samlsso 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +50 -0
- data/CODE_OF_CONDUCT.md +49 -0
- data/Gemfile +4 -0
- data/LICENSE +21 -0
- data/README.md +36 -0
- data/Rakefile +2 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/lib/samlsso.rb +16 -0
- data/lib/samlsso/attribute_service.rb +32 -0
- data/lib/samlsso/attributes.rb +107 -0
- data/lib/samlsso/authrequest.rb +124 -0
- data/lib/samlsso/idp_metadata_parser.rb +85 -0
- data/lib/samlsso/logging.rb +20 -0
- data/lib/samlsso/logoutrequest.rb +100 -0
- data/lib/samlsso/logoutresponse.rb +110 -0
- data/lib/samlsso/metadata.rb +94 -0
- data/lib/samlsso/response.rb +271 -0
- data/lib/samlsso/saml_message.rb +117 -0
- data/lib/samlsso/settings.rb +115 -0
- data/lib/samlsso/slo_logoutrequest.rb +64 -0
- data/lib/samlsso/slo_logoutresponse.rb +99 -0
- data/lib/samlsso/utils.rb +42 -0
- data/lib/samlsso/validation_error.rb +5 -0
- data/lib/samlsso/version.rb +3 -0
- data/lib/schemas/saml-schema-assertion-2.0.xsd +283 -0
- data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
- data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
- data/lib/schemas/saml-schema-metadata-2.0.xsd +339 -0
- data/lib/schemas/saml-schema-protocol-2.0.xsd +302 -0
- data/lib/schemas/sstc-metadata-attr.xsd +35 -0
- data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
- data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
- data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
- data/lib/schemas/xenc-schema.xsd +136 -0
- data/lib/schemas/xml.xsd +287 -0
- data/lib/schemas/xmldsig-core-schema.xsd +309 -0
- data/lib/xml_security.rb +276 -0
- data/samlsso.gemspec +44 -0
- metadata +168 -0
@@ -0,0 +1,309 @@
|
|
1
|
+
<?xml version="1.0" encoding="utf-8"?>
|
2
|
+
|
3
|
+
<!-- Schema for XML Signatures
|
4
|
+
http://www.w3.org/2000/09/xmldsig#
|
5
|
+
$Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $
|
6
|
+
|
7
|
+
Copyright 2001 The Internet Society and W3C (Massachusetts Institute
|
8
|
+
of Technology, Institut National de Recherche en Informatique et en
|
9
|
+
Automatique, Keio University). All Rights Reserved.
|
10
|
+
http://www.w3.org/Consortium/Legal/
|
11
|
+
|
12
|
+
This document is governed by the W3C Software License [1] as described
|
13
|
+
in the FAQ [2].
|
14
|
+
|
15
|
+
[1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
|
16
|
+
[2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
|
17
|
+
-->
|
18
|
+
|
19
|
+
|
20
|
+
<schema xmlns="http://www.w3.org/2001/XMLSchema"
|
21
|
+
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
|
22
|
+
targetNamespace="http://www.w3.org/2000/09/xmldsig#"
|
23
|
+
version="0.1" elementFormDefault="qualified">
|
24
|
+
|
25
|
+
<!-- Basic Types Defined for Signatures -->
|
26
|
+
|
27
|
+
<simpleType name="CryptoBinary">
|
28
|
+
<restriction base="base64Binary">
|
29
|
+
</restriction>
|
30
|
+
</simpleType>
|
31
|
+
|
32
|
+
<!-- Start Signature -->
|
33
|
+
|
34
|
+
<element name="Signature" type="ds:SignatureType"/>
|
35
|
+
<complexType name="SignatureType">
|
36
|
+
<sequence>
|
37
|
+
<element ref="ds:SignedInfo"/>
|
38
|
+
<element ref="ds:SignatureValue"/>
|
39
|
+
<element ref="ds:KeyInfo" minOccurs="0"/>
|
40
|
+
<element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
|
41
|
+
</sequence>
|
42
|
+
<attribute name="Id" type="ID" use="optional"/>
|
43
|
+
</complexType>
|
44
|
+
|
45
|
+
<element name="SignatureValue" type="ds:SignatureValueType"/>
|
46
|
+
<complexType name="SignatureValueType">
|
47
|
+
<simpleContent>
|
48
|
+
<extension base="base64Binary">
|
49
|
+
<attribute name="Id" type="ID" use="optional"/>
|
50
|
+
</extension>
|
51
|
+
</simpleContent>
|
52
|
+
</complexType>
|
53
|
+
|
54
|
+
<!-- Start SignedInfo -->
|
55
|
+
|
56
|
+
<element name="SignedInfo" type="ds:SignedInfoType"/>
|
57
|
+
<complexType name="SignedInfoType">
|
58
|
+
<sequence>
|
59
|
+
<element ref="ds:CanonicalizationMethod"/>
|
60
|
+
<element ref="ds:SignatureMethod"/>
|
61
|
+
<element ref="ds:Reference" maxOccurs="unbounded"/>
|
62
|
+
</sequence>
|
63
|
+
<attribute name="Id" type="ID" use="optional"/>
|
64
|
+
</complexType>
|
65
|
+
|
66
|
+
<element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
|
67
|
+
<complexType name="CanonicalizationMethodType" mixed="true">
|
68
|
+
<sequence>
|
69
|
+
<any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
|
70
|
+
<!-- (0,unbounded) elements from (1,1) namespace -->
|
71
|
+
</sequence>
|
72
|
+
<attribute name="Algorithm" type="anyURI" use="required"/>
|
73
|
+
</complexType>
|
74
|
+
|
75
|
+
<element name="SignatureMethod" type="ds:SignatureMethodType"/>
|
76
|
+
<complexType name="SignatureMethodType" mixed="true">
|
77
|
+
<sequence>
|
78
|
+
<element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/>
|
79
|
+
<any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
|
80
|
+
<!-- (0,unbounded) elements from (1,1) external namespace -->
|
81
|
+
</sequence>
|
82
|
+
<attribute name="Algorithm" type="anyURI" use="required"/>
|
83
|
+
</complexType>
|
84
|
+
|
85
|
+
<!-- Start Reference -->
|
86
|
+
|
87
|
+
<element name="Reference" type="ds:ReferenceType"/>
|
88
|
+
<complexType name="ReferenceType">
|
89
|
+
<sequence>
|
90
|
+
<element ref="ds:Transforms" minOccurs="0"/>
|
91
|
+
<element ref="ds:DigestMethod"/>
|
92
|
+
<element ref="ds:DigestValue"/>
|
93
|
+
</sequence>
|
94
|
+
<attribute name="Id" type="ID" use="optional"/>
|
95
|
+
<attribute name="URI" type="anyURI" use="optional"/>
|
96
|
+
<attribute name="Type" type="anyURI" use="optional"/>
|
97
|
+
</complexType>
|
98
|
+
|
99
|
+
<element name="Transforms" type="ds:TransformsType"/>
|
100
|
+
<complexType name="TransformsType">
|
101
|
+
<sequence>
|
102
|
+
<element ref="ds:Transform" maxOccurs="unbounded"/>
|
103
|
+
</sequence>
|
104
|
+
</complexType>
|
105
|
+
|
106
|
+
<element name="Transform" type="ds:TransformType"/>
|
107
|
+
<complexType name="TransformType" mixed="true">
|
108
|
+
<choice minOccurs="0" maxOccurs="unbounded">
|
109
|
+
<any namespace="##other" processContents="lax"/>
|
110
|
+
<!-- (1,1) elements from (0,unbounded) namespaces -->
|
111
|
+
<element name="XPath" type="string"/>
|
112
|
+
</choice>
|
113
|
+
<attribute name="Algorithm" type="anyURI" use="required"/>
|
114
|
+
</complexType>
|
115
|
+
|
116
|
+
<!-- End Reference -->
|
117
|
+
|
118
|
+
<element name="DigestMethod" type="ds:DigestMethodType"/>
|
119
|
+
<complexType name="DigestMethodType" mixed="true">
|
120
|
+
<sequence>
|
121
|
+
<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
|
122
|
+
</sequence>
|
123
|
+
<attribute name="Algorithm" type="anyURI" use="required"/>
|
124
|
+
</complexType>
|
125
|
+
|
126
|
+
<element name="DigestValue" type="ds:DigestValueType"/>
|
127
|
+
<simpleType name="DigestValueType">
|
128
|
+
<restriction base="base64Binary"/>
|
129
|
+
</simpleType>
|
130
|
+
|
131
|
+
<!-- End SignedInfo -->
|
132
|
+
|
133
|
+
<!-- Start KeyInfo -->
|
134
|
+
|
135
|
+
<element name="KeyInfo" type="ds:KeyInfoType"/>
|
136
|
+
<complexType name="KeyInfoType" mixed="true">
|
137
|
+
<choice maxOccurs="unbounded">
|
138
|
+
<element ref="ds:KeyName"/>
|
139
|
+
<element ref="ds:KeyValue"/>
|
140
|
+
<element ref="ds:RetrievalMethod"/>
|
141
|
+
<element ref="ds:X509Data"/>
|
142
|
+
<element ref="ds:PGPData"/>
|
143
|
+
<element ref="ds:SPKIData"/>
|
144
|
+
<element ref="ds:MgmtData"/>
|
145
|
+
<any processContents="lax" namespace="##other"/>
|
146
|
+
<!-- (1,1) elements from (0,unbounded) namespaces -->
|
147
|
+
</choice>
|
148
|
+
<attribute name="Id" type="ID" use="optional"/>
|
149
|
+
</complexType>
|
150
|
+
|
151
|
+
<element name="KeyName" type="string"/>
|
152
|
+
<element name="MgmtData" type="string"/>
|
153
|
+
|
154
|
+
<element name="KeyValue" type="ds:KeyValueType"/>
|
155
|
+
<complexType name="KeyValueType" mixed="true">
|
156
|
+
<choice>
|
157
|
+
<element ref="ds:DSAKeyValue"/>
|
158
|
+
<element ref="ds:RSAKeyValue"/>
|
159
|
+
<any namespace="##other" processContents="lax"/>
|
160
|
+
</choice>
|
161
|
+
</complexType>
|
162
|
+
|
163
|
+
<element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
|
164
|
+
<complexType name="RetrievalMethodType">
|
165
|
+
<sequence>
|
166
|
+
<element ref="ds:Transforms" minOccurs="0"/>
|
167
|
+
</sequence>
|
168
|
+
<attribute name="URI" type="anyURI"/>
|
169
|
+
<attribute name="Type" type="anyURI" use="optional"/>
|
170
|
+
</complexType>
|
171
|
+
|
172
|
+
<!-- Start X509Data -->
|
173
|
+
|
174
|
+
<element name="X509Data" type="ds:X509DataType"/>
|
175
|
+
<complexType name="X509DataType">
|
176
|
+
<sequence maxOccurs="unbounded">
|
177
|
+
<choice>
|
178
|
+
<element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
|
179
|
+
<element name="X509SKI" type="base64Binary"/>
|
180
|
+
<element name="X509SubjectName" type="string"/>
|
181
|
+
<element name="X509Certificate" type="base64Binary"/>
|
182
|
+
<element name="X509CRL" type="base64Binary"/>
|
183
|
+
<any namespace="##other" processContents="lax"/>
|
184
|
+
</choice>
|
185
|
+
</sequence>
|
186
|
+
</complexType>
|
187
|
+
|
188
|
+
<complexType name="X509IssuerSerialType">
|
189
|
+
<sequence>
|
190
|
+
<element name="X509IssuerName" type="string"/>
|
191
|
+
<element name="X509SerialNumber" type="integer"/>
|
192
|
+
</sequence>
|
193
|
+
</complexType>
|
194
|
+
|
195
|
+
<!-- End X509Data -->
|
196
|
+
|
197
|
+
<!-- Begin PGPData -->
|
198
|
+
|
199
|
+
<element name="PGPData" type="ds:PGPDataType"/>
|
200
|
+
<complexType name="PGPDataType">
|
201
|
+
<choice>
|
202
|
+
<sequence>
|
203
|
+
<element name="PGPKeyID" type="base64Binary"/>
|
204
|
+
<element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/>
|
205
|
+
<any namespace="##other" processContents="lax" minOccurs="0"
|
206
|
+
maxOccurs="unbounded"/>
|
207
|
+
</sequence>
|
208
|
+
<sequence>
|
209
|
+
<element name="PGPKeyPacket" type="base64Binary"/>
|
210
|
+
<any namespace="##other" processContents="lax" minOccurs="0"
|
211
|
+
maxOccurs="unbounded"/>
|
212
|
+
</sequence>
|
213
|
+
</choice>
|
214
|
+
</complexType>
|
215
|
+
|
216
|
+
<!-- End PGPData -->
|
217
|
+
|
218
|
+
<!-- Begin SPKIData -->
|
219
|
+
|
220
|
+
<element name="SPKIData" type="ds:SPKIDataType"/>
|
221
|
+
<complexType name="SPKIDataType">
|
222
|
+
<sequence maxOccurs="unbounded">
|
223
|
+
<element name="SPKISexp" type="base64Binary"/>
|
224
|
+
<any namespace="##other" processContents="lax" minOccurs="0"/>
|
225
|
+
</sequence>
|
226
|
+
</complexType>
|
227
|
+
|
228
|
+
<!-- End SPKIData -->
|
229
|
+
|
230
|
+
<!-- End KeyInfo -->
|
231
|
+
|
232
|
+
<!-- Start Object (Manifest, SignatureProperty) -->
|
233
|
+
|
234
|
+
<element name="Object" type="ds:ObjectType"/>
|
235
|
+
<complexType name="ObjectType" mixed="true">
|
236
|
+
<sequence minOccurs="0" maxOccurs="unbounded">
|
237
|
+
<any namespace="##any" processContents="lax"/>
|
238
|
+
</sequence>
|
239
|
+
<attribute name="Id" type="ID" use="optional"/>
|
240
|
+
<attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet -->
|
241
|
+
<attribute name="Encoding" type="anyURI" use="optional"/>
|
242
|
+
</complexType>
|
243
|
+
|
244
|
+
<element name="Manifest" type="ds:ManifestType"/>
|
245
|
+
<complexType name="ManifestType">
|
246
|
+
<sequence>
|
247
|
+
<element ref="ds:Reference" maxOccurs="unbounded"/>
|
248
|
+
</sequence>
|
249
|
+
<attribute name="Id" type="ID" use="optional"/>
|
250
|
+
</complexType>
|
251
|
+
|
252
|
+
<element name="SignatureProperties" type="ds:SignaturePropertiesType"/>
|
253
|
+
<complexType name="SignaturePropertiesType">
|
254
|
+
<sequence>
|
255
|
+
<element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
|
256
|
+
</sequence>
|
257
|
+
<attribute name="Id" type="ID" use="optional"/>
|
258
|
+
</complexType>
|
259
|
+
|
260
|
+
<element name="SignatureProperty" type="ds:SignaturePropertyType"/>
|
261
|
+
<complexType name="SignaturePropertyType" mixed="true">
|
262
|
+
<choice maxOccurs="unbounded">
|
263
|
+
<any namespace="##other" processContents="lax"/>
|
264
|
+
<!-- (1,1) elements from (1,unbounded) namespaces -->
|
265
|
+
</choice>
|
266
|
+
<attribute name="Target" type="anyURI" use="required"/>
|
267
|
+
<attribute name="Id" type="ID" use="optional"/>
|
268
|
+
</complexType>
|
269
|
+
|
270
|
+
<!-- End Object (Manifest, SignatureProperty) -->
|
271
|
+
|
272
|
+
<!-- Start Algorithm Parameters -->
|
273
|
+
|
274
|
+
<simpleType name="HMACOutputLengthType">
|
275
|
+
<restriction base="integer"/>
|
276
|
+
</simpleType>
|
277
|
+
|
278
|
+
<!-- Start KeyValue Element-types -->
|
279
|
+
|
280
|
+
<element name="DSAKeyValue" type="ds:DSAKeyValueType"/>
|
281
|
+
<complexType name="DSAKeyValueType">
|
282
|
+
<sequence>
|
283
|
+
<sequence minOccurs="0">
|
284
|
+
<element name="P" type="ds:CryptoBinary"/>
|
285
|
+
<element name="Q" type="ds:CryptoBinary"/>
|
286
|
+
</sequence>
|
287
|
+
<element name="G" type="ds:CryptoBinary" minOccurs="0"/>
|
288
|
+
<element name="Y" type="ds:CryptoBinary"/>
|
289
|
+
<element name="J" type="ds:CryptoBinary" minOccurs="0"/>
|
290
|
+
<sequence minOccurs="0">
|
291
|
+
<element name="Seed" type="ds:CryptoBinary"/>
|
292
|
+
<element name="PgenCounter" type="ds:CryptoBinary"/>
|
293
|
+
</sequence>
|
294
|
+
</sequence>
|
295
|
+
</complexType>
|
296
|
+
|
297
|
+
<element name="RSAKeyValue" type="ds:RSAKeyValueType"/>
|
298
|
+
<complexType name="RSAKeyValueType">
|
299
|
+
<sequence>
|
300
|
+
<element name="Modulus" type="ds:CryptoBinary"/>
|
301
|
+
<element name="Exponent" type="ds:CryptoBinary"/>
|
302
|
+
</sequence>
|
303
|
+
</complexType>
|
304
|
+
|
305
|
+
<!-- End KeyValue Element-types -->
|
306
|
+
|
307
|
+
<!-- End Signature -->
|
308
|
+
|
309
|
+
</schema>
|
data/lib/xml_security.rb
ADDED
@@ -0,0 +1,276 @@
|
|
1
|
+
# The contents of this file are subject to the terms
|
2
|
+
# of the Common Development and Distribution License
|
3
|
+
# (the License). You may not use this file except in
|
4
|
+
# compliance with the License.
|
5
|
+
#
|
6
|
+
# You can obtain a copy of the License at
|
7
|
+
# https://opensso.dev.java.net/public/CDDLv1.0.html or
|
8
|
+
# opensso/legal/CDDLv1.0.txt
|
9
|
+
# See the License for the specific language governing
|
10
|
+
# permission and limitations under the License.
|
11
|
+
#
|
12
|
+
# When distributing Covered Code, include this CDDL
|
13
|
+
# Header Notice in each file and include the License file
|
14
|
+
# at opensso/legal/CDDLv1.0.txt.
|
15
|
+
# If applicable, add the following below the CDDL Header,
|
16
|
+
# with the fields enclosed by brackets [] replaced by
|
17
|
+
# your own identifying information:
|
18
|
+
# "Portions Copyrighted [year] [name of copyright owner]"
|
19
|
+
#
|
20
|
+
# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
|
21
|
+
#
|
22
|
+
# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
|
23
|
+
# Portions Copyrighted 2007 Todd W Saxton.
|
24
|
+
|
25
|
+
require 'rubygems'
|
26
|
+
require "rexml/document"
|
27
|
+
require "rexml/xpath"
|
28
|
+
require "openssl"
|
29
|
+
require 'nokogiri'
|
30
|
+
require "digest/sha1"
|
31
|
+
require "digest/sha2"
|
32
|
+
require "samlsso/validation_error"
|
33
|
+
|
34
|
+
module XMLSecurity
|
35
|
+
|
36
|
+
class BaseDocument < REXML::Document
|
37
|
+
|
38
|
+
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
|
39
|
+
DSIG = "http://www.w3.org/2000/09/xmldsig#"
|
40
|
+
|
41
|
+
def canon_algorithm(element)
|
42
|
+
algorithm = element
|
43
|
+
if algorithm.is_a?(REXML::Element)
|
44
|
+
algorithm = element.attribute('Algorithm').value
|
45
|
+
end
|
46
|
+
|
47
|
+
case algorithm
|
48
|
+
when "http://www.w3.org/2001/10/xml-exc-c14n#" then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
|
49
|
+
when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
|
50
|
+
when "http://www.w3.org/2006/12/xml-c14n11" then Nokogiri::XML::XML_C14N_1_1
|
51
|
+
else Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
|
52
|
+
end
|
53
|
+
end
|
54
|
+
|
55
|
+
def algorithm(element)
|
56
|
+
algorithm = element
|
57
|
+
if algorithm.is_a?(REXML::Element)
|
58
|
+
algorithm = element.attribute("Algorithm").value
|
59
|
+
algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
|
60
|
+
end
|
61
|
+
|
62
|
+
case algorithm
|
63
|
+
when 256 then OpenSSL::Digest::SHA256
|
64
|
+
when 384 then OpenSSL::Digest::SHA384
|
65
|
+
when 512 then OpenSSL::Digest::SHA512
|
66
|
+
else
|
67
|
+
OpenSSL::Digest::SHA1
|
68
|
+
end
|
69
|
+
end
|
70
|
+
|
71
|
+
end
|
72
|
+
|
73
|
+
class Document < BaseDocument
|
74
|
+
SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
|
75
|
+
SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
|
76
|
+
SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
|
77
|
+
SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
|
78
|
+
ENVELOPED_SIG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
|
79
|
+
INC_PREFIX_LIST = "#default samlp saml ds xs xsi"
|
80
|
+
|
81
|
+
attr_accessor :uuid
|
82
|
+
|
83
|
+
#<Signature>
|
84
|
+
#<SignedInfo>
|
85
|
+
#<CanonicalizationMethod />
|
86
|
+
#<SignatureMethod />
|
87
|
+
#<Reference>
|
88
|
+
#<Transforms>
|
89
|
+
#<DigestMethod>
|
90
|
+
#<DigestValue>
|
91
|
+
#</Reference>
|
92
|
+
#<Reference /> etc.
|
93
|
+
#</SignedInfo>
|
94
|
+
#<SignatureValue />
|
95
|
+
#<KeyInfo />
|
96
|
+
#<Object />
|
97
|
+
#</Signature>
|
98
|
+
def sign_document(private_key, certificate, signature_method = SHA1, digest_method = SHA1)
|
99
|
+
noko = Nokogiri.parse(self.to_s)
|
100
|
+
canon_doc = noko.canonicalize(canon_algorithm(C14N))
|
101
|
+
|
102
|
+
signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
|
103
|
+
signed_info_element = signature_element.add_element("ds:SignedInfo")
|
104
|
+
signed_info_element.add_element("ds:CanonicalizationMethod", {"Algorithm" => C14N})
|
105
|
+
signed_info_element.add_element("ds:SignatureMethod", {"Algorithm"=>signature_method})
|
106
|
+
|
107
|
+
# Add Reference
|
108
|
+
reference_element = signed_info_element.add_element("ds:Reference", {"URI" => "##{uuid}"})
|
109
|
+
|
110
|
+
# Add Transforms
|
111
|
+
transforms_element = reference_element.add_element("ds:Transforms")
|
112
|
+
transforms_element.add_element("ds:Transform", {"Algorithm" => ENVELOPED_SIG})
|
113
|
+
transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
|
114
|
+
transforms_element.add_element("ds:InclusiveNamespaces", {"xmlns" => C14N, "PrefixList" => INC_PREFIX_LIST})
|
115
|
+
|
116
|
+
digest_method_element = reference_element.add_element("ds:DigestMethod", {"Algorithm" => digest_method})
|
117
|
+
reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
|
118
|
+
|
119
|
+
# add SignatureValue
|
120
|
+
noko_sig_element = Nokogiri.parse(signature_element.to_s)
|
121
|
+
noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
|
122
|
+
canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
|
123
|
+
signature = compute_signature(private_key, algorithm(signature_method).new, canon_string)
|
124
|
+
signature_element.add_element("ds:SignatureValue").text = signature
|
125
|
+
|
126
|
+
# add KeyInfo
|
127
|
+
key_info_element = signature_element.add_element("ds:KeyInfo")
|
128
|
+
x509_element = key_info_element.add_element("ds:X509Data")
|
129
|
+
x509_cert_element = x509_element.add_element("ds:X509Certificate")
|
130
|
+
if certificate.is_a?(String)
|
131
|
+
certificate = OpenSSL::X509::Certificate.new(certificate)
|
132
|
+
end
|
133
|
+
x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
|
134
|
+
|
135
|
+
# add the signature
|
136
|
+
issuer_element = self.elements["//saml:Issuer"]
|
137
|
+
if issuer_element
|
138
|
+
self.root.insert_after issuer_element, signature_element
|
139
|
+
else
|
140
|
+
self.root.add_element(signature_element)
|
141
|
+
end
|
142
|
+
end
|
143
|
+
|
144
|
+
protected
|
145
|
+
|
146
|
+
def compute_signature(private_key, signature_algorithm, document)
|
147
|
+
Base64.encode64(private_key.sign(signature_algorithm, document)).gsub(/\n/, "")
|
148
|
+
end
|
149
|
+
|
150
|
+
def compute_digest(document, digest_algorithm)
|
151
|
+
digest = digest_algorithm.digest(document)
|
152
|
+
Base64.encode64(digest).strip!
|
153
|
+
end
|
154
|
+
|
155
|
+
end
|
156
|
+
|
157
|
+
class SignedDocument < BaseDocument
|
158
|
+
|
159
|
+
attr_accessor :signed_element_id
|
160
|
+
attr_accessor :errors
|
161
|
+
|
162
|
+
def initialize(response, errors = [])
|
163
|
+
super(response)
|
164
|
+
@errors = errors
|
165
|
+
extract_signed_element_id
|
166
|
+
end
|
167
|
+
|
168
|
+
def validate_document(idp_cert_fingerprint, soft = true)
|
169
|
+
# get cert from response
|
170
|
+
cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
|
171
|
+
unless cert_element
|
172
|
+
if soft
|
173
|
+
return true # temp if no x509Ceritificate then whitelist this.
|
174
|
+
else
|
175
|
+
raise Samlsso::ValidationError.new("Certificate element missing in response (ds:X509Certificate)")
|
176
|
+
end
|
177
|
+
end
|
178
|
+
base64_cert = cert_element.text
|
179
|
+
cert_text = Base64.decode64(base64_cert)
|
180
|
+
cert = OpenSSL::X509::Certificate.new(cert_text)
|
181
|
+
|
182
|
+
# check cert matches registered idp cert
|
183
|
+
fingerprint = Digest::SHA1.hexdigest(cert.to_der)
|
184
|
+
|
185
|
+
if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
|
186
|
+
@errors << "Fingerprint mismatch"
|
187
|
+
return soft ? false : (raise Samlsso::ValidationError.new("Fingerprint mismatch"))
|
188
|
+
end
|
189
|
+
|
190
|
+
validate_signature(base64_cert, soft)
|
191
|
+
end
|
192
|
+
|
193
|
+
def validate_signature(base64_cert, soft = true)
|
194
|
+
# validate references
|
195
|
+
|
196
|
+
# check for inclusive namespaces
|
197
|
+
inclusive_namespaces = extract_inclusive_namespaces
|
198
|
+
|
199
|
+
document = Nokogiri.parse(self.to_s)
|
200
|
+
|
201
|
+
# create a working copy so we don't modify the original
|
202
|
+
@working_copy ||= REXML::Document.new(self.to_s).root
|
203
|
+
|
204
|
+
# store and remove signature node
|
205
|
+
@sig_element ||= begin
|
206
|
+
element = REXML::XPath.first(@working_copy, "//ds:Signature", {"ds"=>DSIG})
|
207
|
+
element.remove
|
208
|
+
end
|
209
|
+
|
210
|
+
# verify signature
|
211
|
+
signed_info_element = REXML::XPath.first(@sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
|
212
|
+
noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
|
213
|
+
noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
|
214
|
+
canon_algorithm = canon_algorithm REXML::XPath.first(@sig_element, '//ds:CanonicalizationMethod', 'ds' => DSIG)
|
215
|
+
canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
|
216
|
+
noko_sig_element.remove
|
217
|
+
|
218
|
+
# check digests
|
219
|
+
REXML::XPath.each(@sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
|
220
|
+
uri = ref.attributes.get_attribute("URI").value
|
221
|
+
|
222
|
+
hashed_element = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
|
223
|
+
canon_algorithm = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
|
224
|
+
canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
|
225
|
+
|
226
|
+
digest_algorithm = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", 'ds' => DSIG))
|
227
|
+
|
228
|
+
hash = digest_algorithm.digest(canon_hashed_element)
|
229
|
+
digest_value = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
|
230
|
+
|
231
|
+
unless digests_match?(hash, digest_value)
|
232
|
+
@errors << "Digest mismatch"
|
233
|
+
return soft ? false : (raise Samlsso::ValidationError.new("Digest mismatch"))
|
234
|
+
end
|
235
|
+
end
|
236
|
+
|
237
|
+
base64_signature = REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
|
238
|
+
signature = Base64.decode64(base64_signature)
|
239
|
+
|
240
|
+
# get certificate object
|
241
|
+
cert_text = Base64.decode64(base64_cert)
|
242
|
+
cert = OpenSSL::X509::Certificate.new(cert_text)
|
243
|
+
|
244
|
+
# signature method
|
245
|
+
signature_algorithm = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
|
246
|
+
|
247
|
+
unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
|
248
|
+
@errors << "Key validation error"
|
249
|
+
return soft ? false : (raise Samlsso::ValidationError.new("Key validation error"))
|
250
|
+
end
|
251
|
+
|
252
|
+
return true
|
253
|
+
end
|
254
|
+
|
255
|
+
private
|
256
|
+
|
257
|
+
def digests_match?(hash, digest_value)
|
258
|
+
hash == digest_value
|
259
|
+
end
|
260
|
+
|
261
|
+
def extract_signed_element_id
|
262
|
+
reference_element = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
|
263
|
+
self.signed_element_id = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
|
264
|
+
end
|
265
|
+
|
266
|
+
def extract_inclusive_namespaces
|
267
|
+
if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
|
268
|
+
prefix_list = element.attributes.get_attribute("PrefixList").value
|
269
|
+
prefix_list.split(" ")
|
270
|
+
else
|
271
|
+
[]
|
272
|
+
end
|
273
|
+
end
|
274
|
+
|
275
|
+
end
|
276
|
+
end
|