pitbulk
commented
1 month ago certificate and private_key are related with the SP.
In order to validate the SAMLResponse, you need to provide the idp_certificate.
Open tobiasamft opened 2 months ago
pitbulk
commented
1 month ago certificate and private_key are related with the SP.
In order to validate the SAMLResponse, you need to provide the idp_certificate.
tobiasamft
commented
1 month ago In order to validate the SAMLResponse, you need to provide the idp_certificate.
Correct, but this does not seem to be the issue here. I've just realized that there actually was a related change introduced with 1.17.0 (sorry, haven't seen this earlier).
The real issue here is that I'm passing an instance of OpenSSL::X509::Certificate to the Settings (instead of plain cert). This was possible with 1.16.0 and there are some checks in the code that accept either OpenSSL::X509::Certificate or String.
Now with 1.17.0, OpenSSL::X509::Certificate can't be used anymore because #673 has introduced this check : cert = certificate && !certificate.empty? which works for String only.
Question is: should settings.certificate accept both, OpenSSL::X509::Certificate and String? Or should it just accept String?
pitbulk
commented
1 month ago @tobiasamft , Can you check if this change solves your issue?
def validate_sp_certs_params!
multi = sp_cert_multi && !sp_cert_multi.empty?
cert = certificate if certificate && (certificate.is_a?(OpenSSL::X509::Certificate) || !certificate.empty?)
cert_new = certificate_new if certificate_new && (certificate_new.is_a?(OpenSSL::X509::Certificate) || !certificate_new.empty?)
pk = private_key if private_key && (private_key.is_a?(OpenSSL::PKey::RSA) || !private_key.empty?)
if multi && (cert || cert_new || pk)
raise ArgumentError.new("Cannot specify both sp_cert_multi and certificate, certificate_new, private_key parameters")
end
endWorks partially, then you have another issue with utils.rb line 151:
# Given a certificate string, return an OpenSSL::X509::Certificate object.
#
# @param cert [String] The original certificate
# @return [OpenSSL::X509::Certificate] The certificate object
#
def self.build_cert_object(cert)
return nil if cert.nil? || cert.empty?
OpenSSL::X509::Certificate.new(format_cert(cert))
endThere might be additional methods with this problem.
tobiasamft
commented
1 month ago If you want to support both, OpenSSL::X509::Certificate and String, I could try to support with a PR.
pitbulk
commented
1 month ago Ok please, send that PR and will review it. If it was working in the past, it makes sense to keep it.
cc @johnnyshields
tobiasamft
commented
1 month ago Finally found some time to open PR #726.
Hi, I'm observing the following error after updating ruby-saml from 1.16.0 to 1.17.0:
I've tested the following code snippet:
I've used the certificate, key, and xml from this repo to test it:
(My assumption is that ruby-saml.crt and ruby-saml.key have been used for encryption, otherwise I would get another error with version 1.16.0 like
OpenSSL::PKey::PKeyError: EVP_PKEY_decrypt: failed to decrypt)Any idea why this fails after updating from 1.16.0 to 1.17.0? Code in settings.rb hasn't been changed with the new version. With version 1.16.0, a valid response is rendered. I've tested with Ruby 3.3.4 and 3.3.5.