From 8a6b1ddf1ca76ebf878fc34110c408f21327ce25 Mon Sep 17 00:00:00 2001 From: Tobias Amft Date: Tue, 8 Oct 2024 09:14:26 +0200 Subject: [PATCH] Return original certificate and key from Utils build functions Return the original certificate from Utils.build_cert_object when an instance of OpenSSL::X509::Certificate is given. And return the original key from Utils.build_private_key_object when an instance of OpenSSL::PKey::PKey is given. --- lib/ruby_saml/settings.rb | 20 +++++++++----------- lib/ruby_saml/utils.rb | 2 ++ test/utils_test.rb | 12 ++++++++++++ 3 files changed, 23 insertions(+), 11 deletions(-) diff --git a/lib/ruby_saml/settings.rb b/lib/ruby_saml/settings.rb index 96a0d21e..30462074 100644 --- a/lib/ruby_saml/settings.rb +++ b/lib/ruby_saml/settings.rb @@ -374,12 +374,16 @@ def get_all_sp_certs # Validate certificate, certificate_new, private_key, and sp_cert_multi params. def validate_sp_certs_params! has_multi = sp_cert_multi && !sp_cert_multi.empty? - has_pk = private_key && !private_key.empty? - if has_multi && (cert?(certificate) || cert?(certificate_new) || has_pk) + if has_multi && (cert?(certificate) || cert?(certificate_new) || pk?) raise ArgumentError.new("Cannot specify both sp_cert_multi and certificate, certificate_new, private_key parameters") end end + # Check if private key exists and is not empty + def pk? + private_key && !private_key.empty? + end + # Check if a certificate is present. def cert?(cert) return true if cert.is_a?(OpenSSL::X509::Certificate) 
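Review bot: The new `pk?` helper in lib/ruby_saml/settings.rb calls `private_key.empty?`, which raises NoMethodError when `private_key` is an `OpenSSL::PKey::PKey` object, because that class does not define `empty?`. The call is reached whenever `sp_cert_multi` is set and neither `cert?` call returns true. Since this commit makes `Utils.build_private_key_object` accept key objects, `pk?` should presumably mirror the `cert?` guard below it and start with `return true if private_key.is_a?(OpenSSL::PKey::PKey)`. Otherwise the misconfiguration that `validate_sp_certs_params!` is meant to report as an ArgumentError surfaces as an unrelated exception. The body of `cert?` continues outside the hunk, so its remaining checks are not visible here.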
@@ -392,14 +396,14 @@ def get_sp_certs_single certs = { :signing => [], :encryption => [] } sp_key = RubySaml::Utils.build_private_key_object(private_key) - cert = build_cert_object(certificate) + cert = RubySaml::Utils.build_cert_object(certificate) if cert || sp_key ary = [cert, sp_key].freeze certs[:signing] << ary certs[:encryption] << ary end - cert_new = build_cert_object(certificate_new) + cert_new = RubySaml::Utils.build_cert_object(certificate_new) if cert_new ary = [cert_new, sp_key].freeze certs[:signing] << ary @@ -434,7 +438,7 @@ def get_sp_certs_multi end certs[type] << [ - build_cert_object(cert), + RubySaml::Utils.build_cert_object(cert), RubySaml::Utils.build_private_key_object(key) ].freeze end @@ -443,11 +447,5 @@ def get_sp_certs_multi certs.each { |_, ary| ary.freeze } certs end - - def build_cert_object(cert) - return cert if cert.is_a?(OpenSSL::X509::Certificate) - - OneLogin::RubySaml::Utils.build_cert_object(cert) - end end end diff --git a/lib/ruby_saml/utils.rb b/lib/ruby_saml/utils.rb index fa71174f..ee7c5e7f 100644 --- a/lib/ruby_saml/utils.rb +++ b/lib/ruby_saml/utils.rb @@ -119,6 +119,7 @@ def format_private_key(key, multi: false) # @param pem [String] The original certificate # @return [OpenSSL::X509::Certificate] The certificate object def build_cert_object(pem) + return pem if pem.is_a?(OpenSSL::X509::Certificate) return unless (pem = PemFormatter.format_cert(pem, multi: false)) OpenSSL::X509::Certificate.new(pem) @@ -129,6 +130,7 @@ def build_cert_object(pem) # @param pem [String] The original private key. # @return [OpenSSL::PKey::PKey] The private key object. def build_private_key_object(pem) + return pem if pem.is_a?(OpenSSL::PKey::PKey) return unless (pem = PemFormatter.format_private_key(pem, multi: false)) error = nil diff --git a/test/utils_test.rb b/test/utils_test.rb index 028ab069..69d6e864 100644 --- a/test/utils_test.rb +++ b/test/utils_test.rb 
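Review bot: The `@param pem [String]` tags above `build_cert_object` (hunk `@@ -119`) and `build_private_key_object` (hunk `@@ -129`) no longer match the code, which now also accepts an `OpenSSL::X509::Certificate` or an `OpenSSL::PKey::PKey` and returns that same instance. I would change them to `# @param pem [String, OpenSSL::X509::Certificate] The original certificate, or a certificate object that is returned as-is` and `# @param pem [String, OpenSSL::PKey::PKey] The original private key, or a key object that is returned as-is`. The comments should also state that the pass-through performs no checks, so an empty certificate object or a key object holding only a public key is returned unchanged and fails only later, when it is used for signing or decryption. The returned instance also stays shared with the caller, because `[cert, sp_key].freeze` in `get_sp_certs_single` freezes the array and not the objects in it. Both method bodies continue outside their hunks.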
@@ -156,6 +156,11 @@ def result(duration, reference = 0) end end + it 'returns the original certificate when an OpenSSL::X509::Certificate is given' do + certificate = OpenSSL::X509::Certificate.new + assert_same certificate, RubySaml::Utils.build_cert_object(certificate) + end + it 'returns nil for nil certificate string' do assert_nil RubySaml::Utils.build_cert_object(nil) end @@ -180,6 +185,13 @@ def result(duration, reference = 0) end end + [OpenSSL::PKey::RSA, OpenSSL::PKey::DSA, OpenSSL::PKey::EC].each do |key_class| + it 'returns the original private key when an instance of OpenSSL::PKey::PKey is given' do + private_key = key_class.new + assert_same private_key, RubySaml::Utils.build_private_key_object(private_key) + end + end + it 'returns nil for nil private key string' do assert_nil RubySaml::Utils.build_private_key_object(nil) end
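Review bot: The three examples generated by the `key_class` loop (hunk `@@ -180`) all carry the same description, so a failure report does not say which key type broke. Interpolating the class fixes that: `it "returns the original private key when an instance of #{key_class} is given" do`. Both new tests build empty objects with `.new`, so they pin object identity only. A further case that passes a public-only key would document what `build_private_key_object` is expected to do with one.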