Commit 53d37a8

mo <mo.khan@gmail.com>
2017-11-25 06:02:08
verify encrypted assertion.
main
1 parent 5c690dc
Changed files (4)
lib
saml
kit
configuration.rb
response.rb
service_provider_metadata.rb
spec
saml
response_spec.rb
lib/saml/kit/configuration.rb
@@ -24,7 +24,11 @@ module Saml
       end
 
       def stripped_signing_certificate
-        signing_certificate_pem.to_s.gsub(BEGIN_CERT, '').gsub(END_CERT, '').gsub(/\n/, '')
+        normalize(signing_certificate_pem)
+      end
+
+      def stripped_encryption_certificate
+        normalize(encryption_certificate_pem)
       end
 
       def signing_x509
@@ -38,6 +42,12 @@ module Saml
       def encryption_private_key
         OpenSSL::PKey::RSA.new(encryption_private_key_pem, encryption_private_key_password)
       end
+
+      private
+
+      def normalize(certificate)
+        certificate.to_s.gsub(BEGIN_CERT, '').gsub(END_CERT, '').gsub(/\n/, '')
+      end
     end
   end
 end
lib/saml/kit/response.rb
@@ -183,7 +183,7 @@ module Saml
             yield temp
             raw_xml_to_encrypt = temp.target!
 
-            encryption_certificate = OpenSSL::X509::Certificate.new(request.provider.encryption_certificates.first[:text])
+            encryption_certificate = OpenSSL::X509::Certificate.new(Base64.decode64(request.provider.encryption_certificates.first[:text]))
             public_key = encryption_certificate.public_key
 
             cipher = OpenSSL::Cipher.new('AES-256-CBC')
@@ -194,9 +194,10 @@ module Saml
 
             xml.EncryptedAssertion xmlns: Namespaces::ASSERTION do
               xml.EncryptedData xmlns: Namespaces::XMLENC, TYPE: "http://www.w3.org/2001/04/xmlenc#Element" do
+                xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
                 xml.KeyInfo xmlns: Namespaces::XMLDSIG do
                   xml.EncryptedKey xmlns: Namespaces::XMLENC do
-                    xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
+                    xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
                     xml.CipherData do
                       xml.CipherValue Base64.encode64(public_key.public_encrypt(key))
                     end
lib/saml/kit/service_provider_metadata.rb
@@ -58,6 +58,15 @@ module Saml
                     end
                   end
                 end
+                if @configuration.encryption_certificate_pem.present?
+                  xml.KeyDescriptor use: "encryption" do
+                    xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
+                      xml.X509Data do
+                        xml.X509Certificate @configuration.stripped_encryption_certificate
+                      end
+                    end
+                  end
+                end
                 logout_urls.each do |item|
                   xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
                 end
spec/saml/response_spec.rb
@@ -409,7 +409,7 @@ RSpec.describe Saml::Kit::Response do
     let(:request) { double(:request, id: SecureRandom.uuid, acs_url: FFaker::Internet.http_url, provider: provider, name_id_format: Saml::Kit::Namespaces::PERSISTENT, issuer: FFaker::Internet.http_url, signed?: true, trusted?: true) }
     let(:provider) { double(want_assertions_signed: false, encryption_certificates: [{ text: encryption_pem }]) }
     let(:encryption_pem) do
-      Saml::Kit.configuration.encryption_certificate_pem
+      Saml::Kit.configuration.stripped_encryption_certificate
     end
 
     describe "#build" do
@@ -423,6 +423,9 @@ RSpec.describe Saml::Kit::Response do
         subject.encrypt = true
         result = Hash.from_xml(subject.to_xml)
         expect(result['Response']['EncryptedAssertion']).to be_present
+        decrypted = Saml::Kit::Cryptography.new.decrypt(result['Response']['EncryptedAssertion'])
+        decrypted_hash = Hash.from_xml(decrypted)
+        #expect(decrypted_hash['Assertion']).to be_present
       end
     end
   end