Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: handnot2/esaml
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: main
Choose a base ref
...
head repository: pepsico-ecommerce/esaml
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: main
Choose a head ref
Able to merge. These branches can be automatically merged.
  • 7 commits
  • 10 files changed
  • 3 contributors

Commits on Oct 17, 2019

  1. Copy the full SHA
    6f111db View commit details

Commits on Feb 25, 2020

  1. Copy the full SHA
    0c6f3c3 View commit details
  2. Copy the full SHA
    659ed8e View commit details
  3. Support RetrievalMethod in KeyInfo

    Some Identity Providers use https://www.w3.org/TR/xmldsig-core1/#sec-RetrievalMethod
    to deliver the encrypted key inside the same document but not inlined into KeyInfo.
    RumataEstor committed Feb 25, 2020
    Copy the full SHA
    b4faf38 View commit details

Commits on Jun 3, 2021

  1. Copy the full SHA
    b967dae View commit details

Commits on Sep 2, 2021

  1. Merge pull request #31 from DubberSoftware/feature/retrieval-method

    Find encrypted key referenced using RetrievalMethod
    superhawk610 committed Sep 2, 2021
    Copy the full SHA
    2e7e9d9 View commit details
  2. Merge pull request #34 from Bluetab/otp24

    Support OTP 24
    
    `crypto:block_decrypt` was [deprecated](https://erlang.org/doc/apps/crypto/new_api.html#the-old-api)
    in OTP 23 and has been removed in OTP 24. This PR uses the
    [new API](https://erlang.org/doc/apps/crypto/new_api.html#the-new-api).
    superhawk610 committed Sep 2, 2021
    Copy the full SHA
    c11721a View commit details
Showing with 271 additions and 12 deletions.
  1. +0 −1 .travis.yml
  2. +1 −1 include/esaml.hrl
  3. BIN rebar
  4. BIN rebar3
  5. +47 −10 src/esaml_sp.erl
  6. +27 −0 test/esaml_sp.crt
  7. +51 −0 test/esaml_sp.key
  8. +35 −0 test/esaml_sp_inline.xml
  9. +37 −0 test/esaml_sp_local.xml
  10. +73 −0 test/esaml_sp_test.erl
1 change: 0 additions & 1 deletion .travis.yml
Original file line number Diff line number Diff line change
@@ -3,5 +3,4 @@ otp_release:
- 21.0
- 20.3
- 19.3
- 18.3
script: rebar3 do compile, eunit
2 changes: 1 addition & 1 deletion include/esaml.hrl
Original file line number Diff line number Diff line change
@@ -107,7 +107,7 @@
idp_signs_envelopes = true :: boolean(),
idp_signs_logout_requests = true :: boolean(),
sp_sign_metadata = false :: boolean(),
trusted_fingerprints = [] :: [string() | binary()],
trusted_fingerprints = [] :: [string() | binary()] | any,
metadata_uri = "" :: string(),
consume_uri = "" :: string(),
logout_uri :: string() | undefined,
Binary file removed rebar
Binary file not shown.
Binary file added rebar3
Binary file not shown.
57 changes: 47 additions & 10 deletions src/esaml_sp.erl
Original file line number Diff line number Diff line change
@@ -146,7 +146,10 @@ generate_metadata(SP = #esaml_sp{org = Org, tech = Tech}) ->
-spec setup(esaml:sp()) -> esaml:sp().
setup(SP = #esaml_sp{trusted_fingerprints = FPs, metadata_uri = MetaURI,
consume_uri = ConsumeURI}) ->
Fingerprints = esaml_util:convert_fingerprints(FPs),
Fingerprints = case FPs of
any -> any;
_ -> esaml_util:convert_fingerprints(FPs)
end,
case MetaURI of "" -> error("must specify metadata URI"); _ -> ok end,
case ConsumeURI of "" -> error("must specify consume URI"); _ -> ok end,
if (SP#esaml_sp.key =:= undefined) andalso (SP#esaml_sp.sp_sign_requests) ->
@@ -299,19 +302,53 @@ decrypt_assertion(Xml, #esaml_sp{key = PrivateKey}) ->
[EncryptedData] = xmerl_xpath:string("./xenc:EncryptedData", Xml, [{namespace, XencNs}]),
[#xmlText{value = CipherValue64}] = xmerl_xpath:string("xenc:CipherData/xenc:CipherValue/text()", EncryptedData, [{namespace, XencNs}]),
CipherValue = base64:decode(CipherValue64),
SymmetricKey = decrypt_key_info(EncryptedData, PrivateKey),
EncryptedKey = get_encrypted_key(EncryptedData, Xml),
SymmetricKey = decrypt_key(EncryptedKey, PrivateKey),
[#xmlAttribute{value = Algorithm}] = xmerl_xpath:string("./xenc:EncryptionMethod/@Algorithm", EncryptedData, [{namespace, XencNs}]),
AssertionXml = block_decrypt(Algorithm, SymmetricKey, CipherValue),
{Assertion, _} = xmerl_scan:string(AssertionXml, [{namespace_conformant, true}]),
Assertion.


decrypt_key_info(EncryptedData, Key) ->
DsNs = [{"ds", 'http://www.w3.org/2000/09/xmldsig#'}],
get_encrypted_key(EncryptedData, Xml) ->
Ns = [{namespace, [
{"ds", 'http://www.w3.org/2000/09/xmldsig#'},
{"xenc", 'http://www.w3.org/2001/04/xmlenc#'}
]}],
[KeyInfo] = xmerl_xpath:string("./ds:KeyInfo", EncryptedData, Ns),
case xmerl_xpath:string("./xenc:EncryptedKey", KeyInfo, Ns) of
[EncryptedKey] ->
EncryptedKey;
[] ->
retrieve_encrypted_key(KeyInfo, Xml, Ns)
end.


retrieve_encrypted_key(KeyInfo, Xml, Ns) ->
[#xmlAttribute{value = URI}] = xmerl_xpath:string("./ds:RetrievalMethod/@URI", KeyInfo, Ns),
case URI of
"#" ++ Id ->
[EncryptedKey] = xmerl_xpath:string("//xenc:EncryptedKey[@Id='" ++ Id ++ "']", Xml, Ns),
EncryptedKey;
_ ->
case application:get_env(esaml, retrieve_remote_key, fun default_retrieve_remote_key/1) of
Fun when is_function(Fun, 1) ->
Fun(URI);

{M, F, A} ->
erlang:apply(M, F, [URI | A])
end
end.


default_retrieve_remote_key(_URI) ->
error("Retrieval of remote encrypted keys is not configured").


decrypt_key(EncryptedKey, Key) ->
XencNs = [{"xenc", 'http://www.w3.org/2001/04/xmlenc#'}],
[KeyInfo] = xmerl_xpath:string("./ds:KeyInfo", EncryptedData, [{namespace, DsNs}]),
[#xmlAttribute{value = Algorithm}] = xmerl_xpath:string("./xenc:EncryptedKey/xenc:EncryptionMethod/@Algorithm", KeyInfo, [{namespace, XencNs}]),
[#xmlText{value = CipherValue64}] = xmerl_xpath:string("./xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue/text()", KeyInfo, [{namespace, XencNs}]),
[#xmlAttribute{value = Algorithm}] = xmerl_xpath:string("./xenc:EncryptionMethod/@Algorithm", EncryptedKey, [{namespace, XencNs}]),
[#xmlText{value = CipherValue64}] = xmerl_xpath:string("./xenc:CipherData/xenc:CipherValue/text()", EncryptedKey, [{namespace, XencNs}]),
CipherValue = base64:decode(CipherValue64),
decrypt(CipherValue, Algorithm, Key).

@@ -334,18 +371,18 @@ block_decrypt("http://www.w3.org/2009/xmlenc11#aes128-gcm", SymmetricKey, Cipher
%% IV: 12 bytes and Tag data: 16 bytes
EncryptedDataSize = byte_size(CipherValue) - 12 - 16,
<<IV:12/binary, EncryptedData:EncryptedDataSize/binary, Tag:16/binary>> = CipherValue,
DecryptedData = crypto:block_decrypt(aes_gcm, SymmetricKey, IV, {<<>>, EncryptedData, Tag}),
DecryptedData = crypto:crypto_one_time_aead(aes_128_gcm, SymmetricKey, IV, EncryptedData, <<>>, Tag, false),
binary_to_list(DecryptedData);

block_decrypt("http://www.w3.org/2001/04/xmlenc#aes128-cbc", SymmetricKey, CipherValue) ->
<<IV:16/binary, EncryptedData/binary>> = CipherValue,
DecryptedData = crypto:block_decrypt(aes_cbc128, SymmetricKey, IV, EncryptedData),
DecryptedData = crypto:crypto_one_time(aes_128_cbc, SymmetricKey, IV, EncryptedData, false),
IsPadding = fun(X) -> X < 16 end,
lists:reverse(lists:dropwhile(IsPadding, lists:reverse(binary_to_list(DecryptedData))));

block_decrypt("http://www.w3.org/2001/04/xmlenc#aes256-cbc", SymmetricKey, CipherValue) ->
<<IV:16/binary, EncryptedData/binary>> = CipherValue,
DecryptedData = crypto:block_decrypt(aes_cbc256, SymmetricKey, IV, EncryptedData),
DecryptedData = crypto:crypto_one_time(aes_256_cbc, SymmetricKey, IV, EncryptedData, false),
IsPadding = fun(X) -> X < 16 end,
lists:reverse(lists:dropwhile(IsPadding, lists:reverse(binary_to_list(DecryptedData)))).

27 changes: 27 additions & 0 deletions test/esaml_sp.crt
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----
MIIEpDCCAowCCQCSdHd01QFuCDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjAwMjI1MDA0OTIxWhcNMzAwMjIyMDA0OTIxWjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC7
b8IfFHfFveaO0OWOzt7xCMqIAhtB8RDuesmTlQLP6rIysz3jUXr/1VLjl2y5/YCJ
83Nl3DUSkQLNuksdBnuQyDD6AsOyS9iU6yzrcPCalRSzOeDXthklX5hvkbPykM0v
AvFUvjO7Vbjsp9UsuLhCVn9djSRxyaDCBZsLUXrDamIlpltqG+/3kltUp76gr8S7
+0Htjnwh1X+oCzfpCkQBjDJlszAilyZChZhHDR3o9QHeAfno7eMy+XT/DaXt4ERS
ypij0m1RZjB55ceKjOqT6CtfPXsFWzPwcC1Kh0kQbdi8YY/pNSxZhiqcA50f+iut
7Pm6+CpntrZ3VWlC6tcU7pVf4XZZpjRU8eb7L9OTsnnaDONT6h4jc6WMiIyrf2cU
7gBCrOlRT0TOeWbuvrtCy9PZg/pZwDUJlgwFhKMFN3XuVkDWrNwxdNIXrwwc04Bf
sQAztqBaAkD1HqMmQZq4GrGGA1+cS4QFZCiyifUo+3T12DdCICSXMtvpgUGMgVDP
u5c7MaSWNVYD4oSJv1kPQQexG1SrP8qymg1lwXf3smcgxmBF01zY+fhapr817kvl
oE+SwVq1hwSFRaPgIG7+8WhTSYilwXoFBK3ZaM5NzOu7T7zp24C/73M43NR8p5AA
rD9Qb5YmeyuQrs0UXhWBkaFDCmE5C/E+kMN3pmt6KQIDAQABMA0GCSqGSIb3DQEB
CwUAA4ICAQBmmqqHl5DwnlcNabYjNQYuCcRE0s9FX5xy1pY/JkG6H85/pWTuxBDa
CWTtYXpXg+LRv6o2Y6mRLFNNZsyo+Ypuis0hvu5j5NmjDHvhuUjLyw3HtMOvlEqu
tcBpdTczLOAXe5ntzL76Tf5IdnvPItqjIjfzbJJfx9pV77SJbtusILIrJEFTHTcO
cC5Yg8nJP1Zhy7J8rAZdSCrKxaDjcEet79QMJfE0wx7gM0yASCHMGb9v/eT2iugb
ZNj0R5CuTQXbILCo3dvd3T0eqmnsjkbRLN/pVYCPEbtQGcA7k3wAMarlHGcIfH1i
DqB3up/cH0W4N1XYpWYSxwDOPR6gURyZarGAlSqBk9b3rc80UTetiZX9D9F4r83z
rwjD4oiIBSKchpPTn2sEv//4DeKLRa/Q1QvLdMHInf5iPmsA12r0VywNLXGw/c55
M29z/m9QqCfeZ/SvFZhqvHS5lRMuzIbPE+kpNerBOjXI7YHE5+TkTOfjsDhNim8B
o1UDCnpdNJzK5COJ+zJW0AtCVsIWqgCaUA3TeWk7V9o8FGx5OueiGJbVF4rXaUhW
s94wDvnv/fgvGcJtzSrDorLN0lT4AMQvajoSzeaxkNSSykl2Un1J9HmJdiwYAx24
Mf7cpkaGeVa/zoFDd78YQdheuV8w7kHzmZmYodQ9Va7ASsDMe8chLA==
-----END CERTIFICATE-----
51 changes: 51 additions & 0 deletions test/esaml_sp.key
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAu2/CHxR3xb3mjtDljs7e8QjKiAIbQfEQ7nrJk5UCz+qyMrM9
41F6/9VS45dsuf2AifNzZdw1EpECzbpLHQZ7kMgw+gLDskvYlOss63DwmpUUszng
17YZJV+Yb5Gz8pDNLwLxVL4zu1W47KfVLLi4QlZ/XY0kccmgwgWbC1F6w2piJaZb
ahvv95JbVKe+oK/Eu/tB7Y58IdV/qAs36QpEAYwyZbMwIpcmQoWYRw0d6PUB3gH5
6O3jMvl0/w2l7eBEUsqYo9JtUWYweeXHiozqk+grXz17BVsz8HAtSodJEG3YvGGP
6TUsWYYqnAOdH/orrez5uvgqZ7a2d1VpQurXFO6VX+F2WaY0VPHm+y/Tk7J52gzj
U+oeI3OljIiMq39nFO4AQqzpUU9Eznlm7r67QsvT2YP6WcA1CZYMBYSjBTd17lZA
1qzcMXTSF68MHNOAX7EAM7agWgJA9R6jJkGauBqxhgNfnEuEBWQoson1KPt09dg3
QiAklzLb6YFBjIFQz7uXOzGkljVWA+KEib9ZD0EHsRtUqz/KspoNZcF397JnIMZg
RdNc2Pn4Wqa/Ne5L5aBPksFatYcEhUWj4CBu/vFoU0mIpcF6BQSt2WjOTczru0+8
6duAv+9zONzUfKeQAKw/UG+WJnsrkK7NFF4VgZGhQwphOQvxPpDDd6ZreikCAwEA
AQKCAgBxpTlWDtrwEkwQm6gUBmo2StZB0MUmHjvd3KULznV+Cxcwlm0XvveM1pMD
W3SY8JNXET0OrY2gTDwe8K1KU/vntPm9HJ/7IvGWmWEK/9diYrHCWX1yTP7CIkwS
mY05rYI61tXsQ8ap9zfAhaJDE1zlG/ztg/5s34uRGEUBf82nXoFTwqH6nCXLPfoS
QgLa+reWIqm+l328Je7YvLSRn5/MMGz+LL8queqAuu+xZMqVzLftG9Wi3Vm8NnQx
kNzide/3Is+ZxKRzjjomLqPl5br1IvfpLyXAAaRkTB+p6IzsYS3gSmcvRwY04ZxE
LAzArrZ9Jgnky0MqzyWjBS5lXG47PzkGKXWOuLN+0PB9PbCFdQalv716U8BltZPM
nKbbPAAPf9hn5zDaF9aH8yrULt9DxIXEz2THZ4uVL5GjX3U7IUQNLIBe6cavADdT
hA42gmv5bhR11mCeBBRRrvkBG0bxz/O7VXkNnBCAiRE/+DZqH/ivY7o94JcJBtNj
IQ+f42IV0KnAI58fwYklefYeNEQQl9pG8Ztun1WReEEKKIY00+iB4y3COYjxKAM7
J3ALMYXo20EhHhYDtRbx1rAvmh5d3k6WCubU3ntvyqe7AnudZgcylVtX9fWoX+OU
vsbUisCZkyQR0Z9V6qLCi9YK0qkHfvhye+aBjYG8jt7Oltf2YQKCAQEA9zpE4QnP
arTGlbH1p6yCV12cssMXqELzkd86kF0nvPTnuINu40y61x3Dp6dvP7FpASQBxLeZ
q89PBrsKlsM2JkR9el16FquXAjif4QYzNH13Fn7bbzxQQAO0wbg/kcoa5OCRxhGo
ZWjL3bBvBMTFdVSOA2oD/DiHDfYi9uMZTVqXBTSoby68BfqpX8UVRDh/pd/BEZfF
6EQYpZbQ6KSpWPPPRnz6tApK8M/3JPVafA1+MCLPaRNdKAbBmzuyZs8BPN9HCf3N
Hnmm4ZBayux8I9Ah4dG0fMZ6XcSTzZgOMzLirMQHBLQA/xZ0Z44aO/fuUp0/jK9i
igBIDw2T9QOIdwKCAQEAwhZeJHpnMkIfkmFbnZuUcDcgMNJLF8goyE3bUjQ0oILn
lCrhSy3EpRdtTThqWpPOiBZLyEUg/7XlD2a2EIFe37hHrL6koEFzslBcKE9xoazq
MCPTY9nUpGHpL/UN1Gh4XblhCHKT8xtMU8tW/jc6giPPtTJ1EFtT7ugVDx5hJQCf
+zGoEAh2WPGmqsV78F3Pl/5aPL9RGDUcd/pAQm3J+wvJ0nUeB32S0qbL287+iPdD
Z3Ond3dRSkFJ8WqPe2Cl9CijxEdHT45SCZsc7xEVA1M1DSPD6/aIbrZlwMTWPwm/
tPg9XzpVqXwoS9RMLkESjOSq9/EK5ehyC2d2L25aXwKCAQBNRrxi7xMTUoBEKEUV
7Rksv8kMI2kQoiTKMtF2cHfMW2zWwtZ1W/WG6fnPPMnMSeL9hUi8OXtiNcGI5AwS
ReB2I7BpADD6RxZDjnmC99InlRQVRv/GDD81UzM73iCYrGito/hMxhYx5IjcuZpq
Dit+WjitnoSyYOTuG0KgkynEgQ11hhkj76K757brhYn5MgPMUF1j52HoEOj3UWXp
YhbBBCyE5uniPtlf3lFtDvgCkKEh4K+eM3xJ15rKr+U6t3e2lD/7QobMANCF7v5C
MZs4AoWktUzKN6vmBV0BxYaiwEQUJo3fDXjGQzmNaOCQYBXxYs+LZQLTCfV8Jw1Z
Z4pPAoIBACJqXvUu8z+ZNAn704gF/3NKgx3FHGWyK3EhRSO1eCOCMtg2Jk7zZaw0
lEAeIdW/4d6FvZhckbZmJaDugJg6qH0ZKzR5da2pDX/v+fd35tlZVQmGQMSy6p7f
cb78QCCLCdTsu0UJNCzmiUlOhDV9y5UqDnm94b4tw5tYceuFYopyKuwa6Qc2yO2K
pBgh/pEnwVjdVFjzP8kAGfU4Xc6psygd9gKom9OOM8vAoeNvN/lHhx9ABdEMSlDV
dOwnDhw9jg/WaPuz+/Qic2+anq3RpJ07UuvqjKI5zAV9uFtPTAJPkzvezNsm9+ue
xXJ0ybFl/okXPy3KAzmzVw2ooe9VLRcCggEAJ8z3IxZ6HKDcf5No8hkFr6SN2nqg
hs0Hnfr6rkGeuJLFbpkfwMZmK+Qj4E8xkU+zfKNueE0UjzWI4i+xTyUfDK17G5w7
Oyi9HXlfzPLNnuLQ7yQ+iCtxFIl3EMunEuhwHxgbj284mxSPrvuJNssWIuTXSXQu
w4MFqwUv/PIHW/cWRCfQc6GTLmOAeUs+d87BAeYP7/m1owCs+sCCgzppNS4cN3n4
jFRcM2VE6NIBu3AigRI7tAzeb+YOz++I125NfD4tQbrB0LWeYjFhrYHQ36axuiW3
oI4Cbn7hbCARCNmjO5+EDi3t25A7O4mqTwbXXalrJqiKsVyR9Mi3JYbn8Q==
-----END RSA PRIVATE KEY-----
Loading