`Saml::Elements::KeyInfo.key_name` being automatically generated

[lawliet89]

In the initializer for Saml::Elements::KeyInfo, the key_name attribute is automatically generated.

When we try to do the following where the key defined in the IdP metadata has no ds:KeyName assigned:

saml_response = Saml::Response.new(...)
artifact_response = Saml::ArtifactResponse.new(status_value: Saml::TopLevelCodes::SUCCESS,
                                             issuer: 'https://idp.example.com',
                                             destination: 'https://sp.example.com/acs')
artifact_response.response = saml_response

artifact_resolution_url = Saml.provider( 'https://idp.example.com').artifact_resolution_service_url
stub_request(:post, artifact_resolution_url).to_return(body: Saml::Util.sign_xml(artifact_response, :soap))
request = ... # A mock request object with SAMLart set to some arbitrary value
Saml::Bindings::HTTPArtifact.resolve(request, artifact_resolution_url)

Then we will get a SignatureInvalid error. This is because in Saml::Provider.verify, it tries to find a key with the ID generated during the signing, but this key in the IdP metadata has no name and is thus not found. Thus the call certificate(key_name).public_key.verify(digest_method(signature_algorithm).new, signature, data) in Saml::Provider.verify fails because certificate(key_name) returns nil.

[benoist]

I've created a pull request, I think that would solve your problem.

[lawliet89]

The metadata I am using has two separate keys for encryption and signing, so #114 won't fix the issue I have because key_name_or_use_specified? would return true.

Is a key name required for a key? From my understanding (which might be wrong!) it is not mandatory. Also, if I were to have a name for my key in the metadata, wouldn't the initializer for Saml::Elements::KeyInfo generate a wrong name?

[benoist]

if you have 2 certificates that you use for different cases then you should specify the "use". You don't have to name them.

[lawliet89]

I have specified "use' for both keys, but the library will not find the
correct key to verify signature in this case because it doesn't have a name
but has a use defined.

I'm not sure how I should proceed.

[benoist]

I've updated the PR, you can now disable keyname generation and the key lookup also works in your case

[lawliet89]

Thanks for the new configuration option. It works well.

[benoist]

Good 👍 I've created gem version 2.20.6