class OneLogin::RubySaml::Utils

SAML2 Auxiliary class

Constants

DSIG
XENC

Public Class Methods

build_query(params) click to toggle source

Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature @param params [Hash] Parameters to build the Query String @option params [String] :type 'SAMLRequest' or 'SAMLResponse' @option params [String] :data Base64 encoded SAMLRequest or SAMLResponse @option params [String] :relay_state The RelayState parameter @option params [String] :sig_alg The SigAlg parameter @return [String] The Query String

# File lib/onelogin/ruby-saml/utils.rb, line 62
def self.build_query(params)
  type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}

  url_string = "#{type}=#{CGI.escape(data)}"
  url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
  url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
end
decrypt_data(encrypted_node, private_key) click to toggle source

Obtains the decrypted string from an Encrypted node element in XML @param encrypted_node [REXML::Element] The Encrypted element @param private_key [OpenSSL::PKey::RSA] The Service provider private key @return [String] The decrypted data

# File lib/onelogin/ruby-saml/utils.rb, line 105
def self.decrypt_data(encrypted_node, private_key)
  encrypt_data = REXML::XPath.first(
    encrypted_node,
    "./xenc:EncryptedData",
    { 'xenc' => XENC }
  )
  symmetric_key = retrieve_symmetric_key(encrypt_data, private_key)
  cipher_value = REXML::XPath.first(
    encrypt_data,
    "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue",
    { 'xenc' => XENC }
  )
  node = Base64.decode64(cipher_value.text)
  encrypt_method = REXML::XPath.first(
    encrypt_data,
    "//xenc:EncryptedData/xenc:EncryptionMethod",
    { 'xenc' => XENC }
  )
  algorithm = encrypt_method.attributes['Algorithm']
  retrieve_plaintext(node, symmetric_key, algorithm)
end
format_cert(cert) click to toggle source

Return a properly formatted x509 certificate

@param cert [String] The original certificate @return [String] The formatted certificate

# File lib/onelogin/ruby-saml/utils.rb, line 23
def self.format_cert(cert)
  # don't try to format an encoded certificate or if is empty or nil
  return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)

  cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
  cert = cert.gsub(/[\n\r\s]/, "")
  cert = cert.scan(/.{1,64}/)
  cert = cert.join("\n")
  "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
end
format_private_key(key) click to toggle source

Return a properly formatted private key

@param key [String] The original private key @return [String] The formatted private key

# File lib/onelogin/ruby-saml/utils.rb, line 39
def self.format_private_key(key)
  # don't try to format an encoded private key or if is empty
  return key if key.nil? || key.empty? || key.match(/\x0d/)

  # is this an rsa key?
  rsa_key = key.match("RSA PRIVATE KEY")
  key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
  key = key.gsub(/[\n\r\s]/, "")
  key = key.scan(/.{1,64}/)
  key = key.join("\n")
  key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
  "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
end
retrieve_plaintext(cipher_text, symmetric_key, algorithm) click to toggle source

Obtains the deciphered text @param cipher_text [String] The ciphered text @param symmetric_key [String] The symetric key used to encrypt the text @param algorithm [String] The encrypted algorithm @return [String] The deciphered text

# File lib/onelogin/ruby-saml/utils.rb, line 158
def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
  case algorithm
    when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
    when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
  end

  if cipher
    iv_len = cipher.iv_len
    data = cipher_text[iv_len..-1]
    cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
    assertion_plaintext = cipher.update(data)
    assertion_plaintext << cipher.final
  elsif rsa
    rsa.private_decrypt(cipher_text)
  elsif oaep
    oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  else
    cipher_text
  end
end
retrieve_symmetric_key(encrypt_data, private_key) click to toggle source

Obtains the symmetric key from the EncryptedData element @param encrypt_data [REXML::Element] The EncryptedData element @param private_key [OpenSSL::PKey::RSA] The Service provider private key @return [String] The symmetric key

# File lib/onelogin/ruby-saml/utils.rb, line 131
def self.retrieve_symmetric_key(encrypt_data, private_key)
  encrypted_key = REXML::XPath.first(
    encrypt_data,
    "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey or \
     //xenc:EncryptedKey[@Id=substring-after(//xenc:EncryptedData/ds:KeyInfo/ds:RetrievalMethod/@URI, '#')]",
    { "ds" => DSIG, "xenc" => XENC }
  )
  encrypted_symmetric_key_element = REXML::XPath.first(
    encrypted_key,
    "./xenc:CipherData/xenc:CipherValue",
    { "ds" => DSIG, "xenc" => XENC }
  )
  cipher_text = Base64.decode64(encrypted_symmetric_key_element.text)
  encrypt_method = REXML::XPath.first(
    encrypted_key,
    "./xenc:EncryptionMethod",
    {"ds" => DSIG,  "xenc" => XENC }
  )
  algorithm = encrypt_method.attributes['Algorithm']
  retrieve_plaintext(cipher_text, private_key, algorithm)
end
status_error_msg(error_msg, status_code = nil, status_message = nil) click to toggle source

Build the status error message @param status_code [String] StatusCode value @param status_message [Strig] StatusMessage value @return [String] The status error message

# File lib/onelogin/ruby-saml/utils.rb, line 88
def self.status_error_msg(error_msg, status_code = nil, status_message = nil)
  unless status_code.nil?
    printable_code = status_code.split(':').last
    error_msg << ', was ' + printable_code
  end

  unless status_message.nil?
    error_msg << ' -> ' + status_message
  end

  error_msg
end
uuid() click to toggle source
# File lib/onelogin/ruby-saml/utils.rb, line 183
def self.uuid
  RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
end
verify_signature(params) click to toggle source

Validate the Signature parameter sent on the HTTP-Redirect binding @param params [Hash] Parameters to be used in the validation process @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate @option params [String] sig_alg The SigAlg parameter @option params [String] signature The Signature parameter (base64 encoded) @option params [String] query_string The full GET Query String to be compared @return [Boolean] True if the Signature is valid, False otherwise

# File lib/onelogin/ruby-saml/utils.rb, line 78
def self.verify_signature(params)
  cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]}
  signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(sig_alg)
  return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
end