RubyGems - saml2 - Versions diffs - 2.2.12 → 3.0.0 - Mend

saml2 2.2.12 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 630f03aeb419e5d7ebae94ab4b809bf460be88903fdfdfe981d96dda990fbb5d
-  data.tar.gz: 2f17e8e081522cf5c7b2e8b5705bf600fd33fbc68e404203f865c442ffeea85c
+  metadata.gz: e68ac85048800a528987268cfb09cf9ed3adf9e501e14927969970eba7b48d53
+  data.tar.gz: 87edd68a1925ef511840fbff7003cce962ab3fc11bd47e3a9a74cb2300e98136
 SHA512:
-  metadata.gz: cad2fd1128ddfa7d8522ca592f8a72b717554ef0d8cddd55b160183e0656df306bebadd0f19e3b131267f8100f1a80ca0956c2c9a78a7eb0e9ad195eb4b72edc
-  data.tar.gz: d38744fc8b083257306a25b7d3f2e1538313f7791e2667debac3e915499153699ee8af484d6aed2769dc51baffa35e03694759af7e5b32407b77e973b7c66bef
+  metadata.gz: 45163bf19f9acbf26223766b165d40d62ad8f0fac6fadad901254912064c56db830c66e27a2e2d85bcd07c2be84c62156df516ae35c028b60b4b4ea692ae2645
+  data.tar.gz: 8e7d1b05ea37fc9c39024cfc1c2812170ef09fd4ead00b7b6c174cc9fbf8b0f3e8a8f5c4883ee9257bccfcca79482ffef1d07eac320147f69fed00bd60017480

data/lib/saml2/message.rb CHANGED

@@ -119,22 +119,6 @@ module SAML2
       true
     end
-    # (see Signable#validate_signature)
-    # @param verification_time
-    #   Ignored. The message's {issue_instant} is always used.
-    def validate_signature(fingerprint: nil,
-                           cert: nil,
-                           verification_time: issue_instant,
-                           allow_expired_certificate: false,
-                           verify_certificate: true)
-      # verify the signature (certificate's validity) as of the time the message was generated
-      super(fingerprint: fingerprint,
-            cert: cert,
-            verification_time: verification_time,
-            allow_expired_certificate: allow_expired_certificate,
-            verify_certificate: verify_certificate)
-    end
     # (see Signable#sign)
     def sign(x509_certificate, private_key, algorithm_name = :sha256)
       super

data/lib/saml2/response.rb CHANGED

@@ -89,18 +89,11 @@ module SAML2
     # @param verification_time optional [DateTime]
     #   Validate timestamps (signing certificate validity, issued at, etc.) as of
     #   this point in time.
-    # @param allow_expired_certificate optional [true, false]
-    #   Allow signing certificate to be expired.
-    # @param verify_certificate optional [true, false]
-    #   Don't validate the trust chain or validity dates of the signing
-    #   certificate.
     # @param ignore_audience_condition optional [true, false]
     #   Don't validate any Audience conditions.
     def validate(service_provider:,
                  identity_provider:,
                  verification_time: nil,
-                 allow_expired_certificate: false,
-                 verify_certificate: true,
                  ignore_audience_condition: false)
       raise ArgumentError, "service_provider should be an Entity object" unless service_provider.is_a?(Entity)
       raise ArgumentError, "service_provider should have at least one service_provider role" unless (sp = service_provider.service_providers.first)
@@ -140,9 +133,7 @@ module SAML2
       if signed?
         unless (signature_errors = validate_signature(fingerprint: idp.fingerprints,
-                                                      cert: certificates,
-                                                      allow_expired_certificate: allow_expired_certificate,
-                                                      verify_certificate: verify_certificate)).empty?
+                                                      cert: certificates)).empty?
           return errors.concat(signature_errors)
         end
         response_signed = true
@@ -153,9 +144,7 @@ module SAML2
       # this might be nil, if the assertion was encrypted
       if assertion&.signed?
         unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
-                                                                cert: certificates,
-                                                                allow_expired_certificate: allow_expired_certificate,
-                                                                verify_certificate: verify_certificate)).empty?
+                                                                cert: certificates)).empty?
           return errors.concat(signature_errors)
         end
         assertion_signed = true
@@ -211,9 +200,7 @@ module SAML2
       # check it now
       if assertion.signed? && !assertion_signed
         unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
-                                                                cert: certificates,
-                                                                allow_expired_certificate: allow_expired_certificate,
-                                                                verify_certificate: verify_certificate)).empty?
+                                                                cert: certificates)).empty?
           return errors.concat(signature_errors)
         end
         assertion_signed = true

data/lib/saml2/signable.rb CHANGED

@@ -34,24 +34,24 @@ module SAML2
     # Validate the signature on this object.
     #
-    # Either +fingerprint+ or +cert+ must be provided.
+    # At least one of +key+, +fingerprint+ or +cert+ must be provided.
     #
+    # @param key optional [String, OpenSSL::PKey::PKey]
+    #   The exact public key to use. +fingerprint+ and +cert+ are ignored.
     # @param fingerprint optional [Array<String>, String]
     #   SHA1 fingerprints of trusted certificates. If provided, they will be
     #   checked against the {#signing_key} embedded in the {#signature}, and if
     #   a match is found, the certificate embedded in the signature will be
     #   added to the list of certificates used for verifying the signature.
     # @param cert optional [Array<String>, String]
-    # @param allow_expired_certificate [Boolean]
-    #   If set to true, verification_time will be adjusted to be just within the
-    #   certificate's expiration time, so that an expired certificate error will
-    #   not be thrown.
+    #   A single or array of trusted certificates. If provided, they will be
+    #   check against the {#signing_key} embedded in the {#signature}, and if
+    #   a match of public keys only is found, that key will be considered trusted
+    #   and used to verify the signature.
     # @return [Array<String>] An empty array on success, details of errors on failure.
-    def validate_signature(fingerprint: nil,
-                           cert: nil,
-                           verification_time: nil,
-                           allow_expired_certificate: false,
-                           verify_certificate: true)
+    def validate_signature(key: nil,
+                           fingerprint: nil,
+                           cert: nil)
       return ["not signed"] unless signed?
       certs = Array(cert)
@@ -59,39 +59,22 @@ module SAML2
       # see if any given fingerprints match the certificate embedded in the XML;
       # if so, extract the certificate, and add it to the allowed certificates list
       Array(fingerprint).each do |fp|
-        certs << signing_key.certificate if signing_key&.fingerprint == KeyInfo.format_fingerprint(fp)
+        certs << signing_key.certificate if signing_key&.fingerprint == SAML2::KeyInfo.format_fingerprint(fp)
       end
       certs = certs.uniq
-      return ["no trusted certificate found"] if certs.empty?
-      if verify_certificate == false && signing_key&.certificate
-        key = signing_key.certificate.public_key.to_s
+      trusted_keys = certs.map do |cert|
+        cert = cert.is_a?(String) ? OpenSSL::X509::Certificate.new(cert) : cert
+        cert.public_key.to_s
       end
-      if signing_key
-        signing_cert = signing_key.certificate
-        if allow_expired_certificate
-          verification_time = signing_cert.not_after - 1
-        end
-        # we explicitly trust the signing certificate, but it's not self-signed;
-        # xmlsec is weird and decides not to trust it in that case, so we skip
-        # certificate verification by xmlsec, and do it ourselves
-        if certs.include?(signing_cert) &&  signing_cert.issuer != signing_cert.subject
-          verification_time ||= Time.now.utc
-          return ["certificate has expired"] if verification_time > signing_cert.not_after
-          return ["certificate is not yet valid"] if verification_time < signing_cert.not_before
-          verify_certificate = false
-        end
+      if signing_key&.certificate && trusted_keys.include?(signing_key.certificate.public_key.to_s)
+        key ||= signing_key.certificate.public_key.to_s
       end
-      certs = nil if key # we're using a key explicitly, ignoring the certs
+      return ["no trusted signing key found"] if key.nil?
       begin
-        result = signature.verify_with(key: key,
-                                       certs: certs,
-                                       verification_time: verification_time,
-                                       verify_certificates: verify_certificate)
+        result = signature.verify_with(key: key)
         result ? [] : ["signature is invalid"]
       rescue XMLSec::VerificationError => e
         [e.message]
@@ -104,8 +87,8 @@ module SAML2
     #
     # @param (see #validate_signature)
     # @return [Boolean]
-    def valid_signature?(fingerprint: nil, cert: nil, verification_time: nil)
-      validate_signature(fingerprint: fingerprint, cert: cert, verification_time: verification_time).empty?
+    def valid_signature?(fingerprint: nil, cert: nil)
+      validate_signature(fingerprint: fingerprint, cert: cert).empty?
     end
     # Sign this object.

data/lib/saml2/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module SAML2
-  VERSION = '2.2.12'
+  VERSION = '3.0.0'
 end

data/spec/lib/response_spec.rb CHANGED

@@ -104,8 +104,7 @@ module SAML2
       # the signature is still valid (we have to set a weird verification time because the response
       # was signed with an expired signature)
-      expect(response.validate_signature(fingerprint: 'afe71c28ef740bc87425be13a2263d37971da1f9',
-                                         verification_time: Time.parse("2007-07-14 12:01:34Z"))).to eq []
+      expect(response.validate_signature(fingerprint: 'afe71c28ef740bc87425be13a2263d37971da1f9')).to eq []
       # the comment is ignored, but doesn't truncate the nameid
       expect(response.assertions.first.subject.name_id.id).to eq 'testuser@example.com'
@@ -175,8 +174,7 @@ module SAML2
         response = Response.parse(fixture("response_tampered_certificate.xml"))
         sp_entity.valid_response?(response, idp_entity,
-                                  verification_time: Time.parse('2015-02-12T22:51:30Z'),
-                                  allow_expired_certificate: true)
+                                  verification_time: Time.parse('2015-02-12T22:51:30Z'))
         expect(response.errors).to eq ["signature is invalid"]
       end
@@ -193,7 +191,7 @@ module SAML2
         idp_entity.identity_providers.first.keys << KeyDescriptor.new(fixture("othercertificate.pem"))
         sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
         expect(response.errors.length).to eq 1
-        expect(response.errors.first).to start_with('error occurred during signature verification')
+        expect(response.errors.first).to eq("no trusted signing key found")
       end
       it "validates signature by fingerprint" do
@@ -211,7 +209,7 @@ module SAML2
         idp_entity.identity_providers.first.fingerprints << "1c:37:7d:30:c1:83:18:ea:20:8b:dc:d5:35:b6:16:85:17:58:f7:ca"
         sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
-        expect(response.errors).to eq ["no trusted certificate found"]
+        expect(response.errors).to eq ["no trusted signing key found"]
       end
       it "protects against xml signature wrapping attacks targeting nameid" do
@@ -254,43 +252,6 @@ module SAML2
                                                   "43:0: ERROR: Element '{http://www.w3.org/2000/09/xmldsig#}Signature': This element is not expected."]
       end
-      it "errors on expired certificate" do
-        response = Response.parse(fixture("test6-response.xml"))
-        idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
-        idp_entity.identity_providers.first.keys.clear
-        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
-        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse("2012-08-03T20:07:15Z"))
-        expect(response.errors.length).to eq 1
-        expect(response.errors.first).to match(/certificate has expired/)
-      end
-      it "ignores expired certificate when requested" do
-        response = Response.parse(fixture("test6-response.xml"))
-        sp_entity.entity_id = 'http://shard-2.canvas.dev/saml2'
-        idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
-        idp_entity.identity_providers.first.keys.clear
-        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
-        sp_entity.valid_response?(response, idp_entity,
-                                  verification_time: Time.parse("2014-09-16T22:15:53Z"),
-                                  allow_expired_certificate: true)
-        expect(response.errors).to eq []
-      end
-      it "ignores invalid certificate when requested" do
-        response = Response.parse(fixture("test6-response.xml"))
-        sp_entity.entity_id = 'http://shard-2.canvas.dev/saml2'
-        idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
-        idp_entity.identity_providers.first.keys.clear
-        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
-        sp_entity.valid_response?(response, idp_entity,
-                                  verification_time: Time.parse("2014-09-16T22:15:53Z"),
-                                  verify_certificate: false)
-        expect(response.errors).to eq []
-      end
       it "doesn't break the signature by decrypting elements first" do
         response = Response.parse(fixture("response_with_signed_assertion_and_encrypted_subject.xml"))
         sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 2.2.12
+  version: 3.0.0
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-06-25 00:00:00.000000000 Z
+date: 2018-06-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri