Merge pull request #57 from timlegge/encrypted-assertions

Initial Working EncryptedAssertion support

Author: timlegge

Makefile.PL

@@ -41,8 +41,10 @@ my %WriteMakefileArgs = (
     "URI" => 0,
     "URI::Encode" => 0,
     "URI::QueryParam" => 0,
+    "XML::Enc" => "0.03",
     "XML::Generator" => 0,
     "XML::LibXML" => 0,
+    "XML::LibXML::XPathContext" => 0,
     "XML::Sig" => "0.52",
     "XML::Writer" => "0.625",
     "base" => 0,
@@ -66,7 +68,7 @@ my %WriteMakefileArgs = (
     "URI::URL" => 0,
     "XML::LibXML::XPathContext" => 0
   },
-  "VERSION" => "0.53",
+  "VERSION" => "0.54",
   "test" => {
     "TESTS" => "t/*.t t/author/*.t"
   }
@@ -111,6 +113,7 @@ my %FallbackPrereqs = (
   "URI::Encode" => 0,
   "URI::QueryParam" => 0,
   "URI::URL" => 0,
+  "XML::Enc" => "0.03",
   "XML::Generator" => 0,
   "XML::LibXML" => 0,
   "XML::LibXML::XPathContext" => 0,

README

@@ -2,7 +2,7 @@ NAME
     Net::SAML2 - SAML2 bindings and protocol implementation
 
 VERSION
-    version 0.53
+    version 0.54
 
 SYNOPSIS
       See TUTORIAL.md for implementation documentation and

cpanfile

@@ -25,8 +25,10 @@ requires "MooseX::Types::URI" => "0";
 requires "URI" => "0";
 requires "URI::Encode" => "0";
 requires "URI::QueryParam" => "0";
+requires "XML::Enc" => "0.03";
 requires "XML::Generator" => "0";
 requires "XML::LibXML" => "0";
+requires "XML::LibXML::XPathContext" => "0";
 requires "XML::Sig" => "0.52";
 requires "XML::Writer" => "0.625";
 requires "base" => "0";

dist.ini

@@ -50,9 +50,52 @@ copy = cpanfile, Makefile.PL, README
 [AutoPrereqs]
 skip = Saml2Test
 
-[Prereqs]
+[Prereqs / RuntimeRequires]
 Crypt::OpenSSL::Bignum = 0
+Crypt::OpenSSL::Random = 0
+Crypt::OpenSSL::RSA = 0
+Crypt::OpenSSL::Verify = 0
+Crypt::OpenSSL::X509 = 0
+DateTime = 0
+DateTime::Format::XSD = 0
+DateTime::HiRes = 0
+Exporter = 0
+File::Slurper = 0
+HTTP::Request::Common = 0
+IO::Compress::RawDeflate = 0
+IO::Uncompress::RawInflate = 0
+List::Util = 0
+LWP::Protocol::https = 0
+LWP::UserAgent = 0
+MIME::Base64 = 0
+Moose = 0
+Moose::Role = 0
+MooseX::Types::Common::String = 0
+MooseX::Types::DateTime = 0
+MooseX::Types::URI = 0
+namespace::autoclean = 0
+URI = 0
+URI::Encode = 0
+URI::QueryParam = 0
+XML::Enc = 0.05
+XML::Generator = 0
+XML::LibXML = 0
+XML::LibXML::XPathContext = 0
 XML::Sig = 0.52
+XML::Writer = 0.625
+
+[Prereqs / TestRequires]
+Import::Into = 0
+Path::Tiny = 0
+URI::URL = 0
+Test::Deep = 0
+Test::Exception = 0
+Test::Fatal = 0
+Test::Lib = 0
+Test::More = 0
+Test::NoTabs = 0
+Test::Pod = 1.14
+Test::Pod::Coverage = 1.04
 
 [MetaJSON]
 [MetaProvides::Package]

lib/Net/SAML2.pm

@@ -71,7 +71,9 @@ Net::SAML2 - SAML bindings and protocol implementation
 
         if ($ret) {
                 my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
-                        xml => decode_base64($saml_response)
+                        xml         => decode_base64($saml_response),
+                        key_file    => "SP-Private-Key.pem",    # Required for EncryptedAssertions
+                        cacert      => "IdP-cacert.pem",        # Required for EncryptedAssertions
                 );
 
                 # ...
@@ -102,6 +104,9 @@ Identity Providers (IdPs).  It has been tested against:
 
 =item PingIdentity
 
+Version 0.54 and newer support EncryptedAssertions.  No changes required to existing
+SP applications if EncryptedAssertions are not in use.
+
 =back
 
 =head1 MAJOR CAVEATS

lib/Net/SAML2/Protocol/Assertion.pm

@@ -8,6 +8,8 @@ use DateTime;
 use DateTime::HiRes;
 use DateTime::Format::XSD;
 use Net::SAML2::XML::Util qw/ no_comments /;
+use Net::SAML2::XML::Sig;
+use XML::Enc;
 use XML::LibXML;
 
 with 'Net::SAML2::Role::ProtocolMessage';
@@ -55,6 +57,22 @@ Arguments:
 
 XML data
 
+=item B<key_file>
+
+Optional but Required handling Encrypted Assertions.
+
+path to the SP's private key file that matches the SP's public certificate
+used by the IdP to Encrypt the response (or parts of the response)
+
+=item B<cacert>
+
+path to the CA certificate for verification.  Optional: This is only used for
+validating the certificate provided for a signed Assertion that was found
+when the EncryptedAssertion is decrypted.
+
+While optional it is recommended for ensuring that the Assertion in an
+EncryptedAssertion is properly validated.
+
 =back
 
 =cut
@@ -63,12 +81,50 @@ sub new_from_xml {
     my($class, %args) = @_;
 
     my $dom = no_comments($args{xml});
+    my $key_file = $args{key_file};
+    my $cacert = $args{cacert};
 
     my $xpath = XML::LibXML::XPathContext->new($dom);
     $xpath->registerNs('saml',  'urn:oasis:names:tc:SAML:2.0:assertion');
     $xpath->registerNs('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
+    $xpath->registerNs('xenc', 'http://www.w3.org/2001/04/xmlenc#');
 
     my $attributes = {};
+
+    if ($xpath->findnodes('//saml:EncryptedAssertion')) {
+        if ( ! defined $key_file) {
+            die "Encrypted Assertions require key_file";
+        }
+        my $decrypted;
+        my $enc = XML::Enc->new(
+                        { key => $key_file , no_xml_declaration => 1 }, );
+        $decrypted  = $enc->decrypt($dom->toString());
+        $dom        = XML::LibXML->load_xml(string => $decrypted);
+        $xpath      = XML::LibXML::XPathContext->new($dom);
+        $xpath->registerNs('saml',  'urn:oasis:names:tc:SAML:2.0:assertion');
+        $xpath->registerNs('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
+        $xpath->registerNs('xenc', 'http://www.w3.org/2001/04/xmlenc#');
+
+        my $xml_opts->{ no_xml_declaration } = 1;
+
+        my $assert = $xpath->findnodes('//saml:Assertion')->[0];
+        if (defined $assert) {
+            my $x   = Net::SAML2::XML::Sig->new($xml_opts);
+            my $ret = $x->verify($assert->serialize);
+            die "Decrypted Assertion signature check failed" unless $ret;
+
+            if ($cacert) {
+                my $cert = $x->signer_cert
+                    or die "Certificate not provided and not in SAML Response, cannot validate";
+
+                my $ca = Crypt::OpenSSL::Verify->new($cacert, { strict_certs => 0, });
+                if (! $ca->verify($cert)) {
+                    die "Decrypted Assertion - Unable to verify signer cert with cacert: $cert->subject";
+                }
+            }
+        }
+    }
+
     for my $node (
         $xpath->findnodes('//saml:Assertion/saml:AttributeStatement/saml:Attribute'))
     {

t/16-encrypted-assertion.t

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCyQKPgDZkeGGfl
+cbPjYDUmmtYVWVbukAceIDeudd6Izqzm3WEN8O5rzEtoJeDouZGhKdUERS7eqLTp
+26pmVOGkexKME03zJtg0BU7o0Xo9VjH0h9XqDiXFRD1su9wegVckVV90I28fJ1Yd
+aJOjoU2rjcGT6qMbMNundc6mvJBpOqK5nH7LpELhgK8aTCjajTDH7Cvdh2OFAB/9
+b7T4GepD7Gc0i4VF4MPX0K7LglAnJ9nxQQUdiI+ZZG8IcYFALInKaiqLsVuZ0jlu
+KrDa9Pt6Uv5pOfpeaJn4hWqcdAfQ/TKvG/QzZkaqIASNC2zBN0Zd9lcWj04S8PeX
+rDMIPvP2iHddzJElC0fSACy7nkRo+W2SVMqKTGiRejPPpjXfFVkdjp7st5Gk1gke
+UHn73oLNL7H4Lbdfsx7DM6aqtPVATBVD4kbYUQwwv9C4c/bDMZdo8TF5FGJpVMuJ
+eTybe/8zsqfvWYD3a/iM/NmhcT0cjENaRgRcYR3ZAAFksoo9bXo85ojuvyFoU2tz
+v5j7kHMi/yM03IK11kdSc9MXx1HzMeGHSzLiXjwf+k3EajbVKOJa09yisA+FRbDa
+OFpbUYmBQp29AQrawNOo8S/9BuAZBc98rJm6TLIHivGv4/Jl7qpw2Xgnx4q7bINS
+xqu2scf9hR/iZAdbgaUSsqElW8mvhwIDAQABAoICAQCbBD//v5OjapIgJavNV4Oh
+mRII6vMA8NxfxKDn5bWrwCD5fRjEaPzPXpFNd3OKsKcHQzvvRMMn/AupPNGJwNOi
+mS1eCAPIK8XmJ5+iNVpbMTSsdd0AeWE7lsbcYttg5BaGkIA8nfwrWag4VxPeP48u
+XE82dd127hx4G6mls2LbQJT3WjOioa1QMvsUoZr9xb/gfXEAbJeNuLgZTSZShScH
+/vUZ6yPxyzBF5UO91AwkoTGV73elYXeQbJlq/FrtFk6Wa5Gofoss0HgFaLb5FAgH
+L1n05OjpZYpRaKV4fie2Bhwn0OWkNZPKq6GJj5/6wDk/ydWe1u2M52ZKzwRqbWT3
+U9BHZy903PfZrRS1b2ZZiweJECYZkkiNCgLtnyaVJHbBlCLJZhK3AbYzE0944NR1
+eEvFyeNRbslBkE5mmDtjrygIWcgmNkNp8LzWH5u2vEcSuYo3mkdSz8Q4md56veKL
+Ve9QRrUE6QY4YI1kAtutN7iCWL82T9VEsb/nasORVdJOEXIdxOyenc1gBUwvNQlC
+DB64noG/KAVutapEvhPV/do4BuW/fImhrkwC+tsAyr3DAW3PVUAM8jEY1JCTItg/
+BaHs219tQfV8i1iqVoJtz+RxaridlC1LaOsrq2zyA/5ykQIeruUyD+BN7FTalEqX
+T1poibwLVGXK2tvQjCvAIQKCAQEA1+6qM9xPCsvQwAzAF2wJGw/1xWrNmKCNA8HY
+U1Y5cgM+V1dnkdhoWmhnyvEMgPUWiAMXACRDxl0cpHuV13pmFSVp8eiJT+ovqp38
+4XfoE0QsVt05SV2FiTb1UzX+0OpXJA8UpaSciaS/itKXNwJjIWKuvEd0dh86gon8
+th1Fa03edXIpsV27i5yKAQyDv404sIbM5YWXSQ62zvIC3TdVzoMAjZoLHLxNXMfN
+cfSP9cXLWXNZ/Gjznyfz6VnbwkpTKHUDYxR1+WuFp5cNMvCg49qCzvimKz0KytkM
+FEIqwra8OUgYKIdMBu3gnxTLAXV7kGIFHis5Q7zejA6+xJGZ/wKCAQEA01QW20UA
+WQWHZTvPj71gCHmaejHjGHnItifWM5n6u6wDelkKMlhBbkzLpNAJrS0q40qY9kSR
++/ZWMhm0HG+GUzxkYgrH7ZrGsvF25GOSYUCZxFcZzM15rauFSiJeMjHvcmwWzSuQ
+OjKqWk/29PpN0SelysC1y3uTawC6746X3KRscGMtVmAdK4GOyxj78DrpTcELzG7H
+YwFm1a6A2TZrCZ/F+EJ5AnwVqvIlZqyHDuEHUgSqnbdJQt0dTCp2Ci2uVz3xENT7
+R9bR8GVR0pEGe3CAO/a5nEGTwFz3CjHNHuyIx7rGbcaj4cut+zL1UFafs0fnXp2T
+2lkTFHC7zqwaeQKCAQEAvk/SYMzeOVSzUmCqeLo2OEzTv0BHnip6voH9iE2paawk
+KNSXKrrCFlSIjhvvekUIq62VewF7Xnw4P1vRD84H5MFJ4/Sf+PgdNNHzzEBjIX/n
+WFO4JsovZGU0yTcAs96mGNjVyLwRX1r9mnvK3KfU+NrByJ1trqINbnnxagzYXx+N
+XpPU3UcQgZbhJtWB1LTB7wuP0Qbx9Gjsg+5WyeP4U3+wYB0RiC0KPii3EKWMr/+5
+HsiE2esiNPcAiX0yK8ZYDoM7Dfs9kyvJ65A9CNV95/Rxb7tEsT0mouuzMrOyflSS
+BiZdbHL6dez4GR05YrrJwdIyUomj+eifeG+SgSsWvwKCAQEAmsUB/FJ7n7bh4y07
+pRzfgTV2AjoZBKrkaSuhv6bsr5eZ8HfXdOmX+ez6U9kczRzARTgz8GBlve86T3Tt
+qMmwybL4HamhpI1vKkyXc0rNQLZsJxRXS9vMWnm8o3+qFv7lS5qH1HksJsNGaeAY
+kG/kn+J2lJgwTDdTztD5F0sKQ0iUNnccFB9OHbfD2VCR6u1qQky4lF8pXYQASUyF
+Bw/IsoK2HUypjT1NLSYsaBbAzw/VKadLQTijyflgZJDQZEHyZehybY5d/c4BcRrz
+ItCdu7e34rKeWybXy9EKCAhTHmvC/Ov4ORt6mHpwEAHREaZvTYDCnVOwngAQbi7m
+DMWUmQKCAQBnQ1cU00VvqKqQMGBef1VFGdOZprk7LLzFmp+aTxLEQH5Rwla8vUNV
+1YcjcOoinSfGjn9LIT2iQLnqn8CBP6DxJNf3sWQ34eslI1Go4kOru0q80DtKoEox
+cJ6BvYoM3DDvyKeuvV7G3IQQP39audRO31cKgdXeiTAu4jl2mn6BVHvoHWYurfpq
+LKhLT3jN2psBwS8onwmgQ/lZgKe/oksCwslyKAx24TCn+xgF6holkl8U10LtfWWO
+Xt29A0SPd67621gO7FJ0J/RiqjFCFHPyxiH19rPwcjS9/pvyTl72+Nf7QEIukJSe
+GH7LFqPBJcO0cWiRKpb2IHyGiMFO/lwQ
+-----END PRIVATE KEY-----

t/encrypted-sign-private.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnTCCAYUCBgF5YqtQBTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdGb3N3
+aWtpMB4XDTIxMDUxMjIyMTkyNFoXDTMxMDUxMjIyMjEwNFowEjEQMA4GA1UEAwwH
+Rm9zd2lraTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJMGG6jrdadw
+/6rnOAGmNtmdIZy116JyocKlsoxg+iQTlRI2e3gelsiOW7rXNIYHH/f4ozQ8F4ba
+7GxJMNWlrDJFN23Dij521PVqJHsu3ZA8JOP+txMCN22zhCO6OYiWx5P9wm7zWVcf
+g3sS9564LQ4M7JBQ8tDYxY9RLCDR+sNNd0hWm6SrkEyghqbcxNY+rgXfxLBK5eGX
+yX1Zk0NLA5XqRg5a8BDz1oUZ6O4c21tVOvV8vqCUtcnx3hWxcBgXizW8pkSQpQiQ
+96zXquAvDwkLtYnQLV5GQlt6c414A7U4dsAZZCc490rqncfsjDfbFMzj89s/WCtF
+DOzSa163pqECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAPpeGsBOJN3xGUvtxJqPM
+2ja3g7G7LiOJGvzZSIOFr50baebsoJNRwL2GDfYUTM1SWDz4UHnGebsme5TTmzjV
+O3YEvnOMTtVC6/fYYdouAqIJ+cTmmF3Cxd/tOr5fkaPscB0x0+zqWqgBZLo0FVEC
+DMt+DYk1HaQJPxsAXGahUmIIpfIKO7AUx5tD74PR8XeHWyL0w8jg1h8nVtc49P7h
+08SzmSFY0phJ9plLpSubCsd/1KMPOJ0Dh7kYEaOJOOWwjLggiho5N4KBytpts6HI
+jmPlKvV7UJEAmQykuhO6PyFfGjwXxpYRTtGa3fZQqu6BztRHDSZQfc+K08VTmAjr
+iw==
+-----END CERTIFICATE-----

t/keycloak-cacert.pem

@@ -143,7 +143,9 @@ post '/consumer-post' => sub {
 
     if ($ret) {
         my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
-            xml => decode_base64(params->{SAMLResponse})
+            xml         => decode_base64(params->{SAMLResponse}),
+            key_file    => config->{key},
+            cacert      => config->{cacert},
         );
 
         template 'user', { assertion => $assertion };