Module: XMLSecurity::SignedDocument
- Defined in:
- lib/xml_sec.rb
Instance Attribute Summary collapse
-
#used_key ⇒ Object
readonly
Returns the value of attribute used_key.
-
#validation_error ⇒ Object
readonly
Returns the value of attribute validation_error.
Class Method Summary collapse
Instance Method Summary collapse
-
#decrypt!(settings) ⇒ Object
replaces EncryptedData nodes with decrypted copies.
- #decrypt_node(settings, xmlstr) ⇒ Object
- #has_signature? ⇒ Boolean
- #signatures ⇒ Object
- #signed_roots ⇒ Object
- #validate(idp_cert_fingerprint, logger = nil) ⇒ Object
- #validate_doc(xml, pem) ⇒ Object
- #xmlsec_decrypt(xmlstr, private_key) ⇒ Object
Instance Attribute Details
#used_key ⇒ Object (readonly)
Returns the value of attribute used_key.
307 308 309 |
# File 'lib/xml_sec.rb', line 307 def used_key @used_key end |
#validation_error ⇒ Object (readonly)
Returns the value of attribute validation_error.
307 308 309 |
# File 'lib/xml_sec.rb', line 307 def validation_error @validation_error end |
Class Method Details
.format_cert(cert) ⇒ Object
309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 |
# File 'lib/xml_sec.rb', line 309 def self.format_cert(cert) # re-encode the certificate in the proper format # this snippet is from http://bugs.ruby-lang.org/issues/4421 rsa = cert.public_key modulus = rsa.n exponent = rsa.e oid = OpenSSL::ASN1::ObjectId.new("rsaEncryption") alg_id = OpenSSL::ASN1::Sequence.new([oid, OpenSSL::ASN1::Null.new(nil)]) ary = [OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)] pub_key = OpenSSL::ASN1::Sequence.new(ary) enc_pk = OpenSSL::ASN1::BitString.new(pub_key.to_der) subject_pk_info = OpenSSL::ASN1::Sequence.new([alg_id, enc_pk]) base64 = Base64.encode64(subject_pk_info.to_der) # This is the equivalent to the X.509 encoding used in >= 1.9.3 "-----BEGIN PUBLIC KEY-----\n#{base64}-----END PUBLIC KEY-----" end |
Instance Method Details
#decrypt!(settings) ⇒ Object
replaces EncryptedData nodes with decrypted copies
420 421 422 423 424 425 426 427 428 429 430 431 432 433 |
# File 'lib/xml_sec.rb', line 420 def decrypt!(settings) if settings.encryption_configured? xpath("//xenc:EncryptedData", Onelogin::NAMESPACES).each do |node| decrypted_xml = decrypt_node(settings, node.to_s) if decrypted_xml decrypted_doc = Nokogiri::XML(decrypted_xml) decrypted_node = decrypted_doc.root node.parent.next = decrypted_node node.parent.unlink end end end true end |
#decrypt_node(settings, xmlstr) ⇒ Object
435 436 437 438 439 440 441 442 443 444 |
# File 'lib/xml_sec.rb', line 435 def decrypt_node(settings, xmlstr) settings.all_private_keys.each do |key| result = xmlsec_decrypt(xmlstr, key) if result @used_key = key return result end end nil end |
#has_signature? ⇒ Boolean
327 328 329 |
# File 'lib/xml_sec.rb', line 327 def has_signature? signatures.any? end |
#signatures ⇒ Object
346 347 348 349 |
# File 'lib/xml_sec.rb', line 346 def signatures # we only return the first, cause our signature validation only checks the first @signatures ||= [self.at_xpath("//ds:Signature", Onelogin::NAMESPACES)].compact end |
#signed_roots ⇒ Object
331 332 333 334 335 336 337 338 339 340 341 342 343 344 |
# File 'lib/xml_sec.rb', line 331 def signed_roots signatures.map do |sig| ref = sig.at_xpath('./ds:SignedInfo/ds:Reference', Onelogin::NAMESPACES) signed_element_id = ref['URI'].sub(/^#/, '') if signed_element_id.empty? self.root else xpath_id_query = %Q(ancestor::*[@ID = "#{signed_element_id}"]) ref.at_xpath(xpath_id_query, Onelogin::NAMESPACES) end end.compact end |
#validate(idp_cert_fingerprint, logger = nil) ⇒ Object
351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 |
# File 'lib/xml_sec.rb', line 351 def validate(idp_cert_fingerprint, logger = nil) # get cert from response base64_cert = self.at_xpath("//ds:X509Certificate", Onelogin::NAMESPACES).content cert_text = Base64.decode64(base64_cert) cert = OpenSSL::X509::Certificate.new(cert_text) # check cert matches registered idp cert, unless we explicitly skip this check unless idp_cert_fingerprint == '*' fingerprint = Digest::SHA1.hexdigest(cert.to_der) expected_fingerprints = Array(idp_cert_fingerprint).map { |f| f.gsub(":", "").downcase } unless expected_fingerprints.include?(fingerprint) @validation_error = "Invalid fingerprint (expected one of [#{expected_fingerprints.join(', ')}], got #{fingerprint})" return false end end # Force encoding of the xml and the xml string for validation xml = to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML, encoding: "ISO-8859-1") # validate it! validate_doc(xml, SignedDocument.format_cert(cert)) end |
#validate_doc(xml, pem) ⇒ Object
374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 |
# File 'lib/xml_sec.rb', line 374 def validate_doc(xml, pem) kmgr = nil ctx = nil result = false begin # set up the keymgr kmgr = XMLSecurity.xmlSecKeysMngrCreate raise "failed initializing key mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrInit(kmgr) < 0 key = XMLSecurity.xmlSecOpenSSLAppKeyLoadMemory(pem, pem.length, :xmlSecKeyDataFormatPem, nil, nil, nil) raise "failed loading key" if key.null? raise "failed adding key to mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrAdoptKey(kmgr, key) < 0 # parse the xml doc = XMLSecurity.xmlSecParseMemory(xml, xml.length, 0) root = XMLSecurity.xmlDocGetRootElement(doc) XMLSecurity.register_xml_id_attribute(doc, root) # get the root node, and then find the signature node = XMLSecurity.xmlSecFindNode(root, "Signature", "http://www.w3.org/2000/09/xmldsig#") raise "Signature node not found" if node.null? # create the sig context ctx = XMLSecurity.xmlSecDSigCtxCreate(kmgr) raise "failed creating digital signature context" if ctx.null? XMLSecurity.disable_xslt_transforms!(ctx) XMLSecurity.disable_remote_references!(ctx) # verify! raise "failed verifying dsig" if XMLSecurity.xmlSecDSigCtxVerify(ctx, node) < 0 result = ctx[:status] == :xmlSecDSigStatusSucceeded @validation_error = ctx[:status].to_s unless result rescue Exception => e @validation_error = e. ensure XMLSecurity.xmlSecDSigCtxDestroy(ctx) if ctx XMLSecurity.xmlFreeDoc(doc) if doc XMLSecurity.xmlSecKeysMngrDestroy(kmgr) if kmgr end result end |
#xmlsec_decrypt(xmlstr, private_key) ⇒ Object
446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 |
# File 'lib/xml_sec.rb', line 446 def xmlsec_decrypt(xmlstr, private_key) kmgr = nil ctx = nil doc = nil result = nil begin kmgr = XMLSecurity.xmlSecKeysMngrCreate raise "Failed initializing key mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrInit(kmgr) < 0 key = XMLSecurity.xmlSecOpenSSLAppKeyLoad(private_key, :xmlSecKeyDataFormatPem, nil, nil, nil) raise "Failed loading key" if key.null? raise "Failed adding key to mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrAdoptKey(kmgr, key) < 0 doc = XMLSecurity.xmlSecParseMemory(xmlstr, xmlstr.length, 0) raise "Failed to parse node" if doc.null? ctx = XMLSecurity.xmlSecEncCtxCreate(kmgr) raise "failed creating enc ctx" if ctx.null? node = XMLSecurity.xmlDocGetRootElement(doc) raise "failed decrypting" if XMLSecurity.xmlSecEncCtxDecrypt(ctx, node) < 0 ptr = FFI::MemoryPointer.new(:pointer, 1) sizeptr = FFI::MemoryPointer.new(:pointer, 1) XMLSecurity.xmlDocDumpFormatMemory(doc, ptr, sizeptr, 0) strptr = ptr.read_pointer result = strptr.null? ? nil : strptr.read_string rescue Exception => e @logger.warn "Could not decrypt: #{e.}" if @logger ensure XMLSecurity.xmlSecEncCtxDestroy(ctx) if ctx XMLSecurity.xmlFreeDoc(doc) if doc XMLSecurity.xmlSecKeysMngrDestroy(kmgr) if kmgr end result end |