Merge pull request #64 from waterkip/bug-61

Fix SAML metadata signing

Author: timlegge

.gitignore

@@ -22,3 +22,5 @@ xt/testapp/sign-nopw-cert-dsa.pem
 xt/testapp/sign-private-dsa.pem
 Release-*
 xt/testapp/IdPs/*/*
+/Net-SAML2-*/**
+/Net-SAML2-*.tar.gz

Makefile.PL

@@ -24,6 +24,7 @@ my %WriteMakefileArgs = (
     "DateTime" => 0,
     "DateTime::Format::XSD" => 0,
     "DateTime::HiRes" => 0,
+    "Digest::MD5" => 0,
     "Exporter" => 0,
     "File::Slurper" => 0,
     "HTTP::Request::Common" => 0,
@@ -68,7 +69,7 @@ my %WriteMakefileArgs = (
     "URI::URL" => 0,
     "XML::LibXML::XPathContext" => 0
   },
-  "VERSION" => "0.55",
+  "VERSION" => "0.56",
   "test" => {
     "TESTS" => "t/*.t t/author/*.t"
   }
@@ -84,6 +85,7 @@ my %FallbackPrereqs = (
   "DateTime" => 0,
   "DateTime::Format::XSD" => 0,
   "DateTime::HiRes" => 0,
+  "Digest::MD5" => 0,
   "Exporter" => 0,
   "File::Slurper" => 0,
   "HTTP::Request::Common" => 0,

README

@@ -2,7 +2,7 @@ NAME
     Net::SAML2 - SAML2 bindings and protocol implementation
 
 VERSION
-    version 0.55
+    version 0.56
 
 SYNOPSIS
       See TUTORIAL.md for implementation documentation and

cpanfile

@@ -8,6 +8,7 @@ requires "Crypt::OpenSSL::X509" => "0";
 requires "DateTime" => "0";
 requires "DateTime::Format::XSD" => "0";
 requires "DateTime::HiRes" => "0";
+requires "Digest::MD5" => "0";
 requires "Exporter" => "0";
 requires "File::Slurper" => "0";
 requires "HTTP::Request::Common" => "0";

lib/Net/SAML2/SP.pm

@@ -28,6 +28,8 @@ Net::SAML2::SP - SAML Service Provider object
 use Crypt::OpenSSL::X509;
 use XML::Generator;
 
+use Digest::MD5 ();
+
 use Net::SAML2::Binding::POST;
 use Net::SAML2::Binding::Redirect;
 use Net::SAML2::Binding::SOAP;
@@ -327,14 +329,15 @@ sub generate_metadata {
     return $x->EntityDescriptor(
         $md,
         {
-            entityID => $self->id },
+            entityID => $self->id,
+            ID       => $self->generate_sp_desciptor_id(),
+        },
         $x->SPSSODescriptor(
             $md,
             { AuthnRequestsSigned => $self->authnreq_signed,
               WantAssertionsSigned => $self->want_assertions_signed,
               errorURL => $self->url . $self->error_url,
               protocolSupportEnumeration => 'urn:oasis:names:tc:SAML:2.0:protocol',
-              ID => $self->generate_sp_desciptor_id(),
             },
             $x->KeyDescriptor(
                 $md,
@@ -348,7 +351,12 @@ sub generate_metadata {
                             $ds,
                             $self->_cert_text,
                         )
-                    )
+                    ),
+                    $x->KeyName(
+                     $ds,
+                     Digest::MD5::md5_hex($self->_cert_text)
+                    ),
+
                 )
             ),
             $x->SingleLogoutService(
@@ -438,6 +446,8 @@ sub metadata {
             sig_hash    => 'sha256',
             digest_hash => 'sha256',
             x509        => 1,
+            ns          => { md => 'urn:oasis:names:tc:SAML:2.0:metadata' },
+            id_attr     => '/md:EntityDescriptor[@ID]',
         }
     );
     return $signer->sign($metadata);

t/02-create-sp.t

@@ -11,9 +11,8 @@ my $xpath = get_xpath(
     ds => 'http://www.w3.org/2000/09/xmldsig#'
 );
 
-my $nodes = $xpath->findnodes('//md:EntityDescriptor/md:SPSSODescriptor');
-is($nodes->size, 1, "We have one PSSODescriptor");
-my $node = $nodes->get_node(1);
+my $node
+    = get_single_node_ok($xpath, '//md:EntityDescriptor/md:SPSSODescriptor');
 ok(!$node->getAttribute('WantAssertionsSigned'),
     'Wants assertions to be signed');
 ok(
@@ -37,54 +36,129 @@ if (is(@ssos, 2, "Got two assertionConsumerService(s)")) {
     );
 }
 
+get_single_node_ok($xpath, '//ds:Signature');
+
+{
+    my $sp    = net_saml2_sp(sign_metadata => 0);
+    my $xpath = get_xpath(
+        $sp->metadata,
+        md => 'urn:oasis:names:tc:SAML:2.0:metadata',
+        ds => 'http://www.w3.org/2000/09/xmldsig#'
+    );
+
+    my $nodes = $xpath->findnodes('//ds:Signature');
+    is($nodes->size(), 0, "We don't have any ds:Signature present");
+
+}
+
 {
     my $sp = Net::SAML2::SP->new(
-        id               => 'http://localhost:3000',
-        url              => 'http://localhost:3000',
-        cert             => 't/sign-nopw-cert.pem',
-        key              => 't/sign-nopw-cert.pem',
-        cacert           => 't/cacert.pem',
-        org_name         => 'Test',
-        org_display_name => 'Test',
+        id     => 'Some entity ID',
+        url    => 'http://localhost:3000',
+        cert   => 't/sign-nopw-cert.pem',
+        key    => 't/sign-nopw-cert.pem',
+        cacert => 't/cacert.pem',
+
+        org_name         => 'Net::SAML2::SP',
+        org_display_name => 'Net::SAML2::SP testsuite',
         org_contact      => 'test@example.com',
+
         org_url          => 'http://www.example.com',
         slo_url_soap     => '/slo-soap',
         slo_url_redirect => '/sls-redirect-response',
         slo_url_post     => '/sls-post-response',
         acs_url_post     => '/consumer-post',
         acs_url_artifact => '/consumer-artifact',
-        org_name         => 'Net::SAML2 Saml2Test',
-        org_display_name => 'Saml2Test app for Net::SAML2',
-        org_contact      => 'saml2test@example.com',
         error_url        => '/error',
     );
 
-    my $xpath = get_xpath($sp->metadata,
-        md => 'urn:oasis:names:tc:SAML:2.0:metadata');
-    my $nodes = $xpath->findnodes('//md:EntityDescriptor/md:SPSSODescriptor');
-    is($nodes->size, 1, "We have one PSSODescriptor");
-    my $node = $nodes->get_node(1);
-    ok($node->getAttribute('WantAssertionsSigned'),
-        'Wants assertions to be signed');
-    ok(
-        $node->getAttribute('AuthnRequestsSigned'),
-        '.. and also authn requests to be signed'
-    );
-}
-
-$nodes = $xpath->findnodes('//ds:Signature');
-is($nodes->size(), 1, "We have a signed metadata document ds:Signature present");
-
-{
-    my $sp = net_saml2_sp(sign_metadata => 0);
     my $xpath = get_xpath(
         $sp->metadata,
         md => 'urn:oasis:names:tc:SAML:2.0:metadata',
         ds => 'http://www.w3.org/2000/09/xmldsig#'
     );
 
-    my $nodes = $xpath->findnodes('//ds:Signature');
-    is($nodes->size(), 0, "We don't have any ds:Signature present");
+    my $node = get_single_node_ok($xpath, '/md:EntityDescriptor');
+    is(
+        $node->getAttribute('entityID'),
+        'Some entity ID',
+        '.. has the correct entity ID'
+    );
+
+    ok($node->getAttribute('ID'), '.. has an ID');
+
+    {
+        # Test ContactPerson
+        my $node = get_single_node_ok($xpath, '/node()/md:ContactPerson');
+        my $p    = $node->nodePath();
+
+        my $company = get_single_node_ok($xpath, "$p/md:Company");
+        is(
+            $company->textContent,
+            'Net::SAML2::SP testsuite',
+            "Got the correct company name for the contact person"
+        );
+
+        my $email = get_single_node_ok($xpath, "$p/md:EmailAddress");
+        is($email->textContent, 'test@example.com',
+            ".. and the correct email");
+    }
+
+    {
+        # Test Organisation
+        my $node = get_single_node_ok($xpath, '/node()/md:Organization');
+        my $p    = $node->nodePath();
+
+        my $name = get_single_node_ok($xpath, "$p/md:OrganizationName");
+        is($name->textContent, 'Net::SAML2::SP',
+            "Got the correct company name");
+
+        my $display_name
+            = get_single_node_ok($xpath, "$p/md:OrganizationDisplayName");
+        is(
+            $display_name->textContent,
+            'Net::SAML2::SP testsuite',
+            ".. and the correct display name"
+        );
+
+        my $url = get_single_node_ok($xpath, "$p/md:OrganizationURL");
+        is($url->textContent, 'http://www.example.com',
+            ".. and the correct URI");
+    }
+
+    {
+        # Test SPSSODescriptor
+        my $node = get_single_node_ok($xpath, '/node()/md:SPSSODescriptor');
+        is($node->getAttribute('AuthnRequestsSigned'),
+            '1', '.. and authn request needs signing');
+        is($node->getAttribute('WantAssertionsSigned'),
+            '1', '.. as does assertions');
+        is($node->getAttribute('errorURL'),
+            'http://localhost:3000/error', 'Got the correct error URI');
+
+        my $p = $node->nodePath();
+
+        my $kd = get_single_node_ok($xpath, "$p/md:KeyDescriptor");
+
+        is($kd->getAttribute('use'),
+            "signing", "Key descriptor is there for signing only");
+
+        my $ki = get_single_node_ok($xpath, $kd->nodePath() . "/ds:KeyInfo");
+
+        my $cert = get_single_node_ok($xpath,
+            $ki->nodePath() . "/ds:X509Data/ds:X509Certificate");
+        ok($cert->textContent, "And we have the certificate data");
+
+        my $keyname
+            = get_single_node_ok($xpath, $ki->nodePath() . "/ds:KeyName");
+        ok($keyname->textContent, "... and we have a key name");
+    }
+
+}
+
+{
+    # Test Signature
+    my $node = get_single_node_ok($xpath, '/node()/ds:Signature');
 
 }
 

t/lib/Test/Net/SAML2/Util.pm

@@ -10,6 +10,7 @@ our @EXPORT = qw(
     get_xpath
     test_xml_attribute_ok
     test_xml_value_ok
+    get_single_node_ok
     net_saml2_sp
     looks_like_a_cert
     net_saml2_binding_redirect_request
@@ -216,6 +217,14 @@ sub get_xpath {
     return $xp;
 }
 
+sub get_single_node_ok {
+    my $xpc = shift;
+    my $xpath = shift;
+    my $nodes = $xpc->findnodes($xpath);
+    is($nodes->size, 1, "Got 1 node for $xpath");
+    return $nodes->get_node(1);
+}
+
 sub test_xml_attribute_ok {
     my ($xpath, $search, $value) = @_;