saml2 2.2.12 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 630f03aeb419e5d7ebae94ab4b809bf460be88903fdfdfe981d96dda990fbb5d
-  data.tar.gz: 2f17e8e081522cf5c7b2e8b5705bf600fd33fbc68e404203f865c442ffeea85c
+  metadata.gz: e68ac85048800a528987268cfb09cf9ed3adf9e501e14927969970eba7b48d53
+  data.tar.gz: 87edd68a1925ef511840fbff7003cce962ab3fc11bd47e3a9a74cb2300e98136
 SHA512:
-  metadata.gz: cad2fd1128ddfa7d8522ca592f8a72b717554ef0d8cddd55b160183e0656df306bebadd0f19e3b131267f8100f1a80ca0956c2c9a78a7eb0e9ad195eb4b72edc
-  data.tar.gz: d38744fc8b083257306a25b7d3f2e1538313f7791e2667debac3e915499153699ee8af484d6aed2769dc51baffa35e03694759af7e5b32407b77e973b7c66bef
+  metadata.gz: 45163bf19f9acbf26223766b165d40d62ad8f0fac6fadad901254912064c56db830c66e27a2e2d85bcd07c2be84c62156df516ae35c028b60b4b4ea692ae2645
+  data.tar.gz: 8e7d1b05ea37fc9c39024cfc1c2812170ef09fd4ead00b7b6c174cc9fbf8b0f3e8a8f5c4883ee9257bccfcca79482ffef1d07eac320147f69fed00bd60017480

data/lib/saml2/message.rb

@@ -119,22 +119,6 @@ module SAML2
       true
     end
 
-    # (see Signable#validate_signature)
-    # @param verification_time
-    #   Ignored. The message's {issue_instant} is always used.
-    def validate_signature(fingerprint: nil,
-                           cert: nil,
-                           verification_time: issue_instant,
-                           allow_expired_certificate: false,
-                           verify_certificate: true)
-      # verify the signature (certificate's validity) as of the time the message was generated
-      super(fingerprint: fingerprint,
-            cert: cert,
-            verification_time: verification_time,
-            allow_expired_certificate: allow_expired_certificate,
-            verify_certificate: verify_certificate)
-    end
-
     # (see Signable#sign)
     def sign(x509_certificate, private_key, algorithm_name = :sha256)
       super

data/lib/saml2/response.rb

@@ -89,18 +89,11 @@ module SAML2
     # @param verification_time optional [DateTime]
     #   Validate timestamps (signing certificate validity, issued at, etc.) as of
     #   this point in time.
-    # @param allow_expired_certificate optional [true, false]
-    #   Allow signing certificate to be expired.
-    # @param verify_certificate optional [true, false]
-    #   Don't validate the trust chain or validity dates of the signing
-    #   certificate.
     # @param ignore_audience_condition optional [true, false]
     #   Don't validate any Audience conditions.
     def validate(service_provider:,
                  identity_provider:,
                  verification_time: nil,
-                 allow_expired_certificate: false,
-                 verify_certificate: true,
                  ignore_audience_condition: false)
       raise ArgumentError, "service_provider should be an Entity object" unless service_provider.is_a?(Entity)
       raise ArgumentError, "service_provider should have at least one service_provider role" unless (sp = service_provider.service_providers.first)
@@ -140,9 +133,7 @@ module SAML2
 
       if signed?
         unless (signature_errors = validate_signature(fingerprint: idp.fingerprints,
-                                                      cert: certificates,
-                                                      allow_expired_certificate: allow_expired_certificate,
-                                                      verify_certificate: verify_certificate)).empty?
+                                                      cert: certificates)).empty?
           return errors.concat(signature_errors)
         end
         response_signed = true
@@ -153,9 +144,7 @@ module SAML2
       # this might be nil, if the assertion was encrypted
       if assertion&.signed?
         unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
-                                                                cert: certificates,
-                                                                allow_expired_certificate: allow_expired_certificate,
-                                                                verify_certificate: verify_certificate)).empty?
+                                                                cert: certificates)).empty?
           return errors.concat(signature_errors)
         end
         assertion_signed = true
@@ -211,9 +200,7 @@ module SAML2
       # check it now
       if assertion.signed? && !assertion_signed
         unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
-                                                                cert: certificates,
-                                                                allow_expired_certificate: allow_expired_certificate,
-                                                                verify_certificate: verify_certificate)).empty?
+                                                                cert: certificates)).empty?
           return errors.concat(signature_errors)
         end
         assertion_signed = true

data/lib/saml2/signable.rb

@@ -34,24 +34,24 @@ module SAML2
 
     # Validate the signature on this object.
     #
-    # Either +fingerprint+ or +cert+ must be provided.
+    # At least one of +key+, +fingerprint+ or +cert+ must be provided.
     #
+    # @param key optional [String, OpenSSL::PKey::PKey]
+    #   The exact public key to use. +fingerprint+ and +cert+ are ignored.
     # @param fingerprint optional [Array<String>, String]
     #   SHA1 fingerprints of trusted certificates. If provided, they will be
     #   checked against the {#signing_key} embedded in the {#signature}, and if
     #   a match is found, the certificate embedded in the signature will be
     #   added to the list of certificates used for verifying the signature.
     # @param cert optional [Array<String>, String]
-    # @param allow_expired_certificate [Boolean]
-    #   If set to true, verification_time will be adjusted to be just within the
-    #   certificate's expiration time, so that an expired certificate error will
-    #   not be thrown.
+    #   A single or array of trusted certificates. If provided, they will be
+    #   check against the {#signing_key} embedded in the {#signature}, and if
+    #   a match of public keys only is found, that key will be considered trusted
+    #   and used to verify the signature.
     # @return [Array<String>] An empty array on success, details of errors on failure.
-    def validate_signature(fingerprint: nil,
-                           cert: nil,
-                           verification_time: nil,
-                           allow_expired_certificate: false,
-                           verify_certificate: true)
+    def validate_signature(key: nil,
+                           fingerprint: nil,
+                           cert: nil)
       return ["not signed"] unless signed?
 
       certs = Array(cert)
@@ -59,39 +59,22 @@ module SAML2
       # see if any given fingerprints match the certificate embedded in the XML;
       # if so, extract the certificate, and add it to the allowed certificates list
       Array(fingerprint).each do |fp|
-        certs << signing_key.certificate if signing_key&.fingerprint == KeyInfo.format_fingerprint(fp)
+        certs << signing_key.certificate if signing_key&.fingerprint == SAML2::KeyInfo.format_fingerprint(fp)
       end
       certs = certs.uniq
-      return ["no trusted certificate found"] if certs.empty?
 
-      if verify_certificate == false && signing_key&.certificate
-        key = signing_key.certificate.public_key.to_s
+      trusted_keys = certs.map do |cert|
+        cert = cert.is_a?(String) ? OpenSSL::X509::Certificate.new(cert) : cert
+        cert.public_key.to_s
       end
-
-      if signing_key
-        signing_cert = signing_key.certificate
-        if allow_expired_certificate
-          verification_time = signing_cert.not_after - 1
-        end
-
-        # we explicitly trust the signing certificate, but it's not self-signed;
-        # xmlsec is weird and decides not to trust it in that case, so we skip
-        # certificate verification by xmlsec, and do it ourselves
-        if certs.include?(signing_cert) &&  signing_cert.issuer != signing_cert.subject
-          verification_time ||= Time.now.utc
-          return ["certificate has expired"] if verification_time > signing_cert.not_after
-          return ["certificate is not yet valid"] if verification_time < signing_cert.not_before
-
-          verify_certificate = false
-        end
+      if signing_key&.certificate && trusted_keys.include?(signing_key.certificate.public_key.to_s)
+        key ||= signing_key.certificate.public_key.to_s
       end
-      certs = nil if key # we're using a key explicitly, ignoring the certs
+
+      return ["no trusted signing key found"] if key.nil?
 
       begin
-        result = signature.verify_with(key: key,
-                                       certs: certs,
-                                       verification_time: verification_time,
-                                       verify_certificates: verify_certificate)
+        result = signature.verify_with(key: key)
         result ? [] : ["signature is invalid"]
       rescue XMLSec::VerificationError => e
         [e.message]
@@ -104,8 +87,8 @@ module SAML2
     #
     # @param (see #validate_signature)
     # @return [Boolean]
-    def valid_signature?(fingerprint: nil, cert: nil, verification_time: nil)
-      validate_signature(fingerprint: fingerprint, cert: cert, verification_time: verification_time).empty?
+    def valid_signature?(fingerprint: nil, cert: nil)
+      validate_signature(fingerprint: fingerprint, cert: cert).empty?
     end
 
     # Sign this object.

data/lib/saml2/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SAML2
-  VERSION = '2.2.12'
+  VERSION = '3.0.0'
 end

data/spec/lib/response_spec.rb

@@ -104,8 +104,7 @@ module SAML2
 
       # the signature is still valid (we have to set a weird verification time because the response
       # was signed with an expired signature)
-      expect(response.validate_signature(fingerprint: 'afe71c28ef740bc87425be13a2263d37971da1f9',
-                                         verification_time: Time.parse("2007-07-14 12:01:34Z"))).to eq []
+      expect(response.validate_signature(fingerprint: 'afe71c28ef740bc87425be13a2263d37971da1f9')).to eq []
 
       # the comment is ignored, but doesn't truncate the nameid
       expect(response.assertions.first.subject.name_id.id).to eq 'testuser@example.com'
@@ -175,8 +174,7 @@ module SAML2
 
         response = Response.parse(fixture("response_tampered_certificate.xml"))
         sp_entity.valid_response?(response, idp_entity,
-                                  verification_time: Time.parse('2015-02-12T22:51:30Z'),
-                                  allow_expired_certificate: true)
+                                  verification_time: Time.parse('2015-02-12T22:51:30Z'))
         expect(response.errors).to eq ["signature is invalid"]
       end
 
@@ -193,7 +191,7 @@ module SAML2
         idp_entity.identity_providers.first.keys << KeyDescriptor.new(fixture("othercertificate.pem"))
         sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
         expect(response.errors.length).to eq 1
-        expect(response.errors.first).to start_with('error occurred during signature verification')
+        expect(response.errors.first).to eq("no trusted signing key found")
       end
 
       it "validates signature by fingerprint" do
@@ -211,7 +209,7 @@ module SAML2
         idp_entity.identity_providers.first.fingerprints << "1c:37:7d:30:c1:83:18:ea:20:8b:dc:d5:35:b6:16:85:17:58:f7:ca"
 
         sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
-        expect(response.errors).to eq ["no trusted certificate found"]
+        expect(response.errors).to eq ["no trusted signing key found"]
       end
 
       it "protects against xml signature wrapping attacks targeting nameid" do
@@ -254,43 +252,6 @@ module SAML2
                                                   "43:0: ERROR: Element '{http://www.w3.org/2000/09/xmldsig#}Signature': This element is not expected."]
       end
 
-      it "errors on expired certificate" do
-        response = Response.parse(fixture("test6-response.xml"))
-        idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
-        idp_entity.identity_providers.first.keys.clear
-        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
-
-        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse("2012-08-03T20:07:15Z"))
-        expect(response.errors.length).to eq 1
-        expect(response.errors.first).to match(/certificate has expired/)
-      end
-
-      it "ignores expired certificate when requested" do
-        response = Response.parse(fixture("test6-response.xml"))
-        sp_entity.entity_id = 'http://shard-2.canvas.dev/saml2'
-        idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
-        idp_entity.identity_providers.first.keys.clear
-        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
-
-        sp_entity.valid_response?(response, idp_entity,
-                                  verification_time: Time.parse("2014-09-16T22:15:53Z"),
-                                  allow_expired_certificate: true)
-        expect(response.errors).to eq []
-      end
-
-      it "ignores invalid certificate when requested" do
-        response = Response.parse(fixture("test6-response.xml"))
-        sp_entity.entity_id = 'http://shard-2.canvas.dev/saml2'
-        idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
-        idp_entity.identity_providers.first.keys.clear
-        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
-
-        sp_entity.valid_response?(response, idp_entity,
-                                  verification_time: Time.parse("2014-09-16T22:15:53Z"),
-                                  verify_certificate: false)
-        expect(response.errors).to eq []
-      end
-
       it "doesn't break the signature by decrypting elements first" do
         response = Response.parse(fixture("response_with_signed_assertion_and_encrypted_subject.xml"))
         sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 2.2.12
+  version: 3.0.0
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-25 00:00:00.000000000 Z
+date: 2018-06-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri