ruby-saml 1.16.0 → 1.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e3094dc9c1e3692dddfc40adc2a4c305fae0be74bcd28b296f231ece4fe89334
-  data.tar.gz: 1f47dcbd970af95d58049bdd7f8bfed6a5bf8a72a90c1938b2b8ef2a0d5dd05f
+  metadata.gz: 188af740c1b9627be73d3a4cbd8261316773d3b3da0b74b0ef49b5d1c9c04f02
+  data.tar.gz: 85cb561ba597924b7037be197dac6fd175c1a626969829e170bb44d8e8a1a50d
 SHA512:
-  metadata.gz: 52ea3c1013e7b42b2e30c42bfbfd38bee0457d7bd630df94fcb9e9bc7db126e6981308af877a9b4c475e563a10159a0612d38d79458f289341730a496adeb77a
-  data.tar.gz: e85c81f6fb8610793707c70c6dee09b4fe2053f307a7a2827df08038bc54b6250b77dfa3cf30d33d0029899aff1b82740347292df691a5e8757c3966058e842b
+  metadata.gz: 0b154ce0a94f1f1b525179d33f8a98d5422cabafe527f32104646135ae0a9218064638639b7ec5735de1dda8ef55faa5571f22f563d57f44e040a81b6116b5a1
+  data.tar.gz: 78ea0021299530423e28935782b851894ed9740c1e93c610575518532d22bcc20829dbe26b0569f38ad21894cc145b3d785c75765c8bd0dde6e078598d864545

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: [SAML-Toolkits]

data/.github/workflows/test.yml

@@ -8,11 +8,57 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-20.04, macos-latest]
-        ruby-version: [2.1.9, 2.2.10, 2.3.8, 2.4.6, 2.5.8, 2.6.6, 2.7.2, 3.0.1, 3.1, 3.2, jruby-9.1.17.0, jruby-9.2.17.0, jruby-9.3.2.0, jruby-9.4.0.0, truffleruby]
+        os:
+          - ubuntu-20.04
+          - macos-latest
+          - windows-latest
+        ruby-version:
+          - 2.1
+          - 2.2
+          - 2.3
+          - 2.4
+          - 2.5
+          - 2.6
+          - 2.7
+          - 3.0
+          - 3.1
+          - 3.2
+          - 3.3
+          - jruby-9.1
+          - jruby-9.2
+          - jruby-9.3
+          - jruby-9.4
+          - truffleruby
+        exclude:
+          - os: macos-latest
+            ruby-version: 2.1
+          - os: macos-latest
+            ruby-version: 2.2
+          - os: macos-latest
+            ruby-version: 2.3
+          - os: macos-latest
+            ruby-version: 2.4
+          - os: macos-latest
+            ruby-version: 2.5
+          - os: macos-latest
+            ruby-version: jruby-9.1
+          - os: macos-latest
+            ruby-version: jruby-9.2
+          - os: windows-latest
+            ruby-version: 2.1
+          - os: windows-latest
+            ruby-version: jruby-9.1
+          - os: windows-latest
+            ruby-version: jruby-9.2
+          - os: windows-latest
+            ruby-version: jruby-9.3
+          - os: windows-latest
+            ruby-version: jruby-9.4
+          - os: windows-latest
+            ruby-version: truffleruby
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up Ruby ${{ matrix.ruby-version }}
         uses: ruby/setup-ruby@v1
         with:

data/CHANGELOG.md

@@ -1,11 +1,22 @@
 # Ruby SAML Changelog
+
+### 1.17.0  (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+* [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Support multiple simultaneous SP decryption keys via `Settings#sp_cert_multi` parameter.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Deprecate `Settings#certificate_new` parameter.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` will use the first non-expired certificate/key when signing/decrypting. It will raise an error only if there are no valid certificates/keys.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` now validates the certificate `not_before` condition; previously it was only validating `not_after`.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` now causes the generated SP metadata to exclude any inactive/expired certificates.
+
 ### 1.16.0 (Oct 09, 2023)
 * [#671](https://github.com/SAML-Toolkits/ruby-saml/pull/671) Add support on LogoutRequest with Encrypted NameID
 
 ### 1.15.0 (Jan 04, 2023)
 * [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
 * [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata 
-* [#576](https://github.com/SAML-Toolkits/ruby-saml/pull/576) Support idp cert multi with string keys
+* [#576](https://github.com/SAML-Toolkits/ruby-saml/pull/576) Support `Settings#idp_cert_multi` with string keys
 * [#567](https://github.com/SAML-Toolkits/ruby-saml/pull/567) Improve Code quality
 * Add info about new repo, new maintainer, new security contact
 * Fix tests, Adjust dependencies, Add ruby 3.2 and new jruby versions tests to the CI. Add coveralls support
@@ -29,6 +40,9 @@
 * Add warning about the use of IdpMetadataParser class and SSRF
 * CI: Migrate from Travis to Github Actions
 
+### 1.12.3  (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+
 ### 1.12.2 (Apr 08, 2021)
 * [#575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
 

data/README.md

@@ -7,6 +7,8 @@
 Ruby SAML minor and tiny versions may introduce breaking changes. Please read
 [UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
 
+There is a critical vulnerability affecting ruby-saml < 1.17.0 (CVE-2024-45409). Make sure you are using an updated version. (1.12.3 is safe)
+
 ## Overview
 
 The Ruby SAML library is for implementing the client side of a SAML authorization,
@@ -22,30 +24,10 @@ We created a demo project for Rails 4 that uses the latest version of this libra
 
 The following Ruby versions are covered by CI testing:
 
-* 2.1.x
-* 2.2.x
-* 2.3.x
-* 2.4.x
-* 2.5.x
-* 2.6.x
-* 2.7.x
-* 3.0.x
-* 3.1
-* 3.2
-* JRuby 9.1.x
-* JRuby 9.2.x
-* JRuby 9.3.X
-* JRuby 9.4.0
+* Ruby (MRI) 2.1 to 3.3
+* JRuby 9.1 to 9.4
 * TruffleRuby (latest)
 
-In addition, the following may work but are untested:
-
-* 1.8.7
-* 1.9.x
-* 2.0.x
-* JRuby 1.7.x
-* JRuby 9.0.x
-
 ## Adding Features, Pull Requests
 
 * Fork the repository
@@ -735,6 +717,48 @@ validation fails. You may disable such exceptions using the `settings.security[:
   settings.security[:soft] = true  # Do not raise error on failed signature/certificate validations
 ```
 
+#### Advanced SP Certificate Usage & Key Rollover
+
+Ruby SAML provides the `settings.sp_cert_multi` parameter to enable the following
+advanced usage scenarios:
+- Rotating SP certificates and private keys without disruption of service.
+- Specifying separate SP certificates for signing and encryption.
+
+The `sp_cert_multi` parameter replaces `certificate` and `private_key`
+(you may not specify both pparameters at the same time.) `sp_cert_multi` has the following shape:
+
+```ruby
+settings.sp_cert_multi = {
+  signing: [
+    { certificate: cert1, private_key: private_key1 },
+    { certificate: cert2, private_key: private_key2 }
+  ],
+  encryption: [
+    { certificate: cert1, private_key: private_key1 },
+    { certificate: cert3, private_key: private_key1 }
+  ],
+}
+```
+
+Certificate rotation is acheived by inserting new certificates at the bottom of each list,
+and then removing the old certificates from the top of the list once your IdPs have migrated.
+A common practice is for apps to publish the current SP metadata at a URL endpoint and have
+the IdP regularly poll for updates.
+
+Note the following:
+- You may re-use the same certificate and/or private key in multiple places, including for both signing and encryption.
+- The IdP should attempt to verify signatures with *all* `:signing` certificates,
+  and permit if *any one* succeeds. When signing, Ruby SAML will use the first SP certificate
+  in the `sp_cert_multi[:signing]` array. This will be the first active/non-expired certificate
+  in the array if `settings.security[:check_sp_cert_expiration]` is true.
+- The IdP may encrypt with any of the SP certificates in the `sp_cert_multi[:encryption]`
+  array. When decrypting, Ruby SAML attempt to decrypt with each SP private key in
+  `sp_cert_multi[:encryption]` until the decryption is successful. This will skip private
+  keys for inactive/expired certificates if `:check_sp_cert_expiration` is true.
+- If `:check_sp_cert_expiration` is true, the generated SP metadata XML will not include
+  inactive/expired certificates. This avoids validation errors when the IdP reads the SP
+  metadata.
+
 #### Audience Validation
 
 A service provider should only consider a SAML response valid if the IdP includes an <AudienceRestriction>
@@ -758,29 +782,6 @@ is invalid using the `settings.security[:strict_audience_validation]` parameter.
 settings.security[:strict_audience_validation] = true
 ```
 
-#### Key Rollover
-
-To update the SP X.509 certificate and private key without disruption of service, you may define the parameter
-`settings.certificate_new`. This will publish the new SP certificate in your metadata so that your IdP counterparties
-may cache it in preparation for rollover.
-
-For example, if you to rollover from `CERT A` to `CERT B`. Before rollover, your settings should look as follows.
-Both `CERT A` and `CERT B` will now appear in your SP metadata, however `CERT A` will still be used for signing
-and encryption at this time.
-
-```ruby
-  settings.certificate = "CERT A"
-  settings.private_key = "PRIVATE KEY FOR CERT A"
-  settings.certificate_new = "CERT B"
-```
-
-After the IdP has cached `CERT B`, you may then change your settings as follows:
-
-```ruby
-  settings.certificate = "CERT B"
-  settings.private_key = "PRIVATE KEY FOR CERT B"
-```
-
 ## Single Log Out
 
 Ruby SAML supports SP-initiated Single Logout and IdP-Initiated Single Logout.

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -72,9 +72,10 @@ module OneLogin
         request = deflate(request) if settings.compress_request
         base64_request = encode(request)
         request_params = {"SAMLRequest" => base64_request}
+        sp_signing_key = settings.get_sp_signing_key
 
-        if settings.idp_sso_service_binding == Utils::BINDINGS[:redirect] && settings.security[:authn_requests_signed] && settings.private_key
-          params['SigAlg']    = settings.security[:signature_method]
+        if settings.idp_sso_service_binding == Utils::BINDINGS[:redirect] && settings.security[:authn_requests_signed] && sp_signing_key
+          params['SigAlg'] = settings.security[:signature_method]
           url_string = OneLogin::RubySaml::Utils.build_query(
             :type => 'SAMLRequest',
             :data => base64_request,
@@ -82,7 +83,7 @@ module OneLogin
             :sig_alg => params['SigAlg']
           )
           sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          signature = sp_signing_key.sign(sign_algorithm.new, url_string)
           params['Signature'] = encode(signature)
         end
 
@@ -179,15 +180,13 @@ module OneLogin
       end
 
       def sign_document(document, settings)
-        if settings.idp_sso_service_binding == Utils::BINDINGS[:post] && settings.security[:authn_requests_signed] && settings.private_key && settings.certificate
-          private_key = settings.get_sp_key
-          cert = settings.get_sp_cert
+        cert, private_key = settings.get_sp_signing_pair
+        if settings.idp_sso_service_binding == Utils::BINDINGS[:post] && settings.security[:authn_requests_signed] && private_key && cert
           document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
 
         document
       end
-
     end
   end
 end

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -186,8 +186,6 @@ module OneLogin
         idpsso_descriptors.map {|id| IdpMetadata.new(id, id.parent.attributes["entityID"])}
       end
 
-      private
-
       # Retrieve the remote IdP metadata from the URL or a cached copy.
       # @param url [String] Url where the XML of the Identity Provider Metadata is published.
       # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
@@ -220,6 +218,8 @@ module OneLogin
         )
       end
 
+      private
+
       class IdpMetadata
         attr_reader :idpsso_descriptor, :entity_id
 

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -69,8 +69,9 @@ module OneLogin
         request = deflate(request) if settings.compress_request
         base64_request = encode(request)
         request_params = {"SAMLRequest" => base64_request}
+        sp_signing_key = settings.get_sp_signing_key
 
-        if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_requests_signed] && settings.private_key
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_requests_signed] && sp_signing_key
           params['SigAlg'] = settings.security[:signature_method]
           url_string = OneLogin::RubySaml::Utils.build_query(
             :type => 'SAMLRequest',
@@ -79,7 +80,7 @@ module OneLogin
             :sig_alg => params['SigAlg']
           )
           sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          signature = settings.get_sp_signing_key.sign(sign_algorithm.new, url_string)
           params['Signature'] = encode(signature)
         end
 
@@ -138,9 +139,8 @@ module OneLogin
 
       def sign_document(document, settings)
         # embed signature
-        if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && settings.security[:logout_requests_signed] && settings.private_key && settings.certificate
-          private_key = settings.get_sp_key
-          cert = settings.get_sp_cert
+        cert, private_key = settings.get_sp_signing_pair
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && settings.security[:logout_requests_signed] && private_key && cert
           document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
 

data/lib/onelogin/ruby-saml/metadata.rb

@@ -62,29 +62,14 @@ module OneLogin
         }
       end
 
-      # Add KeyDescriptor if messages will be signed / encrypted
-      # with SP certificate, and new SP certificate if any
+      # Add KeyDescriptor elements for SP certificates.
       def add_sp_certificates(sp_sso, settings)
-        cert = settings.get_sp_cert
-        cert_new = settings.get_sp_cert_new
-
-        for sp_cert in [cert, cert_new]
-          if sp_cert
-            cert_text = Base64.encode64(sp_cert.to_der).gsub("\n", '')
-            kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
-            ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-            xd = ki.add_element "ds:X509Data"
-            xc = xd.add_element "ds:X509Certificate"
-            xc.text = cert_text
-
-            if settings.security[:want_assertions_encrypted]
-              kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
-              ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-              xd2 = ki2.add_element "ds:X509Data"
-              xc2 = xd2.add_element "ds:X509Certificate"
-              xc2.text = cert_text
-            end
-          end
+        certs = settings.get_sp_certs
+
+        certs[:signing].each { |cert, _| add_sp_cert_element(sp_sso, cert, :signing) }
+
+        if settings.security[:want_assertions_encrypted]
+          certs[:encryption].each { |cert, _| add_sp_cert_element(sp_sso, cert, :encryption) }
         end
 
         sp_sso
@@ -153,8 +138,7 @@ module OneLogin
       def embed_signature(meta_doc, settings)
         return unless settings.security[:metadata_signed]
 
-        private_key = settings.get_sp_key
-        cert = settings.get_sp_cert
+        cert, private_key = settings.get_sp_signing_pair
         return unless private_key && cert
 
         meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
@@ -172,6 +156,18 @@ module OneLogin
 
         ret
       end
+
+      private
+
+      def add_sp_cert_element(sp_sso, cert, use)
+        return unless cert
+        cert_text = Base64.encode64(cert.to_der).gsub("\n", '')
+        kd = sp_sso.add_element "md:KeyDescriptor", { "use" => use.to_s }
+        ki = kd.add_element "ds:KeyInfo", { "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#" }
+        xd = ki.add_element "ds:X509Data"
+        xc = xd.add_element "ds:X509Certificate"
+        xc.text = cert_text
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/response.rb

@@ -915,9 +915,9 @@ module OneLogin
           begin
             encrypted_node = xpath_first_from_signed_assertion('/a:Subject/a:EncryptedID')
             if encrypted_node
-              node = decrypt_nameid(encrypted_node)
+              decrypt_nameid(encrypted_node)
             else
-              node = xpath_first_from_signed_assertion('/a:Subject/a:NameID')
+              xpath_first_from_signed_assertion('/a:Subject/a:NameID')
             end
           end
       end
@@ -969,7 +969,7 @@ module OneLogin
       # @return [XMLSecurity::SignedDocument] The SAML Response with the assertion decrypted
       #
       def generate_decrypted_document
-        if settings.nil? || !settings.get_sp_key
+        if settings.nil? || settings.get_sp_decryption_keys.empty?
           raise ValidationError.new('An EncryptedAssertion found and no SP private key found on the settings to decrypt it. Be sure you provided the :settings parameter at the initialize method')
         end
 
@@ -1012,42 +1012,42 @@ module OneLogin
       end
 
       # Decrypts an EncryptedID element
-      # @param encryptedid_node [REXML::Element] The EncryptedID element
+      # @param encrypted_id_node [REXML::Element] The EncryptedID element
       # @return [REXML::Document] The decrypted EncrypedtID element
       #
-      def decrypt_nameid(encryptedid_node)
-        decrypt_element(encryptedid_node, /(.*<\/(\w+:)?NameID>)/m)
+      def decrypt_nameid(encrypted_id_node)
+        decrypt_element(encrypted_id_node, /(.*<\/(\w+:)?NameID>)/m)
       end
 
-      # Decrypts an EncryptedID element
-      # @param encryptedid_node [REXML::Element] The EncryptedID element
-      # @return [REXML::Document] The decrypted EncrypedtID element
+      # Decrypts an EncryptedAttribute element
+      # @param encrypted_attribute_node [REXML::Element] The EncryptedAttribute element
+      # @return [REXML::Document] The decrypted EncryptedAttribute element
       #
-      def decrypt_attribute(encryptedattribute_node)
-        decrypt_element(encryptedattribute_node, /(.*<\/(\w+:)?Attribute>)/m)
+      def decrypt_attribute(encrypted_attribute_node)
+        decrypt_element(encrypted_attribute_node, /(.*<\/(\w+:)?Attribute>)/m)
       end
 
       # Decrypt an element
-      # @param encryptedid_node [REXML::Element] The encrypted element
-      # @param rgrex string Regex
+      # @param encrypt_node [REXML::Element] The encrypted element
+      # @param regexp [Regexp] The regular expression to extract the decrypted data
       # @return [REXML::Document] The decrypted element
       #
-      def decrypt_element(encrypt_node, rgrex)
-        if settings.nil? || !settings.get_sp_key
+      def decrypt_element(encrypt_node, regexp)
+        if settings.nil? || settings.get_sp_decryption_keys.empty?
           raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
         end
 
-
         if encrypt_node.name == 'EncryptedAttribute'
           node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
         else
           node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
         end
 
-        elem_plaintext = OneLogin::RubySaml::Utils.decrypt_data(encrypt_node, settings.get_sp_key)
+        elem_plaintext = OneLogin::RubySaml::Utils.decrypt_multi(encrypt_node, settings.get_sp_decryption_keys)
+
         # If we get some problematic noise in the plaintext after decrypting.
         # This quick regexp parse will grab only the Element and discard the noise.
-        elem_plaintext = elem_plaintext.match(rgrex)[0]
+        elem_plaintext = elem_plaintext.match(regexp)[0]
 
         # To avoid namespace errors if saml namespace is not defined
         # create a parent node first with the namespace defined

data/lib/onelogin/ruby-saml/settings.rb

@@ -60,8 +60,8 @@ module OneLogin
       attr_accessor :attributes_index
       attr_accessor :force_authn
       attr_accessor :certificate
-      attr_accessor :certificate_new
       attr_accessor :private_key
+      attr_accessor :sp_cert_multi
       attr_accessor :authn_context
       attr_accessor :authn_context_comparison
       attr_accessor :authn_context_decl_ref
@@ -70,6 +70,7 @@ module OneLogin
       attr_accessor :security
       attr_accessor :soft
       # Deprecated
+      attr_accessor :certificate_new
       attr_accessor :assertion_consumer_logout_service_url
       attr_reader   :assertion_consumer_logout_service_binding
       attr_accessor :issuer
@@ -180,10 +181,7 @@ module OneLogin
       # @return [OpenSSL::X509::Certificate|nil] Build the IdP certificate from the settings (previously format it)
       #
       def get_idp_cert
-        return nil if idp_cert.nil? || idp_cert.empty?
-
-        formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
-        OpenSSL::X509::Certificate.new(formatted_cert)
+        OneLogin::RubySaml::Utils.build_cert_object(idp_cert)
       end
 
       # @return [Hash with 2 arrays of OpenSSL::X509::Certificate] Build multiple IdP certificates from the settings.
@@ -191,7 +189,7 @@ module OneLogin
       def get_idp_cert_multi
         return nil if idp_cert_multi.nil? || idp_cert_multi.empty?
 
-        raise ArgumentError.new("Invalid value for idp_cert_multi") if not idp_cert_multi.is_a?(Hash)
+        raise ArgumentError.new("Invalid value for idp_cert_multi") unless idp_cert_multi.is_a?(Hash)
 
         certs = {:signing => [], :encryption => [] }
 
@@ -200,49 +198,70 @@ module OneLogin
           next if !certs_for_type || certs_for_type.empty?
 
           certs_for_type.each do |idp_cert|
-            formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
-            certs[type].push(OpenSSL::X509::Certificate.new(formatted_cert))
+            certs[type].push(OneLogin::RubySaml::Utils.build_cert_object(idp_cert))
           end
         end
 
         certs
       end
 
-      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
-      #
-      def get_sp_cert
-        return nil if certificate.nil? || certificate.empty?
+      # @return [Hash<Symbol, Array<Array<OpenSSL::X509::Certificate, OpenSSL::PKey::RSA>>>]
+      #   Build the SP certificates and private keys from the settings. If
+      #   check_sp_cert_expiration is true, only returns certificates and private keys
+      #   that are not expired.
+      def get_sp_certs
+        certs = get_all_sp_certs
+        return certs unless security[:check_sp_cert_expiration]
 
-        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
-        cert = OpenSSL::X509::Certificate.new(formatted_cert)
+        active_certs = { signing: [], encryption: [] }
+        certs.each do |use, pairs|
+          next if pairs.empty?
 
-        if security[:check_sp_cert_expiration]
-          if OneLogin::RubySaml::Utils.is_cert_expired(cert)
-            raise OneLogin::RubySaml::ValidationError.new("The SP certificate expired.")
-          end
+          pairs = pairs.select { |cert, _| !cert || OneLogin::RubySaml::Utils.is_cert_active(cert) }
+          raise OneLogin::RubySaml::ValidationError.new("The SP certificate expired.") if pairs.empty?
+
+          active_certs[use] = pairs.freeze
         end
+        active_certs.freeze
+      end
 
-        cert
+      # @return [Array<OpenSSL::X509::Certificate, OpenSSL::PKey::RSA>]
+      #   The SP signing certificate and private key.
+      def get_sp_signing_pair
+        get_sp_certs[:signing].first
       end
 
-      # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
-      #
-      def get_sp_cert_new
-        return nil if certificate_new.nil? || certificate_new.empty?
+      # @return [OpenSSL::X509::Certificate] The SP signing certificate.
+      # @deprecated Use get_sp_signing_pair or get_sp_certs instead.
+      def get_sp_cert
+        node = get_sp_signing_pair
+        node[0] if node
+      end
 
-        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate_new)
-        OpenSSL::X509::Certificate.new(formatted_cert)
+      # @return [OpenSSL::PKey::RSA] The SP signing key.
+      def get_sp_signing_key
+        node = get_sp_signing_pair
+        node[1] if node
       end
 
-      # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
-      #
-      def get_sp_key
-        return nil if private_key.nil? || private_key.empty?
+      # @deprecated Use get_sp_signing_key or get_sp_certs instead.
+      alias_method :get_sp_key, :get_sp_signing_key
 
-        formatted_private_key = OneLogin::RubySaml::Utils.format_private_key(private_key)
-        OpenSSL::PKey::RSA.new(formatted_private_key)
+      # @return [Array<OpenSSL::PKey::RSA>] The SP decryption keys.
+      def get_sp_decryption_keys
+        ary = get_sp_certs[:encryption].map { |pair| pair[1] }
+        ary.compact!
+        ary.uniq!(&:to_pem)
+        ary.freeze
       end
 
+      # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings.
+      #
+      # @deprecated Use get_sp_certs instead
+      def get_sp_cert_new
+        node = get_sp_certs[:signing].last
+        node[0] if node
+      end
 
       def idp_binding_from_embed_sign
         security[:embed_sign] ? Utils::BINDINGS[:post] : Utils::BINDINGS[:redirect]
@@ -280,6 +299,85 @@ module OneLogin
           :lowercase_url_encoding     => false
         }.freeze
       }.freeze
+
+      private
+
+      # @return [Hash<Symbol, Array<Array<OpenSSL::X509::Certificate, OpenSSL::PKey::RSA>>>]
+      #   Build the SP certificates and private keys from the settings. Returns all
+      #   certificates and private keys, even if they are expired.
+      def get_all_sp_certs
+        validate_sp_certs_params!
+        get_sp_certs_multi || get_sp_certs_single
+      end
+
+      # Validate certificate, certificate_new, private_key, and sp_cert_multi params.
+      def validate_sp_certs_params!
+        multi    = sp_cert_multi   && !sp_cert_multi.empty?
+        cert     = certificate     && !certificate.empty?
+        cert_new = certificate_new && !certificate_new.empty?
+        pk       = private_key     && !private_key.empty?
+        if multi && (cert || cert_new || pk)
+          raise ArgumentError.new("Cannot specify both sp_cert_multi and certificate, certificate_new, private_key parameters")
+        end
+      end
+
+      # Get certs from certificate, certificate_new, and private_key parameters.
+      def get_sp_certs_single
+        certs = { :signing => [], :encryption => [] }
+
+        sp_key = OneLogin::RubySaml::Utils.build_private_key_object(private_key)
+        cert = OneLogin::RubySaml::Utils.build_cert_object(certificate)
+        if cert || sp_key
+          ary = [cert, sp_key].freeze
+          certs[:signing] << ary
+          certs[:encryption] << ary
+        end
+
+        cert_new = OneLogin::RubySaml::Utils.build_cert_object(certificate_new)
+        if cert_new
+          ary = [cert_new, sp_key].freeze
+          certs[:signing] << ary
+          certs[:encryption] << ary
+        end
+
+        certs
+      end
+
+      # Get certs from get_sp_cert_multi parameter.
+      def get_sp_certs_multi
+        return if sp_cert_multi.nil? || sp_cert_multi.empty?
+
+        raise ArgumentError.new("sp_cert_multi must be a Hash") unless sp_cert_multi.is_a?(Hash)
+
+        certs = { :signing => [], :encryption => [] }.freeze
+
+        [:signing, :encryption].each do |type|
+          certs_for_type = sp_cert_multi[type] || sp_cert_multi[type.to_s]
+          next if !certs_for_type || certs_for_type.empty?
+
+          unless certs_for_type.is_a?(Array) && certs_for_type.all? { |cert| cert.is_a?(Hash) }
+            raise ArgumentError.new("sp_cert_multi :#{type} node must be an Array of Hashes")
+          end
+
+          certs_for_type.each do |pair|
+            cert = pair[:certificate] || pair['certificate'] || pair[:cert] || pair['cert']
+            key  = pair[:private_key] || pair['private_key'] || pair[:key] || pair['key']
+
+            unless cert && key
+              raise ArgumentError.new("sp_cert_multi :#{type} node Hashes must specify keys :certificate and :private_key")
+            end
+
+            certs[type] << [
+              OneLogin::RubySaml::Utils.build_cert_object(cert),
+              OneLogin::RubySaml::Utils.build_private_key_object(key)
+            ].freeze
+          end
+        end
+
+        certs.each { |_, ary| ary.freeze }
+        certs
+      end
     end
   end
 end
+

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -91,16 +91,16 @@ module OneLogin
       end
 
       # Decrypts an EncryptedID element
-      # @param encryptedid_node [REXML::Element] The EncryptedID element
+      # @param encrypted_id_node [REXML::Element] The EncryptedID element
       # @return [REXML::Document] The decrypted EncrypedtID element
       #
-      def decrypt_nameid(encrypt_node)
+      def decrypt_nameid(encrypted_id_node)
 
-        if settings.nil? || !settings.get_sp_key
-          raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
+        if settings.nil? || settings.get_sp_decryption_keys.empty?
+          raise ValidationError.new('An ' + encrypted_id_node.name + ' found and no SP private key found on the settings to decrypt it')
         end
 
-        elem_plaintext = OneLogin::RubySaml::Utils.decrypt_data(encrypt_node, settings.get_sp_key)
+        elem_plaintext = OneLogin::RubySaml::Utils.decrypt_multi(encrypted_id_node, settings.get_sp_decryption_keys)
         # If we get some problematic noise in the plaintext after decrypting.
         # This quick regexp parse will grab only the Element and discard the noise.
         elem_plaintext = elem_plaintext.match(/(.*<\/(\w+:)?NameID>)/m)[0]

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -78,9 +78,10 @@ module OneLogin
         response = deflate(response) if settings.compress_response
         base64_response = encode(response)
         response_params = {"SAMLResponse" => base64_response}
+        sp_signing_key = settings.get_sp_signing_key
 
-        if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_responses_signed] && settings.private_key
-          params['SigAlg']    = settings.security[:signature_method]
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_responses_signed] && sp_signing_key
+          params['SigAlg'] = settings.security[:signature_method]
           url_string = OneLogin::RubySaml::Utils.build_query(
             :type => 'SAMLResponse',
             :data => base64_response,
@@ -88,7 +89,7 @@ module OneLogin
             :sig_alg => params['SigAlg']
           )
           sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          signature = sp_signing_key.sign(sign_algorithm.new, url_string)
           params['Signature'] = encode(signature)
         end
 
@@ -150,9 +151,8 @@ module OneLogin
 
       def sign_document(document, settings)
         # embed signature
-        if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && settings.private_key && settings.certificate
-          private_key = settings.get_sp_key
-          cert = settings.get_sp_cert
+        cert, private_key = settings.get_sp_signing_pair
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && private_key && cert
           document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
 

data/lib/onelogin/ruby-saml/utils.rb

@@ -34,16 +34,24 @@ module OneLogin
       $)x.freeze
       UUID_PREFIX = '_'
 
-      # Checks if the x509 cert provided is expired
-      #
-      # @param cert [Certificate] The x509 certificate
+      # Checks if the x509 cert provided is expired.
       #
+      # @param cert [OpenSSL::X509::Certificate|String] The x509 certificate.
+      # @return [true|false] Whether the certificate is expired.
       def self.is_cert_expired(cert)
-        if cert.is_a?(String)
-          cert = OpenSSL::X509::Certificate.new(cert)
-        end
+        cert = OpenSSL::X509::Certificate.new(cert) if cert.is_a?(String)
 
-        return cert.not_after < Time.now
+        cert.not_after < Time.now
+      end
+
+      # Checks if the x509 cert provided has both started and has not expired.
+      #
+      # @param cert [OpenSSL::X509::Certificate|String] The x509 certificate.
+      # @return [true|false] Whether the certificate is currently active.
+      def self.is_cert_active(cert)
+        cert = OpenSSL::X509::Certificate.new(cert) if cert.is_a?(String)
+        now = Time.now
+        cert.not_before <= now && cert.not_after >= now
       end
 
       # Interprets a ISO8601 duration value relative to a given timestamp.
@@ -61,20 +69,26 @@ module OneLogin
         matches = duration.match(DURATION_FORMAT)
 
         if matches.nil?
-          raise Exception.new("Invalid ISO 8601 duration")
+          raise StandardError.new("Invalid ISO 8601 duration")
         end
 
         sign = matches[1] == '-' ? -1 : 1
 
         durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
-          matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
-
-        initial_datetime = Time.at(timestamp).utc.to_datetime
-        final_datetime = initial_datetime.next_year(durYears)
-        final_datetime = final_datetime.next_month(durMonths)
-        final_datetime = final_datetime.next_day((7*durWeeks) + durDays)
-        final_timestamp = final_datetime.to_time.utc.to_i + (durHours * 3600) + (durMinutes * 60) + durSeconds
-        return final_timestamp
+          matches[2..8].map do |match|
+            if match
+              match = match.tr(',', '.').gsub(/\.0*\z/, '')
+              sign * (match.include?('.') ? match.to_f : match.to_i)
+            else
+              0
+            end
+          end
+
+        datetime = Time.at(timestamp).utc.to_datetime
+        datetime = datetime.next_year(durYears)
+        datetime = datetime.next_month(durMonths)
+        datetime = datetime.next_day((7*durWeeks) + durDays)
+        datetime.to_time.utc.to_i + (durHours * 3600) + (durMinutes * 60) + durSeconds
       end
 
       # Return a properly formatted x509 certificate
@@ -128,6 +142,28 @@ module OneLogin
         "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
       end
 
+      # Given a certificate string, return an OpenSSL::X509::Certificate object.
+      #
+      # @param cert [String] The original certificate
+      # @return [OpenSSL::X509::Certificate] The certificate object
+      #
+      def self.build_cert_object(cert)
+        return nil if cert.nil? || cert.empty?
+
+        OpenSSL::X509::Certificate.new(format_cert(cert))
+      end
+
+      # Given a private key string, return an OpenSSL::PKey::RSA object.
+      #
+      # @param cert [String] The original private key
+      # @return [OpenSSL::PKey::RSA] The private key object
+      #
+      def self.build_private_key_object(private_key)
+        return nil if private_key.nil? || private_key.empty?
+
+        OpenSSL::PKey::RSA.new(format_private_key(private_key))
+      end
+
       # Build the Query String signature that will be used in the HTTP-Redirect binding
       # to generate the Signature
       # @param params [Hash] Parameters to build the Query String
@@ -199,7 +235,7 @@ module OneLogin
 
       # Validate the Signature parameter sent on the HTTP-Redirect binding
       # @param params [Hash] Parameters to be used in the validation process
-      # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
+      # @option params [OpenSSL::X509::Certificate] cert The IDP public certificate
       # @option params [String] sig_alg The SigAlg parameter
       # @option params [String] signature The Signature parameter (base64 encoded)
       # @option params [String] query_string The full GET Query String to be compared
@@ -236,9 +272,29 @@ module OneLogin
         error_msg
       end
 
+      # Obtains the decrypted string from an Encrypted node element in XML,
+      # given multiple private keys to try.
+      # @param encrypted_node [REXML::Element] The Encrypted element
+      # @param private_keys [Array<OpenSSL::PKey::RSA>] The Service provider private key
+      # @return [String] The decrypted data
+      def self.decrypt_multi(encrypted_node, private_keys)
+        raise ArgumentError.new('private_keys must be specified') if !private_keys || private_keys.empty?
+
+        error = nil
+        private_keys.each do |key|
+          begin
+            return decrypt_data(encrypted_node, key)
+          rescue OpenSSL::PKey::PKeyError => e
+            error ||= e
+          end
+        end
+
+        raise(error) if error
+      end
+
       # Obtains the decrypted string from an Encrypted node element in XML
-      # @param encrypted_node [REXML::Element]     The Encrypted element
-      # @param private_key    [OpenSSL::PKey::RSA] The Service provider private key
+      # @param encrypted_node [REXML::Element] The Encrypted element
+      # @param private_key [OpenSSL::PKey::RSA] The Service provider private key
       # @return [String] The decrypted data
       def self.decrypt_data(encrypted_node, private_key)
         encrypt_data = REXML::XPath.first(
@@ -302,7 +358,7 @@ module OneLogin
 
       # Obtains the deciphered text
       # @param cipher_text [String]   The ciphered text
-      # @param symmetric_key [String] The symetric key used to encrypt the text
+      # @param symmetric_key [String] The symmetric key used to encrypt the text
       # @param algorithm [String]     The encrypted algorithm
       # @return [String] The deciphered text
       def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.16.0'
+    VERSION = '1.17.0'
   end
 end

data/lib/xml_security.rb

@@ -310,17 +310,30 @@ module XMLSecurity
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
       noko_sig_element.remove
 
+      # get signed info
+      signed_info_element = REXML::XPath.first(
+        sig_element,
+        "./ds:SignedInfo",
+        { "ds" => DSIG }
+      )
+
       # get inclusive namespaces
       inclusive_namespaces = extract_inclusive_namespaces
 
       # check digests
-      ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
+      ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
 
-      hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+      reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+
+      if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
+        return append_error("Digest mismatch. Duplicated ID found", soft)
+      end
+
+      hashed_element = reference_nodes[0]
 
       canon_algorithm = canon_algorithm REXML::XPath.first(
-        ref,
-        '//ds:CanonicalizationMethod',
+        signed_info_element,
+        './ds:CanonicalizationMethod',
         { "ds" => DSIG }
       )
 
@@ -330,13 +343,13 @@ module XMLSecurity
 
       digest_algorithm = algorithm(REXML::XPath.first(
         ref,
-        "//ds:DigestMethod",
+        "./ds:DigestMethod",
         { "ds" => DSIG }
       ))
       hash = digest_algorithm.digest(canon_hashed_element)
       encoded_digest_value = REXML::XPath.first(
         ref,
-        "//ds:DigestValue",
+        "./ds:DigestValue",
         { "ds" => DSIG }
       )
       digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
@@ -362,7 +375,7 @@ module XMLSecurity
     def process_transforms(ref, canon_algorithm)
       transforms = REXML::XPath.match(
         ref,
-        "//ds:Transforms/ds:Transform",
+        "./ds:Transforms/ds:Transform",
         { "ds" => DSIG }
       )
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.16.0
+  version: 1.17.0
 platform: ruby
 authors:
 - SAML Toolkit
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-09 00:00:00.000000000 Z
+date: 2024-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -183,6 +183,7 @@ extra_rdoc_files:
 - README.md
 files:
 - ".document"
+- ".github/FUNDING.yml"
 - ".github/workflows/test.yml"
 - ".gitignore"
 - CHANGELOG.md
@@ -247,7 +248,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.5.18
 signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit