spid-es 0.0.1 → 0.0.2

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    M2ZkYTA0N2Y4ODYwZjhmOTEzY2ZmMWYwNjc3MWZkOTI5NzE3OGE0Nw==
+    OGQ4MzVkZDM3MzIwYjA2ZDc5M2YwMzExMGM5OWFiMzkyNDAwOGM1ZA==
   data.tar.gz: !binary |-
-    NDhmODhjNjVjZDBjYWY4ZGZhZWJiMDg3MmQxMzBhNTQ5YjlkNWI2MQ==
+    NDQ1ZDQ2MmE3ZDhkNWExYzQxY2FkZTBmMTBhNTAyNzBjMTAyNTkyMA==
 SHA512:
   metadata.gz: !binary |-
-    ZWIxMWE3MDk0MmFlODJiYmY4MDI3OWMzOGQ5NzA0Mzk1ZGNjZDUwZTAxZDUx
-    M2Q4MDczNjNjOGE2ZTNkYTM3NzE3NTFjZmQ1NGQ0ZWM3MDZkZGMyMmMxMGVi
-    MWY3ZTczOTVjZmQ2NmFkMmI1MGRhZTRlMTNmNmExOTg1NDVlNDg=
+    YjEzM2JjZDdlNTljZWY0OWU5ZTY4ZWEyZjBhZjgzODAyYjVkMDNlZWFkYjEy
+    NjZjY2NlOGY2NGFmYzA4ODY4MTM2YzNhMGE4ZmIyYzhkN2VmYjNmMTA3MmQ3
+    ZWIwOGMyMjU1OWE3OWM3MmRhZjZjZTRlMzNmZmJmYzg0Mzc3MzE=
   data.tar.gz: !binary |-
-    NTZlOWI4OTRiYmZmYTU2OGIzMjhiYWM2NzRjOGE0ZjI4MGE0MjRkMWQyNWU2
-    NzMzMzVhNWJlMDE0N2JlMzUyZGMzY2I2NTY5NzhiZmZiMzhlNzJlNGU3YTVh
-    ZDIxMTk4YjNiNWIyNGEzMDA5MDRiMTQwYzg3ZTFlZDI5ZDliOTg=
+    MTM3NWQ5ZDI3ZmMxYzY5MmE2OTkzMTdkNzBjMTI2OTU5MGI1YzE2NWQxZmZh
+    YWI3ODA2MjY3YjQzYTdjN2JjZDg5OTgxZTQwOTlhNzY2Y2FlZTFiN2VkOGVh
+    NDQzN2JhODJlYmQ1MDcwY2UwNmYyNjZkM2MxMWFjMDkzZWM5MzY=

data/lib/spid/ruby-saml/error_handling.rb

@@ -0,0 +1,27 @@
+require "spid/ruby-saml/validation_error"
+
+module Spid
+  module Saml
+    module ErrorHandling
+      attr_accessor :errors
+
+      # Append the cause to the errors array, and based on the value of soft, return false or raise
+      # an exception. soft_override is provided as a means of overriding the object's notion of
+      # soft for just this invocation.
+      def append_error(error_msg, soft_override = nil)
+        @errors << error_msg
+
+        unless soft_override.nil? ? soft : soft_override
+          raise ValidationError.new(error_msg)
+        end
+
+        false
+      end
+
+      # Reset the errors array
+      def reset_errors!
+        @errors = []
+      end
+    end
+  end
+end

data/lib/spid/ruby-saml/utils.rb

@@ -0,0 +1,188 @@
+if RUBY_VERSION < '1.9'
+  require 'uuid'
+else
+  require 'securerandom'
+end
+
+module Spid
+  module Saml
+
+    # SAML2 Auxiliary class
+    #
+    class Utils
+      @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
+
+      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+      XENC      = "http://www.w3.org/2001/04/xmlenc#"
+
+      # Return a properly formatted x509 certificate
+      #
+      # @param cert [String] The original certificate
+      # @return [String] The formatted certificate
+      #
+      def self.format_cert(cert)
+        # don't try to format an encoded certificate or if is empty or nil
+        return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
+
+        cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
+        cert = cert.gsub(/[\n\r\s]/, "")
+        cert = cert.scan(/.{1,64}/)
+        cert = cert.join("\n")
+        "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
+      end
+
+      # Return a properly formatted private key
+      #
+      # @param key [String] The original private key
+      # @return [String] The formatted private key
+      #
+      def self.format_private_key(key)
+        # don't try to format an encoded private key or if is empty
+        return key if key.nil? || key.empty? || key.match(/\x0d/)
+
+        # is this an rsa key?
+        rsa_key = key.match("RSA PRIVATE KEY")
+        key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
+        key = key.gsub(/[\n\r\s]/, "")
+        key = key.scan(/.{1,64}/)
+        key = key.join("\n")
+        key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
+        "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
+      end
+
+      # Build the Query String signature that will be used in the HTTP-Redirect binding
+      # to generate the Signature
+      # @param params [Hash] Parameters to build the Query String
+      # @option params [String] :type 'SAMLRequest' or 'SAMLResponse'
+      # @option params [String] :data Base64 encoded SAMLRequest or SAMLResponse
+      # @option params [String] :relay_state The RelayState parameter
+      # @option params [String] :sig_alg The SigAlg parameter
+      # @return [String] The Query String
+      #
+      def self.build_query(params)
+        type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}
+
+        url_string = "#{type}=#{CGI.escape(data)}"
+        url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+        url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
+      end
+
+      # Validate the Signature parameter sent on the HTTP-Redirect binding
+      # @param params [Hash] Parameters to be used in the validation process
+      # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
+      # @option params [String] sig_alg The SigAlg parameter
+      # @option params [String] signature The Signature parameter (base64 encoded)
+      # @option params [String] query_string The full GET Query String to be compared
+      # @return [Boolean] True if the Signature is valid, False otherwise
+      #
+      def self.verify_signature(params)
+        cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]}
+        signature_algorithm = XMLSecurityNew::BaseDocument.new.algorithm(sig_alg)
+        return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
+      end
+
+      # Build the status error message
+      # @param status_code [String] StatusCode value
+      # @param status_message [Strig] StatusMessage value
+      # @return [String] The status error message
+      def self.status_error_msg(error_msg, status_code = nil, status_message = nil)
+        unless status_code.nil?
+          printable_code = status_code.split(':').last
+          error_msg << ', was ' + printable_code
+        end
+
+        unless status_message.nil?
+          error_msg << ' -> ' + status_message
+        end
+
+        error_msg
+      end
+
+      # Obtains the decrypted string from an Encrypted node element in XML
+      # @param encrypted_node [REXML::Element]     The Encrypted element
+      # @param private_key    [OpenSSL::PKey::RSA] The Service provider private key
+      # @return [String] The decrypted data
+      def self.decrypt_data(encrypted_node, private_key)
+        encrypt_data = REXML::XPath.first(
+          encrypted_node,
+          "./xenc:EncryptedData",
+          { 'xenc' => XENC }
+        )
+        symmetric_key = retrieve_symmetric_key(encrypt_data, private_key)
+        cipher_value = REXML::XPath.first(
+          encrypt_data,
+          "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue",
+          { 'xenc' => XENC }
+        )
+        node = Base64.decode64(cipher_value.text)
+        encrypt_method = REXML::XPath.first(
+          encrypt_data,
+          "//xenc:EncryptedData/xenc:EncryptionMethod",
+          { 'xenc' => XENC }
+        )
+        algorithm = encrypt_method.attributes['Algorithm']
+        retrieve_plaintext(node, symmetric_key, algorithm)
+      end
+
+      # Obtains the symmetric key from the EncryptedData element
+      # @param encrypt_data [REXML::Element]     The EncryptedData element
+      # @param private_key [OpenSSL::PKey::RSA] The Service provider private key
+      # @return [String] The symmetric key
+      def self.retrieve_symmetric_key(encrypt_data, private_key)
+        encrypted_key = REXML::XPath.first(
+          encrypt_data,
+          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey or \
+           //xenc:EncryptedKey[@Id=substring-after(//xenc:EncryptedData/ds:KeyInfo/ds:RetrievalMethod/@URI, '#')]",
+          { "ds" => DSIG, "xenc" => XENC }
+        )
+        encrypted_symmetric_key_element = REXML::XPath.first(
+          encrypted_key,
+          "./xenc:CipherData/xenc:CipherValue",
+          { "ds" => DSIG, "xenc" => XENC }
+        )
+        cipher_text = Base64.decode64(encrypted_symmetric_key_element.text)
+        encrypt_method = REXML::XPath.first(
+          encrypted_key,
+          "./xenc:EncryptionMethod",
+          {"ds" => DSIG,  "xenc" => XENC }
+        )
+        algorithm = encrypt_method.attributes['Algorithm']
+        retrieve_plaintext(cipher_text, private_key, algorithm)
+      end
+
+      # Obtains the deciphered text
+      # @param cipher_text [String]   The ciphered text
+      # @param symmetric_key [String] The symetric key used to encrypt the text
+      # @param algorithm [String]     The encrypted algorithm
+      # @return [String] The deciphered text
+      def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
+        case algorithm
+          when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
+          when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
+        end
+
+        if cipher
+          iv_len = cipher.iv_len
+          data = cipher_text[iv_len..-1]
+          cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
+          assertion_plaintext = cipher.update(data)
+          assertion_plaintext << cipher.final
+        elsif rsa
+          rsa.private_decrypt(cipher_text)
+        elsif oaep
+          oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+        else
+          cipher_text
+        end
+      end
+
+      def self.uuid
+        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+      end
+    end
+  end
+end

data/lib/xml_security_new.rb

@@ -0,0 +1,368 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require 'nokogiri'
+require "digest/sha1"
+require "digest/sha2"
+require "spid/ruby-saml/error_handling"
+
+module XMLSecurityNew
+
+  class BaseDocument < REXML::Document
+    REXML::Document::entity_expansion_limit = 0
+
+    C14N            = "http://www.w3.org/2001/10/xml-exc-c14n#"
+    DSIG            = "http://www.w3.org/2000/09/xmldsig#"
+    NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
+                       Nokogiri::XML::ParseOptions::NONET
+
+    def canon_algorithm(element)
+      algorithm = element
+      if algorithm.is_a?(REXML::Element)
+        algorithm = element.attribute('Algorithm').value
+      end
+
+      case algorithm
+        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+             "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+          Nokogiri::XML::XML_C14N_1_0
+        when "http://www.w3.org/2006/12/xml-c14n11",
+             "http://www.w3.org/2006/12/xml-c14n11#WithComments"
+          Nokogiri::XML::XML_C14N_1_1
+        else
+          Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+      end
+    end
+
+    def algorithm(element)
+      algorithm = element
+      if algorithm.is_a?(REXML::Element)
+        algorithm = element.attribute("Algorithm").value
+      end
+
+      algorithm = algorithm && algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
+
+      case algorithm
+      when 256 then OpenSSL::Digest::SHA256
+      when 384 then OpenSSL::Digest::SHA384
+      when 512 then OpenSSL::Digest::SHA512
+      else
+        OpenSSL::Digest::SHA1
+      end
+    end
+
+  end
+
+  class Document < BaseDocument
+    RSA_SHA1        = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+    RSA_SHA256      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+    RSA_SHA384      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+    RSA_SHA512      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+    SHA1            = "http://www.w3.org/2000/09/xmldsig#sha1"
+    SHA256          = 'http://www.w3.org/2001/04/xmlenc#sha256'
+    SHA384          = "http://www.w3.org/2001/04/xmldsig-more#sha384"
+    SHA512          = 'http://www.w3.org/2001/04/xmlenc#sha512'
+    ENVELOPED_SIG   = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+    INC_PREFIX_LIST = "#default samlp saml2p saml ds xs xsi md"
+
+    attr_accessor :uuid
+
+    def uuid
+      @uuid ||= begin
+        document.root.nil? ? nil : document.root.attributes['ID']
+      end
+    end
+
+    #<Signature>
+      #<SignedInfo>
+        #<CanonicalizationMethod />
+        #<SignatureMethod />
+        #<Reference>
+           #<Transforms>
+           #<DigestMethod>
+           #<DigestValue>
+        #</Reference>
+        #<Reference /> etc.
+      #</SignedInfo>
+      #<SignatureValue />
+      #<KeyInfo />
+      #<Object />
+    #</Signature>
+    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA256)
+      noko = Nokogiri::XML(self.to_s) do |config|
+        config.options = XMLSecurityNew::BaseDocument::NOKOGIRI_OPTIONS
+      end
+
+      signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
+      signed_info_element = signature_element.add_element("ds:SignedInfo")
+      signed_info_element.add_element("ds:CanonicalizationMethod", {"Algorithm" => C14N})
+      signed_info_element.add_element("ds:SignatureMethod", {"Algorithm"=>signature_method})
+
+      # Add Reference
+      reference_element = signed_info_element.add_element("ds:Reference", {"URI" => "##{uuid}"})
+
+      # Add Transforms
+      transforms_element = reference_element.add_element("ds:Transforms")
+      transforms_element.add_element("ds:Transform", {"Algorithm" => ENVELOPED_SIG})
+      c14element = transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
+      c14element.add_element("ec:InclusiveNamespaces", {"xmlns:ec" => C14N, "PrefixList" => INC_PREFIX_LIST})
+
+      digest_method_element = reference_element.add_element("ds:DigestMethod", {"Algorithm" => digest_method})
+      inclusive_namespaces = INC_PREFIX_LIST.split(" ")
+      canon_doc = noko.canonicalize(canon_algorithm(C14N), inclusive_namespaces)
+      reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
+
+      # add SignatureValue
+      noko_sig_element = Nokogiri::XML(signature_element.to_s) do |config|
+        config.options = XMLSecurityNew::BaseDocument::NOKOGIRI_OPTIONS
+      end
+
+      noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
+      canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
+
+      signature = compute_signature(private_key, algorithm(signature_method).new, canon_string)
+      signature_element.add_element("ds:SignatureValue").text = signature
+
+      # add KeyInfo
+      key_info_element       = signature_element.add_element("ds:KeyInfo")
+      x509_element           = key_info_element.add_element("ds:X509Data")
+      x509_cert_element      = x509_element.add_element("ds:X509Certificate")
+      if certificate.is_a?(String)
+        certificate = OpenSSL::X509::Certificate.new(certificate)
+      end
+      x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
+
+      # add the signature
+      issuer_element = self.elements["//saml:Issuer"]
+      if issuer_element
+        self.root.insert_after issuer_element, signature_element
+      else
+        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
+          self.root.insert_before sp_sso_descriptor, signature_element
+        else
+          self.root.add_element(signature_element)
+        end
+      end
+    end
+
+    protected
+
+    def compute_signature(private_key, signature_algorithm, document)
+      Base64.encode64(private_key.sign(signature_algorithm, document)).gsub(/\n/, "")
+    end
+
+    def compute_digest(document, digest_algorithm)
+      digest = digest_algorithm.digest(document)
+      Base64.encode64(digest).strip!
+    end
+
+  end
+
+  class SignedDocument < BaseDocument
+    include Spid::Saml::ErrorHandling
+
+    attr_accessor :signed_element_id
+
+    def initialize(response, errors = [])
+      super(response)
+      @errors = errors
+    end
+
+    def signed_element_id
+      @signed_element_id ||= extract_signed_element_id
+    end
+
+    def validate_document(idp_cert_fingerprint, soft = true, options = {})
+      # get cert from response
+      cert_element = REXML::XPath.first(
+        self,
+        "//ds:X509Certificate",
+        { "ds"=>DSIG }
+      )
+
+      if cert_element
+        base64_cert = cert_element.text
+        cert_text = Base64.decode64(base64_cert)
+        begin
+          cert = OpenSSL::X509::Certificate.new(cert_text)
+        rescue OpenSSL::X509::CertificateError => e
+          return append_error("Certificate Error", soft)
+        end
+
+        if options[:fingerprint_alg]
+          fingerprint_alg = XMLSecurityNew::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
+        else
+          fingerprint_alg = OpenSSL::Digest::SHA1.new
+        end
+        fingerprint = fingerprint_alg.hexdigest(cert.to_der)
+
+        # check cert matches registered idp cert
+        if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+          @errors << "Fingerprint mismatch"
+          return append_error("Fingerprint mismatch", soft)
+        end
+      else
+        if options[:cert]
+          base64_cert = Base64.encode64(options[:cert].to_pem)
+        else
+          if soft
+            return false
+          else
+            return append_error("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings", soft)
+          end
+        end
+      end
+      validate_signature(base64_cert, soft)
+    end
+
+    def validate_signature(base64_cert, soft = true)
+
+      document = Nokogiri::XML(self.to_s) do |config|
+        config.options = XMLSecurityNew::BaseDocument::NOKOGIRI_OPTIONS
+      end
+
+      # create a rexml document
+      @working_copy ||= REXML::Document.new(self.to_s).root
+
+      # get signature node
+      sig_element = REXML::XPath.first(
+          @working_copy,
+          "//ds:Signature",
+          {"ds"=>DSIG}
+      )
+
+      # signature method
+      sig_alg_value = REXML::XPath.first(
+        sig_element,
+        "./ds:SignedInfo/ds:SignatureMethod",
+        {"ds"=>DSIG}
+      )
+      signature_algorithm = algorithm(sig_alg_value)
+
+      # get signature
+      base64_signature = REXML::XPath.first(
+        sig_element,
+        "./ds:SignatureValue",
+        {"ds" => DSIG}
+      ).text
+      signature = Base64.decode64(base64_signature)
+
+      # canonicalization method
+      canon_algorithm = canon_algorithm REXML::XPath.first(
+        sig_element,
+        './ds:SignedInfo/ds:CanonicalizationMethod',
+        'ds' => DSIG
+      )
+
+      noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
+      noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
+
+      canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
+      noko_sig_element.remove
+
+      # get inclusive namespaces
+      inclusive_namespaces = extract_inclusive_namespaces
+
+      # check digests
+      ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
+      uri = ref.attributes.get_attribute("URI").value
+
+      hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+      
+      canon_algorithm = canon_algorithm REXML::XPath.first(
+        ref,
+        '//ds:CanonicalizationMethod',
+        { "ds" => DSIG }
+      )
+      canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+
+      digest_algorithm = algorithm(REXML::XPath.first(
+        ref,
+        "//ds:DigestMethod",
+        { "ds" => DSIG }
+      ))
+      hash = digest_algorithm.digest(canon_hashed_element)
+      encoded_digest_value = REXML::XPath.first(
+        ref,
+        "//ds:DigestValue",
+        { "ds" => DSIG }
+      ).text
+      digest_value = Base64.decode64(encoded_digest_value)
+
+      unless digests_match?(hash, digest_value)
+        @errors << "Digest mismatch"
+        return append_error("Digest mismatch", soft)
+      end
+
+      # get certificate object
+      cert_text = Base64.decode64(base64_cert)
+      cert = OpenSSL::X509::Certificate.new(cert_text)
+
+      # verify signature
+      unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+        return append_error("Key validation error", soft)
+      end
+
+      return true
+    end
+
+    private
+
+    def digests_match?(hash, digest_value)
+      hash == digest_value
+    end
+
+    def extract_signed_element_id
+      reference_element = REXML::XPath.first(
+        self,
+        "//ds:Signature/ds:SignedInfo/ds:Reference",
+        {"ds"=>DSIG}
+      )
+
+      return nil if reference_element.nil?
+
+      sei = reference_element.attribute("URI").value[1..-1]
+      sei.nil? ? reference_element.parent.parent.parent.attribute("ID").value : sei
+    end
+
+    def extract_inclusive_namespaces
+      element = REXML::XPath.first(
+        self,
+        "//ec:InclusiveNamespaces",
+        { "ec" => C14N }
+      )
+      if element
+        prefix_list = element.attributes.get_attribute("PrefixList").value
+        prefix_list.split(" ")
+      else
+        nil
+      end
+    end
+
+  end
+end

data/spid-es.gemspec

@@ -2,7 +2,7 @@ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
 
 Gem::Specification.new do |s|
   s.name = 'spid-es'
-  s.version = '0.0.1'
+  s.version = '0.0.2'
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Fabiano Pavan"]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spid-es
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Fabiano Pavan
@@ -97,6 +97,7 @@ files:
 - lib/spid-es.rb
 - lib/spid/ruby-saml/authrequest.rb
 - lib/spid/ruby-saml/coding.rb
+- lib/spid/ruby-saml/error_handling.rb
 - lib/spid/ruby-saml/logging.rb
 - lib/spid/ruby-saml/logout_request.rb
 - lib/spid/ruby-saml/logout_response.rb
@@ -104,9 +105,11 @@ files:
 - lib/spid/ruby-saml/request.rb
 - lib/spid/ruby-saml/response.rb
 - lib/spid/ruby-saml/settings.rb
+- lib/spid/ruby-saml/utils.rb
 - lib/spid/ruby-saml/validation_error.rb
 - lib/spid/ruby-saml/version.rb
 - lib/xml_security.rb
+- lib/xml_security_new.rb
 - spid-es.gemspec
 - test/certificates/certificate1
 - test/logoutrequest_test.rb