Changes on empty URI of Signature reference management

Author: pitbulk

lib/xml_security.rb

@@ -278,12 +278,6 @@ def validate_signature(base64_cert, soft = true)
       noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
       noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
 
-      # Handle when no URI
-      # noko_signed_info_reference_element_uri_attr = noko_signed_info_element.at_xpath('./ds:Reference', 'ds' => DSIG).attributes["URI"]
-      # if (noko_signed_info_reference_element_uri_attr.value.empty?)
-      #   noko_signed_info_reference_element_uri_attr.value = "##{document.root.attribute('ID')}"
-      # end
-
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
       noko_sig_element.remove
 
@@ -294,8 +288,8 @@ def validate_signature(base64_cert, soft = true)
       ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
       uri = ref.attributes.get_attribute("URI").value
 
-      hashed_element = uri.empty? ? document : document.at_xpath("//*[@ID=$uri]", nil, { 'uri' => uri[1..-1] })
-      # hashed_element = document.at_xpath("//*[@ID=$uri]", nil, { 'uri' => uri[1..-1] })
+      hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+      
       canon_algorithm = canon_algorithm REXML::XPath.first(
         ref,
         '//ds:CanonicalizationMethod',
@@ -350,7 +344,7 @@ def extract_signed_element_id
       return nil if reference_element.nil?
 
       sei = reference_element.attribute("URI").value[1..-1]
-      sei.nil? ? self.root.attribute("ID") : sei
+      sei.nil? ? reference_element.parent.parent.parent.attribute("ID").value : sei
     end
 
     def extract_inclusive_namespaces

test/response_test.rb

@@ -389,14 +389,12 @@ class RubySamlTest < Minitest::Test
         end
 
         it "return true when a nil URI is given in the ds:Reference" do
-
-          response_without_reference_uri.stubs(:conditions).returns(nil)
           settings.idp_cert = ruby_saml_cert_text
           response_without_reference_uri.settings = settings
-          assert response_without_reference_uri.is_valid?
-          assert_empty response.errors
+          response_without_reference_uri.stubs(:conditions).returns(nil)
+          response_without_reference_uri.is_valid?
           assert_empty response_without_reference_uri.errors
-          assert 'saml@user.com', response.attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']
+          assert 'saml@user.com', response_without_reference_uri.attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']
         end
       end
     end