Rails saml how to decrypt xml?
I am doing AUTHENTIFICATION SAML and when I got the xml part of it will be encrypted. This is the part I need (contains name, email, etc.)
To do this, I have the private key to decrypt it, but I don't know how.
I'm here:
response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
response.settings = set_settings
doc = Nokogiri::XML(response.response)
document = XMLSecurity::Document.new(doc)
### NOT USED HERE
formated_cert = OneLogin::RubySaml::Utils.format_cert(CONFIG_CERTIFICATE)
cert = OpenSSL::X509::Certificate.new(formated_cert)
formated_private_key = OneLogin::RubySaml::Utils.format_private_key(CONFIG_PRIVATE_KEY)
private_key = OpenSSL::PKey::RSA.new(formated_private_key)
### NOT USED HERE
ret = doument.decrypt!(settings) rescue nil # PROBLEME HERE, DONT WORK
def set_settings
settings = OneLogin::RubySaml::Settings.new
...
settings.security[:digest_method] = XMLSecurity::Document::SHA1
settings.security[:signature_method] = XMLSecurity::Document::SHA1
...
settings.certificate = CONFIG_CERTIFICATE
settings.private_key = CONFIG_PRIVATE_KEY
end
and so ret
it is considered decrypted xml which I can use but it always stays on nil
( rescue nil
to avoid 500)
I am using OneLogin::RubySaml
andXMLSecurity
but i have no idea what i did wrong,
anyone?
source to share
Finally I managed to fix the problem: Here's the solution:
response.settings = saml_settings
enc_key = REXML::XPath.first(response.document, "//xenc:EncryptedKey//xenc:CipherData/xenc:CipherValue").text
enc_value = REXML::XPath.first(response.document, "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue").text
private_key = OpenSSL::PKey::RSA.new(CONFIG_PRIVATE_KEY)
data_key = private_key.private_decrypt(Base64.decode64(enc_key), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
actual_output = decrypt_cipher_data(data_key, enc_value)
clean_output = actual_output.slice(0..(actual_output.index('</Assertion>') + '</Assertion>'.length-1))
so clean_output
is the final xml extension ready to use
source to share
Because I can't comment on your @ReggieB question, here's where @ F4ke's source answers, I think https://gist.github.com/sheeley/7044243
For the decryption part
def decrypt_cipher_data(key_cipher, cipher_data)
cipher_data_str = Base64.decode64(cipher_data)
mcrypt_iv = cipher_data_str[0..15]
cipher_data_str = cipher_data_str[16..-1]
cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
cipher.decrypt
cipher.padding = 0
cipher.key = key_cipher
cipher.iv = mcrypt_iv
result = cipher.update(cipher_data_str)
result << cipher.final
end
enc_key = REXML::XPath.first(response.document, "//xenc:EncryptedKey//xenc:CipherData/xenc:CipherValue").text
enc_value = REXML::XPath.first(response.document, "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue").text
private_key = OpenSSL::PKey::RSA.new(CONFIG_PRIVATE_KEY)
data_key = private_key.private_decrypt(Base64.decode64(enc_key), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
actual_output = decrypt_cipher_data(data_key, enc_value)
clean_output = actual_output.slice(0..(actual_output.index('</Assertion>') + '</Assertion>'.length-1))
source to share