saml2 3.0.11 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 953f52449cc1cbab86280c3265ecf74cde4eb8db37946a99aa2d85f59d7a4754
-  data.tar.gz: f211ab22f71726b292c5182fba1b5040284c4a243f03458b84f33983f95dadbc
+  metadata.gz: 1a9f01162da7309af02b28de55593de014c32eba85d87a7af95360423cd03550
+  data.tar.gz: 71b3e1f1309c840e649e8d6a3dfad701b01349c5c8b3c3378b96733ef62718cf
 SHA512:
-  metadata.gz: 271dd3d0bd8325c59b61ed416fd0ed16d1cbc284d957593220f905c3f5c5f8d001bdcc125fcd96e1d28ffe3ad2ec22a6fec027c768df82ddb5dca609ba435c58
-  data.tar.gz: 87337ae1fd36828023da486e932582009b76f666e04fd336e4d4b4e0a244366c62c7491255b320b2575c6439d56c856200f883a2087fdc70b82f746927fef8db
+  metadata.gz: 0b8ff067a719d4e450a94b23967b6519a2c51ed806decb7b342f06c29ace840625b2d03056a986fbd54c12fe9adc2997ab24731be40341d52f01d34d5e14f220
+  data.tar.gz: 2de7817d5dda92bacd3e87fe302a7f7f35e70ca7a2234b4237a45951456ab19c66da8ef836c9004ae289f4d7f8d38ef47ff4f6efc21a2d641bc8d0c62a00f1df

data/lib/saml2/key.rb

@@ -11,6 +11,8 @@ module SAML2
   class KeyInfo < Base
     # @return [String] The PEM encoded certificate.
     attr_reader :x509
+    # @return [OpenSSL::PKey::PKey] An RSA Public Key
+    attr_accessor :key
 
     # @param x509 [String] The PEM encoded certificate.
     def initialize(x509 = nil)
@@ -19,7 +21,15 @@ module SAML2
 
     # (see Base#from_xml)
     def from_xml(node)
-      self.x509 = node.at_xpath('dsig:KeyInfo/dsig:X509Data/dsig:X509Certificate', Namespaces::ALL)&.content&.strip
+      self.x509 = node.at_xpath('dsig:X509Data/dsig:X509Certificate', Namespaces::ALL)&.content&.strip
+      if (rsa_key_value = node.at_xpath('dsig:KeyValue/dsig:RSAKeyValue', Namespaces::ALL))
+        modulus = crypto_binary_to_integer(rsa_key_value.at_xpath('dsig:Modulus', Namespaces::ALL)&.content&.strip)
+        exponent = crypto_binary_to_integer(rsa_key_value.at_xpath('dsig:Exponent', Namespaces::ALL)&.content&.strip)
+        if modulus && exponent
+          @key = OpenSSL::PKey::RSA.new
+          key.set_key(modulus, exponent, nil)
+        end
+      end
     end
 
     def x509=(value)
@@ -28,9 +38,15 @@ module SAML2
 
     # @return [OpenSSL::X509::Certificate]
     def certificate
+      return nil if x509.nil?
       @certificate ||= OpenSSL::X509::Certificate.new(Base64.decode64(x509))
     end
 
+    # @return [OpenSSL::PKey::PKey]
+    def public_key
+      key || certificate&.public_key
+    end
+
     # Formats a fingerprint as all lowercase, with a : every two characters,
     # stripping all non-hexadecimal characters.
     # @param fingerprint [String]
@@ -41,17 +57,35 @@ module SAML2
 
     # @return [String]
     def fingerprint
+      return nil unless certificate
       @fingerprint ||= self.class.format_fingerprint(Digest::SHA1.hexdigest(certificate.to_der))
     end
 
     # (see Base#build)
     def build(builder)
       builder['dsig'].KeyInfo do |key_info|
-        key_info['dsig'].X509Data do |x509_data|
-          x509_data['dsig'].X509Certificate(x509)
+        if x509
+          key_info['dsig'].X509Data do |x509_data|
+            x509_data['dsig'].X509Certificate(x509)
+          end
+        end
+        if key.is_a?(OpenSSL::PKey::RSA)
+          key_info['dsig'].KeyValue do |key_value|
+            key_value['dsig'].RSAKeyValue do |rsa_key_value|
+              rsa_key_value['dsig'].Modulus(Base64.encode64(key.n.to_s(2)))
+              rsa_key_value['dsig'].Exponent(Base64.encode64(key.e.to_s(2)))
+            end
+          end
         end
       end
     end
+
+    private
+
+    def crypto_binary_to_integer(str)
+      return nil unless str
+      OpenSSL::BN.new(Base64.decode64(str), 2)
+    end
   end
 
   class KeyDescriptor < KeyInfo
@@ -99,7 +133,7 @@ module SAML2
 
     # (see Base#from_xml)
     def from_xml(node)
-      super
+      super(node.at_xpath('dsig:KeyInfo', Namespaces::ALL))
       self.use = node['use']
       self.encryption_methods = load_object_array(node, 'md:EncryptionMethod', EncryptionMethod)
     end

data/lib/saml2/response.rb

@@ -127,14 +127,16 @@ module SAML2
         return errors
       end
 
-      certificates = idp.signing_keys.map(&:certificate)
-      if idp.fingerprints.empty? && certificates.empty?
+      certificates = idp.signing_keys.map(&:certificate).compact
+      keys = idp.signing_keys.map(&:key).compact
+      if idp.fingerprints.empty? && certificates.empty? && keys.empty?
         errors << "could not find certificate to validate message"
         return errors
       end
 
       if signed?
-        unless (signature_errors = validate_signature(fingerprint: idp.fingerprints,
+        unless (signature_errors = validate_signature(key: keys,
+                                                      fingerprint: idp.fingerprints,
                                                       cert: certificates)).empty?
           return errors.concat(signature_errors)
         end
@@ -145,7 +147,8 @@ module SAML2
 
       # this might be nil, if the assertion was encrypted
       if assertion&.signed?
-        unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
+        unless (signature_errors = assertion.validate_signature(key: keys,
+                                                                fingerprint: idp.fingerprints,
                                                                 cert: certificates)).empty?
           return errors.concat(signature_errors)
         end

data/lib/saml2/signable.rb

@@ -27,7 +27,7 @@ module SAML2
     def signing_key
       unless instance_variable_defined?(:@signing_key)
         # don't use `... if signature.at_xpath(...)` - we need to make sure we assign the nil
-        @signing_key = signature.at_xpath('dsig:KeyInfo', Namespaces::ALL) ? KeyInfo.from_xml(signature) : nil
+        @signing_key = (key_info = signature.at_xpath('dsig:KeyInfo', Namespaces::ALL)) ? KeyInfo.from_xml(key_info) : nil
       end
       @signing_key
     end
@@ -38,20 +38,21 @@ module SAML2
 
     # Validate the signature on this object.
     #
-    # At least one of +key+, +fingerprint+ or +cert+ must be provided.
+    # At least one of +key+, +fingerprint+ or +cert+ must be provided. If the signature
+    # doesn't specify which key to use, the first provided key will be used.
     #
-    # @param key optional [String, OpenSSL::PKey::PKey]
-    #   The exact public key to use. +fingerprint+ and +cert+ are ignored.
+    # @param key optional [String, OpenSSL::PKey::PKey, Array<String>, Array<OpenSSL::PKey::PKey>]
+    #   Public keys that are allowed to be the valid key.
     # @param fingerprint optional [Array<String>, String]
     #   SHA1 fingerprints of trusted certificates. If provided, they will be
     #   checked against the {#signing_key} embedded in the {#signature}, and if
-    #   a match is found, the certificate embedded in the signature will be
-    #   added to the list of certificates used for verifying the signature.
+    #   a match is found, the key embedded in the signature will be
+    #   used for verifying the signature.
     # @param cert optional [Array<String>, String]
     #   A single or array of trusted certificates. If provided, they will be
-    #   check against the {#signing_key} embedded in the {#signature}, and if
-    #   a match of public keys only is found, that key will be considered trusted
-    #   and used to verify the signature.
+    #   checked against the {#signing_key} embedded in the {#signature}, and if
+    #   a match is found, the key embedded in the signature will be used for
+    #   verifying the signature.
     # @return [Array<String>] An empty array on success, details of errors on failure.
     def validate_signature(key: nil,
                            fingerprint: nil,
@@ -67,23 +68,25 @@ module SAML2
       end
       certs = certs.uniq
 
-      trusted_keys = certs.map do |cert|
+      trusted_keys = Array.wrap(key).map(&:to_s)
+      trusted_keys.concat(certs.map do |cert|
         cert = cert.is_a?(String) ? OpenSSL::X509::Certificate.new(cert) : cert
         cert.public_key.to_s
-      end
-      if signing_key&.certificate && trusted_keys.include?(signing_key.certificate.public_key.to_s)
-        key ||= signing_key.certificate.public_key.to_s
+      end)
+
+      if trusted_keys.include?(signing_key&.public_key&.to_s)
+        verification_key = signing_key.public_key.to_s
       end
       # signature doesn't say who signed it. hope and pray it's with the only certificate
       # we know about
-      if signing_key.nil? && key.nil? && trusted_keys.length == 1
-        key = trusted_keys.first
+      if signing_key.nil?
+        verification_key = trusted_keys.first
       end
 
-      return ["no trusted signing key found"] if key.nil?
+      return ["no trusted signing key found"] if verification_key.nil?
 
       begin
-        result = signature.verify_with(key: key)
+        result = signature.verify_with(key: verification_key)
         result ? [] : ["signature is invalid"]
       rescue XMLSec::VerificationError => e
         [e.message]
@@ -96,8 +99,8 @@ module SAML2
     #
     # @param (see #validate_signature)
     # @return [Boolean]
-    def valid_signature?(fingerprint: nil, cert: nil)
-      validate_signature(fingerprint: fingerprint, cert: cert).empty?
+    def valid_signature?(**kwargs)
+      validate_signature(**kwargs).empty?
     end
 
     # Sign this object.

data/lib/saml2/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SAML2
-  VERSION = '3.0.11'
+  VERSION = '3.1.0'
 end

data/spec/fixtures/response_with_rsa_key_value.xml

@@ -0,0 +1 @@
+<Response xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_f0b41a2d2b524b8c92027ef426b3cf3b" Version="2.0" IssueInstant="2021-08-02T16:53:20Z" Destination="https://whartononline.instructure.com/login/saml" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://test.pep.siemens.knowledgeanywhere.com</Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></Status><Assertion Version="2.0" ID="_8be8f34e76e14fe3a990dcc00e60d13d" IssueInstant="2021-08-02T16:53:20Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://test.pep.siemens.knowledgeanywhere.com</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#_8be8f34e76e14fe3a990dcc00e60d13d"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>VQGa66oHsKF7zCXzob8WTCBLHUI=</DigestValue></Reference></SignedInfo><SignatureValue>S+He/m2bwH+QiGmR/eH9K71TXCQ2hC8BI5pgKWyN3gFfCfEvUYgnksXu/oE1wVxvpp2dtWPiT/8vejTJWfl4Yz8VT8gDcH9xKWhPzsHba8qCHui3U486dR1SwkwII3H0cK0Xhr/dKvco85QPAUsZTKZ+dq5HdeLu6n6aERzC/136iuw/eyCFDfFS2E3dfTHd2u+E9uUh6wI/nCpSzxMxQw9Wz9i941jdLKovuqILEVbbV33sg9VZRFNAs+D92YYiegKnnBBP2+H2fXFA2Wc5uP8yAAsrFMvHA7R1tIP7jci8vEplK/Hlkdta8KQVq4fIKsXUeYu17uNFfbSIXkL5oQ==</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>vyYuRxa/PI/r3N4lxOxL/O1OtwYexfmY3mF6mvjMr4YD762UZWNNhLZsFaWqUs3HQQwAZCg0sU65s4a+t4XANuRX1k3E1oPHBmqfLZ8spBeRfyHxc0KSah10RFfCO1LZdte2Avtpvh5RMkGkMhbWFAYQmc24u6sHvI1OVUkKmBiwss6QJAi6bttMsp0VNuW7TmmsPjxmaq5dddSryLHpVP/VbnnLu4fWOnLBMTtDY37l6ZAyqKW8PEaXWSFJSjGlA+9D76+bf5C+snk0yooARZduPny5biXtoHbC3DnPDBbCN70bvkxGNqMBiqPQrI2B7zZUXA1nDiK/iHPxl5X3ZQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature><Subject><NameID>chad@instructure.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData Recipient="https://whartononline.instructure.com/login/saml" NotOnOrAfter="2021-08-02T16:58:20Z" /></SubjectConfirmation></Subject><Conditions NotBefore="2021-08-02T16:48:20Z" NotOnOrAfter="2021-08-02T16:58:20Z"><AudienceRestriction><Audience>http://whartononline.instructure.com/saml2</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2021-08-02T16:53:20Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name="FIRST_NAME"><AttributeValue>Chad</AttributeValue></Attribute><Attribute Name="LAST_NAME"><AttributeValue>Broadhead</AttributeValue></Attribute><Attribute Name="EMAIL"><AttributeValue>chad@instructure.com</AttributeValue></Attribute><Attribute Name="UserGuid"><AttributeValue>c555db14-fc81-4836-98de-62f592f36ede</AttributeValue></Attribute></AttributeStatement></Assertion></Response>

data/spec/lib/key_spec.rb

@@ -9,5 +9,15 @@ module SAML2
         expect(KeyInfo.format_fingerprint("\u200F abcdefghijklmnop 1234567890-\n a1")).to eq("ab:cd:ef:12:34:56:78:90:a1")
       end
     end
+
+    describe '#certificate' do
+      it "doesn't asplode if the keyinfo is just an rsa key value" do
+        response = Nokogiri::XML(fixture("response_with_rsa_key_value.xml"))
+        key = KeyInfo.from_xml(response.at_xpath('//dsig:KeyInfo', Namespaces::ALL))
+        expect(key.certificate).to be_nil
+        expect(key.fingerprint).to be_nil
+        expect(key.key).not_to be_nil
+      end
+    end
   end
 end

data/spec/lib/signable_spec.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require_relative '../spec_helper'
+
+module SAML2
+  describe Signable do
+    describe '#valid_signature?' do
+      it 'can work with an explicit key from metadata' do
+        response = Response.parse(fixture("response_with_rsa_key_value.xml"))
+        key = response.assertions.first.signing_key.key
+        expect(response.assertions.first.valid_signature?(key: [key])).to eq true
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'byebug'
 require 'saml2'
 
 def fixture(name)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 3.0.11
+  version: 3.1.0
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-08 00:00:00.000000000 Z
+date: 2021-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -76,14 +76,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '11.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '11.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -197,6 +197,7 @@ files:
 - spec/fixtures/response_tampered_signature.xml
 - spec/fixtures/response_with_attribute_signed.xml
 - spec/fixtures/response_with_encrypted_assertion.xml
+- spec/fixtures/response_with_rsa_key_value.xml
 - spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
 - spec/fixtures/response_without_keyinfo.xml
 - spec/fixtures/service_provider.xml
@@ -222,6 +223,7 @@ files:
 - spec/lib/message_spec.rb
 - spec/lib/response_spec.rb
 - spec/lib/service_provider_spec.rb
+- spec/lib/signable_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/instructure/ruby-saml2
 licenses:
@@ -242,7 +244,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.24
 signing_key:
 specification_version: 4
 summary: SAML 2.0 Library
@@ -251,6 +253,7 @@ test_files:
 - spec/lib/logout_response_spec.rb
 - spec/lib/indexed_object_spec.rb
 - spec/lib/attribute_spec.rb
+- spec/lib/signable_spec.rb
 - spec/lib/entity_spec.rb
 - spec/lib/attribute_consuming_service_spec.rb
 - spec/lib/key_spec.rb
@@ -271,6 +274,7 @@ test_files:
 - spec/fixtures/xml_missigned_assertion.xml
 - spec/fixtures/certificate.pem
 - spec/fixtures/noconditions_response.xml
+- spec/fixtures/response_with_rsa_key_value.xml
 - spec/fixtures/entities.xml
 - spec/fixtures/response_assertion_signed_reffed_from_response.xml
 - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml