Merge pull request #747 from johnnyshields/v2.x-remove-crypto-namespace

v2.x - Replace RubySaml::XML::Crypto namespace with RubySaml::XML

Author: pitbulk

README.md

@@ -585,8 +585,8 @@ to specify different certificates for each function.
 You may also globally set the SP signature and digest method, to be used in SP signing (functions 1 and 2 above):
 
 ```ruby
-settings.security[:digest_method]    = RubySaml::XML::Crypto::SHA1
-settings.security[:signature_method] = RubySaml::XML::Crypto::RSA_SHA1
+settings.security[:digest_method]    = RubySaml::XML::SHA1
+settings.security[:signature_method] = RubySaml::XML::RSA_SHA1
 ```
 
 #### Signing SP Metadata

UPGRADING.md

@@ -32,13 +32,13 @@ as before. This alias will be removed in RubySaml version `2.1.0`.
 
 ### Root "XMLSecurity" namespace changed to "RubySaml::XML"
 
-RubySaml version `2.0.0` changes the namespace `RubySaml::XML::` to `RubySaml::XML::`. Please search your
-codebase for `RubySaml::XML::` and replace it as appropriate. In addition, you must replace direct usage of
+RubySaml version `2.0.0` changes the namespace `XMLSecurity::` to `RubySaml::XML::`. Please search your
+codebase for `XMLSecurity::` and replace it as appropriate. In addition, you must replace direct usage of
 `require 'xml_security'` with `require 'ruby_saml/xml'`.
 
-For backward compatibility, the alias `XMLSecurity = RubySaml::XML` has been set, so `RubySaml::XML::` will still work
-as before. In addition, a shim file has been added so that `require 'xml_security'` continues to work.
-These aliases will be removed in RubySaml version `2.1.0`.
+For backward compatibility, if the constant `XMLSecurity` is not already defined by another gem, it will
+be aliased to `RubySaml::XML`. In addition, a shim file has been added so that `require 'xml_security'`
+continues to work. These aliases will be removed in RubySaml version `2.1.0`.
 
 ### Security: Change default hashing algorithm to SHA-256 (was SHA-1)
 
@@ -54,9 +54,9 @@ you may set `RubySaml::Settings` as follows:
 
 ```ruby
 # Preserve RubySaml 1.x insecure SHA-1 behavior
-settings.idp_cert_fingerprint_algorithm = RubySaml::XML::Crypto::SHA1
-settings.security[:digest_method] = RubySaml::XML::Crypto::SHA1
-settings.security[:signature_method] = RubySaml::XML::Crypto::RSA_SHA1
+settings.idp_cert_fingerprint_algorithm = RubySaml::XML::SHA1
+settings.security[:digest_method] = RubySaml::XML::SHA1
+settings.security[:signature_method] = RubySaml::XML::RSA_SHA1
 ```
 
 ### Behavior change of double_quote_xml_attribute_values setting

lib/ruby_saml/authrequest.rb

@@ -74,7 +74,7 @@ def create_params(settings, params={})
           relay_state: relay_state,
           sig_alg: params['SigAlg']
         )
-        sign_algorithm = RubySaml::XML::Crypto.hash_algorithm(settings.get_sp_signature_method)
+        sign_algorithm = RubySaml::XML.hash_algorithm(settings.get_sp_signature_method)
         signature = sp_signing_key.sign(sign_algorithm.new, url_string)
         params['Signature'] = encode(signature)
       end

lib/ruby_saml/idp_metadata_parser.rb

@@ -393,12 +393,12 @@ def certificates
 
       # @return [String|nil] the fingerpint of the X509Certificate if it exists
       #
-      def fingerprint(certificate, fingerprint_algorithm = RubySaml::XML::Crypto::SHA256)
+      def fingerprint(certificate, fingerprint_algorithm = RubySaml::XML::SHA256)
         return unless certificate
 
         cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))
 
-        fingerprint_alg = RubySaml::XML::Crypto.hash_algorithm(fingerprint_algorithm).new
+        fingerprint_alg = RubySaml::XML.hash_algorithm(fingerprint_algorithm).new
         fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
       end
 

lib/ruby_saml/logoutrequest.rb

@@ -72,7 +72,7 @@ def create_params(settings, params={})
           relay_state: relay_state,
           sig_alg: params['SigAlg']
         )
-        sign_algorithm = RubySaml::XML::Crypto.hash_algorithm(settings.get_sp_signature_method)
+        sign_algorithm = RubySaml::XML.hash_algorithm(settings.get_sp_signature_method)
         signature = settings.get_sp_signing_key.sign(sign_algorithm.new, url_string)
         params['Signature'] = encode(signature)
       end

lib/ruby_saml/settings.rb

@@ -126,7 +126,7 @@ def get_fingerprint
       idp_cert_fingerprint || begin
         idp_cert = get_idp_cert
         if idp_cert
-          fingerprint_alg = RubySaml::XML::Crypto.hash_algorithm(idp_cert_fingerprint_algorithm).new
+          fingerprint_alg = RubySaml::XML.hash_algorithm(idp_cert_fingerprint_algorithm).new
           fingerprint_alg.hexdigest(idp_cert.to_der).upcase.scan(/../).join(":")
         end
       end
@@ -226,7 +226,7 @@ def get_binding(value)
     DEFAULTS = {
       assertion_consumer_service_binding: Utils::BINDINGS[:post],
       single_logout_service_binding: Utils::BINDINGS[:redirect],
-      idp_cert_fingerprint_algorithm: RubySaml::XML::Crypto::SHA256,
+      idp_cert_fingerprint_algorithm: RubySaml::XML::SHA256,
       message_max_bytesize: 250_000,
       soft: true,
       security: {
@@ -237,8 +237,8 @@ def get_binding(value)
         want_assertions_encrypted: false,
         want_name_id: false,
         metadata_signed: false,
-        digest_method: RubySaml::XML::Crypto::SHA256,
-        signature_method: RubySaml::XML::Crypto::RSA_SHA256,
+        digest_method: RubySaml::XML::SHA256,
+        signature_method: RubySaml::XML::RSA_SHA256,
         check_idp_cert_expiration: false,
         check_sp_cert_expiration: false,
         strict_audience_validation: false,
@@ -301,7 +301,7 @@ def get_sp_signature_method
       key_alg = 'ECDSA' if key_alg.casecmp('EC') == 0
 
       begin
-        RubySaml::XML::Crypto.const_get("#{key_alg}_#{hash_alg}".upcase)
+        RubySaml::XML.const_get("#{key_alg}_#{hash_alg}".upcase)
       rescue NameError
         raise ArgumentError.new("Unsupported signature method#{" for #{key_alg_real} key" if key_alg_real}: #{sig_alg}")
       end
@@ -313,7 +313,7 @@ def get_sp_digest_method
       alg = digest_alg.to_s.match(/(?:\A|#)(sha\d+)\z/i)[1]
 
       begin
-        RubySaml::XML::Crypto.const_get(alg.upcase)
+        RubySaml::XML.const_get(alg.upcase)
       rescue NameError
         raise ArgumentError.new("Unsupported digest method: #{digest_alg}")
       end

lib/ruby_saml/slo_logoutresponse.rb

@@ -80,7 +80,7 @@ def create_params(settings, request_id = nil, logout_message = nil, params = {},
           relay_state: relay_state,
           sig_alg: params['SigAlg']
         )
-        sign_algorithm = RubySaml::XML::Crypto.hash_algorithm(settings.get_sp_signature_method)
+        sign_algorithm = RubySaml::XML.hash_algorithm(settings.get_sp_signature_method)
         signature = sp_signing_key.sign(sign_algorithm.new, url_string)
         params['Signature'] = encode(signature)
       end

lib/ruby_saml/utils.rb

@@ -226,7 +226,7 @@ def escape_request_param(param, lowercase_url_encoding)
     #
     def verify_signature(params)
       cert, sig_alg, signature, query_string = params.values_at(:cert, :sig_alg, :signature, :query_string)
-      signature_algorithm = RubySaml::XML::Crypto.hash_algorithm(sig_alg)
+      signature_algorithm = RubySaml::XML.hash_algorithm(sig_alg)
       cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
     end
 

lib/ruby_saml/xml.rb

@@ -1,9 +1,116 @@
 # frozen_string_literal: true
 
-require 'ruby_saml/xml/crypto'
+require 'rexml/element'
+require 'openssl'
+require 'nokogiri'
+require 'digest/sha1'
+require 'digest/sha2'
+
+module RubySaml
+  # Utility module for working with XML.
+  module XML
+    extend self
+
+    # XML constants
+    #
+    # @api private
+    C14N          = 'http://www.w3.org/2001/10/xml-exc-c14n#'
+    DSIG          = 'http://www.w3.org/2000/09/xmldsig#'
+    RSA_SHA1      = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+    RSA_SHA224    = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224'
+    RSA_SHA256    = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+    RSA_SHA384    = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
+    RSA_SHA512    = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
+    DSA_SHA1      = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
+    DSA_SHA256    = 'http://www.w3.org/2009/xmldsig11#dsa-sha256'
+    ECDSA_SHA1    = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1'
+    ECDSA_SHA224  = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224'
+    ECDSA_SHA256  = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256'
+    ECDSA_SHA384  = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384'
+    ECDSA_SHA512  = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512'
+    SHA1          = 'http://www.w3.org/2000/09/xmldsig#sha1'
+    SHA224        = 'http://www.w3.org/2001/04/xmldsig-more#sha224'
+    SHA256        = 'http://www.w3.org/2001/04/xmlenc#sha256'
+    SHA384        = 'http://www.w3.org/2001/04/xmldsig-more#sha384'
+    SHA512        = 'http://www.w3.org/2001/04/xmlenc#sha512'
+    ENVELOPED_SIG = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
+
+    NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
+                       Nokogiri::XML::ParseOptions::NONET
+
+    # Find XML canonicalization algorithm
+    #
+    # @api private
+    def canon_algorithm(element, default: true)
+      case get_algorithm_attr(element)
+      when %r{\Ahttp://www\.w3\.org/TR/2001/REC-xml-c14n-20010315#?(?:WithComments)?\z}i
+        Nokogiri::XML::XML_C14N_1_0
+      when %r{\Ahttp://www\.w3\.org/2006/12/xml-c14n11#?(?:WithComments)?\z}i
+        Nokogiri::XML::XML_C14N_1_1
+      when %r{\Ahttp://www\.w3\.org/2001/10/xml-exc-c14n#?(?:WithComments)?\z}i
+        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+      else
+        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0 if default
+      end
+    end
+
+    # Find XML signature algorithm
+    #
+    # @api private
+    def signature_algorithm(element)
+      alg = get_algorithm_attr(element)
+      match_data = alg&.downcase&.match(/(?:\A|#)(rsa|dsa|ecdsa)-(sha\d+)\z/i) || {}
+      key_alg  = match_data[1]
+      hash_alg = match_data[2]
+
+      key = case key_alg
+            when 'rsa'   then OpenSSL::PKey::RSA
+            when 'dsa'   then OpenSSL::PKey::DSA
+            when 'ecdsa' then OpenSSL::PKey::EC
+            else # rubocop:disable Lint/DuplicateBranch
+              # TODO: raise ArgumentError.new("Invalid key algorithm: #{alg}")
+              OpenSSL::PKey::RSA
+            end
+
+      [key, hash_algorithm(hash_alg)]
+    end
+
+    # Find XML digest hashing algorithm
+    #
+    # @api private
+    def hash_algorithm(element)
+      alg = get_algorithm_attr(element)
+      hash_alg = alg&.downcase&.match(/(?:\A|[#-])(sha\d+)\z/i)&.[](1)
+
+      case hash_alg
+      when 'sha1' then OpenSSL::Digest::SHA1
+      when 'sha224' then OpenSSL::Digest::SHA224
+      when 'sha256' then OpenSSL::Digest::SHA256
+      when 'sha384' then OpenSSL::Digest::SHA384
+      when 'sha512' then OpenSSL::Digest::SHA512
+      else # rubocop:disable Lint/DuplicateBranch
+        # TODO: raise ArgumentError.new("Invalid hash algorithm: #{alg}")
+        OpenSSL::Digest::SHA256
+      end
+    end
+
+    private
+
+    def get_algorithm_attr(element)
+      if element.is_a?(Nokogiri::XML::Element)
+        element['Algorithm']
+      elsif element.is_a?(REXML::Element)
+        element.attribute('Algorithm').value
+      elsif element
+        element
+      end
+    end
+  end
+end
+
 require 'ruby_saml/xml/base_document'
 require 'ruby_saml/xml/document'
 require 'ruby_saml/xml/signed_document'
 
 # @deprecated This alias adds compatibility with v1.x and will be removed in v2.1.0
-XMLSecurity = RubySaml::XML
+XMLSecurity = RubySaml::XML unless defined?(XMLSecurity)

lib/ruby_saml/xml/base_document.rb

@@ -7,29 +7,26 @@
 require 'openssl'
 require 'digest/sha1'
 require 'digest/sha2'
-require 'ruby_saml/xml/crypto'
 
 module RubySaml
   module XML
     class BaseDocument < REXML::Document
       # TODO: This affects the global state
       REXML::Security.entity_expansion_limit = 0
 
-      # @deprecated Constants moved to Crypto module
-      C14N = RubySaml::XML::Crypto::C14N
-      DSIG = RubySaml::XML::Crypto::DSIG
-
-      NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
-                         Nokogiri::XML::ParseOptions::NONET
+      # @deprecated Constants moved to RubySaml::XML module
+      C14N = RubySaml::XML::C14N
+      DSIG = RubySaml::XML::DSIG
+      NOKOGIRI_OPTIONS = RubySaml::XML::NOKOGIRI_OPTIONS
 
       # @deprecated Remove in v2.1.0
       def canon_algorithm(algorithm)
-        RubySaml::XML::Crypto.canon_algorithm(algorithm)
+        RubySaml::XML.canon_algorithm(algorithm)
       end
 
       # @deprecated Remove in v2.1.0
       def algorithm(algorithm)
-        RubySaml::XML::Crypto.hash_algorithm(algorithm)
+        RubySaml::XML.hash_algorithm(algorithm)
       end
     end
   end