Class: OneLogin::KlRubySaml::Utils
- Inherits:
-
Object
- Object
- OneLogin::KlRubySaml::Utils
- Defined in:
- lib/onelogin/kl-ruby-saml/utils.rb
Overview
SAML2 Auxiliary class
Constant Summary collapse
- DSIG =
"http://www.w3.org/2000/09/xmldsig#"
- XENC =
"http://www.w3.org/2001/04/xmlenc#"
Class Method Summary collapse
-
.build_query(params) ⇒ String
Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature.
-
.decrypt_data(encrypted_node, private_key) ⇒ String
Obtains the decrypted string from an Encrypted node element in XML.
-
.format_cert(cert) ⇒ String
Return a properly formatted x509 certificate.
-
.format_private_key(key) ⇒ String
Return a properly formatted private key.
-
.retrieve_plaintext(cipher_text, symmetric_key, algorithm) ⇒ String
Obtains the deciphered text.
-
.retrieve_symmetric_key(encrypt_data, private_key) ⇒ String
Obtains the symmetric key from the EncryptedData element.
-
.status_error_msg(error_msg, status_code = nil, status_message = nil) ⇒ String
Build the status error message.
-
.verify_signature(params) ⇒ Boolean
Validate the Signature parameter sent on the HTTP-Redirect binding.
Class Method Details
.build_query(params) ⇒ String
Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature
55 56 57 58 59 60 61 |
# File 'lib/onelogin/kl-ruby-saml/utils.rb', line 55 def self.build_query(params) type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]} url_string = "#{type}=#{CGI.escape(data)}" url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state url_string << "&SigAlg=#{CGI.escape(sig_alg)}" end |
.decrypt_data(encrypted_node, private_key) ⇒ String
Obtains the decrypted string from an Encrypted node element in XML
98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 |
# File 'lib/onelogin/kl-ruby-saml/utils.rb', line 98 def self.decrypt_data(encrypted_node, private_key) encrypt_data = REXML::XPath.first( encrypted_node, "./xenc:EncryptedData", { 'xenc' => XENC } ) symmetric_key = retrieve_symmetric_key(encrypt_data, private_key) cipher_value = REXML::XPath.first( encrypt_data, "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue", { 'xenc' => XENC } ) node = Base64.decode64(cipher_value.text) encrypt_method = REXML::XPath.first( encrypt_data, "//xenc:EncryptedData/xenc:EncryptionMethod", { 'xenc' => XENC } ) algorithm = encrypt_method.attributes['Algorithm'] retrieve_plaintext(node, symmetric_key, algorithm) end |
.format_cert(cert) ⇒ String
Return a properly formatted x509 certificate
16 17 18 19 20 21 22 23 24 25 |
# File 'lib/onelogin/kl-ruby-saml/utils.rb', line 16 def self.format_cert(cert) # don't try to format an encoded certificate or if is empty or nil return cert if cert.nil? || cert.empty? || cert.match(/\x0d/) cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "") cert = cert.gsub(/[\n\r\s]/, "") cert = cert.scan(/.{1,64}/) cert = cert.join("\n") "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----" end |
.format_private_key(key) ⇒ String
Return a properly formatted private key
32 33 34 35 36 37 38 39 40 41 42 43 44 |
# File 'lib/onelogin/kl-ruby-saml/utils.rb', line 32 def self.format_private_key(key) # don't try to format an encoded private key or if is empty return key if key.nil? || key.empty? || key.match(/\x0d/) # is this an rsa key? rsa_key = key.match("RSA PRIVATE KEY") key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "") key = key.gsub(/[\n\r\s]/, "") key = key.scan(/.{1,64}/) key = key.join("\n") key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY" "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----" end |
.retrieve_plaintext(cipher_text, symmetric_key, algorithm) ⇒ String
Obtains the deciphered text
145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 |
# File 'lib/onelogin/kl-ruby-saml/utils.rb', line 145 def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm) case algorithm when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key end if cipher iv_len = cipher.iv_len data = cipher_text[iv_len..-1] cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1] assertion_plaintext = cipher.update(data) assertion_plaintext << cipher.final elsif rsa rsa.private_decrypt(cipher_text) elsif oaep oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING) else cipher_text end end |
.retrieve_symmetric_key(encrypt_data, private_key) ⇒ String
Obtains the symmetric key from the EncryptedData element
124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 |
# File 'lib/onelogin/kl-ruby-saml/utils.rb', line 124 def self.retrieve_symmetric_key(encrypt_data, private_key) encrypted_symmetric_key_element = REXML::XPath.first( encrypt_data, "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue", { "ds" => DSIG, "xenc" => XENC } ) cipher_text = Base64.decode64(encrypted_symmetric_key_element.text) encrypt_method = REXML::XPath.first( encrypt_data, "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", {"ds" => DSIG, "xenc" => XENC } ) algorithm = encrypt_method.attributes['Algorithm'] retrieve_plaintext(cipher_text, private_key, algorithm) end |
.status_error_msg(error_msg, status_code = nil, status_message = nil) ⇒ String
Build the status error message
81 82 83 84 85 86 87 88 89 90 91 92 |
# File 'lib/onelogin/kl-ruby-saml/utils.rb', line 81 def self.status_error_msg(error_msg, status_code = nil, = nil) unless status_code.nil? printable_code = status_code.split(':').last error_msg << ', was ' + printable_code end unless .nil? error_msg << ' -> ' + end error_msg end |
.verify_signature(params) ⇒ Boolean
Validate the Signature parameter sent on the HTTP-Redirect binding
71 72 73 74 75 |
# File 'lib/onelogin/kl-ruby-saml/utils.rb', line 71 def self.verify_signature(params) cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]} signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(sig_alg) return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string) end |