samlr 2.7.1.pre.2 → 2.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/samlr/signature.rb +34 -15
- data/lib/samlr/version.rb +1 -1
- metadata +17 -31
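--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 981235b1e8b9c47db48aa1ad9dd69103f68766c4e9f247980e2482f5c0130f38
+data.tar.gz: ffda22321c9f2cb8564681747e426f59dc9cd77aed0761bb71e88d5c43ac393d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3001de515250f4deb3fff83454aab102c7c72a712304206a88a398b4a5db4f0aa00fc618ae9c85964b8ccfd60cefbc7b13b2fccb50820851b8257e22943a64af
+data.tar.gz: df04ff380856705c2b15ce7bdbde71708c12d5d8ae3c518debfcd6f7042987fd7b347433bb09eb7f69f5391ac5f30feb3589756e51e34fa3b0da30d068b62700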
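--- a/data/lib/samlr/signature.rb
+++ b/data/lib/samlr/signature.rb
@@ -17,14 +17,8 @@ module Samlr
 @options = options
 @signature = nil
 
-
-if
-@signature = @document.at("#{prefix}/ds:Signature", NS_MAP)
-else
-id = @document.at("#{prefix}", NS_MAP)&.attribute('ID')
-@signature = @document.at("#{prefix}/ds:Signature/ds:SignedInfo/ds:Reference[@URI='##{id}']", NS_MAP)&.parent&.parent if id
-end
-@signature.remove if @signature # enveloped signatures only
+id = @document.at("#{prefix}", NS_MAP)&.attribute('ID')
+@signature = find_signature_for_element_id(id) if id
 
 @fingerprint = if options[:fingerprint]
 Fingerprint.from_string(options[:fingerprint])
@@ -45,17 +39,19 @@ module Samlr
 raise SignatureError.new("No signature at #{prefix}/ds:Signature") unless present?
 
 verify_fingerprint! unless options[:skip_fingerprint]
-
-
+verify_signature! # Do this first while signature is still available
+verify_digests! # This may remove enveloped signatures
 
 true
 end
 
 def references
 @references ||= [].tap do |refs|
-
+refs_xpath = @signature.xpath("./ds:SignedInfo/ds:Reference[@URI]", NS_MAP)
+refs_xpath.each do |ref|
 refs << Samlr::Reference.new(ref)
 end
+
 end
 end
 
@@ -72,6 +68,18 @@ module Samlr
 
 # Tests that the document content has not been edited
 def verify_digests!
+# Check if we need to remove an enveloped signature
+if @signature && !@signature_removed
+signed_element = @document.at("#{prefix}", NS_MAP)
+is_enveloped = signed_element&.xpath(".//ds:Signature", NS_MAP)&.include?(@signature)
+
+# Remove enveloped signature for digest verification
+if is_enveloped
+@signature.remove
+@signature_removed = true
+end
+end
+
 references.each do |reference|
 node = referenced_node(reference.uri)
 canoned = node.canonicalize(C14N, reference.namespaces)
@@ -85,11 +93,14 @@ module Samlr
 
 # Tests correctness of the signature (and hence digests)
 def verify_signature!
-
-
+# Cache the canonicalized SignedInfo to avoid DOM issues with multiple verifications
+unless @canonicalized_signed_info
+node = @signature.at("./ds:SignedInfo", NS_MAP)
+@canonicalized_signed_info = node.canonicalize(C14N)
+end
 
-unless x509.public_key.verify(signature_method.new, decoded_signature_value,
-raise SignatureError.new("Signature validation error: Possible canonicalization mismatch", "This canonicalizer returns #{
+unless x509.public_key.verify(signature_method.new, decoded_signature_value, @canonicalized_signed_info)
+raise SignatureError.new("Signature validation error: Possible canonicalization mismatch", "This canonicalizer returns #{@canonicalized_signed_info}")
 end
 end
 
@@ -135,5 +146,13 @@ module Samlr
 def certificate_node
 signature.at("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS_MAP)
 end
+
+def find_signature_for_element_id(element_id)
+return nil unless element_id
+
+return @document.at_xpath("//ds:Signature[ds:SignedInfo/ds:Reference[@URI='##{element_id}']]", NS_MAP)
+
+end
+
 end
 end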
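Review bot: `find_signature_for_element_id` selects with `//ds:Signature[...]`, which matches a Signature anywhere in the document, whereas the removed code only looked under `#{prefix}/ds:Signature`; because the new `verify_digests!` only removes the signature when it is enveloped and otherwise carries on, a Signature that is not a descendant of the signed element would still be accepted as that element's signature. Scoping the query to the signed element, `@document.at_xpath("#{prefix}/ds:Signature[ds:SignedInfo/ds:Reference[@URI='##{element_id}']]", NS_MAP)`, keeps the containment guarantee the old lookup had. `element_id` is also interpolated into the XPath string literal unescaped; it is read from the document's own `ID` attribute, so a value containing `'` at least breaks the query, and checking it against the NCName shape before interpolation would make that failure explicit instead of an XPath syntax error. The enclosing class continues outside these hunks, so whether `prefix` is already anchored to the document root is not visible here.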
data/lib/samlr/version.rb
metadata
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: samlr
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.7.1
|
|
4
|
+
version: 2.7.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Morten Primdahl
|
|
@@ -10,41 +10,27 @@ cert_chain: []
|
|
|
10
10
|
date: 1980-01-02 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
|
-
name:
|
|
13
|
+
name: base64
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
15
15
|
requirements:
|
|
16
16
|
- - ">="
|
|
17
17
|
- !ruby/object:Gem::Version
|
|
18
|
-
version:
|
|
19
|
-
type: :runtime
|
|
20
|
-
prerelease: false
|
|
21
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
22
|
-
requirements:
|
|
23
|
-
- - ">="
|
|
24
|
-
- !ruby/object:Gem::Version
|
|
25
|
-
version: 1.5.5
|
|
26
|
-
- !ruby/object:Gem::Dependency
|
|
27
|
-
name: uuidtools
|
|
28
|
-
requirement: !ruby/object:Gem::Requirement
|
|
29
|
-
requirements:
|
|
30
|
-
- - ">="
|
|
31
|
-
- !ruby/object:Gem::Version
|
|
32
|
-
version: 2.1.3
|
|
18
|
+
version: '0'
|
|
33
19
|
type: :runtime
|
|
34
20
|
prerelease: false
|
|
35
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
36
22
|
requirements:
|
|
37
23
|
- - ">="
|
|
38
24
|
- !ruby/object:Gem::Version
|
|
39
|
-
version:
|
|
25
|
+
version: '0'
|
|
40
26
|
- !ruby/object:Gem::Dependency
|
|
41
|
-
name:
|
|
27
|
+
name: cgi
|
|
42
28
|
requirement: !ruby/object:Gem::Requirement
|
|
43
29
|
requirements:
|
|
44
30
|
- - ">="
|
|
45
31
|
- !ruby/object:Gem::Version
|
|
46
32
|
version: '0'
|
|
47
|
-
type: :
|
|
33
|
+
type: :runtime
|
|
48
34
|
prerelease: false
|
|
49
35
|
version_requirements: !ruby/object:Gem::Requirement
|
|
50
36
|
requirements:
|
|
@@ -52,13 +38,13 @@ dependencies:
|
|
|
52
38
|
- !ruby/object:Gem::Version
|
|
53
39
|
version: '0'
|
|
54
40
|
- !ruby/object:Gem::Dependency
|
|
55
|
-
name:
|
|
41
|
+
name: logger
|
|
56
42
|
requirement: !ruby/object:Gem::Requirement
|
|
57
43
|
requirements:
|
|
58
44
|
- - ">="
|
|
59
45
|
- !ruby/object:Gem::Version
|
|
60
46
|
version: '0'
|
|
61
|
-
type: :
|
|
47
|
+
type: :runtime
|
|
62
48
|
prerelease: false
|
|
63
49
|
version_requirements: !ruby/object:Gem::Requirement
|
|
64
50
|
requirements:
|
|
@@ -66,33 +52,33 @@ dependencies:
|
|
|
66
52
|
- !ruby/object:Gem::Version
|
|
67
53
|
version: '0'
|
|
68
54
|
- !ruby/object:Gem::Dependency
|
|
69
|
-
name:
|
|
55
|
+
name: nokogiri
|
|
70
56
|
requirement: !ruby/object:Gem::Requirement
|
|
71
57
|
requirements:
|
|
72
58
|
- - ">="
|
|
73
59
|
- !ruby/object:Gem::Version
|
|
74
|
-
version:
|
|
75
|
-
type: :
|
|
60
|
+
version: 1.5.5
|
|
61
|
+
type: :runtime
|
|
76
62
|
prerelease: false
|
|
77
63
|
version_requirements: !ruby/object:Gem::Requirement
|
|
78
64
|
requirements:
|
|
79
65
|
- - ">="
|
|
80
66
|
- !ruby/object:Gem::Version
|
|
81
|
-
version:
|
|
67
|
+
version: 1.5.5
|
|
82
68
|
- !ruby/object:Gem::Dependency
|
|
83
|
-
name:
|
|
69
|
+
name: uuidtools
|
|
84
70
|
requirement: !ruby/object:Gem::Requirement
|
|
85
71
|
requirements:
|
|
86
72
|
- - ">="
|
|
87
73
|
- !ruby/object:Gem::Version
|
|
88
|
-
version:
|
|
89
|
-
type: :
|
|
74
|
+
version: 2.1.3
|
|
75
|
+
type: :runtime
|
|
90
76
|
prerelease: false
|
|
91
77
|
version_requirements: !ruby/object:Gem::Requirement
|
|
92
78
|
requirements:
|
|
93
79
|
- - ">="
|
|
94
80
|
- !ruby/object:Gem::Version
|
|
95
|
-
version:
|
|
81
|
+
version: 2.1.3
|
|
96
82
|
description: Helps you implement a SAML SP
|
|
97
83
|
email: primdahl@me.com
|
|
98
84
|
executables:
|
|
@@ -145,7 +131,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
145
131
|
requirements:
|
|
146
132
|
- - ">="
|
|
147
133
|
- !ruby/object:Gem::Version
|
|
148
|
-
version: '2
|
|
134
|
+
version: '3.2'
|
|
149
135
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
150
136
|
requirements:
|
|
151
137
|
- - ">="
|