Class: XMLSecurity::SignedDocument

Inherits:

BaseDocument

• Object
• REXML::Document
• BaseDocument
• XMLSecurity::SignedDocument

Defined in:

lib/xml_security.rb

Constant Summary

Constants inherited from BaseDocument

BaseDocument::C14N, BaseDocument::DSIG, BaseDocument::NOKOGIRI_OPTIONS

Instance Attribute Summary

• #signed_element_id ⇒ Object

Instance Method Summary

• #initialize(response) ⇒ SignedDocument constructor

  A new instance of SignedDocument.

• #validate_document(idp_cert_fingerprint, soft = true) ⇒ Object
• #validate_signature(base64_cert, soft = true) ⇒ Object

Methods inherited from BaseDocument

#algorithm, #canon_algorithm

Constructor Details

#initialize(response) ⇒ SignedDocument

Returns a new instance of SignedDocument.

# File 'lib/xml_security.rb', line 175

def initialize(response)
  super(response)
  extract_signed_element_id
end

Instance Attribute Details

#signed_element_id ⇒ Object

# File 'lib/xml_security.rb', line 180

def signed_element_id
  @signed_element_id ||= extract_signed_element_id
end

Instance Method Details

#validate_document(idp_cert_fingerprint, soft = true) ⇒ Object

Raises:

• (OneLogin::RubySaml::ValidationError)

# File 'lib/xml_security.rb', line 184

def validate_document(idp_cert_fingerprint, soft = true)
  # get cert from response
  cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
  raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)") unless cert_element
  base64_cert  = OneLogin::RubySaml::Utils.element_text(cert_element)
  cert_text    = Base64.decode64(base64_cert)
  cert         = OpenSSL::X509::Certificate.new(cert_text)

  # check cert matches registered idp cert
  fingerprint = Digest::SHA1.hexdigest(cert.to_der)

  if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
    return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch"))
  end

  validate_signature(base64_cert, soft)
end

#validate_signature(base64_cert, soft = true) ⇒ Object

# File 'lib/xml_security.rb', line 202

def validate_signature(base64_cert, soft = true)
  # validate references

  # check for inclusive namespaces
  inclusive_namespaces = extract_inclusive_namespaces

  document = Nokogiri::XML(self.to_s) do |config|
    config.options = NOKOGIRI_OPTIONS
  end

  # create a working copy so we don't modify the original
  @working_copy ||= REXML::Document.new(self.to_s).root

  # store and remove signature node
  @sig_element ||= begin
    element = REXML::XPath.first(@working_copy, "//ds:Signature", {"ds"=>DSIG})
    element.remove
  end

  # verify signature
  signed_info_element     = REXML::XPath.first(@sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
  noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
  noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
  canon_algorithm = canon_algorithm REXML::XPath.first(@sig_element, '//ds:CanonicalizationMethod', 'ds' => DSIG)
  canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
  noko_sig_element.remove

  # check digests
  REXML::XPath.each(@sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
    uri                           = ref.attributes.get_attribute("URI").value

    hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
    canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
    canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)

    digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", 'ds' => DSIG))

    hash                          = digest_algorithm.digest(canon_hashed_element)
    digest_value                  = Base64.decode64(OneLogin::RubySaml::Utils.element_text(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG})))

    unless digests_match?(hash, digest_value)
      return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Digest mismatch"))
    end
  end

  base64_signature        = OneLogin::RubySaml::Utils.element_text(REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}))
  signature               = Base64.decode64(base64_signature)

  # get certificate object
  cert_text               = Base64.decode64(base64_cert)
  cert                    = OpenSSL::X509::Certificate.new(cert_text)

  # signature method
  signature_algorithm     = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))

  unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
    return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Key validation error"))
  end

  return true
end