eet_signer 1.5.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e069ff06ff3147ba7f9520b38827bf504a40421f
+  data.tar.gz: 5f6e4549a1253d3c2424ca42223cb36554595a9e
+SHA512:
+  metadata.gz: cee8321399e31116b5bea49e1cde1466c30e983b3dbee449dd6cf63667857f16151a5fefd668c0eb503cdee4e27d436b598766391fd49a1d59614154f8704a36
+  data.tar.gz: 50f2844ea8a306237e5d8ece4023259fe7fe3db4a362c47e48c613a57ac37965f5c9e3b8a12403739f4880c251f257e7ef570488d96049b62cbf9da88059ef14

data/CHANGELOG.md

@@ -0,0 +1,48 @@
+## 1.5.0 (2017-01-23)
+
+- Add posibility to disable noblanks method in Signer initialization (#16, @bpietraga)
+- Minimum ruby version is now 2.1
+
+## 1.4.3 (2015-10-28)
+
+- Fixed Issuer Name node (#8, @tiagocasanovapt)
+
+## 1.4.2 (2014-11-30)
+
+- Fixed behaviour on XMLs that already contains nested signatures somewhere
+
+## 1.4.1 (2014-09-09)
+
+- Changed method of getting GOST R 34.11-94 digest algorithm to more short and generic (and working in Ubuntu 14.04 and other OS)
+
+## 1.4.0 (2014-06-24)
+
+- Support signing and digesting with inclusive namespaces (#5, @Envek)
+
+## 1.3.1 (2014-06-24)
+
+- Fix namespace issue for SecurityTokenReference tag (#4, #@Envek)
+
+## 1.3.0 (2014-06-16)
+
+- Allow to sign with other digest algorithms - SHA1, SHA256, and GOST R 34.11-94 (#3, @Envek)
+
+## 1.2.1 (2014-05-14)
+
+- Fix canonicalization: should be without comments (#2, @Envek)
+
+## 1.2.0 (2014-05-06)
+
+- Id and attribute namespace preserving when digesting the nodes (#1, @Envek)
+
+## 1.1.1 (2013-04-03)
+
+- Allow to sign using enveloped-signature
+
+## 1.1.0 (2012-06-21)
+
+- Allow to sign XML documents without SOAP
+
+## 1.0.0 (2012-05-03)
+
+- Allow to sign SOAP documents

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Edgars Beigarts
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,25 @@
+# Signer
+
+This is a fork of original [Signer](https://badge.fury.io/rb/signer.svg) gem with applied patch for explicit signature namespaces.
+
+## Why?
+
+We needed the explicit namespaces feature for other gems and it's much easier to do so with normal ruby gem rather than github fork.
+
+## Installation
+
+```bash
+gem install eet_signer
+```
+
+## Usage
+
+For usage please see original gem's documentation. This gem should be rebased with the original gem at regularly.
+
+### Explicit signature namespaces
+
+If you need `Signature` tags to be in explicit namespace (say, `<ds:Signature>`) instead of to be in implicit default namespace you can specify next option:
+
+```ruby
+signer.ds_namespace_prefix = 'ds'
+```

data/lib/signer/digester.rb

@@ -0,0 +1,69 @@
+require 'openssl'
+
+class Signer
+
+  # Digest algorithms supported "out of the box"
+  DIGEST_ALGORITHMS = {
+    # SHA 1
+    sha1: {
+      name: 'SHA1',
+      id: 'http://www.w3.org/2000/09/xmldsig#sha1',
+      digester: lambda { OpenSSL::Digest::SHA1.new },
+    },
+    # SHA 256
+    sha256: {
+        name: 'SHA256',
+        id: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+        digester: lambda { OpenSSL::Digest::SHA256.new },
+    },
+    # GOST R 34-11 94
+    gostr3411: {
+      name: 'GOST R 34.11-94',
+      id: 'http://www.w3.org/2001/04/xmldsig-more#gostr3411',
+      digester: lambda { OpenSSL::Digest.new('md_gost94') },
+    },
+  }
+
+  # Class that holds +OpenSSL::Digest+ instance with some meta information for digesting in XML.
+  class Digester
+
+    # You may pass either a one of +:sha1+, +:sha256+ or +:gostr3411+ symbols
+    # or +Hash+ with keys +:id+ with a string, which will denote algorithm in XML Reference tag
+    # and +:digester+ with instance of class with interface compatible with +OpenSSL::Digest+ class.
+    def initialize(algorithm)
+      if algorithm.kind_of? Symbol
+        @digest_info = DIGEST_ALGORITHMS[algorithm].dup
+        @digest_info[:digester] = @digest_info[:digester].call
+        @symbol = algorithm
+      else
+        @digest_info = algorithm
+      end
+    end
+
+    attr_reader :symbol
+
+    # Digest
+    def digest(message)
+      self.digester.digest(message)
+    end
+
+    alias call digest
+
+    # Returns +OpenSSL::Digest+ (or derived class) instance
+    def digester
+      @digest_info[:digester].reset
+    end
+
+    # Human-friendly name
+    def digest_name
+      @digest_info[:name]
+    end
+
+    # XML-friendly name (for specifying in XML +DigestMethod+ node +Algorithm+ attribute)
+    def digest_id
+      @digest_info[:id]
+    end
+
+  end
+
+end

data/lib/signer/version.rb

@@ -0,0 +1,3 @@
+class Signer
+  VERSION = '1.5.0'
+end

data/lib/signer.rb

@@ -0,0 +1,336 @@
+require "nokogiri"
+require "base64"
+require "digest/sha1"
+require "openssl"
+
+require "signer/digester"
+require "signer/version"
+
+class Signer
+  attr_accessor :document, :private_key, :signature_algorithm_id, :ds_namespace_prefix
+  attr_reader :cert
+  attr_writer :security_node, :signature_node, :security_token_id
+
+  WSU_NAMESPACE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
+  WSSE_NAMESPACE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
+  DS_NAMESPACE = 'http://www.w3.org/2000/09/xmldsig#'
+
+  def initialize(document, noblanks: true)
+    self.document = Nokogiri::XML(document.to_s) do |config|
+      config.noblanks if noblanks
+    end
+    self.digest_algorithm = :sha1
+    self.set_default_signature_method!
+  end
+
+  def to_xml
+    document.to_xml(:save_with => 0)
+  end
+
+  # Return symbol name for supported digest algorithms and string name for custom ones.
+  def digest_algorithm
+    @digester.symbol || @digester.digest_name
+  end
+
+  # Allows to change algorithm for node digesting (default is SHA1).
+  #
+  # You may pass either a one of +:sha1+, +:sha256+ or +:gostr3411+ symbols
+  # or +Hash+ with keys +:id+ with a string, which will denote algorithm in XML Reference tag
+  # and +:digester+ with instance of class with interface compatible with +OpenSSL::Digest+ class.
+  def digest_algorithm=(algorithm)
+    @digester = Signer::Digester.new(algorithm)
+  end
+
+  # Return symbol name for supported digest algorithms and string name for custom ones.
+  def signature_digest_algorithm
+    @sign_digester.symbol || @sign_digester.digest_name
+  end
+
+  # Allows to change digesting algorithm for signature creation. Same as +digest_algorithm=+
+  def signature_digest_algorithm=(algorithm)
+    @sign_digester = Signer::Digester.new(algorithm)
+  end
+
+  # Receives certificate for signing and tries to guess a digest algorithm for signature creation.
+  #
+  # Will change +signature_digest_algorithm+ and +signature_algorithm_id+ for known certificate types and reset to defaults for others.
+  def cert=(certificate)
+    @cert = certificate
+    # Try to guess a digest algorithm for signature creation
+    case @cert.signature_algorithm
+      when 'GOST R 34.11-94 with GOST R 34.10-2001'
+        self.signature_digest_algorithm = :gostr3411
+        self.signature_algorithm_id = 'http://www.w3.org/2001/04/xmldsig-more#gostr34102001-gostr3411'
+      # Add clauses for other types of keys that require other digest algorithms and identifiers
+      else # most common 'sha1WithRSAEncryption' type included here
+        self.set_default_signature_method! # Reset any changes as they can become malformed
+    end
+  end
+
+  def security_token_id
+    @security_token_id ||= "uuid-639b8970-7644-4f9e-9bc4-9c2e367808fc-1"
+  end
+
+  def security_node
+    @security_node ||= document.xpath('//wsse:Security', wsse: WSSE_NAMESPACE).first
+  end
+
+  def canonicalize(node = document, inclusive_namespaces=nil)
+    node.canonicalize(Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0, inclusive_namespaces, nil) # The last argument should be exactly +nil+ to remove comments from result
+  end
+
+  # <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+  def signature_node
+    @signature_node ||= begin
+      @signature_node = security_node.at_xpath('ds:Signature', ds: DS_NAMESPACE)
+      unless @signature_node
+        @signature_node = Nokogiri::XML::Node.new('Signature', document)
+        set_namespace_for_node(@signature_node, DS_NAMESPACE, ds_namespace_prefix)
+        security_node.add_child(@signature_node)
+      end
+      @signature_node
+    end
+  end
+
+  # <SignedInfo>
+  #   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+  #   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  #   ...
+  # </SignedInfo>
+  def signed_info_node
+    node = signature_node.at_xpath('ds:SignedInfo', ds: DS_NAMESPACE)
+    unless node
+      node = Nokogiri::XML::Node.new('SignedInfo', document)
+      signature_node.add_child(node)
+      set_namespace_for_node(node, DS_NAMESPACE, ds_namespace_prefix)
+      canonicalization_method_node = Nokogiri::XML::Node.new('CanonicalizationMethod', document)
+      canonicalization_method_node['Algorithm'] = 'http://www.w3.org/2001/10/xml-exc-c14n#'
+      node.add_child(canonicalization_method_node)
+      set_namespace_for_node(canonicalization_method_node, DS_NAMESPACE, ds_namespace_prefix)
+      signature_method_node = Nokogiri::XML::Node.new('SignatureMethod', document)
+      signature_method_node['Algorithm'] = self.signature_algorithm_id
+      node.add_child(signature_method_node)
+      set_namespace_for_node(signature_method_node, DS_NAMESPACE, ds_namespace_prefix)
+    end
+    node
+  end
+
+  # <o:BinarySecurityToken u:Id="" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
+  #   ...
+  # </o:BinarySecurityToken>
+  # <SignedInfo>
+  #   ...
+  # </SignedInfo>
+  # <KeyInfo>
+  #   <o:SecurityTokenReference>
+  #     <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-639b8970-7644-4f9e-9bc4-9c2e367808fc-1"/>
+  #   </o:SecurityTokenReference>
+  # </KeyInfo>
+  def binary_security_token_node
+    node = document.at_xpath('wsse:BinarySecurityToken', wsse: WSSE_NAMESPACE)
+    unless node
+      node = Nokogiri::XML::Node.new('BinarySecurityToken', document)
+      node['ValueType']    = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
+      node['EncodingType'] = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'
+      node.content = Base64.encode64(cert.to_der).gsub("\n", '')
+      signature_node.add_previous_sibling(node)
+      wsse_ns = namespace_prefix(node, WSSE_NAMESPACE, 'wsse')
+      wsu_ns = namespace_prefix(node, WSU_NAMESPACE, 'wsu')
+      node["#{wsu_ns}:Id"] = security_token_id
+      key_info_node = Nokogiri::XML::Node.new('KeyInfo', document)
+      security_token_reference_node = Nokogiri::XML::Node.new("#{wsse_ns}:SecurityTokenReference", document)
+      key_info_node.add_child(security_token_reference_node)
+      set_namespace_for_node(key_info_node, DS_NAMESPACE, ds_namespace_prefix)
+      reference_node = Nokogiri::XML::Node.new("#{wsse_ns}:Reference", document)
+      reference_node['ValueType'] = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
+      reference_node['URI'] = "##{security_token_id}"
+      security_token_reference_node.add_child(reference_node)
+      signed_info_node.add_next_sibling(key_info_node)
+    end
+    node
+  end
+
+  # <KeyInfo>
+  #   <X509Data>
+  #     <X509IssuerSerial>
+  #       <X509IssuerName>System.Security.Cryptography.X509Certificates.X500DistinguishedName</X509IssuerName>
+  #       <X509SerialNumber>13070789</X509SerialNumber>
+  #     </X509IssuerSerial>
+  #     <X509Certificate>MIID+jCCAuKgAwIBAgIEAMdxxTANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQGEwJTRTEeMBwGA1UEChMVTm9yZGVhIEJhbmsgQUIgKHB1YmwpMScwJQYDVQQDEx5Ob3JkZWEgcm9sZS1jZXJ0aWZpY2F0ZXMgQ0EgMDExFDASBgNVBAUTCzUxNjQwNi0wMTIwMB4XDTA5MDYxMTEyNTAxOVoXDTExMDYxMTEyNTAxOVowcjELMAkGA1UEBhMCU0UxIDAeBgNVBAMMF05vcmRlYSBEZW1vIENlcnRpZmljYXRlMRQwEgYDVQQEDAtDZXJ0aWZpY2F0ZTEUMBIGA1UEKgwLTm9yZGVhIERlbW8xFTATBgNVBAUTDDAwOTU1NzI0Mzc3MjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwcgz5AzbxTbsCE51No7fPnSqmQBIMW9OiPkiHotwYQTl+H9qwDvQRyBqHN26tnw7hNvEShd1ZRGUg4drMEXDV5CmKqsAevs9lauWDaHnGKPNHZJ1hNNYXHwymksEz5zMnG8eqRdhb4vOV2FzreJeYpsgx31Bv0aTofHcHVz4uGcCAwEAAaOCASAwggEcMAkGA1UdEwQCMAAwEQYDVR0OBAoECEj6Y9/vU03WMBMGA1UdIAQMMAowCAYGKoVwRwEDMBMGA1UdIwQMMAqACEIFjfLBeTpRMDcGCCsGAQUFBwEBBCswKTAnBggrBgEFBQcwAYYbaHR0cDovL29jc3Aubm9yZGVhLnNlL1JDQTAxMA4GA1UdDwEB/wQEAwIGQDCBiAYDVR0fBIGAMH4wfKB6oHiGdmxkYXA6Ly9sZGFwLm5iLnNlL2NuPU5vcmRlYSUyMHJvbGUtY2VydGlmaWNhdGVzJTIwQ0ElMjAwMSxvPU5vcmRlYSUyMEJhbmslMjBBQiUyMChwdWJsKSxjPVNFP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwDQYJKoZIhvcNAQEFBQADggEBAEXUv87VpHk51y3TqkMb1MYDqeKvQRE1cNcvhEJhIzdDpXMA9fG0KqvSTT1e0ZI2r78mXDvtTZnpic44jX2XMSmKO6n+1taAXq940tJUhF4arYMUxwDKOso0Doanogug496gipqMlpLgvIhGt06sWjNrvHzp2eGydUFdCsLr2ULqbDcut7g6eMcmrsnrOntjEU/J3hO8gyCeldJ+fI81qarrK/I0MZLR5LWCyVG/SKduoxHLX7JohsbIGyK1qAh9fi8l6X1Rcu80v5inpu71E/DnjbkAZBo7vsj78zzdk7KNliBIqBcIszdJ3dEHRWSI7FspRxyiR0NDm4lpyLwFtfw=</X509Certificate>
+  #   </X509Data>
+  # </KeyInfo>
+  def x509_data_node
+    issuer_name_node   = Nokogiri::XML::Node.new('X509IssuerName', document)
+    issuer_name_node.content = cert.issuer.to_s[1..-1].gsub(/\//, ',')
+
+    issuer_number_node = Nokogiri::XML::Node.new('X509SerialNumber', document)
+    issuer_number_node.content = cert.serial
+
+    issuer_serial_node = Nokogiri::XML::Node.new('X509IssuerSerial', document)
+    issuer_serial_node.add_child(issuer_name_node)
+    issuer_serial_node.add_child(issuer_number_node)
+
+    cetificate_node    = Nokogiri::XML::Node.new('X509Certificate', document)
+    cetificate_node.content = Base64.encode64(cert.to_der).gsub("\n", '')
+
+    data_node          = Nokogiri::XML::Node.new('X509Data', document)
+    data_node.add_child(issuer_serial_node)
+    data_node.add_child(cetificate_node)
+
+    key_info_node      = Nokogiri::XML::Node.new('KeyInfo', document)
+    key_info_node.add_child(data_node)
+
+    signed_info_node.add_next_sibling(key_info_node)
+
+    set_namespace_for_node(key_info_node, DS_NAMESPACE, ds_namespace_prefix)
+    set_namespace_for_node(data_node, DS_NAMESPACE, ds_namespace_prefix)
+    set_namespace_for_node(issuer_serial_node, DS_NAMESPACE, ds_namespace_prefix)
+    set_namespace_for_node(cetificate_node, DS_NAMESPACE, ds_namespace_prefix)
+    set_namespace_for_node(issuer_name_node, DS_NAMESPACE, ds_namespace_prefix)
+    set_namespace_for_node(issuer_number_node, DS_NAMESPACE, ds_namespace_prefix)
+
+    data_node
+  end
+
+  ##
+  # Digests some +target_node+, which integrity you wish to track. Any changes in digested node will invalidate signed message.
+  # All digest should be calculated **before** signing.
+  #
+  # Available options:
+  # * [+:id+]                   Id for the node, if you don't want to use automatically calculated one
+  # * [+:inclusive_namespaces+] Array of namespace prefixes which definitions should be added to node during canonicalization
+  # * [+:enveloped+]
+  #
+  # Example of XML that will be inserted in message for call like <tt>digest!(node, inclusive_namespaces: ['soap'])</tt>:
+  #
+  #   <Reference URI="#_0">
+  #     <Transforms>
+  #       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+  #         <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
+  #       </Transform>
+  #     </Transforms>
+  #     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+  #     <DigestValue>aeqXriJuUCk4tPNPAGDXGqHj6ao=</DigestValue>
+  #   </Reference>
+
+  def digest!(target_node, options = {})
+    wsu_ns = namespace_prefix(target_node, WSU_NAMESPACE)
+    current_id = target_node["#{wsu_ns}:Id"]  if wsu_ns
+    id = options[:id] || current_id || "_#{Digest::SHA1.hexdigest(target_node.to_s)}"
+    if id.to_s.size > 0
+      wsu_ns ||= namespace_prefix(target_node, WSU_NAMESPACE, 'wsu')
+      target_node["#{wsu_ns}:Id"] = id.to_s
+    end
+    target_canon = canonicalize(target_node, options[:inclusive_namespaces])
+    target_digest = Base64.encode64(@digester.digest(target_canon)).strip
+
+    reference_node = Nokogiri::XML::Node.new('Reference', document)
+    reference_node['URI'] = id.to_s.size > 0 ? "##{id}" : ""
+    signed_info_node.add_child(reference_node)
+    set_namespace_for_node(reference_node, DS_NAMESPACE, ds_namespace_prefix)
+
+    transforms_node = Nokogiri::XML::Node.new('Transforms', document)
+    reference_node.add_child(transforms_node)
+    set_namespace_for_node(transforms_node, DS_NAMESPACE, ds_namespace_prefix)
+
+    transform_node = Nokogiri::XML::Node.new('Transform', document)
+    set_namespace_for_node(transform_node, DS_NAMESPACE, ds_namespace_prefix)
+    if options[:enveloped]
+      transform_node['Algorithm'] = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
+    else
+      transform_node['Algorithm'] = 'http://www.w3.org/2001/10/xml-exc-c14n#'
+    end
+    if options[:inclusive_namespaces]
+      inclusive_namespaces_node = Nokogiri::XML::Node.new('ec:InclusiveNamespaces', document)
+      inclusive_namespaces_node.add_namespace_definition('ec', transform_node['Algorithm'])
+      inclusive_namespaces_node['PrefixList'] = options[:inclusive_namespaces].join(' ')
+      transform_node.add_child(inclusive_namespaces_node)
+    end
+    transforms_node.add_child(transform_node)
+
+    digest_method_node = Nokogiri::XML::Node.new('DigestMethod', document)
+    digest_method_node['Algorithm'] = @digester.digest_id
+    reference_node.add_child(digest_method_node)
+    set_namespace_for_node(digest_method_node, DS_NAMESPACE, ds_namespace_prefix)
+
+    digest_value_node = Nokogiri::XML::Node.new('DigestValue', document)
+    digest_value_node.content = target_digest
+    reference_node.add_child(digest_value_node)
+    set_namespace_for_node(digest_value_node, DS_NAMESPACE, ds_namespace_prefix)
+    self
+  end
+
+  ##
+  # Sign document with provided certificate, private key and other options
+  #
+  # This should be very last action before calling +to_xml+, all the required nodes should be digested with +digest!+ **before** signing.
+  #
+  # Available options:
+  # * [+:security_token+]       Serializes certificate in DER format, encodes it with Base64 and inserts it within +<BinarySecurityToken>+ tag
+  # * [+:issuer_serial+]
+  # * [+:inclusive_namespaces+] Array of namespace prefixes which definitions should be added to signed info node during canonicalization
+
+  def sign!(options = {})
+    if options[:security_token]
+      binary_security_token_node
+    end
+
+    if options[:issuer_serial]
+      x509_data_node
+    end
+
+    if options[:inclusive_namespaces]
+      c14n_method_node = signed_info_node.at_xpath('ds:CanonicalizationMethod', ds: DS_NAMESPACE)
+      inclusive_namespaces_node = Nokogiri::XML::Node.new('ec:InclusiveNamespaces', document)
+      inclusive_namespaces_node.add_namespace_definition('ec', c14n_method_node['Algorithm'])
+      inclusive_namespaces_node['PrefixList'] = options[:inclusive_namespaces].join(' ')
+      c14n_method_node.add_child(inclusive_namespaces_node)
+    end
+
+    signed_info_canon = canonicalize(signed_info_node, options[:inclusive_namespaces])
+
+    signature = private_key.sign(@sign_digester.digester, signed_info_canon)
+    signature_value_digest = Base64.encode64(signature).gsub("\n", '')
+
+    signature_value_node = Nokogiri::XML::Node.new('SignatureValue', document)
+    signature_value_node.content = signature_value_digest
+    signed_info_node.add_next_sibling(signature_value_node)
+    set_namespace_for_node(signature_value_node, DS_NAMESPACE, ds_namespace_prefix)
+    self
+  end
+
+  protected
+
+  # Reset digest algorithm for signature creation and signature algorithm identifier
+  def set_default_signature_method!
+    self.signature_digest_algorithm = :sha1
+    self.signature_algorithm_id = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+  end
+
+  ##
+  # Searches in namespaces, defined on +target_node+ or its ancestors,
+  # for the +namespace+ with given URI and returns its prefix.
+  #
+  # If there is no such namespace and +desired_prefix+ is specified,
+  # adds such a namespace to +target_node+ with +desired_prefix+
+
+  def namespace_prefix(target_node, namespace, desired_prefix = nil)
+    ns = target_node.namespaces.key(namespace)
+    if ns
+      ns.match(/(?:xmlns:)?(.*)/) && $1
+    elsif desired_prefix
+      target_node.add_namespace_definition(desired_prefix, namespace)
+      desired_prefix
+    end
+  end
+
+  ##
+  # Searches for namespace with given +href+ within +node+ ancestors and assigns it to this node.
+  # If there is no such namespace, it will create it with +desired_prefix+ if present or as default namespace otherwise.
+  # In most cases you should insert +node+ in the document tree before calling this method to avoid duplicating namespace definitions
+  def set_namespace_for_node(node, href, desired_prefix = nil)
+    return node.namespace if node.namespace && node.namespace.href == href # This node already in target namespace, done
+    namespace = node.namespace_scopes.find { |ns| ns.href == href }
+    node.namespace = namespace || node.add_namespace_definition(desired_prefix, href)
+  end
+end

data/spec/fixtures/cert.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsDCCAhmgAwIBAgIJAOUHvh4oho0tMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTIwNTAzMTMxODIyWhcNMTMwNTAzMTMxODIyWjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQCvK5hMPv/R5IFmwWyJOyEaFUrF/ZsmN+Gip8hvR6rLP3YPNx9iFYvPcZllFmuV
+wyaz7YT2N5BsqTwLdyi5v4HY4fUtuz0p8jIPoSd6dfDvcnSpf4QLTOgOaL3ciPEb
+gDHH2tnIksukoWzqCYva+qFZ74NFl19swXotW9fA4Jzs4QIDAQABo4GnMIGkMB0G
+A1UdDgQWBBRU1WEHDnP8Hr7ZulxrSzEwOcYpMzB1BgNVHSMEbjBsgBRU1WEHDnP8
+Hr7ZulxrSzEwOcYpM6FJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
+U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAOUHvh4o
+ho0tMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEASY/9SAOK57q9mGnN
+JJeyDbmyGrAHSJTod646xTHYkMvhUqwHyk9PTr5bdfmswpmyVn+AQ43U2tU5vnpT
+BmKpHWD2+HSHgGa92mMLrfBOd8EBZ329NL3N2HDPIaHr4NPGyhNrSK3QVOnAq2D0
+jlyrGYJlLli1NxHiBz7FCEJaVI8=
+-----END CERTIFICATE-----

data/spec/fixtures/input_1.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:wsurandom="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
+  <s:Header>
+    <a:Action s:mustUnderstand="1">http://tempuri.org/IDocumentService/SearchDocuments</a:Action>
+    <a:MessageID>urn:uuid:30db5d4f-ab84-46be-907c-be690a92979b</a:MessageID>
+    <a:ReplyTo>
+      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+    </a:ReplyTo>
+    <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:a="http://www.w3.org/2003/05/soap-envelope" a:mustUnderstand="1">http://tempuri.org/PublicServices/Test/1.0.12/PublicServices/DocumentService.svc</To>
+    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
+      <wsurandom:Timestamp>
+        <wsurandom:Created>2012-05-02T18:17:14.467Z</wsurandom:Created>
+        <wsurandom:Expires>2012-05-02T18:22:14.467Z</wsurandom:Expires>
+      </wsurandom:Timestamp>
+    </wsse:Security>
+  </s:Header>
+  <s:Body>
+    <SearchDocuments xmlns="http://tempuri.org/">
+      <searchCriteria xmlns:b="http://schemas.datacontract.org/2004/07/BusinessLogic.Data.Documents.Integration" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
+        <b:RegistrationNo>1</b:RegistrationNo>
+      </searchCriteria>
+    </SearchDocuments>
+  </s:Body>
+</s:Envelope>

data/spec/fixtures/input_2.xml

@@ -0,0 +1,7 @@
+<ApplicationRequest xmlns="http://bxd.fi/xmldata/">
+  <CustomerId>679155330</CustomerId>
+  <Command>GetUserInfo</Command>
+  <Timestamp>2010-05-10T13:22:19.847+03:00</Timestamp>
+  <Environment>PRODUCTION</Environment>
+  <SoftwareId>Petri</SoftwareId>
+</ApplicationRequest>

data/spec/fixtures/input_3_c14n_comments.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0"?>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
+  <s:Header>
+    <a:Action s:mustUnderstand="1">http://tempuri.org/IDocumentService/SearchDocuments</a:Action>
+    <a:MessageID>urn:uuid:30db5d4f-ab84-46be-907c-be690a92979b</a:MessageID>
+    <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:a="http://www.w3.org/2003/05/soap-envelope" a:mustUnderstand="1">http://tempuri.org/PublicServices/Test/1.0.12/PublicServices/DocumentService.svc</To>
+    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
+      <u:Timestamp>
+        <u:Created>2012-05-02T18:17:14.467Z</u:Created>
+        <u:Expires>2012-05-02T18:22:14.467Z</u:Expires>
+      </u:Timestamp>
+    </o:Security>
+  </s:Header>
+  <s:Body>
+    <SearchDocuments xmlns="http://tempuri.org/">
+      <searchCriteria xmlns:b="http://schemas.datacontract.org/2004/07/BusinessLogic.Data.Documents.Integration" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
+        <!-- This comment shouldn't affect digest value for digested node -->
+        <b:RegistrationNo>1</b:RegistrationNo>
+      </searchCriteria>
+    </SearchDocuments>
+  </s:Body>
+</s:Envelope>

data/spec/fixtures/input_4_with_nested_signatures.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0"?>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:wsurandom="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <s:Header>
+    <a:Action s:mustUnderstand="1">http://tempuri.org/IDocumentService/SearchDocuments</a:Action>
+    <a:MessageID>urn:uuid:30db5d4f-ab84-46be-907c-be690a92979b</a:MessageID>
+    <a:ReplyTo>
+      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+    </a:ReplyTo>
+    <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:a="http://www.w3.org/2003/05/soap-envelope" a:mustUnderstand="1">http://tempuri.org/PublicServices/Test/1.0.12/PublicServices/DocumentService.svc</To>
+    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
+      <wsurandom:Timestamp>
+        <wsurandom:Created>2012-05-02T18:17:14.467Z</wsurandom:Created>
+        <wsurandom:Expires>2012-05-02T18:22:14.467Z</wsurandom:Expires>
+      </wsurandom:Timestamp>
+    </wsse:Security>
+  </s:Header>
+  <s:Body>
+    <SearchDocuments xmlns="http://tempuri.org/">
+      <searchCriteria xmlns:b="http://schemas.datacontract.org/2004/07/BusinessLogic.Data.Documents.Integration" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
+        <b:RegistrationNo>1</b:RegistrationNo>
+      </searchCriteria>
+      <ds:Signature />
+    </SearchDocuments>
+  </s:Body>
+</s:Envelope>

data/spec/fixtures/key.pem

@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,D53BEDA3FEA82258
+
+a9x4N5JZ6qwza28OAEBWyS4s4GysgbiJf11wX2e1Ol/rHt9/PGvZCK9PSyW/haRn
+l5iT95n8Ohyr16Ngx/p02Jq3TEbs/Jsxz7+z55R5E3LvGKGZIB8Yh8dvI4ArzPsK
+QiwoegJnSWdTQnfybbbpv+11RrKtb1/H0/i9fIHDJUhch9HwNn/yZGs9uYRxVBGe
+OFLAdnCB+JG5Q5p24aWeYEWQLbYB69uc9kiV60qgfp4ZxRgdeU55eLZe48d9clG7
+8vFAjM3+Q5WcgAgthKgD2HbjgcQ11WIZyHsshRvdWukk7iir7ogbOR/20sIWc+mY
+hVdWfctYfWuheq7qwAfbvc8gSpgBRMziSI+5dFF4Ge80ahy7sxdlWJ4zNrqzTEIf
+5CyN2cC6h8fbJ95bifJFUIKDi+rpkmFtnW4eh11BOL6vYlSFaL35Kw2teRmFCk6M
+iBmIStavcfVj61ZClla3Xso5gl8Ei8EGBSuSSLT1Uq3WJ6eLh5JWkpV3+mir1HWO
+vNIl6L4zm2kngwL73NFeG7ZFMTv2yAuif3Hpr3akZudp/+qDcIcnqnmY47HsOtOb
+ArLwBalIu4zsKF5IzqGiZ6tbMgRHDbLw/HAuuYHlJF5TeMDqnQFGi09LpO6IHPBh
+ZqVKuZ1LVLgCRpvkW12z0sxfByFHKK6RvgPgR9tPdVmCBJLwCbLa7AqNDVrJNe6q
+OEwp95+7OTx1b7jVXiZ3wO0XpPWKAMXWAEGDd9YeNVdfXPgypSe4p/wJgtoCiPtz
+Mm0NNYkrl2J/brj2jd5WRk6D2BWxf6pQKULzovTCX04pNxfLBBXBlQ==
+-----END RSA PRIVATE KEY-----