56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
# File 'lib/saml_2_ruby/xml_sec.rb', line 56
def validate_doc(base64_cert, logger)
sig_element = XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
sig_element.remove
logger.info("checking digests") if !logger.nil?
XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do | ref |
uri = ref.attributes.get_attribute("URI").value
logger.info("URI = " + uri[1,uri.size]) if !logger.nil?
hashed_element = XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
logger.info("hashed element = " + hashed_element.to_s) if !logger.nil?
canoner = XML::Util::XmlCanonicalizer.new(false, true)
canon_hashed_element = canoner.canonicalize_element(hashed_element)
logger.info("canon hashed element = " + canon_hashed_element) if !logger.nil?
hash = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
digest_value = XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
logger.info("hashed_element_hash = " + hash) if !logger.nil?
logger.info("digest_value_element = " + digest_value) if !logger.nil?
valid_flag = hash == digest_value
return valid_flag if !valid_flag
end
logger.info("checking dig sig") if !logger.nil?
canoner = XML::Util::XmlCanonicalizer.new(false, true)
signed_info_element = XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
canon_string = canoner.canonicalize_element(signed_info_element)
logger.info("canon INFO = " + canon_string) if !logger.nil?
base64_signature = XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
logger.info("base 64 SIG = " + base64_signature) if !logger.nil?
signature = Base64.decode64(base64_signature)
logger.info("SIG = " + signature) if !logger.nil?
cert_text = Base64.decode64(base64_cert)
cert = OpenSSL::X509::Certificate.new(cert_text)
valid_flag = cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
return valid_flag
end
|