Commit bca0ae5

mo <mo.khan@gmail.com>
2017-11-04 18:14:44
verify if a fingerprint matches a cert.
1 parent 1917c88
lib/saml/kit/authentication_request.rb
@@ -61,7 +61,7 @@ module Saml
 
       def must_be_registered_service_provider
         return unless login_request?
-        return if service_provider.matches?(fingerprint)
+        return if service_provider.matches?(fingerprint, use: "signing")
 
         errors[:base] << error_message(:invalid)
       end
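Review bot: The `use:` value passed on the `+` line is the string `"signing"`, while the receiving `matches?` in this same commit compares it against the symbol `:signing`; in Ruby `:signing == "signing"` is false, so the guard never returns early and every login request is reported invalid regardless of its certificate. The spec for this method stubs `matches?` outright, so it cannot catch the mismatch. Change the call to `return if service_provider.matches?(fingerprint, use: :signing)` so the two sides agree, and consider a non-stubbed spec that builds a request signed with the registered certificate and expects it to be valid. The enclosing class and the `fingerprint` helper are outside this hunk.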
lib/saml/kit/service_provider_metadata.rb
@@ -14,8 +14,13 @@ module Saml
         end
       end
 
-      def matches?(fingerprint)
-        #fingerprint.algorithm(OpenSSL::Digest::SHA256).present?
+      def matches?(fingerprint, use: :signing)
+        if :signing == use
+          sha256 = fingerprint.algorithm(OpenSSL::Digest::SHA256)
+          signing_certificates.find do |signing_certificate|
+            sha256 == signing_certificate[:fingerprint]
+          end
+        end
       end
 
       private
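Review bot: `matches?` returns nil for any `use` other than the exact symbol `:signing`, which makes a caller-side typo or a string such as `"signing"` (the value the caller in this commit actually passes) look like "certificate not registered" instead of a programming error; a trust check should fail loudly on unsupported input rather than quietly answer false. It also returns the matching certificate hash rather than a boolean, so the `?` name over-promises. I would normalise the keyword, raise on anything unsupported, and use `any?` so the method returns true/false. Whether `Fingerprint#algorithm` and `signing_certificate[:fingerprint]` use the same string format (case, separators) is not visible in this hunk and is worth confirming, since a format mismatch here would also silently reject every request. The enclosing class header and `signing_certificates` are outside this hunk.
```ruby
def matches?(fingerprint, use: :signing)
  # Fail loudly on unsupported/typo'd uses instead of silently reporting "no match".
  raise ArgumentError, "unsupported certificate use: #{use.inspect}" unless use.to_sym == :signing

  sha256 = fingerprint.algorithm(OpenSSL::Digest::SHA256)
  signing_certificates.any? { |certificate| sha256 == certificate[:fingerprint] }
end
```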
spec/saml/authentication_request_spec.rb
@@ -77,8 +77,7 @@ RSpec.describe Saml::Kit::AuthenticationRequest do
       builder.acs_url = acs_url
       xml = builder.to_xml
 
-      fingerprint = Saml::Kit::Fingerprint.new(Hash.from_xml(xml)['AuthnRequest']['Signature']['KeyInfo']['X509Data']['X509Certificate'])
-      allow(service_provider_metadata).to receive(:matches?).with(fingerprint).and_return(false)
+      allow(service_provider_metadata).to receive(:matches?).and_return(false)
       expect(described_class.new(xml)).to be_invalid
     end
 
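Review bot: Dropping `.with(fingerprint)` from the stub means this spec no longer asserts that the fingerprint handed to `matches?` is the one taken from the request's own `KeyInfo/X509Data/X509Certificate`; any call with any arguments now satisfies it, so a regression that passed the wrong fingerprint (or no `use:`) would still pass. Once the caller and `matches?` agree on the `use:` value, pin the arguments again, e.g. `allow(service_provider_metadata).to receive(:matches?).with(fingerprint, use: :signing).and_return(false)`, keeping the `fingerprint` construction line that was removed. The surrounding `it` block and `let` definitions begin outside this hunk.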
spec/saml/service_provider_metadata_spec.rb
@@ -150,4 +150,20 @@ RSpec.describe Saml::Kit::ServiceProviderMetadata do
       expect(subject.errors[:metadata]).to include("invalid signature.")
     end
   end
+
+  describe "#matches?" do
+    subject { described_class::Builder.new.build }
+
+    it 'returns true when the fingerprint matches one of the signing certificates' do
+      certificate = Hash.from_xml(subject.to_xml)['EntityDescriptor']['Signature']['KeyInfo']['X509Data']['X509Certificate']
+      fingerprint = Saml::Kit::Fingerprint.new(certificate)
+      expect(subject.matches?(fingerprint)).to be_truthy
+    end
+
+    it 'returns false when the fingerprint does not match one of the signing certificates' do
+      certificate, _ = Saml::Kit::SelfSignedCertificate.new('password').create
+      fingerprint = Saml::Kit::Fingerprint.new(certificate)
+      expect(subject.matches?(fingerprint)).to be_falsey
+    end
+  end
 end
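Review bot: Both new examples call `matches?` with the default `use:` only, so the keyword the rest of this commit relies on is never exercised and the symbol/string mismatch in the caller goes unnoticed. Add an example that passes the keyword the way the caller does, e.g. `expect(subject.matches?(fingerprint, use: :signing)).to be_truthy`, and one that documents what happens for an unsupported use such as `use: :encryption` (currently nil, which `be_falsey` would accept). The `be_truthy`/`be_falsey` matchers also hide that the method returns a certificate hash rather than a boolean; if `matches?` is changed to return true/false, tighten these to `eq(true)`/`eq(false)`. The enclosing `RSpec.describe` block begins outside this hunk.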