Commit 4ca57f0

mo <mo.khan@gmail.com>
2017-12-15 22:42:16
return nil when unable to decrypt.
main
1 parent 5141c29
Changed files (2)
lib
saml
kit
xml_decryption.rb
spec
saml
xml_decryption_spec.rb
lib/saml/kit/xml_decryption.rb
@@ -12,6 +12,9 @@ module Saml
         symmetric_key = symmetric_key_from(encrypted_data)
         cipher_text = Base64.decode64(encrypted_data["CipherData"]["CipherValue"])
         to_plaintext(cipher_text, symmetric_key, encrypted_data["EncryptionMethod"]['Algorithm'])
+      rescue OpenSSL::PKey::RSAError => error
+        Saml::Kit.logger.error(error)
+        nil
       end
 
       private
spec/saml/xml_decryption_spec.rb
@@ -21,13 +21,13 @@ RSpec.describe Saml::Kit::XmlDecryption do
           "xmlns:xenc"=>"http://www.w3.org/2001/04/xmlenc#",
           "xmlns:dsig"=>"http://www.w3.org/2000/09/xmldsig#",
           "Type"=>"http://www.w3.org/2001/04/xmlenc#Element",
-          "EncryptionMethod"=> { 
+          "EncryptionMethod"=> {
             "Algorithm"=>"http://www.w3.org/2001/04/xmlenc#aes128-cbc"
           },
           "KeyInfo"=> {
             "xmlns:dsig"=>"http://www.w3.org/2000/09/xmldsig#",
             "EncryptedKey"=> {
-              "EncryptionMethod"=>{ 
+              "EncryptionMethod"=>{
                 "Algorithm"=>"http://www.w3.org/2001/04/xmlenc#rsa-1_5"
               },
               "CipherData"=>{
@@ -44,5 +44,47 @@ RSpec.describe Saml::Kit::XmlDecryption do
       decrypted = subject.decrypt(data)
       expect(decrypted.strip).to eql(secret)
     end
+
+    it 'returns nil when it cannot decrypt the data' do
+      certificate_pem, private_key_pem = Saml::Kit::SelfSignedCertificate.new(password).create
+      public_key = OpenSSL::X509::Certificate.new(certificate_pem).public_key
+      private_key = OpenSSL::PKey::RSA.new(private_key_pem, password)
+
+      cipher = OpenSSL::Cipher.new('AES-128-CBC')
+      cipher.encrypt
+      key = cipher.random_key
+      iv = cipher.random_iv
+      encrypted = cipher.update(secret) + cipher.final
+
+      data = {
+        "EncryptedData"=> {
+          "xmlns:xenc"=>"http://www.w3.org/2001/04/xmlenc#",
+          "xmlns:dsig"=>"http://www.w3.org/2000/09/xmldsig#",
+          "Type"=>"http://www.w3.org/2001/04/xmlenc#Element",
+          "EncryptionMethod"=> {
+            "Algorithm"=>"http://www.w3.org/2001/04/xmlenc#aes128-cbc"
+          },
+          "KeyInfo"=> {
+            "xmlns:dsig"=>"http://www.w3.org/2000/09/xmldsig#",
+            "EncryptedKey"=> {
+              "EncryptionMethod"=>{
+                "Algorithm"=>"http://www.w3.org/2001/04/xmlenc#rsa-1_5"
+              },
+              "CipherData"=>{
+                "CipherValue"=> Base64.encode64(public_key.public_encrypt(key))
+              }
+            }
+          },
+          "CipherData"=>{
+            "CipherValue"=> Base64.encode64(iv + encrypted)
+          }
+        }
+      }
+
+      new_private_key_pem = Saml::Kit::SelfSignedCertificate.new(password).create[1]
+      new_private_key = OpenSSL::PKey::RSA.new(new_private_key_pem, password)
+      subject = described_class.new(configuration: double(private_keys: [new_private_key]))
+      expect(subject.decrypt(data)).to be_nil
+    end
   end
 end