Rename RequestDocument by Document, Fix algorithm mapping

Author: pitbulk

lib/onelogin/ruby-saml/authrequest.rb

@@ -33,12 +33,12 @@ def create_params(settings, params={})
  request_params = {"SAMLRequest" => base64_request}
 
  if settings.security[:authn_requests_signed] && !settings.security[:embeed_sign] && settings.private_key
- params['SigAlg'] = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+ params['SigAlg'] = XMLSecurity::Document::SHA1
  url_string = "SAMLRequest=#{CGI.escape(base64_request)}"
  url_string += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
  url_string += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
  private_key = settings.get_sp_key()
- signature = private_key.sign(OpenSSL::Digest::SHA1.new, url_string)
+ signature = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
  params['Signature'] = encode(signature)
  end
 
@@ -53,7 +53,7 @@ def create_authentication_xml_doc(settings)
  uuid = "_" + UUID.new.generate
  time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
  # Create AuthnRequest root element using REXML
- request_doc = XMLSecurity::RequestDocument.new
+ request_doc = XMLSecurity::Document.new
  request_doc.uuid = uuid
 
  root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }

lib/onelogin/ruby-saml/logoutrequest.rb

@@ -31,7 +31,7 @@ def create_unauth_xml_doc(settings, params)
 
  time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
- request_doc = XMLSecurity::RequestDocument.new
+ request_doc = XMLSecurity::Document.new
  root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
  root.attributes['ID'] = @uuid
  root.attributes['IssueInstant'] = time

lib/onelogin/ruby-saml/settings.rb

@@ -103,8 +103,8 @@ def get_sp_key
  :authn_requests_signed => false,
  :logout_requests_signed => false,
  :embeed_sign => false,
- :digest_method => "SHA1",
- :signature_method => "SHA1"
+ :digest_method => XMLSecurity::Document::SHA1,
+ :signature_method => XMLSecurity::Document::SHA1
  },
  :double_quote_xml_attribute_values => false,
  }

lib/xml_security.rb

@@ -35,8 +35,8 @@ module XMLSecurity
 
  class BaseDocument < REXML::Document
 
- C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
- DSIG = "http://www.w3.org/2000/09/xmldsig#"
+ C14N  = "http://www.w3.org/2001/10/xml-exc-c14n#"
+ DSIG  = "http://www.w3.org/2000/09/xmldsig#"
 
  def canon_algorithm(element)
  algorithm = element
@@ -70,12 +70,11 @@ def algorithm(element)
 
  end
 
- class RequestDocument < BaseDocument
-
- SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
- SHA256 = "http://www.w3.org/2000/09/xmldsig#sha256"
- SHA384 = "http://www.w3.org/2000/09/xmldsig#sha384"
- SHA512 = "http://www.w3.org/2000/09/xmldsig#sha512"
+ class Document < BaseDocument
+ SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+ SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+ SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+ SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
  ENVELOPED_SIG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
  INC_PREFIX_LIST = "#default samlp saml ds xs xsi"
 
@@ -97,7 +96,6 @@ class RequestDocument < BaseDocument
  #<Object />
  #</Signature>
  def sign_document(private_key, certificate, signature_method = SHA1, digest_method = SHA1)
-
  noko = Nokogiri.parse(self.to_s)
  canon_doc = noko.canonicalize(canon_algorithm(C14N))
 

test/request_test.rb

@@ -156,9 +156,30 @@ class RequestTest < Test::Unit::TestCase
  params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
  request_xml = Base64.decode64(params["SAMLRequest"])
  assert_match %r[<SignatureValue>([a-zA-Z0-9/+=]+)</SignatureValue>], request_xml
+ request_xml =~ /<SignatureMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
+ request_xml =~ /<DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
+ end
+
+ should "create a signed request with 256 digest and signature methods" do
+ settings = OneLogin::RubySaml::Settings.new
+ settings.compress_request = false
+ settings.idp_sso_target_url = "http://example.com?field=value"
+ settings.security[:authn_requests_signed] = true
+ settings.security[:embeed_sign] = true
+ settings.security[:signature_method] = XMLSecurity::Document::SHA256
+ settings.security[:digest_method] = XMLSecurity::Document::SHA512
+ settings.certificate = ruby_saml_cert_text
+ settings.private_key = ruby_saml_key_text
+
+ params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
+ request_xml = Base64.decode64(params["SAMLRequest"])
+ assert_match %r[<SignatureValue>([a-zA-Z0-9/+=]+)</SignatureValue>], request_xml
+ request_xml =~ /<SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
+ request_xml =~ /<DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
  end
  end
 
+
  context "when the settings indicate to sign the request" do
  should "create a signature parameter" do
  settings = OneLogin::RubySaml::Settings.new
@@ -167,12 +188,20 @@ class RequestTest < Test::Unit::TestCase
  settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
  settings.security[:authn_requests_signed] = true
  settings.security[:embeed_sign] = false
+ settings.security[:signature_method] = XMLSecurity::Document::SHA1
  settings.certificate = ruby_saml_cert_text
  settings.private_key = ruby_saml_key_text
 
  params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
  assert params['Signature']
- assert params['SigAlg'] == 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+ assert params['SigAlg'] == XMLSecurity::Document::SHA1
+
+ # signature_method only affects the embedeed signature
+ settings.security[:signature_method] = XMLSecurity::Document::SHA256
+ params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
+ assert params['Signature']
+ assert params['SigAlg'] == XMLSecurity::Document::SHA1
+
  end
 
  end