Commit

Fix expiry issues
johnnyshields committed Nov 25, 2023
1 parent 3c6cb0e commit d1900f9
Showing 2 changed files with 17 additions and 11 deletions.
11 changes: 7 additions & 4 deletions README.md
Expand Up @@ -760,11 +760,14 @@ settings.sp_cert_multi = {
Note the following:
- You may re-use the same certificate and/or private key for both signing and encryption.
- When signing, Ruby SAML will use the first non-expired SP certificate in the
`sp_cert_multi[:signing]` array.
- When signing, Ruby SAML will use the first SP certificate in the `sp_cert_multi[:signing]`
array. This will be the first active/non-expired certificate in the array if
`settings.security[:check_sp_cert_expiration]` is true.
- The IdP may encrypt with any of the SP certificates in the `sp_cert_multi[:encryption]`
array. When decrypting, Ruby SAML attempt to decrypt with all non-expired SP certificates
until the decryption is successful.
array. When decrypting, Ruby SAML attempt to decrypt with each SP private key in
`sp_cert_multi[:encryption]` until the decryption is successful. This will skip
private keys for inactive/expired certificates if `settings.security[:check_sp_cert_expiration]`
is true.
#### Audience Validation
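Review bot: The new decryption paragraph has a subject-verb mismatch ("Ruby SAML attempt to decrypt with each SP private key"); it should read "Ruby SAML attempts to decrypt". The signing bullet also leaves out the failure case shown in the settings.rb change below: when `settings.security[:check_sp_cert_expiration]` is true and no certificate in `sp_cert_multi[:signing]` is active, `get_sp_signing_pair` raises `OneLogin::RubySaml::ValidationError` rather than falling back to the first certificate, and that is worth stating here so operators know an expired signing certificate is a hard error, not a silent downgrade.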
17 changes: 10 additions & 7 deletions lib/onelogin/ruby-saml/settings.rb
Expand Up @@ -215,12 +215,12 @@ def get_sp_certs
def get_sp_signing_pair
pairs = get_sp_certs[:signing]
return if pairs.empty?
# puts pairs.inspect
pair = pairs.detect { |cert, _| true } # cert && OneLogin::RubySaml::Utils.is_cert_active(cert) }
# puts pair.inspect
if security[:check_sp_cert_expiration] && !pair
raise OneLogin::RubySaml::ValidationError.new("The SP certificate expired.")
end

return pairs.first unless security[:check_sp_cert_expiration]

pair = pairs.detect { |cert, _| cert && OneLogin::RubySaml::Utils.is_cert_active(cert) }
raise OneLogin::RubySaml::ValidationError.new("The SP certificate expired.") unless pair

pair
end
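Review bot: The error message on the `raise` line ("The SP certificate expired.") no longer matches the condition being checked, which is now "no active certificate among possibly several in `sp_cert_multi[:signing]`"; something like "No active SP signing certificate found." would point an operator at the right fix. Also note that the `detect` predicate `cert && OneLogin::RubySaml::Utils.is_cert_active(cert)` skips a pair whose certificate is nil whenever the expiration check is enabled, whereas `get_sp_decryption_keys` in the next hunk keeps a key whose certificate is nil; if a key without a certificate is a supported configuration, the two methods should treat it the same way, otherwise the nil case here should be rejected explicitly. Good to see the leftover `puts` debugging and the `detect { |cert, _| true }` placeholder, which selected the first pair unconditionally regardless of expiry, removed.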

Expand All @@ -245,7 +245,10 @@ def get_sp_signing_key
# @return [Array<OpenSSL::PKey::RSA>] The SP decryption keys.
def get_sp_decryption_keys
get_sp_certs[:encryption].map do |cert, private_key|
private_key if !cert || OneLogin::RubySaml::Utils.is_cert_active(cert)
next if security[:check_sp_cert_expiration] &&
cert && !OneLogin::RubySaml::Utils.is_cert_active(cert)

private_key
end.compact
end
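Review bot: When `security[:check_sp_cert_expiration]` is true and every certificate in `sp_cert_multi[:encryption]` is expired, this method now returns an empty array and decryption simply fails later, while `get_sp_signing_pair` raises `ValidationError` in the equivalent situation; consider either raising here as well or documenting in the `@return` comment that the result may be empty, so the two expiry paths fail consistently and visibly. The `next if ... && cert && !is_cert_active(cert)` guard itself is correct, and `.compact` is still needed because `next` yields nil for the skipped entries.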


0 comments on commit d1900f9