Be able to register future SP x509cert on the settings and publish it on SP metadata

pitbulk · pitbulk · commit e4621b619d2a · 2017-04-19T12:54:58.000+02:00
diff --git a/README.md b/README.md
@@ -453,6 +453,12 @@ The Service Provider will decrypt the EncryptedAssertion with its private key.
 
 Notice that this toolkit uses 'settings.certificate' and 'settings.private_key' for the sign and decrypt processes.
 
+
+## Key rollover
+
+If you plan to update the SP x509cert and privateKey you can define the parameter 'certificate_new' at the settings and that new SP public certificate will be published on the SP metadata so Identity Providers can read them and get ready for rollover.
+
+
 ## Single Log Out
 
 The Ruby Toolkit supports SP-initiated Single Logout and IdP-Initiated Single Logout.
@@ -583,6 +589,7 @@ class SamlController < ApplicationController
 end
 ```
 
+
 ## Clock Drift
 
 Server clocks tend to drift naturally. If during validation of the response you get the error "Current time is earlier than NotBefore condition", this may be due to clock differences between your system and that of the Identity Provider.
diff --git a/lib/onelogin/ruby-saml/metadata.rb b/lib/onelogin/ruby-saml/metadata.rb
@@ -33,21 +33,26 @@ def generate(settings, pretty_print=false)
         }
 
         # Add KeyDescriptor if messages will be signed / encrypted
+        # with SP certificate, and new SP certificate if any
         cert = settings.get_sp_cert
-        if cert
-          cert_text = Base64.encode64(cert.to_der).gsub("\n", '')
-          kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
-          ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-          xd = ki.add_element "ds:X509Data"
-          xc = xd.add_element "ds:X509Certificate"
-          xc.text = cert_text
+        cert_new = settings.get_sp_cert_new
 
-          if settings.security[:want_assertions_encrypted]
-            kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
-            ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-            xd2 = ki2.add_element "ds:X509Data"
-            xc2 = xd2.add_element "ds:X509Certificate"
-            xc2.text = cert_text
+        for sp_cert in [cert, cert_new]
+          if sp_cert
+            cert_text = Base64.encode64(sp_cert.to_der).gsub("\n", '')
+            kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+            ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+            xd = ki.add_element "ds:X509Data"
+            xc = xd.add_element "ds:X509Certificate"
+            xc.text = cert_text
+
+            if settings.security[:want_assertions_encrypted]
+              kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
+              ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+              xd2 = ki2.add_element "ds:X509Data"
+              xc2 = xd2.add_element "ds:X509Certificate"
+              xc2.text = cert_text
+            end
           end
         end
 
diff --git a/lib/onelogin/ruby-saml/settings.rb b/lib/onelogin/ruby-saml/settings.rb
@@ -46,6 +46,7 @@ def initialize(overrides = {})
       attr_accessor :attributes_index
       attr_accessor :force_authn
       attr_accessor :certificate
+      attr_accessor :certificate_new
       attr_accessor :private_key
       attr_accessor :authn_context
       attr_accessor :authn_context_comparison
@@ -133,6 +134,15 @@ def get_sp_cert
         OpenSSL::X509::Certificate.new(formatted_cert)
       end
 
+      # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
+      #
+      def get_sp_cert_new
+        return nil if certificate_new.nil? || certificate_new.empty?
+
+        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate_new)
+        OpenSSL::X509::Certificate.new(formatted_cert)
+      end
+
       # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
       #
       def get_sp_key
diff --git a/test/certificates/ruby-saml-2.crt b/test/certificates/ruby-saml-2.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVDCCAb2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBHMQswCQYDVQQGEwJ1czEQ
+MA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIGA1UEAwwLZXhh
+bXBsZS5jb20wHhcNMTcwNDA3MDgzMDAzWhcNMjcwNDA1MDgzMDAzWjBHMQswCQYD
+VQQGEwJ1czEQMA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIG
+A1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKhP
+S4/0azxbQekHHewQGKD7Pivr3CDpsrKxY3xlVanxj427OwzOb5KUVzsDEazumt6s
+ZFY8HfidsjXY4EYA4ZzyL7ciIAR5vlAsIYN9nJ4AwVDnN/RjVwj+TN6BqWPLpVIp
+Hc6Dl005HyE0zJnk1DZDn2tQVrIzbD3FhCp7YeotAgMBAAGjUDBOMB0GA1UdDgQW
+BBRYZx4thASfNvR/E7NsCF2IaZ7wIDAfBgNVHSMEGDAWgBRYZx4thASfNvR/E7Ns
+CF2IaZ7wIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBACz4aobx9aG3
+kh+rNyrlgM3K6dYfnKG1/YH5sJCAOvg8kDr0fQAQifH8lFVWumKUMoAe0bFTfwWt
+p/VJ8MprrEJth6PFeZdczpuv+fpLcNj2VmNVJqvQYvS4m36OnBFh1QFZW8UrbFIf
+dtm2nuZ+twSKqfKwjLdqcoX0p39h7Uw/
+-----END CERTIFICATE-----
diff --git a/test/metadata_test.rb b/test/metadata_test.rb
@@ -128,8 +128,6 @@ class MetadataTest < Minitest::Test
 
         it "generates Service Provider Metadata with AuthnRequestsSigned" do
           assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
-          assert_equal ruby_saml_cert.to_der, cert.to_der
-
           assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
         end
       end
@@ -141,6 +139,7 @@ class MetadataTest < Minitest::Test
 
         it "generates Service Provider Metadata with X509Certificate for encrypt" do
           assert_equal 2, key_descriptors.length
+
           assert_equal "encryption", key_descriptors[1].attribute("use").value
 
           assert_equal 2, cert_nodes.length
@@ -150,6 +149,75 @@ class MetadataTest < Minitest::Test
       end
     end
 
+    describe "with a future SP certificate" do
+      let(:key_descriptors) do
+        REXML::XPath.match(
+          xml_doc,
+          "//md:KeyDescriptor",
+          "md" => "urn:oasis:names:tc:SAML:2.0:metadata"
+        )
+      end
+      let(:cert_nodes) do
+        REXML::XPath.match(
+          xml_doc,
+          "//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+          "md" => "urn:oasis:names:tc:SAML:2.0:metadata",
+          "ds" => "http://www.w3.org/2000/09/xmldsig#"
+        )
+      end
+
+      before do
+        settings.certificate = ruby_saml_cert_text
+        settings.certificate_new = ruby_saml_cert_text2
+      end
+
+      it "generates Service Provider Metadata with 2 X509Certificate for sign" do
+        assert_equal 2, key_descriptors.length
+        assert_equal "signing", key_descriptors[0].attribute("use").value
+        assert_equal "signing", key_descriptors[1].attribute("use").value
+
+        cert = OpenSSL::X509::Certificate.new(Base64.decode64(cert_nodes[0].text))
+        cert_new = OpenSSL::X509::Certificate.new(Base64.decode64(cert_nodes[1].text))
+
+        assert_equal 2, cert_nodes.length
+        assert_equal ruby_saml_cert.to_der, cert.to_der
+        assert_equal ruby_saml_cert2.to_der, cert_new.to_der
+
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+
+      describe "and signed authentication requests" do
+        before do
+          settings.security[:authn_requests_signed] = true
+        end
+
+        it "generates Service Provider Metadata with AuthnRequestsSigned" do
+          assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        end
+      end
+
+      describe "and encrypted assertions" do
+        before do
+          settings.security[:want_assertions_encrypted] = true
+        end
+
+        it "generates Service Provider Metadata with X509Certificate for encrypt" do
+          assert_equal 4, key_descriptors.length
+          assert_equal "signing", key_descriptors[0].attribute("use").value
+          assert_equal "encryption", key_descriptors[1].attribute("use").value
+          assert_equal "signing", key_descriptors[2].attribute("use").value
+          assert_equal "encryption", key_descriptors[3].attribute("use").value
+
+          assert_equal 4, cert_nodes.length
+          assert_equal cert_nodes[0].text, cert_nodes[1].text
+          assert_equal cert_nodes[2].text, cert_nodes[3].text
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        end
+      end
+
+    end
+
     describe "when attribute service is configured with multiple attribute values" do
       let(:attr_svc)  { REXML::XPath.first(xml_doc, "//md:AttributeConsumingService") }
       let(:req_attr)  { REXML::XPath.first(xml_doc, "//md:RequestedAttribute") }
diff --git a/test/settings_test.rb b/test/settings_test.rb
@@ -152,6 +152,35 @@ class SettingsTest < Minitest::Test
 
     end
 
+    describe "#get_sp_cert_new" do
+      it "returns nil when the cert is an empty string" do
+        @settings = OneLogin::RubySaml::Settings.new
+        @settings.certificate_new = ""
+        assert_nil @settings.get_sp_cert_new
+      end
+
+      it "returns nil when the cert is nil" do
+        @settings = OneLogin::RubySaml::Settings.new
+        @settings.certificate_new = nil
+        assert_nil @settings.get_sp_cert_new
+      end
+
+      it "returns the certificate when it is valid" do
+        @settings = OneLogin::RubySaml::Settings.new
+        @settings.certificate_new = ruby_saml_cert_text
+        assert @settings.get_sp_cert_new.kind_of? OpenSSL::X509::Certificate
+      end
+
+      it "raises when the certificate is not valid" do
+        # formatted but invalid cert
+        @settings.certificate_new = read_certificate("formatted_certificate")
+        assert_raises(OpenSSL::X509::CertificateError) {
+          @settings.get_sp_cert_new
+        }
+      end
+
+    end
+
     describe "#get_sp_key" do
       it "returns nil when the private key is an empty string" do
         @settings = OneLogin::RubySaml::Settings.new
diff --git a/test/test_helper.rb b/test/test_helper.rb
@@ -188,6 +188,10 @@ def ruby_saml_cert
     @ruby_saml_cert ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
   end
 
+  def ruby_saml_cert2
+    @ruby_saml_cert2 ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text2)
+  end
+
   def ruby_saml_cert_fingerprint
     @ruby_saml_cert_fingerprint ||= Digest::SHA1.hexdigest(ruby_saml_cert.to_der).scan(/../).join(":")
   end
@@ -196,6 +200,10 @@ def ruby_saml_cert_text
     read_certificate("ruby-saml.crt")
   end
 
+  def ruby_saml_cert_text2
+    read_certificate("ruby-saml-2.crt")
+  end
+
   def ruby_saml_key
     @ruby_saml_key ||= OpenSSL::PKey::RSA.new(ruby_saml_key_text)
   end
