Class: XMLSecurity::SignedDocument

Inherits:
REXML::Document
  • Object
show all
Defined in:
lib/xml_security.rb

Instance Method Summary collapse

Instance Method Details

#decode(private_key) ⇒ Object 



131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
 
# File 'lib/xml_security.rb', line 131

def decode private_key
  # This is the public key which encrypted the first CipherValue
  certs = REXML::XPath.match(self, '//ds:X509Certificate')#, 'ds' => "http://www.w3.org/2000/09/xmldsig#") array two elements    dcert   = REXML::XPath.first(self, '//ds:X509Certificate')#, 'ds' => "http://www.w3.org/2000/09/xmldsig#")

  #Find the certificate for the private key
  cert = certs.select{|c| OpenSSL::X509::Certificate.new(Base64.decode64(c.text)).check_private_key(private_key)}
  unless cert.empty?
    cert = cert[0]
  else
    return false
  end
  c1, c2 = REXML::XPath.match(self, '//xenc:CipherValue', 'xenc' => 'http://www.w3.org/2001/04/xmlenc#')

  # Generate the key used for the cipher below via the RSA::OAEP algo
  rsak      = RSA::Key.new private_key.n, private_key.d
  v1s       = Base64.decode64(c1.text)

  begin
    cipherkey = RSA::OAEP.decode rsak, v1s
  rescue RSA::OAEP::DecodeError
    return false
  end

  # The aes-128-cbc cipher has a 128 bit initialization vector (16 bytes)
  # and this is the first 16 bytes of the raw string.
  bytes  = Base64.decode64(c2.text).bytes.to_a
  iv     = bytes[0...16].pack('c*')
  others = bytes[16..-1].pack('c*')

  cipher = OpenSSL::Cipher.new('aes-128-cbc')
  cipher.decrypt
  cipher.iv  = iv
  cipher.key = cipherkey

  out = cipher.update(others)

  # The encrypted string's length might not be a multiple of the block
  # length of aes-128-cbc (16), so add in another block and then trim
  # off the padding. More info about padding is available at
  # http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html in
  # Section 5.2
  out << cipher.update("\x00" * 16)
  padding = out.bytes.to_a.last
  self.class.new(out[0..-(padding + 1)])
end

#validate(idp_cert_fingerprint, logger = nil, private_key = nil) ⇒ Object 



71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
 
# File 'lib/xml_security.rb', line 71

def validate (idp_cert_fingerprint, logger = nil, private_key = nil)
  # get cert from response
  base64_cert             = self.elements["//ds:X509Certificate"].text
  cert_text               = Base64.decode64(base64_cert)
  cert                    = OpenSSL::X509::Certificate.new(cert_text)

  # check cert matches registered idp cert
  fingerprint             = Digest::SHA1.hexdigest(cert.to_der)
  valid_flag              = fingerprint == idp_cert_fingerprint.gsub(":", "").downcase

  return valid_flag if !valid_flag

  if validate_doc(base64_cert, logger)
    return true
  # elsif private_key
  #   return decode(private_key)
  else
    return false
  end
end

#validate_doc(cert, logger) ⇒ Object 



92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
 
# File 'lib/xml_security.rb', line 92

def validate_doc(cert, logger)
  # validate references

  # remove signature node
  sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
  return false unless sig_element
  sig_element.remove

   #временно выключили проверку дайджеста

#      #check digests
#      REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do | ref |
#
#        uri                   = ref.attributes.get_attribute("URI").value
#        hashed_element        = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
#        canoner               = XML::Util::XmlCanonicalizer.new(false, true)
#        canon_hashed_element  = canoner.canonicalize(hashed_element)
#        hash                  = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
#        digest_value          = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
#
#        valid_flag            = hash == digest_value
#
#        return valid_flag if !valid_flag
#      end

  # verify signature
  canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
  signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
  canon_string            = canoner.canonicalize(signed_info_element)

  base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
  signature               = Base64.decode64(base64_signature)

  # get certificate object
  valid_flag              = cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)

  return valid_flag
end