Allow SP certificates to be OpenSSL::X509::Certificate

lib/ruby_saml/settings.rb

@@ -373,15 +373,24 @@ def get_all_sp_certs
 
     # Validate certificate, certificate_new, private_key, and sp_cert_multi params.
     def validate_sp_certs_params!
-      multi    = sp_cert_multi   && !sp_cert_multi.empty?
-      cert     = certificate     && !certificate.empty?
-      cert_new = certificate_new && !certificate_new.empty?
-      pk       = private_key     && !private_key.empty?
-      if multi && (cert || cert_new || pk)
+      has_multi = sp_cert_multi && !sp_cert_multi.empty?
+      if has_multi && (cert?(certificate) || cert?(certificate_new) || pk?)
         raise ArgumentError.new("Cannot specify both sp_cert_multi and certificate, certificate_new, private_key parameters")
       end
     end
 
+    # Check if private key exists and is not empty
+    def pk?
+      private_key && !private_key.empty?
+    end
+
+    # Check if a certificate is present.
+    def cert?(cert)
+      return true if cert.is_a?(OpenSSL::X509::Certificate)
+
+      cert && !cert.empty?
+    end
+
     # Get certs from certificate, certificate_new, and private_key parameters.
     def get_sp_certs_single
       certs = { :signing => [], :encryption => [] }

lib/ruby_saml/utils.rb

@@ -119,6 +119,7 @@ def format_private_key(key, multi: false)
     # @param pem [String] The original certificate
     # @return [OpenSSL::X509::Certificate] The certificate object
     def build_cert_object(pem)
+      return pem if pem.is_a?(OpenSSL::X509::Certificate)
       return unless (pem = PemFormatter.format_cert(pem, multi: false))
 
       OpenSSL::X509::Certificate.new(pem)
@@ -129,6 +130,7 @@ def build_cert_object(pem)
     # @param pem [String] The original private key.
     # @return [OpenSSL::PKey::PKey] The private key object.
     def build_private_key_object(pem)
+      return pem if pem.is_a?(OpenSSL::PKey::PKey)
       return unless (pem = PemFormatter.format_private_key(pem, multi: false))
 
       error = nil

test/settings_test.rb

@@ -515,6 +515,47 @@ class SettingsTest < Minitest::Test
         end
       end
 
+      it "handles OpenSSL::X509::Certificate objects for single case" do
+        @settings.certificate = OpenSSL::X509::Certificate.new(cert_text1)
+        @settings.private_key = key_text1
+
+        actual = @settings.get_sp_certs
+        expected = [[cert_text1, key_text1]]
+        assert_equal [:signing, :encryption], actual.keys
+        assert_equal expected, actual[:signing].map {|ary| ary.map(&:to_pem) }
+        assert_equal expected, actual[:encryption].map {|ary| ary.map(&:to_pem) }
+      end
+
+      it "handles OpenSSL::X509::Certificate objects for single case with new cert" do
+        @settings.certificate = cert_text1
+        @settings.certificate_new = OpenSSL::X509::Certificate.new(cert_text2)
+        @settings.private_key = key_text1
+
+        actual = @settings.get_sp_certs
+        expected = [[cert_text1, key_text1], [cert_text2, key_text1]]
+        assert_equal [:signing, :encryption], actual.keys
+        assert_equal expected, actual[:signing].map {|ary| ary.map(&:to_pem) }
+        assert_equal expected, actual[:encryption].map {|ary| ary.map(&:to_pem) }
+      end
+
+      it "handles OpenSSL::X509::Certificate objects for multi case" do
+        x509_certificate1 = OpenSSL::X509::Certificate.new(cert_text1)
+        x509_certificate2 = OpenSSL::X509::Certificate.new(cert_text2)
+        @settings.sp_cert_multi = {
+          signing: [{ certificate: x509_certificate1, private_key: key_text1 },
+                    { certificate: cert_text2, private_key: key_text1 }],
+          encryption: [{ certificate: x509_certificate2, private_key: key_text1 },
+                       { certificate: cert_text3, private_key: key_text2 }]
+        }
+
+        actual = @settings.get_sp_certs
+        expected_signing = [[cert_text1, key_text1], [cert_text2, key_text1]]
+        expected_encryption = [[cert_text2, key_text1], [cert_text3, key_text2]]
+        assert_equal [:signing, :encryption], actual.keys
+        assert_equal expected_signing, actual[:signing].map {|ary| ary.map(&:to_pem) }
+        assert_equal expected_encryption, actual[:encryption].map {|ary| ary.map(&:to_pem) }
+      end
+
       it "sp_cert_multi allows sending only signing" do
         @settings.sp_cert_multi = {
           signing: [{ certificate: cert_text1, private_key: key_text1 },

test/utils_test.rb

@@ -156,6 +156,11 @@ def result(duration, reference = 0)
       end
     end
 
+    it 'returns the original certificate when an OpenSSL::X509::Certificate is given' do
+      certificate = OpenSSL::X509::Certificate.new
+      assert_same certificate, RubySaml::Utils.build_cert_object(certificate)
+    end
+
     it 'returns nil for nil certificate string' do
       assert_nil RubySaml::Utils.build_cert_object(nil)
     end
@@ -180,6 +185,13 @@ def result(duration, reference = 0)
       end
     end
 
+    [OpenSSL::PKey::RSA, OpenSSL::PKey::DSA, OpenSSL::PKey::EC].each do |key_class|
+      it 'returns the original private key when an instance of OpenSSL::PKey::PKey is given' do
+        private_key = key_class.new
+        assert_same private_key, RubySaml::Utils.build_private_key_object(private_key)
+      end
+    end
+
     it 'returns nil for nil private key string' do
       assert_nil RubySaml::Utils.build_private_key_object(nil)
     end