Class: Ciam::Saml::Utils
- Inherits:
-
Object
- Object
- Ciam::Saml::Utils
- Defined in:
- lib/ciam/ruby-saml/utils.rb
Overview
SAML2 Auxiliary class
Constant Summary collapse
- DSIG =
"http://www.w3.org/2000/09/xmldsig#"
- XENC =
"http://www.w3.org/2001/04/xmlenc#"
- @@uuid_generator =
UUID.new
Class Method Summary collapse
-
.build_query(params) ⇒ String
Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature.
-
.decrypt_data(encrypted_node, private_key) ⇒ String
Obtains the decrypted string from an Encrypted node element in XML.
-
.element_text(element) ⇒ Object
Given a REXML::Element instance, return the concatenation of all child text nodes.
-
.format_cert(cert) ⇒ String
Return a properly formatted x509 certificate.
-
.format_private_key(key) ⇒ String
Return a properly formatted private key.
-
.original_uri_match?(destination_url, settings_url) ⇒ Boolean
If Rails’ URI.parse can’t match to valid URL, default back to the original matching service.
-
.retrieve_plaintext(cipher_text, symmetric_key, algorithm) ⇒ String
Obtains the deciphered text.
-
.retrieve_symmetric_key(encrypt_data, private_key) ⇒ String
Obtains the symmetric key from the EncryptedData element.
-
.status_error_msg(error_msg, status_code = nil, status_message = nil) ⇒ String
Build the status error message.
-
.uri_match?(destination_url, settings_url) ⇒ Boolean
Given two strings, attempt to match them as URIs using Rails’ parse method.
- .uuid ⇒ Object
-
.verify_signature(params) ⇒ Boolean
Validate the Signature parameter sent on the HTTP-Redirect binding.
Class Method Details
.build_query(params) ⇒ String
Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature
62 63 64 65 66 67 68 |
# File 'lib/ciam/ruby-saml/utils.rb', line 62 def self.build_query(params) type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]} url_string = "#{type}=#{CGI.escape(data)}" url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state url_string << "&SigAlg=#{CGI.escape(sig_alg)}" end |
.decrypt_data(encrypted_node, private_key) ⇒ String
Obtains the decrypted string from an Encrypted node element in XML
105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 |
# File 'lib/ciam/ruby-saml/utils.rb', line 105 def self.decrypt_data(encrypted_node, private_key) encrypt_data = REXML::XPath.first( encrypted_node, "./xenc:EncryptedData", { 'xenc' => XENC } ) symmetric_key = retrieve_symmetric_key(encrypt_data, private_key) cipher_value = REXML::XPath.first( encrypt_data, "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue", { 'xenc' => XENC } ) node = Base64.decode64(cipher_value.text) encrypt_method = REXML::XPath.first( encrypt_data, "//xenc:EncryptedData/xenc:EncryptionMethod", { 'xenc' => XENC } ) algorithm = encrypt_method.attributes['Algorithm'] retrieve_plaintext(node, symmetric_key, algorithm) end |
.element_text(element) ⇒ Object
Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes that there all children other than text nodes can be ignored (e.g. comments). If nil is passed, nil will be returned.
218 219 220 |
# File 'lib/ciam/ruby-saml/utils.rb', line 218 def self.element_text(element) element.texts.map(&:value).join if element end |
.format_cert(cert) ⇒ String
Return a properly formatted x509 certificate
23 24 25 26 27 28 29 30 31 32 |
# File 'lib/ciam/ruby-saml/utils.rb', line 23 def self.format_cert(cert) # don't try to format an encoded certificate or if is empty or nil return cert if cert.nil? || cert.empty? || cert.match(/\x0d/) cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "") cert = cert.gsub(/[\n\r\s]/, "") cert = cert.scan(/.{1,64}/) cert = cert.join("\n") "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----" end |
.format_private_key(key) ⇒ String
Return a properly formatted private key
39 40 41 42 43 44 45 46 47 48 49 50 51 |
# File 'lib/ciam/ruby-saml/utils.rb', line 39 def self.format_private_key(key) # don't try to format an encoded private key or if is empty return key if key.nil? || key.empty? || key.match(/\x0d/) # is this an rsa key? rsa_key = key.match("RSA PRIVATE KEY") key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "") key = key.gsub(/[\n\r\s]/, "") key = key.scan(/.{1,64}/) key = key.join("\n") key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY" "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----" end |
.original_uri_match?(destination_url, settings_url) ⇒ Boolean
If Rails’ URI.parse can’t match to valid URL, default back to the original matching service.
211 212 213 |
# File 'lib/ciam/ruby-saml/utils.rb', line 211 def self.original_uri_match?(destination_url, settings_url) destination_url == settings_url end |
.retrieve_plaintext(cipher_text, symmetric_key, algorithm) ⇒ String
Obtains the deciphered text
158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 |
# File 'lib/ciam/ruby-saml/utils.rb', line 158 def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm) case algorithm when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key end if cipher iv_len = cipher.iv_len data = cipher_text[iv_len..-1] cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1] assertion_plaintext = cipher.update(data) assertion_plaintext << cipher.final elsif rsa rsa.private_decrypt(cipher_text) elsif oaep oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING) else cipher_text end end |
.retrieve_symmetric_key(encrypt_data, private_key) ⇒ String
Obtains the symmetric key from the EncryptedData element
131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 |
# File 'lib/ciam/ruby-saml/utils.rb', line 131 def self.retrieve_symmetric_key(encrypt_data, private_key) encrypted_key = REXML::XPath.first( encrypt_data, "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey or \ //xenc:EncryptedKey[@Id=substring-after(//xenc:EncryptedData/ds:KeyInfo/ds:RetrievalMethod/@URI, '#')]", { "ds" => DSIG, "xenc" => XENC } ) encrypted_symmetric_key_element = REXML::XPath.first( encrypted_key, "./xenc:CipherData/xenc:CipherValue", { "ds" => DSIG, "xenc" => XENC } ) cipher_text = Base64.decode64(encrypted_symmetric_key_element.text) encrypt_method = REXML::XPath.first( encrypted_key, "./xenc:EncryptionMethod", {"ds" => DSIG, "xenc" => XENC } ) algorithm = encrypt_method.attributes['Algorithm'] retrieve_plaintext(cipher_text, private_key, algorithm) end |
.status_error_msg(error_msg, status_code = nil, status_message = nil) ⇒ String
Build the status error message
88 89 90 91 92 93 94 95 96 97 98 99 |
# File 'lib/ciam/ruby-saml/utils.rb', line 88 def self.status_error_msg(error_msg, status_code = nil, = nil) unless status_code.nil? printable_code = status_code.split(':').last error_msg << ', was ' + printable_code end unless .nil? error_msg << ' -> ' + end error_msg end |
.uri_match?(destination_url, settings_url) ⇒ Boolean
Given two strings, attempt to match them as URIs using Rails’ parse method. If they can be parsed, then the fully-qualified domain name and the host should performa a case-insensitive match, per the RFC for URIs. If Rails can not parse the string in to URL pieces, return a boolean match of the two strings. This maintains the previous functionality.
193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 |
# File 'lib/ciam/ruby-saml/utils.rb', line 193 def self.uri_match?(destination_url, settings_url) dest_uri = URI.parse(destination_url) acs_uri = URI.parse(settings_url) if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil? raise URI::InvalidURIError else dest_uri.scheme.downcase == acs_uri.scheme.downcase && dest_uri.host.downcase == acs_uri.host.downcase && dest_uri.path == acs_uri.path && dest_uri.query == acs_uri.query end rescue URI::InvalidURIError original_uri_match?(destination_url, settings_url) end |
.uuid ⇒ Object
183 184 185 |
# File 'lib/ciam/ruby-saml/utils.rb', line 183 def self.uuid RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}" end |
.verify_signature(params) ⇒ Boolean
Validate the Signature parameter sent on the HTTP-Redirect binding
78 79 80 81 82 |
# File 'lib/ciam/ruby-saml/utils.rb', line 78 def self.verify_signature(params) cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]} signature_algorithm = Ciam::XMLSecurityNew::BaseDocument.new.algorithm(sig_alg) return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string) end |