saml2 2.2.7 → 2.2.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f95046518e86db9aca974fb6de4d3ce9da5d74dbd057a7cb72835404506f0e16
-  data.tar.gz: c2ee8956692d288bb2f1f1de24b5116ff9a79e441d6ad19bc6d2cb47a60923eb
+  metadata.gz: c16820ad8709894d30598abdc66c7258eaaa4bcce559a3f540e898226ecad9b7
+  data.tar.gz: cb81f7ca257db3e1aa45896749961cfb0ab63473499d70614931b02de5a975cd
 SHA512:
-  metadata.gz: bc8d753aa0e783a6f104b6e8eb33f40f06438e955f4e9b71323cc22c15d1ac3e604130a77293e2e67b7dad9cc7669bfce07a8ee35bd0216f52ed11cfb24620eb
-  data.tar.gz: 54d210d78f6b28627595f7fff05dcc469d4694d3a154ea05a451ff9f8ec9c1a9ba41274593ebfac6fded65852e12068611d7a14f6424d85ea37b39d6bcc6f8f7
+  metadata.gz: 9aacff1311c151b1f8e53d9e63f519b5ff4d21c9c664c22ffcaff42519d9e22530445f8f287c8ab797f0ae7df12aee9d35e9ca9539e782262b2ff4c940a0626a
+  data.tar.gz: f7287daba3d0a8d5671f109c30deb9dabce202cbe5b0e7d821c50fb09afbc7cbd056dadf43f2d7ef16582a6bf46b271caf14e131b1f622520e48b1bdaa78d26d

data/lib/saml2/response.rb

@@ -131,6 +131,18 @@ module SAML2
         response_signed = true
       end
 
+      assertion = assertions.first
+
+      # this might be nil, if the assertion was encrypted
+      if assertion&.signed?
+        unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
+                                                                cert: certificates,
+                                                                allow_expired_certificate: allow_expired_certificate)).empty?
+          return errors.concat(signature_errors)
+        end
+        assertion_signed = true
+      end
+
       find_decryption_key = ->(embedded_certificates) do
         key = nil
         embedded_certificates.each do |cert_info|
@@ -160,6 +172,8 @@ module SAML2
         if decypted_anything
           # have to re-validate the schema, since we just replaced content
           super()
+          # also clear this cached value so that we can see cached assertions
+          remove_instance_variable(:@assertions)
           return errors unless errors.empty?
         end
       end
@@ -169,13 +183,15 @@ module SAML2
         return errors
       end
 
-      assertion = assertions.first
+      assertion ||= assertions.first
       unless assertion
         errors << "no assertion found"
         return errors
       end
 
-      if assertion.signed?
+      # if we didn't previously check the assertion's signature (because it was encrypted)
+      # check it now
+      if assertion.signed? && !assertion_signed
         unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
                                                                 cert: certificates,
                                                                 allow_expired_certificate: allow_expired_certificate)).empty?

data/lib/saml2/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SAML2
-  VERSION = '2.2.7'
+  VERSION = '2.2.8'
 end

data/spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml

@@ -0,0 +1,116 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9a15e699-2d04-4ba7-a521-cfa4dcd21f44" Version="2.0" IssueInstant="2015-02-12T22:51:29Z" Destination="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984">
+  <saml:Issuer>issuer</saml:Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <saml:Assertion ID="_cdfc3faf-90ad-462f-880d-677483210684" Version="2.0" IssueInstant="2015-02-12T22:51:29Z">
+    <saml:Issuer>issuer</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+<Reference URI="#_cdfc3faf-90ad-462f-880d-677483210684">
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<DigestValue>r/MVi1aNDe8SSyvsDVmyQHNvl+sW0CjFeCnRnV5KL0w=</DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue>jRdOoXHY7uEg/ryIL+o8qXBlIlPJyw3nk27VkXWAOG28n17BDCUm5/qAngTK9eUB
+4vkudLuRKs7bgSSa7UcAf0lytddqylJ561sb3+xFcggt5g5BDUpgjPOsdETuRyQ8
+IGCPt+dsR2L5qWbZch4JkZwaOqs7EZUJ8dqljPObmYuMNzmyZ6VCIVFvOuVO0a8l
+Ps4rqrwQ4BWGWyT0YPHXCAWWGxgDiWvpFEeTZ4T6XoSQlL+gzwUkBT07Q1l/iWaE
+7JLrIBt4rglJE+FrWjJp7rV8y3UlFpOjlow6tZiCHUS9b1DhOn02A5dW1KiusmGs
+gnL0yJLDPfDo1+2+YzWo3A==</SignatureValue>
+<KeyInfo>
+<X509Data>
+<X509Certificate>MIID+jCCAuKgAwIBAgIJAIz/He5UafnhMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
+BAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQKEw5Db2R5IFNBTUwgVGVzdDEk
+MCIGA1UEAxMbaHR0cDovL3Nzby5jYW52YXMuZGV2L1NBTUwyMB4XDTE1MDIwOTIy
+MTkxOVoXDTE1MDMxMTIyMTkxOVowWzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0
+YWgxFzAVBgNVBAoTDkNvZHkgU0FNTCBUZXN0MSQwIgYDVQQDExtodHRwOi8vc3Nv
+LmNhbnZhcy5kZXYvU0FNTDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCwlbZhVkDi6YAHFpkxSoInc9Jrmezv0XKi8YzrDzO9Y7zHJlYygUQmgvD4I5fQ
+tVW8sbp7gS5cCBmjbGJRXx3996qLq12//WLYMDkHktrbU1zZ6vsJ8ajHyQv4OFvq
+qBnForSkuJbNi/QVTKiwbbBOZ75CbNBs1InoMN5MY2S5NhG9JhLjpktxNKfXFEi5
+Wr0rc2T0lSbTHv7L6DUFKeKX7uK9bNREozZDwkyYUHZl1Vez88WiJw7CmzNEnm5v
+13M6e60788M7E5FZBkTDkFK5+RV10ycYYNN7E8l0HzWSaB4+aJhKsK/Q7Yv+MG/j
+Oj8KMeZvEJfhxx1Dz8idgy8RAgMBAAGjgcAwgb0wHQYDVR0OBBYEFOvkP77RRJET
+X//KwdohNVfZBSvbMIGNBgNVHSMEgYUwgYKAFOvkP77RRJETX//KwdohNVfZBSvb
+oV+kXTBbMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDEXMBUGA1UEChMOQ29k
+eSBTQU1MIFRlc3QxJDAiBgNVBAMTG2h0dHA6Ly9zc28uY2FudmFzLmRldi9TQU1M
+MoIJAIz/He5UafnhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAQ6
+iucYVoOHBXHGybLUj8i3yZEI8C0mZQ/NBsihMGBP58vNSSKUJr4JPvYUIudwkLVH
+T1FWdfMVVVUxqJvCFWfWcpCyKTe4FQ0WyTasq1F9LtCaeMczlkpK+E2XBlNyPGoo
+1fCDO6pXD7EIOprIFl3blspb5ROF8lCESjFKmyxVGHEOMs2GA0cX3xvW+AvCbYUC
+Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
+5y5OLZblsTw3CPgxgMcCiBSYXnO0VTpT9ANW/SpeSE8XnfumxUjsUtxO4qN4O2es
+ZtltN+yN40INHGRWnHc=</X509Certificate>
+</X509Data>
+</KeyInfo>
+</Signature>
+    <saml:Subject>
+      <saml:EncryptedID>
+        <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
+          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+            <X509Data>
+              <X509Certificate>MIID+jCCAuKgAwIBAgIJAIz/He5UafnhMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
+                BAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQKEw5Db2R5IFNBTUwgVGVzdDEk
+                MCIGA1UEAxMbaHR0cDovL3Nzby5jYW52YXMuZGV2L1NBTUwyMB4XDTE1MDIwOTIy
+                MTkxOVoXDTE1MDMxMTIyMTkxOVowWzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0
+                YWgxFzAVBgNVBAoTDkNvZHkgU0FNTCBUZXN0MSQwIgYDVQQDExtodHRwOi8vc3Nv
+                LmNhbnZhcy5kZXYvU0FNTDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+                AQCwlbZhVkDi6YAHFpkxSoInc9Jrmezv0XKi8YzrDzO9Y7zHJlYygUQmgvD4I5fQ
+                tVW8sbp7gS5cCBmjbGJRXx3996qLq12//WLYMDkHktrbU1zZ6vsJ8ajHyQv4OFvq
+                qBnForSkuJbNi/QVTKiwbbBOZ75CbNBs1InoMN5MY2S5NhG9JhLjpktxNKfXFEi5
+                Wr0rc2T0lSbTHv7L6DUFKeKX7uK9bNREozZDwkyYUHZl1Vez88WiJw7CmzNEnm5v
+                13M6e60788M7E5FZBkTDkFK5+RV10ycYYNN7E8l0HzWSaB4+aJhKsK/Q7Yv+MG/j
+                Oj8KMeZvEJfhxx1Dz8idgy8RAgMBAAGjgcAwgb0wHQYDVR0OBBYEFOvkP77RRJET
+                X//KwdohNVfZBSvbMIGNBgNVHSMEgYUwgYKAFOvkP77RRJETX//KwdohNVfZBSvb
+                oV+kXTBbMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDEXMBUGA1UEChMOQ29k
+                eSBTQU1MIFRlc3QxJDAiBgNVBAMTG2h0dHA6Ly9zc28uY2FudmFzLmRldi9TQU1M
+                MoIJAIz/He5UafnhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAQ6
+                iucYVoOHBXHGybLUj8i3yZEI8C0mZQ/NBsihMGBP58vNSSKUJr4JPvYUIudwkLVH
+                T1FWdfMVVVUxqJvCFWfWcpCyKTe4FQ0WyTasq1F9LtCaeMczlkpK+E2XBlNyPGoo
+                1fCDO6pXD7EIOprIFl3blspb5ROF8lCESjFKmyxVGHEOMs2GA0cX3xvW+AvCbYUC
+                Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
+                5y5OLZblsTw3CPgxgMcCiBSYXnO0VTpT9ANW/SpeSE8XnfumxUjsUtxO4qN4O2es
+                ZtltN+yN40INHGRWnHc=</X509Certificate>
+            </X509Data>
+            <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
+              <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+              <CipherData>
+                <CipherValue>N0tORClqCAyqs4XhId26gk7HpP4ApuqwYuzy/VrkRACAsWZeM4OXfjcrFfJPlcf1
+                  gLx5tV/tTW/mHw98hXsGCGul/8LVazqGfsjTOtHXkO0i/RPgwVw/aa5+/Ggb+PQ9
+                  o09y2HII5cmlCSJyUMaqk4g653y6PWF1emRtI6OxMK2St5YKQGzVq5KeWkiV7d7b
+                  A6ZeR/n0qzjJ2z/qJzzOul4jjlz0/XR2Xb7FrkImza9zS2L7AwRqCpVkRw64/XAM
+                  /d/SnpgbcNo/RAJzjbOCndBGu6G161nOnQF1+rrVBsDx4HIuImzuvbNBOz0YFe0F
+                  DyLeXfOpHKgikh4wKa2okQ==</CipherValue>
+              </CipherData>
+            </EncryptedKey>
+          </KeyInfo>
+          <CipherData>
+            <CipherValue>TTwKeCn5Kqlhjqcj3XFZQ8o64rpYG8uohhBMAwxtqBojTOHe0Itn720Mb7BHHXwI
+              KrQn29N8SfC18/daWcNwGTH5njZFYYkHlhBXvb9q8z97jYTiTlNEi1GoWhalLYex
+              GnfLxpoBl2EaJw1j2mibbA==</CipherValue>
+          </CipherData>
+        </EncryptedData>
+      </saml:EncryptedID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2015-02-12T22:51:24Z" NotOnOrAfter="2015-02-12T22:51:59Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>http://siteadmin.instructure.com/saml2</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+  </saml:Assertion>
+</samlp:Response>

data/spec/lib/response_spec.rb

@@ -278,6 +278,12 @@ module SAML2
         expect(response.errors).to eq []
       end
 
+      it "doesn't break the signature by decrypting elements first" do
+        response = Response.parse(fixture("response_with_signed_assertion_and_encrypted_subject.xml"))
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
+        expect(response.errors).to eq []
+        expect(response.assertions.first.subject.name_id.id).to eq 'jacob'
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 2.2.7
+  version: 2.2.8
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-06 00:00:00.000000000 Z
+date: 2018-06-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -194,6 +194,7 @@ files:
 - spec/fixtures/response_tampered_signature.xml
 - spec/fixtures/response_with_attribute_signed.xml
 - spec/fixtures/response_with_encrypted_assertion.xml
+- spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
 - spec/fixtures/service_provider.xml
 - spec/fixtures/test3-response.xml
 - spec/fixtures/test6-response.xml
@@ -267,6 +268,7 @@ test_files:
 - spec/fixtures/noconditions_response.xml
 - spec/fixtures/entities.xml
 - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
+- spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
 - spec/fixtures/othercertificate.pem
 - spec/fixtures/xslt-transform-response.xml
 - spec/fixtures/response_with_encrypted_assertion.xml