Rails SAML: how to decrypt the XML?

I am doing SAML authentication, and when I get the XML, part of it is encrypted. This is the part I need (it contains the name, email, etc.).

To do this, I have the private key to decrypt it, but I don't know how.

Here is where I am:

    response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
    response.settings = set_settings
    doc = Nokogiri::XML(response.response)
    document = XMLSecurity::Document.new(doc)
    ### NOT USED HERE
    formated_cert = OneLogin::RubySaml::Utils.format_cert(CONFIG_CERTIFICATE)
    cert = OpenSSL::X509::Certificate.new(formated_cert)
    formated_private_key = OneLogin::RubySaml::Utils.format_private_key(CONFIG_PRIVATE_KEY)
    private_key = OpenSSL::PKey::RSA.new(formated_private_key)
    ### NOT USED HERE
    ret = document.decrypt!(response.settings) rescue nil # PROBLEM HERE, DOESN'T WORK

    def set_settings
      settings = OneLogin::RubySaml::Settings.new
      ...
      settings.security[:digest_method]    = XMLSecurity::Document::SHA1
      settings.security[:signature_method] = XMLSecurity::Document::SHA1
      ...
      settings.certificate = CONFIG_CERTIFICATE
      settings.private_key = CONFIG_PRIVATE_KEY
      settings # return the settings object, not the last assigned value
    end


So ret should be the decrypted XML that I can use, but it always stays nil (the rescue nil is there to avoid a 500).

I am using OneLogin::RubySaml and XMLSecurity, but I have no idea what I did wrong. Anyone?

+3

2 answers


Finally I managed to fix the problem. Here's the solution:

    response.settings = saml_settings

    # Pull the RSA-encrypted session key and the AES-encrypted assertion out of the response
    enc_key   = REXML::XPath.first(response.document, "//xenc:EncryptedKey//xenc:CipherData/xenc:CipherValue").text
    enc_value = REXML::XPath.first(response.document, "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue").text
    private_key = OpenSSL::PKey::RSA.new(CONFIG_PRIVATE_KEY)
    # Unwrap the session key with the SP private key (RSA-OAEP)
    data_key = private_key.private_decrypt(Base64.decode64(enc_key), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)

    # decrypt_cipher_data is the AES-256-CBC helper from the gist (see the other answer)
    actual_output = decrypt_cipher_data(data_key, enc_value)
    # The raw output still carries the xmlenc padding bytes, so cut it at the closing tag
    clean_output = actual_output.slice(0..(actual_output.index('</Assertion>') + '</Assertion>'.length - 1))


So clean_output is the final XML, ready to use.

0

Because I can't comment on your question, @ReggieB, here is where @F4ke's answer comes from, I think: https://gist.github.com/sheeley/7044243

For the decryption part:



    require 'openssl'
    require 'base64'
    require 'rexml/document'

    # AES-256-CBC decryption of the xenc:CipherValue: the first 16 bytes are the IV,
    # the rest is the ciphertext. OpenSSL padding is disabled because XML Encryption
    # uses its own padding scheme, which is why the caller slices the output afterwards.
    def decrypt_cipher_data(key_cipher, cipher_data)
        cipher_data_str = Base64.decode64(cipher_data)
        mcrypt_iv = cipher_data_str[0..15]
        cipher_data_str = cipher_data_str[16..-1]
        cipher = OpenSSL::Cipher.new("aes-256-cbc") # OpenSSL::Cipher::Cipher.new is deprecated
        cipher.decrypt
        cipher.padding = 0
        cipher.key = key_cipher
        cipher.iv = mcrypt_iv
        result = cipher.update(cipher_data_str)
        result << cipher.final
    end

    # Locate the wrapped session key and the encrypted assertion in the response
    enc_key = REXML::XPath.first(response.document, "//xenc:EncryptedKey//xenc:CipherData/xenc:CipherValue").text
    enc_value = REXML::XPath.first(response.document, "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue").text
    private_key = OpenSSL::PKey::RSA.new(CONFIG_PRIVATE_KEY)
    # Unwrap the session key with the SP private key (RSA-OAEP)
    data_key = private_key.private_decrypt(Base64.decode64(enc_key), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)

    actual_output = decrypt_cipher_data(data_key, enc_value)
    # Drop the trailing xmlenc padding by cutting at the closing tag
    clean_output = actual_output.slice(0..(actual_output.index('</Assertion>') + '</Assertion>'.length - 1))


0
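Added example (not from the question, the answers or the linked gist): the same two-step decryption the answers perform, but with the block cipher taken from the xenc EncryptionMethod Algorithm URI and the xmlenc padding removed by its length byte instead of slicing at '</Assertion>'. The SP key pair, session key and assertion are constructed in memory so it runs offline; the XPath extraction of the two CipherValue strings is left to the answer's code.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Block cipher for the xenc EncryptionMethod Algorithm URI (the answers hard-code aes-256-cbc).
XMLENC_CIPHERS = {
  'http://www.w3.org/2001/04/xmlenc#aes128-cbc'    => 'aes-128-cbc',
  'http://www.w3.org/2001/04/xmlenc#aes256-cbc'    => 'aes-256-cbc',
  'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' => 'des-ede3-cbc'
}.freeze

# Step 1: unwrap the session key from xenc:EncryptedKey (RSA-OAEP, as in the answer).
def unwrap_session_key(private_key, enc_key_b64)
  private_key.private_decrypt(Base64.decode64(enc_key_b64),
                              OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# Step 2: CipherValue is IV || ciphertext; the plaintext ends with xmlenc padding whose
# last byte is the pad length, so strip by that byte rather than slicing to '</Assertion>'.
def decrypt_cipher_value(session_key, enc_value_b64, algorithm_uri)
  cipher = OpenSSL::Cipher.new(XMLENC_CIPHERS.fetch(algorithm_uri))
  cipher.decrypt
  cipher.padding = 0 # xmlenc padding is not PKCS#7, so OpenSSL must not strip it
  raw = Base64.decode64(enc_value_b64)
  raise 'CipherValue too short' if raw.bytesize <= cipher.iv_len
  cipher.key = session_key
  cipher.iv = raw[0, cipher.iv_len]
  plain = cipher.update(raw[cipher.iv_len..-1]) + cipher.final
  pad = plain.bytes.last
  raise 'bad xmlenc padding' if pad < 1 || pad > cipher.block_size || pad > plain.bytesize
  plain[0, plain.bytesize - pad].force_encoding(Encoding::UTF_8)
end

# Constructed fixture (not real IdP output): a throwaway SP key pair and an
# IdP-style AES-256-CBC encryption of a tiny assertion with xmlenc padding.
def build_fixture(assertion_xml)
  sp_key = OpenSSL::PKey::RSA.new(2048)
  session_key = SecureRandom.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.padding = 0
  iv = cipher.random_iv
  cipher.key = session_key
  pad = 16 - (assertion_xml.bytesize % 16)
  padded = assertion_xml.b + SecureRandom.random_bytes(pad - 1) + pad.chr
  enc_value = Base64.strict_encode64(iv + cipher.update(padded) + cipher.final)
  enc_key = Base64.strict_encode64(
    sp_key.public_key.public_encrypt(session_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING))
  [sp_key, enc_key, enc_value]
end
```

Feed enc_key and enc_value from the answer's two XPath lookups, plus the Algorithm attribute of the EncryptedData's EncryptionMethod, to the same two functions.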

