Module: SAML2::Signable

Included in:

Entity, Entity::Group, Message, Role

Defined in:

lib/saml2/signable.rb

Instance Method Summary

• #sign(x509_certificate, private_key, algorithm_name = :sha256) ⇒ self

  Sign this object.

• #signature ⇒ Nokogiri::XML::Element^?
• #signed? ⇒ Boolean
• #signing_key ⇒ KeyInfo^?
• #valid_signature?(fingerprint: nil, cert: nil) ⇒ Boolean

  Check if the signature on this object is valid.

• #validate_signature(key: nil, fingerprint: nil, cert: nil) ⇒ Array<String>

  Validate the signature on this object.

Instance Method Details

#sign(x509_certificate, private_key, algorithm_name = :sha256) ⇒ self

Sign this object.

# File 'lib/saml2/signable.rb', line 103

def sign(x509_certificate, private_key, algorithm_name = :sha256)
  to_xml

  xml = @document.root
  xml.set_id_attribute('ID')
  xml.sign!(cert: x509_certificate, key: private_key, digest_alg: algorithm_name.to_s, signature_alg: "rsa-#{algorithm_name}", uri: "##{id}")
  # the Signature element must be the first element
  signature = xml.at_xpath("dsig:Signature", Namespaces::ALL)
  xml.children.first.add_previous_sibling(signature)

  self
end

#signature ⇒ Nokogiri::XML::Element^?

# File 'lib/saml2/signable.rb', line 8

def signature
  unless instance_variable_defined?(:@signature)
    @signature = xml.at_xpath('dsig:Signature', Namespaces::ALL)
    if @signature
      signed_node = @signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
      if signed_node == ''
        @signature = nil unless xml == xml.document.root
      elsif signed_node != "##{xml['ID']}"
        @signature = nil
      else
        # validating the schema will automatically add ID attributes, so check that first
        xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
      end
    end
  end
  @signature
end

#signed? ⇒ Boolean

# File 'lib/saml2/signable.rb', line 31

def signed?
  !!signature
end

#signing_key ⇒ KeyInfo^?

# File 'lib/saml2/signable.rb', line 27

def signing_key
  @signing_key ||= KeyInfo.from_xml(signature)
end

#valid_signature?(fingerprint: nil, cert: nil) ⇒ Boolean

Check if the signature on this object is valid.

Either fingerprint or cert must be provided.

# File 'lib/saml2/signable.rb', line 90

def valid_signature?(fingerprint: nil, cert: nil)
  validate_signature(fingerprint: fingerprint, cert: cert).empty?
end

#validate_signature(key: nil, fingerprint: nil, cert: nil) ⇒ Array<String>

Validate the signature on this object.

At least one of key, fingerprint or cert must be provided.

# File 'lib/saml2/signable.rb', line 52

def validate_signature(key: nil,
                       fingerprint: nil,
                       cert: nil)
  return ["not signed"] unless signed?

  certs = Array(cert)
  certs = certs.dup if certs.equal?(cert)
  # see if any given fingerprints match the certificate embedded in the XML;
  # if so, extract the certificate, and add it to the allowed certificates list
  Array(fingerprint).each do |fp|
    certs << signing_key.certificate if signing_key&.fingerprint == SAML2::KeyInfo.format_fingerprint(fp)
  end
  certs = certs.uniq

  trusted_keys = certs.map do |cert|
    cert = cert.is_a?(String) ? OpenSSL::X509::Certificate.new(cert) : cert
    cert.public_key.to_s
  end
  if signing_key&.certificate && trusted_keys.include?(signing_key.certificate.public_key.to_s)
    key ||= signing_key.certificate.public_key.to_s
  end

  return ["no trusted signing key found"] if key.nil?

  begin
    result = signature.verify_with(key: key)
    result ? [] : ["signature is invalid"]
  rescue XMLSec::VerificationError => e
    [e.message]
  end
end