Class: Identizer::Saml::Encryptor

Inherits:

Object

Object
Identizer::Saml::Encryptor

show all

Defined in:: lib/identizer/saml/encryptor.rb

Overview

XML-Encryption of a (signed) SAML Assertion into an <EncryptedAssertion>: AES-256-CBC for the assertion, RSA-OAEP key transport of the AES key under the SP’s certificate. Decryptable by standard SPs (validated with ruby-saml).

Constant Summary collapse

XENC =

"http://www.w3.org/2001/04/xmlenc#"

AES256_CBC =

"#{XENC}aes256-cbc".freeze

RSA_OAEP =

"#{XENC}rsa-oaep-mgf1p".freeze

Instance Method Summary collapse

#encrypt!(assertion) ⇒ Object

Replaces ‘assertion` in its document with an <EncryptedAssertion> node.
#initialize(certificate) ⇒ Encryptor constructor

A new instance of Encryptor.

Constructor Details

#initialize(certificate) ⇒ `Encryptor`

Returns a new instance of Encryptor.



17
18
19

# File 'lib/identizer/saml/encryptor.rb', line 17

def initialize(certificate)
  @certificate = certificate
end

Instance Method Details

#encrypt!(assertion) ⇒ `Object`

Replaces ‘assertion` in its document with an <EncryptedAssertion> node.

# File 'lib/identizer/saml/encryptor.rb', line 22

def encrypt!(assertion)
  document = assertion.document
  plaintext = assertion.to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML)

  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  key = cipher.random_key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final

  encrypted = encrypted_assertion_node(
    document,
    cipher_value: Base64.strict_encode64(iv + ciphertext),
    encrypted_key: Base64.strict_encode64(transport_key(key)),
    certificate: Base64.strict_encode64(@certificate.to_der)
  )
  assertion.replace(encrypted)
  encrypted
end