Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption.

Author: pitbulk

README.md

@@ -251,6 +251,31 @@ class SamlController < ApplicationController
   end
 end
 ```
+
+
+## Signature validation
+
+On the ruby-saml toolkit there are different ways to validate the signature of the SAMLResponse:
+- You can provide the IdP x509 public certificate at the 'idp_cert' setting.
+- You can provide the IdP x509 public certificate in fingerprint format using the 'idp_cert_fingerprint' setting parameter and additionally the 'idp_cert_fingerprint_algorithm' parameter.
+
+When validating the signature of redirect binding, the fingerprint is useless and the the certficate of the IdP is required in order to execute the validation.
+You can pass the option :relax_signature_validation to SloLogoutrequest and Logoutresponse if want to avoid signature validation if no certificate of the IdP is provided.
+
+In some scenarios the IdP uses different certificates for signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata.
+
+In order to handle that the toolkit offers the 'idp_cert_multi' parameter.
+When used, 'idp_cert' and 'idp_cert_fingerprint' values are ignored.
+
+That 'idp_cert_multi' must be a Hash as follows:
+{
+  :signing => [],
+  :encryption => []
+}
+
+And on 'signing' and 'encryption' arrays, add the different IdP x509 public certificates published on the IdP metadata.
+
+
 ## Metadata Based Configuration
 
 The method above requires a little extra work to manually specify attributes about the IdP.  (And your SP application)  There's an easier method -- use a metadata exchange.  Metadata is just an XML file that defines the capabilities of both the IdP and the SP application.  It also contains the X.509 public

lib/onelogin/ruby-saml/logoutresponse.rb

@@ -27,6 +27,8 @@ class Logoutresponse < SamlMessage
       # @param options   [Hash] Extra parameters. 
       #                    :matches_request_id It will validate that the logout response matches the ID of the request.
       #                    :get_params GET Parameters, including the SAMLResponse
+      #                    :relax_signature_validation to accept signatures if no idp certificate registered on settings
+      #
       # @raise [ArgumentError] if response is nil
       #
       def initialize(response, settings = nil, options = {})
@@ -208,21 +210,42 @@ def validate_signature
         return true unless !options.nil?
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
-        return true if settings.nil? || settings.get_idp_cert.nil?
-        
+
+        idp_cert = settings.get_idp_cert
+        idp_certs = settings.get_idp_cert_multi
+
+        if idp_cert.nil? && (idp_certs.nil? || idp_certs[:signing].empty?)
+          return options.has_key? :relax_signature_validation
+        end
+
         query_string = OneLogin::RubySaml::Utils.build_query(
           :type        => 'SAMLResponse',
           :data        => options[:get_params]['SAMLResponse'],
           :relay_state => options[:get_params]['RelayState'],
           :sig_alg     => options[:get_params]['SigAlg']
         )
 
-        valid = OneLogin::RubySaml::Utils.verify_signature(
-          :cert         => settings.get_idp_cert,
-          :sig_alg      => options[:get_params]['SigAlg'],
-          :signature    => options[:get_params]['Signature'],
-          :query_string => query_string
-        )
+        if idp_certs.nil? || idp_certs[:signing].empty?
+          valid = OneLogin::RubySaml::Utils.verify_signature(
+            :cert         => settings.get_idp_cert,
+            :sig_alg      => options[:get_params]['SigAlg'],
+            :signature    => options[:get_params]['Signature'],
+            :query_string => query_string
+          )
+        else
+          valid = false
+          idp_certs[:signing].each do |idp_cert|
+            valid = OneLogin::RubySaml::Utils.verify_signature(
+              :cert         => idp_cert,
+              :sig_alg      => options[:get_params]['SigAlg'],
+              :signature    => options[:get_params]['Signature'],
+              :query_string => query_string
+            )
+            if valid
+              break
+            end
+          end
+        end
 
         unless valid
           error_msg = "Invalid Signature on Logout Response"

lib/onelogin/ruby-saml/response.rb

@@ -803,13 +803,27 @@ def validate_signature
           return append_error(error_msg)
         end
 
-        opts = {}
-        opts[:fingerprint_alg] = settings.idp_cert_fingerprint_algorithm
-        opts[:cert] = settings.get_idp_cert
-        fingerprint = settings.get_fingerprint
-
-        unless fingerprint && doc.validate_document(fingerprint, @soft, opts)          
-          return append_error(error_msg)
+        idp_certs = settings.get_idp_cert_multi
+        if idp_certs.nil? || idp_certs[:signing].empty?
+          opts = {}
+          opts[:fingerprint_alg] = settings.idp_cert_fingerprint_algorithm
+          opts[:cert] = settings.get_idp_cert
+          fingerprint = settings.get_fingerprint
+
+          unless fingerprint && doc.validate_document(fingerprint, @soft, opts)          
+            return append_error(error_msg)
+          end
+        else
+          valid = false
+          idp_certs[:signing].each do |idp_cert|
+            valid = doc.validate_document_with_cert(idp_cert)
+            if valid
+              break
+            end
+          end
+          unless valid
+            return append_error(error_msg)
+          end
         end
 
         true

lib/onelogin/ruby-saml/settings.rb

@@ -28,6 +28,7 @@ def initialize(overrides = {})
       attr_accessor :idp_cert
       attr_accessor :idp_cert_fingerprint
       attr_accessor :idp_cert_fingerprint_algorithm
+      attr_accessor :idp_cert_multi
       attr_accessor :idp_attribute_names
       attr_accessor :idp_name_qualifier
       # SP Data
@@ -125,6 +126,32 @@ def get_idp_cert
         OpenSSL::X509::Certificate.new(formatted_cert)
       end
 
+      # @return [Hash with 2 arrays of OpenSSL::X509::Certificate] Build multiple IdP certificates from the settings.
+      #
+      def get_idp_cert_multi
+        return nil if idp_cert_multi.nil? || idp_cert_multi.empty?
+
+        raise ArgumentError.new("Invalid value for idp_cert_multi") if not idp_cert_multi.is_a?(Hash)
+
+        certs = {:signing => [], :encryption => [] }
+
+        if idp_cert_multi.key?(:signing) and not idp_cert_multi[:signing].empty?
+          idp_cert_multi[:signing].each do |idp_cert|
+            formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
+            certs[:signing].push(OpenSSL::X509::Certificate.new(formatted_cert))
+          end
+        end
+
+        if idp_cert_multi.key?(:encryption) and not idp_cert_multi[:encryption].empty?
+          idp_cert_multi[:encryption].each do |idp_cert|
+            formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
+            certs[:encryption].push(OpenSSL::X509::Certificate.new(formatted_cert))
+          end
+        end
+
+        certs
+      end
+
       # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
       #
       def get_sp_cert

lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -26,6 +26,7 @@ class SloLogoutrequest < SamlMessage
       # @param request [String] A UUEncoded Logout Request from the IdP.
       # @param options [Hash]  :settings to provide the OneLogin::RubySaml::Settings object 
       #                        Or :allowed_clock_drift for the logout request validation process to allow a clock drift when checking dates with
+      #                        Or :relax_signature_validation to accept signatures if no idp certificate registered on settings 
       #
       # @raise [ArgumentError] If Request is nil
       #
@@ -227,7 +228,13 @@ def validate_signature
         return true if options.nil?
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
-        return true if settings.get_idp_cert.nil?
+
+        idp_cert = settings.get_idp_cert
+        idp_certs = settings.get_idp_cert_multi
+
+        if idp_cert.nil? && (idp_certs.nil? || idp_certs[:signing].empty?)
+          return options.has_key? :relax_signature_validation
+        end
 
         query_string = OneLogin::RubySaml::Utils.build_query(
           :type        => 'SAMLRequest',
@@ -236,12 +243,27 @@ def validate_signature
           :sig_alg     => options[:get_params]['SigAlg']
         )
 
-        valid = OneLogin::RubySaml::Utils.verify_signature(
-          :cert         => settings.get_idp_cert,
-          :sig_alg      => options[:get_params]['SigAlg'],
-          :signature    => options[:get_params]['Signature'],
-          :query_string => query_string
-        )
+        if idp_certs.nil? || idp_certs[:signing].empty?
+          valid = OneLogin::RubySaml::Utils.verify_signature(
+            :cert         => settings.get_idp_cert,
+            :sig_alg      => options[:get_params]['SigAlg'],
+            :signature    => options[:get_params]['Signature'],
+            :query_string => query_string
+          )
+        else
+          valid = false
+          idp_certs[:signing].each do |idp_cert|
+            valid = OneLogin::RubySaml::Utils.verify_signature(
+              :cert         => idp_cert,
+              :sig_alg      => options[:get_params]['SigAlg'],
+              :signature    => options[:get_params]['Signature'],
+              :query_string => query_string
+            )
+            if valid
+              break
+            end
+          end
+        end
 
         unless valid
           return append_error("Invalid Signature on Logout Request")

lib/xml_security.rb

@@ -240,6 +240,31 @@ def validate_document(idp_cert_fingerprint, soft = true, options = {})
       validate_signature(base64_cert, soft)
     end
 
+    def validate_document_with_cert(idp_cert)
+      # get cert from response
+      cert_element = REXML::XPath.first(
+        self,
+        "//ds:X509Certificate",
+        { "ds"=>DSIG }
+      )
+
+      if cert_element
+        base64_cert = cert_element.text
+        cert_text = Base64.decode64(base64_cert)
+        begin
+          cert = OpenSSL::X509::Certificate.new(cert_text)
+        rescue OpenSSL::X509::CertificateError => e
+          return append_error("Certificate Error", soft)
+        end
+
+        # check saml response cert matches provided idp cert
+        if idp_cert.to_pem != cert.to_pem
+          return false
+      end
+        validate_signature(base64_cert, true)
+      end
+    end
+
     def validate_signature(base64_cert, soft = true)
 
       document = Nokogiri::XML(self.to_s) do |config|

test/logoutresponse_test.rb

@@ -223,6 +223,27 @@ class RubySamlTest < Minitest::Test
           settings.idp_cert = ruby_saml_cert_text
         end
 
+        it "return true when no idp_cert is provided and option :relax_signature_validation is present" do
+          settings.idp_cert = nil
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+          params['RelayState'] = params[:RelayState]
+          options = {}
+          options[:get_params] = params
+          options[:relax_signature_validation] = true
+          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert logoutresponse_sign_test.send(:validate_signature)
+        end
+
+        it "return false when no idp_cert is provided and no option :relax_signature_validation is present" do
+          settings.idp_cert = nil
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+          params['RelayState'] = params[:RelayState]
+          options = {}
+          options[:get_params] = params
+          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert !logoutresponse_sign_test.send(:validate_signature)
+        end
+
         it "return true when valid RSA_SHA1 Signature" do
           settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
           params['RelayState'] = params[:RelayState]
@@ -262,6 +283,45 @@ class RubySamlTest < Minitest::Test
           assert logoutresponse.errors.include? "Invalid Signature on Logout Response"
         end
       end
+
+      describe "#validate_signature" do
+        let (:params) { OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, random_id, "Custom Logout Message", :RelayState => 'http://example.com') }
+
+        before do
+          settings.soft = true
+          settings.idp_slo_target_url = "http://example.com?field=value"
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+          settings.security[:logout_responses_signed] = true
+          settings.security[:embed_sign] = false
+          settings.certificate = ruby_saml_cert_text
+          settings.private_key = ruby_saml_key_text
+          settings.idp_cert = nil
+        end
+
+        it "return true when at least a idp_cert is valid" do
+          params['RelayState'] = params[:RelayState]
+          options = {}
+          options[:get_params] = params
+          settings.idp_cert_multi = {
+            :signing => [ruby_saml_cert_text2, ruby_saml_cert_text],
+            :encryption => []
+          }
+          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert logoutresponse_sign_test.send(:validate_signature)
+        end
+
+        it "return false when none cert on idp_cert_multi is valid" do
+          params['RelayState'] = params[:RelayState]
+          options = {}
+          options[:get_params] = params
+          settings.idp_cert_multi = {
+            :signing => [ruby_saml_cert_text2, ruby_saml_cert_text2],
+            :encryption => []
+          }
+          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert !logoutresponse_sign_test.send(:validate_signature)
+        end
+      end
     end
   end
 end

test/response_test.rb

@@ -799,6 +799,29 @@ class RubySamlTest < Minitest::Test
        end
     end
 
+    describe "#validate_signature with multiple idp certs" do
+      it "return true when at least a cert on idp_cert_multi is valid" do
+        settings.idp_cert_multi = {
+          :signing => [ruby_saml_cert_text2, ruby_saml_cert_text],
+          :encryption => []
+        }
+        response_valid_signed.settings = settings
+        assert response_valid_signed.send(:validate_signature)
+        assert_empty response_valid_signed.errors
+      end
+
+      it "return false when none cert on idp_cert_multi is valid" do
+        settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
+        settings.idp_cert_multi = {
+          :signing => [ruby_saml_cert_text2, ruby_saml_cert_text2],
+          :encryption => []
+        }
+        response_valid_signed.settings = settings
+        assert !response_valid_signed.send(:validate_signature)
+        assert_includes response_valid_signed.errors, "Invalid Signature on SAML Response"
+      end
+    end
+
     describe "#validate nameid" do
       it "return false when no nameid element and required by settings" do
         settings.security[:want_name_id] = true