Module: XMLSecurity::SignedDocument

Defined in:

lib/xml_sec.rb

Instance Attribute Summary

• #used_key ⇒ Object readonly

  Returns the value of attribute used_key.

• #validation_error ⇒ Object readonly

  Returns the value of attribute validation_error.

Class Method Summary

• .format_cert(cert) ⇒ Object

Instance Method Summary

• #decrypt!(settings) ⇒ Object

  replaces EncryptedData nodes with decrypted copies.

• #decrypt_node(settings, xmlstr) ⇒ Object
• #has_signature? ⇒ Boolean
• #signatures ⇒ Object
• #signed_roots ⇒ Object
• #validate(idp_cert_fingerprint, logger = nil) ⇒ Object
• #validate_doc(xml, pem) ⇒ Object
• #xmlsec_decrypt(xmlstr, private_key) ⇒ Object

Instance Attribute Details

#used_key ⇒ Object (readonly)

Returns the value of attribute used_key.

# File 'lib/xml_sec.rb', line 307

def used_key
  @used_key
end

#validation_error ⇒ Object (readonly)

Returns the value of attribute validation_error.

# File 'lib/xml_sec.rb', line 307

def validation_error
  @validation_error
end

Class Method Details

.format_cert(cert) ⇒ Object

# File 'lib/xml_sec.rb', line 309

def self.format_cert(cert)
  # re-encode the certificate in the proper format
  # this snippet is from http://bugs.ruby-lang.org/issues/4421
  rsa = cert.public_key
  modulus = rsa.n
  exponent = rsa.e
  oid = OpenSSL::ASN1::ObjectId.new("rsaEncryption")
  alg_id = OpenSSL::ASN1::Sequence.new([oid, OpenSSL::ASN1::Null.new(nil)])
  ary = [OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)]
  pub_key = OpenSSL::ASN1::Sequence.new(ary)
  enc_pk = OpenSSL::ASN1::BitString.new(pub_key.to_der)
  subject_pk_info = OpenSSL::ASN1::Sequence.new([alg_id, enc_pk])
  base64 = Base64.encode64(subject_pk_info.to_der)

  # This is the equivalent to the X.509 encoding used in >= 1.9.3
  "-----BEGIN PUBLIC KEY-----\n#{base64}-----END PUBLIC KEY-----"
end

Instance Method Details

#decrypt!(settings) ⇒ Object

replaces EncryptedData nodes with decrypted copies

# File 'lib/xml_sec.rb', line 420

def decrypt!(settings)
  if settings.encryption_configured?
    xpath("//xenc:EncryptedData", Onelogin::NAMESPACES).each do |node|
      decrypted_xml = decrypt_node(settings, node.to_s)
      if decrypted_xml
        decrypted_doc = Nokogiri::XML(decrypted_xml)
        decrypted_node = decrypted_doc.root
        node.parent.next = decrypted_node
        node.parent.unlink
      end
    end
  end
  true
end

#decrypt_node(settings, xmlstr) ⇒ Object

# File 'lib/xml_sec.rb', line 435

def decrypt_node(settings, xmlstr)
  settings.all_private_keys.each do |key|
    result = xmlsec_decrypt(xmlstr, key)
    if result
      @used_key = key
      return result
    end
  end
  nil
end

#has_signature? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/xml_sec.rb', line 327

def has_signature?
  signatures.any?
end

#signatures ⇒ Object

# File 'lib/xml_sec.rb', line 346

def signatures
  # we only return the first, cause our signature validation only checks the first
  @signatures ||= [self.at_xpath("//ds:Signature", Onelogin::NAMESPACES)].compact
end

#signed_roots ⇒ Object

# File 'lib/xml_sec.rb', line 331

def signed_roots
  signatures.map do |sig|
    ref = sig.at_xpath('./ds:SignedInfo/ds:Reference', Onelogin::NAMESPACES)
    signed_element_id = ref['URI'].sub(/^#/, '')

    if signed_element_id.empty?
      self.root
    else
      xpath_id_query = %Q(ancestor::*[@ID = "#{signed_element_id}"])

      ref.at_xpath(xpath_id_query, Onelogin::NAMESPACES)
    end
  end.compact
end

#validate(idp_cert_fingerprint, logger = nil) ⇒ Object

# File 'lib/xml_sec.rb', line 351

def validate(idp_cert_fingerprint, logger = nil)
  # get cert from response
  base64_cert = self.at_xpath("//ds:X509Certificate", Onelogin::NAMESPACES).content
  cert_text = Base64.decode64(base64_cert)
  cert = OpenSSL::X509::Certificate.new(cert_text)

  # check cert matches registered idp cert, unless we explicitly skip this check
  unless idp_cert_fingerprint == '*'
    fingerprint = Digest::SHA1.hexdigest(cert.to_der)
    expected_fingerprints = Array(idp_cert_fingerprint).map { |f| f.gsub(":", "").downcase }
    unless expected_fingerprints.include?(fingerprint)
      @validation_error = "Invalid fingerprint (expected one of [#{expected_fingerprints.join(', ')}], got #{fingerprint})"
      return false
    end
  end

  # Force encoding of the xml and the xml string for validation
  xml = to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML, encoding: "ISO-8859-1")

  # validate it!
  validate_doc(xml, SignedDocument.format_cert(cert))
end

#validate_doc(xml, pem) ⇒ Object

# File 'lib/xml_sec.rb', line 374

def validate_doc(xml, pem)
  kmgr = nil
  ctx = nil
  result = false

  begin
    # set up the keymgr
    kmgr = XMLSecurity.xmlSecKeysMngrCreate
    raise "failed initializing key mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrInit(kmgr) < 0
    key = XMLSecurity.xmlSecOpenSSLAppKeyLoadMemory(pem, pem.length, :xmlSecKeyDataFormatPem, nil, nil, nil)
    raise "failed loading key" if key.null?
    raise "failed adding key to mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrAdoptKey(kmgr, key) < 0

    # parse the xml
    doc = XMLSecurity.xmlSecParseMemory(xml, xml.length, 0)
    root = XMLSecurity.xmlDocGetRootElement(doc)

    XMLSecurity.register_xml_id_attribute(doc, root)

    # get the root node, and then find the signature
    node = XMLSecurity.xmlSecFindNode(root, "Signature", "http://www.w3.org/2000/09/xmldsig#")
    raise "Signature node not found" if node.null?

    # create the sig context
    ctx = XMLSecurity.xmlSecDSigCtxCreate(kmgr)
    raise "failed creating digital signature context" if ctx.null?

    XMLSecurity.disable_xslt_transforms!(ctx)
    XMLSecurity.disable_remote_references!(ctx)

    # verify!
    raise "failed verifying dsig" if XMLSecurity.xmlSecDSigCtxVerify(ctx, node) < 0
    result = ctx[:status] == :xmlSecDSigStatusSucceeded
    @validation_error = ctx[:status].to_s unless result
  rescue Exception => e
    @validation_error = e.message
  ensure
    XMLSecurity.xmlSecDSigCtxDestroy(ctx) if ctx
    XMLSecurity.xmlFreeDoc(doc) if doc
    XMLSecurity.xmlSecKeysMngrDestroy(kmgr) if kmgr
  end

  result
end

#xmlsec_decrypt(xmlstr, private_key) ⇒ Object

# File 'lib/xml_sec.rb', line 446

def xmlsec_decrypt(xmlstr, private_key)
  kmgr = nil
  ctx = nil
  doc = nil
  result = nil
  begin
    kmgr = XMLSecurity.xmlSecKeysMngrCreate
    raise "Failed initializing key mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrInit(kmgr) < 0

    key = XMLSecurity.xmlSecOpenSSLAppKeyLoad(private_key, :xmlSecKeyDataFormatPem, nil, nil, nil)
    raise "Failed loading key" if key.null?
    raise "Failed adding key to mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrAdoptKey(kmgr, key) < 0

    doc = XMLSecurity.xmlSecParseMemory(xmlstr, xmlstr.length, 0)
    raise "Failed to parse node" if doc.null?

    ctx = XMLSecurity.xmlSecEncCtxCreate(kmgr)
    raise "failed creating enc ctx" if ctx.null?

    node = XMLSecurity.xmlDocGetRootElement(doc)
    raise "failed decrypting" if XMLSecurity.xmlSecEncCtxDecrypt(ctx, node) < 0

    ptr = FFI::MemoryPointer.new(:pointer, 1)
    sizeptr = FFI::MemoryPointer.new(:pointer, 1)
    XMLSecurity.xmlDocDumpFormatMemory(doc, ptr, sizeptr, 0)
    strptr = ptr.read_pointer
    result = strptr.null? ? nil : strptr.read_string
  rescue Exception => e
    @logger.warn "Could not decrypt: #{e.message}" if @logger
  ensure
    XMLSecurity.xmlSecEncCtxDestroy(ctx) if ctx
    XMLSecurity.xmlFreeDoc(doc) if doc
    XMLSecurity.xmlSecKeysMngrDestroy(kmgr) if kmgr
  end
  result
end