signature.nil?
-        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("SignatureValue not found"))
+      # store and remove signature node
+      @sig_element ||= begin
+        element = REXML::XPath.first(@working_copy, "//ds:Signature", {"ds"=>DSIG})
+        element.remove
       end
 
-      signature = Base64.decode64(OneLogin::RubySaml::Utils.element_text(base64_signature))
-
-      # canonicalization method
-      canon_algorithm = canon_algorithm REXML::XPath.first(
-        sig_element,
-        './ds:SignedInfo/ds:CanonicalizationMethod',
-        'ds' => DSIG
-      )
-
+      # verify signature
+      signed_info_element     = REXML::XPath.first(@sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
       noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
       noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
-
+      canon_algorithm = canon_algorithm REXML::XPath.first(@sig_element, '//ds:CanonicalizationMethod', 'ds' => DSIG)
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
       noko_sig_element.remove
 
-      # get inclusive namespaces
-      inclusive_namespaces = extract_inclusive_namespaces
-
       # check digests
-      ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
-
-      hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
-
-      canon_algorithm = canon_algorithm REXML::XPath.first(
-        ref,
-        '//ds:CanonicalizationMethod',
-        { "ds" => DSIG }
-      )
-
-      canon_algorithm = process_transforms(ref, canon_algorithm)
-
-      canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
-
-      digest_algorithm = algorithm(REXML::XPath.first(
-        ref,
-        "//ds:DigestMethod",
-        { "ds" => DSIG }
-      ))
-      hash = digest_algorithm.digest(canon_hashed_element)
-      encoded_digest_value = REXML::XPath.first(
-        ref,
-        "//ds:DigestValue",
-        { "ds" => DSIG }
-      )
-      digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
-
-      unless digests_match?(hash, digest_value)
-        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Digest mismatch"))
+      REXML::XPath.each(@sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
+        uri                           = ref.attributes.get_attribute("URI").value
+
+        hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
+        canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
+        canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+
+        digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", 'ds' => DSIG))
+
+        hash                          = digest_algorithm.digest(canon_hashed_element)
+        digest_value                  = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
+
+        unless digests_match?(hash, digest_value)
+          @errors << "Digest mismatch"
+          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Digest mismatch"))
+        end
       end
 
+      base64_signature        = REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
+      signature               = Base64.decode64(base64_signature)
+
       # get certificate object
-      cert_text = Base64.decode64(base64_cert)
-      cert = OpenSSL::X509::Certificate.new(cert_text)
+      cert_text               = Base64.decode64(base64_cert)
+      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+      # signature method
+      signature_algorithm     = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
 
-      # verify signature
       unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+        @errors << "Key validation error"
         return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Key validation error"))
       end
 
@@ -366,61 +254,21 @@ module XMLSecurity
 
     private
 
-    def process_transforms(ref, canon_algorithm)
-      transforms = REXML::XPath.match(
-        ref,
-        "//ds:Transforms/ds:Transform",
-        { "ds" => DSIG }
-      )
-
-      transforms.each do |transform_element|
-        if transform_element.attributes && transform_element.attributes["Algorithm"]
-          algorithm = transform_element.attributes["Algorithm"]
-          case algorithm
-            when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
-                 "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
-              canon_algorithm = Nokogiri::XML::XML_C14N_1_0
-            when "http://www.w3.org/2006/12/xml-c14n11",
-                 "http://www.w3.org/2006/12/xml-c14n11#WithComments"
-              canon_algorithm = Nokogiri::XML::XML_C14N_1_1
-            when "http://www.w3.org/2001/10/xml-exc-c14n#",
-                 "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
-              canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
-          end
-        end
-      end
-
-      canon_algorithm
-    end
-
     def digests_match?(hash, digest_value)
       hash == digest_value
     end
 
     def extract_signed_element_id
-      reference_element = REXML::XPath.first(
-        self,
-        "//ds:Signature/ds:SignedInfo/ds:Reference",
-        {"ds"=>DSIG}
-      )
-
-      return nil if reference_element.nil?
-
-      sei = reference_element.attribute("URI").value[1..-1]
-      sei.nil? ? reference_element.parent.parent.parent.attribute("ID").value : sei
+      reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
+      self.signed_element_id  = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
     end
 
     def extract_inclusive_namespaces
-      element = REXML::XPath.first(
-        self,
-        "//ec:InclusiveNamespaces",
-        { "ec" => C14N }
-      )
-      if element
+      if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
         prefix_list = element.attributes.get_attribute("PrefixList").value
         prefix_list.split(" ")
       else
-        nil
+        []
       end
     end