ruby-saml 1.12.4 → 1.18.1

data/lib/xml_security.rb

@@ -185,15 +185,13 @@ module XMLSecurity
       x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
 
       # add the signature
-      issuer_element = self.elements["//saml:Issuer"]
+      issuer_element = elements["//saml:Issuer"]
       if issuer_element
-        self.root.insert_after issuer_element, signature_element
+        root.insert_after(issuer_element, signature_element)
+      elsif first_child = root.children[0]
+        root.insert_before(first_child, signature_element)
       else
-        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
-          self.root.insert_before sp_sso_descriptor, signature_element
-        else
-          self.root.add_element(signature_element)
-        end
+        root.add_element(signature_element)
       end
     end
 
@@ -205,7 +203,7 @@ module XMLSecurity
 
     def compute_digest(document, digest_algorithm)
       digest = digest_algorithm.digest(document)
-      Base64.encode64(digest).strip!
+      Base64.encode64(digest).strip
     end
 
   end
@@ -218,12 +216,31 @@ module XMLSecurity
     def initialize(response, errors = [])
       super(response)
       @errors = errors
+      reset_elements
+    end
+
+    def reset_elements
+      @referenced_xml = nil
+      @cached_signed_info = nil
+      @signature = nil
+      @signature_algorithm = nil
+      @ref = nil
+      @processed = false
+    end
+
+    def processed
+      @processed
+    end
+
+    def referenced_xml
+      @referenced_xml
     end
 
     def signed_element_id
       @signed_element_id ||= extract_signed_element_id
     end
 
+    # Validates the referenced_xml, which is the signed part of the document
     def validate_document(idp_cert_fingerprint, soft = true, options = {})
       # get cert from response
       cert_element = REXML::XPath.first(
@@ -244,7 +261,7 @@ module XMLSecurity
         if options[:fingerprint_alg]
           fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
         else
-          fingerprint_alg = OpenSSL::Digest::SHA1.new
+          fingerprint_alg = OpenSSL::Digest.new('SHA1')
         end
         fingerprint = fingerprint_alg.hexdigest(cert.to_der)
 
@@ -252,6 +269,7 @@ module XMLSecurity
         if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
           return append_error("Fingerprint mismatch", soft)
         end
+        base64_cert = Base64.encode64(cert.to_der)
       else
         if options[:cert]
           base64_cert = Base64.encode64(options[:cert].to_pem)
@@ -263,12 +281,10 @@ module XMLSecurity
           end
         end
       end
-      check_malformed_doc = true
-      check_malformed_doc = options[:check_malformed_doc] if options.key?(:check_malformed_doc)
-      validate_signature(base64_cert, soft, check_malformed_doc)
+      validate_signature(base64_cert, soft)
     end
 
-    def validate_document_with_cert(idp_cert, soft = true, check_malformed_doc = true)
+    def validate_document_with_cert(idp_cert, soft = true)
       # get cert from response
       cert_element = REXML::XPath.first(
         self,
@@ -289,16 +305,18 @@ module XMLSecurity
         if idp_cert.to_pem != cert.to_pem
           return append_error("Certificate of the Signature element does not match provided certificate", soft)
         end
-      else
-        base64_cert = Base64.encode64(idp_cert.to_pem)
       end
-      validate_signature(base64_cert, true, check_malformed_doc)
+
+      encoded_idp_cert = Base64.encode64(idp_cert.to_pem)
+      validate_signature(encoded_idp_cert, true)
     end
 
-    def validate_signature(base64_cert, soft = true, check_malformed_doc = true)
+    def cache_referenced_xml(soft, check_malformed_doc = true)
+      reset_elements
+      @processed = true
 
       begin
-        document = XMLSecurity::BaseDocument.safe_load_xml(self, check_malformed_doc)
+        nokogiri_document = XMLSecurity::BaseDocument.safe_load_xml(self, check_malformed_doc)
       rescue StandardError => error
         @errors << error.message
         return false if soft
@@ -315,13 +333,15 @@ module XMLSecurity
           {"ds"=>DSIG}
       )
 
+      return if sig_element.nil?
+
       # signature method
       sig_alg_value = REXML::XPath.first(
         sig_element,
         "./ds:SignedInfo/ds:SignatureMethod",
         {"ds"=>DSIG}
       )
-      signature_algorithm = algorithm(sig_alg_value)
+      @signature_algorithm = algorithm(sig_alg_value)
 
       # get signature
       base64_signature = REXML::XPath.first(
@@ -329,7 +349,11 @@ module XMLSecurity
         "./ds:SignatureValue",
         {"ds" => DSIG}
       )
-      signature = Base64.decode64(OneLogin::RubySaml::Utils.element_text(base64_signature))
+
+      return if base64_signature.nil?
+
+      base64_signature_text = OneLogin::RubySaml::Utils.element_text(base64_signature)
+      @signature = base64_signature_text.nil? ? nil : Base64.decode64(base64_signature_text)
 
       # canonicalization method
       canon_algorithm = canon_algorithm REXML::XPath.first(
@@ -338,66 +362,75 @@ module XMLSecurity
         'ds' => DSIG
       )
 
-      noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
+      noko_sig_element = nokogiri_document.at_xpath('//ds:Signature', 'ds' => DSIG)
       noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
 
-      canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
-      noko_sig_element.remove
+      @cached_signed_info = noko_signed_info_element.canonicalize(canon_algorithm)
 
-      # get signed info
-      signed_info_element = REXML::XPath.first(
-        sig_element,
-        "./ds:SignedInfo",
-        { "ds" => DSIG }
-      )
+      ### Now get the @referenced_xml to use?
+      rexml_signed_info = REXML::Document.new(@cached_signed_info.to_s).root
+
+      noko_sig_element.remove
 
       # get inclusive namespaces
       inclusive_namespaces = extract_inclusive_namespaces
 
       # check digests
-      ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
-
-      reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+      @ref = REXML::XPath.first(rexml_signed_info, "./ds:Reference", {"ds"=>DSIG})
+      return if @ref.nil?
 
-      if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
-        return append_error("Duplicated IDs found", soft)
-      end
+      reference_nodes = nokogiri_document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
 
       hashed_element = reference_nodes[0]
+      return if hashed_element.nil?
 
       canon_algorithm = canon_algorithm REXML::XPath.first(
-        signed_info_element,
+        rexml_signed_info,
         './ds:CanonicalizationMethod',
         { "ds" => DSIG }
       )
 
-      canon_algorithm = process_transforms(ref, canon_algorithm)
+      canon_algorithm = process_transforms(@ref, canon_algorithm)
 
-      canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+      @referenced_xml = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+    end
+
+    def validate_signature(base64_cert, soft = true)
+      if !@processed
+        cache_referenced_xml(soft)
+      end
+
+      return append_error("No Signature Algorithm Method found", soft) if @signature_algorithm.nil?  
+      return append_error("No Signature node found", soft) if @signature.nil?  
+      return append_error("No canonized SignedInfo ", soft) if @cached_signed_info.nil?
+      return append_error("No Reference node found", soft) if @ref.nil?
+      return append_error("No referenced XML", soft) if @referenced_xml.nil?
+
+      # get certificate object
+      cert_text = Base64.decode64(base64_cert)
+      cert = OpenSSL::X509::Certificate.new(cert_text)
 
       digest_algorithm = algorithm(REXML::XPath.first(
-        ref,
+        @ref,
         "./ds:DigestMethod",
         { "ds" => DSIG }
       ))
-      hash = digest_algorithm.digest(canon_hashed_element)
+      hash = digest_algorithm.digest(@referenced_xml)
       encoded_digest_value = REXML::XPath.first(
-        ref,
+        @ref,
         "./ds:DigestValue",
         { "ds" => DSIG }
       )
-      digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
+      encoded_digest_value_text = OneLogin::RubySaml::Utils.element_text(encoded_digest_value)
+      digest_value = encoded_digest_value_text.nil? ? nil : Base64.decode64(encoded_digest_value_text)
 
-      unless digests_match?(hash, digest_value)
+      # Compare the computed "hash" with the "signed" hash
+      unless hash && hash == digest_value
         return append_error("Digest mismatch", soft)
       end
 
-      # get certificate object
-      cert_text = Base64.decode64(base64_cert)
-      cert = OpenSSL::X509::Certificate.new(cert_text)
-
       # verify signature
-      unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+      unless cert.public_key.verify(@signature_algorithm.new, @signature, @cached_signed_info)
         return append_error("Key validation error", soft)
       end
 

data/ruby-saml.gemspec

@@ -6,17 +6,17 @@ Gem::Specification.new do |s|
   s.version = OneLogin::RubySaml::VERSION
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["OneLogin LLC"]
+  s.authors = ["SAML Toolkit", "Sixto Martin"]
+  s.email = ['contact@iamdigitalservices.com', 'sixto.martin.garcia@gmail.com']
   s.date = Time.now.strftime("%Y-%m-%d")
-  s.description = %q{SAML toolkit for Ruby on Rails}
-  s.email = %q{support@onelogin.com}
+  s.description = %q{SAML Ruby toolkit. Add SAML support to your Ruby software using this library}
   s.license = 'MIT'
   s.extra_rdoc_files = [
     "LICENSE",
     "README.md"
   ]
   s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  s.homepage = %q{https://github.com/onelogin/ruby-saml}
+  s.homepage = %q{https://github.com/saml-toolkits/ruby-saml}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
@@ -27,12 +27,18 @@ Gem::Specification.new do |s|
   # Nokogiri's version dependent on the Ruby version, even though we would
   # have liked to constrain Ruby 1.8.7 to install only the 1.5.x versions.
   if defined?(JRUBY_VERSION)
-    if JRUBY_VERSION < '9.2.0.0'
+    if JRUBY_VERSION < '9.1.7.0'
       s.add_runtime_dependency('nokogiri', '>= 1.8.2', '<= 1.8.5')
       s.add_runtime_dependency('jruby-openssl', '>= 0.9.8')
       s.add_runtime_dependency('json', '< 2.3.0')
+    elsif JRUBY_VERSION < '9.2.0.0'
+      s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
+    elsif JRUBY_VERSION < '9.3.2.0'
+      s.add_runtime_dependency('nokogiri', '>= 1.11.4')
+      s.add_runtime_dependency('rexml')
     else
-      s.add_runtime_dependency('nokogiri', '>= 1.8.2')
+      s.add_runtime_dependency('nokogiri', '>= 1.13.10')
+      s.add_runtime_dependency('rexml')
     end
   elsif RUBY_VERSION < '1.9'
     s.add_runtime_dependency('uuid')
@@ -41,28 +47,48 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
     s.add_runtime_dependency('json', '< 2.3.0')
   elsif RUBY_VERSION < '2.3'
-    s.add_runtime_dependency('nokogiri', '>= 1.9.1', '<= 1.10.0')
+    s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
+  elsif RUBY_VERSION < '2.5'
+    s.add_runtime_dependency('nokogiri', '>= 1.10.10', '< 1.11.0')
+    s.add_runtime_dependency('rexml')
+  elsif RUBY_VERSION < '2.6'
+    s.add_runtime_dependency('nokogiri', '>= 1.11.4')
+    s.add_runtime_dependency('rexml')
   else
-    s.add_runtime_dependency('nokogiri', '>= 1.10.5')
+    s.add_runtime_dependency('nokogiri', '>= 1.13.10')
     s.add_runtime_dependency('rexml')
   end
 
+  if RUBY_VERSION >= '3.4.0'
+    s.add_runtime_dependency("logger")
+    s.add_runtime_dependency("base64")
+    s.add_runtime_dependency('mutex_m')
+  end
+
   s.add_development_dependency('simplecov', '<0.22.0')
   if RUBY_VERSION < '2.4.1'
     s.add_development_dependency('simplecov-lcov', '<0.8.0')
-    s.add_development_dependency('term-ansicolor', '1.2.2')
-    s.add_development_dependency('mime-types', '<3.6.0')
   else
     s.add_development_dependency('simplecov-lcov', '>0.7.0')
   end
 
-  s.add_development_dependency('coveralls')
-  s.add_development_dependency('minitest', '~> 5.5')
+  s.add_development_dependency('minitest', '~> 5.5', '<5.19.0')
   s.add_development_dependency('mocha',    '~> 0.14')
-  s.add_development_dependency('rake',     '~> 10')
+
+  if RUBY_VERSION < '2.0'
+    s.add_development_dependency('rake',     '~> 10')
+  else
+    s.add_development_dependency('rake',     '>= 12.3.3')
+  end
+
   s.add_development_dependency('shoulda',  '~> 2.11')
   s.add_development_dependency('systemu',  '~> 2')
-  s.add_development_dependency('timecop',  '<= 0.6.0')
+
+  if RUBY_VERSION < '2.1'
+    s.add_development_dependency('timecop',  '<= 0.6.0')
+  else
+    s.add_development_dependency('timecop',  '~> 0.9')
+  end
 
   if defined?(JRUBY_VERSION)
     # All recent versions of JRuby play well with pry

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.12.4
+  version: 1.18.1
 platform: ruby
 authors:
-- OneLogin LLC
+- SAML Toolkit
+- Sixto Martin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-12 00:00:00.000000000 Z
+date: 2025-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -16,14 +17,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.10.5
+        version: 1.13.10
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.10.5
+        version: 1.13.10
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -66,20 +67,6 @@ dependencies:
     - - ">"
       - !ruby/object:Gem::Version
         version: 0.7.0
-- !ruby/object:Gem::Dependency
-  name: coveralls
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -87,6 +74,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 5.19.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -94,6 +84,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 5.19.0
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -112,16 +105,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: shoulda
   requirement: !ruby/object:Gem::Requirement
@@ -154,16 +147,16 @@ dependencies:
   name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: pry-byebug
   requirement: !ruby/object:Gem::Requirement
@@ -178,8 +171,11 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: SAML toolkit for Ruby on Rails
-email: support@onelogin.com
+description: SAML Ruby toolkit. Add SAML support to your Ruby software using this
+  library
+email:
+- contact@iamdigitalservices.com
+- sixto.martin.garcia@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -187,14 +183,15 @@ extra_rdoc_files:
 - README.md
 files:
 - ".document"
+- ".github/FUNDING.yml"
 - ".github/workflows/test.yml"
 - ".gitignore"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
 - Rakefile
-- changelog.md
+- UPGRADING.md
 - gemfiles/nokogiri-1.5.gemfile
 - lib/onelogin/ruby-saml.rb
 - lib/onelogin/ruby-saml/attribute_service.rb
@@ -231,7 +228,7 @@ files:
 - lib/schemas/xmldsig-core-schema.xsd
 - lib/xml_security.rb
 - ruby-saml.gemspec
-homepage: https://github.com/onelogin/ruby-saml
+homepage: https://github.com/saml-toolkits/ruby-saml
 licenses:
 - MIT
 metadata: {}

data/.travis.yml

@@ -1,48 +0,0 @@
-language: ruby
-rvm:
-  - 1.9.3
-  - 2.0.0
-  - 2.1.10
-  - 2.2.10
-  - 2.3.8
-  - 2.4.6
-  - 2.5.8
-  - 2.6.6
-  - 2.7.2
-  - 3.0.0
-  - jruby-1.7.27
-  - jruby-9.1.17.0
-  - jruby-9.2.13.0
-gemfile:
-  - Gemfile
-  - gemfiles/nokogiri-1.5.gemfile
-before_install:
-  - gem update bundler
-matrix:
-  exclude:
-    - rvm: jruby-1.7.27
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-9.1.17.0
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-9.2.13.0
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.1.5
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.1.10
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.2.10
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.3.8
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.4.6
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.5.8
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.6.6
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.7.2
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 3.0.0
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-env:
-  - JRUBY_OPTS="--debug"