money-nokogiri-xmlsec 0.0.5

data/ext/nokogiri_ext_xmlsec/nokogiri_helpers_set_attribute_id.c

@@ -0,0 +1,43 @@
+#include "xmlsecrb.h"
+
+VALUE set_id_attribute(VALUE self, VALUE rb_attr_name) {
+  xmlNodePtr node;
+  xmlAttrPtr attr;
+  xmlAttrPtr tmp;
+  xmlChar *name;
+  const xmlChar *idName;
+  
+  Data_Get_Struct(self, xmlNode, node);
+  Check_Type(rb_attr_name, T_STRING);
+  idName = (const xmlChar *)RSTRING_PTR(rb_attr_name);
+
+  // find pointer to id attribute
+  attr = xmlHasProp(node, idName);
+  if((attr == NULL) || (attr->children == NULL)) {
+    rb_raise(rb_eRuntimeError, "Can't find attribute to add register as id");
+    return Qfalse;
+  }
+  
+  // get the attribute (id) value
+  name = xmlNodeListGetString(node->doc, attr->children, 1);
+  if(name == NULL) {
+    rb_raise(rb_eRuntimeError, "Attribute %s has no value", idName);
+    return Qfalse;
+  }
+  
+  // check that we don't have that id already registered
+  tmp = xmlGetID(node->doc, name);
+  if(tmp != NULL) {
+    // rb_raise(rb_eRuntimeError, "Attribute %s is already an ID", idName);
+    xmlFree(name);
+    return Qfalse;
+  }
+  
+  // finally register id
+  xmlAddID(NULL, node->doc, name, attr);
+
+  // and do not forget to cleanup
+  xmlFree(name);
+
+  return Qtrue;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_init.c

@@ -0,0 +1,32 @@
+#include "xmlsecrb.h"
+
+VALUE rb_cNokogiri_XML_Document = T_NIL;
+VALUE rb_cNokogiri_XML_Node = T_NIL;
+VALUE rb_eSigningError = T_NIL;
+VALUE rb_eVerificationError = T_NIL;
+VALUE rb_eKeystoreError = T_NIL;
+VALUE rb_eEncryptionError = T_NIL;
+VALUE rb_eDecryptionError = T_NIL;
+
+void Init_Nokogiri_ext() {
+  VALUE XMLSec = rb_define_module("XMLSec");
+  VALUE Nokogiri = rb_define_module("Nokogiri");
+  VALUE Nokogiri_XML = rb_define_module_under(Nokogiri, "XML");
+  rb_cNokogiri_XML_Document = rb_const_get(Nokogiri_XML, rb_intern("Document"));
+  rb_cNokogiri_XML_Node = rb_const_get(Nokogiri_XML, rb_intern("Node"));
+
+  rb_define_method(rb_cNokogiri_XML_Document, "sign_with_key",            sign_with_key, 2);
+  rb_define_method(rb_cNokogiri_XML_Document, "sign_with_certificate",    sign_with_certificate, 5);
+  rb_define_method(rb_cNokogiri_XML_Document, "verify_with_rsa_key",      verify_signature_with_rsa_key, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "verify_with_named_keys",   verify_signature_with_named_keys, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "verify_with_certificates", verify_signature_with_certificates, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "encrypt_with_key",         encrypt_with_key, 2);
+  rb_define_method(rb_cNokogiri_XML_Document, "decrypt_with_key",         decrypt_with_key, 2);
+  rb_define_method(rb_cNokogiri_XML_Node,     "set_id_attribute",         set_id_attribute, 1);
+
+  rb_eSigningError      = rb_define_class_under(XMLSec, "SigningError",      rb_eRuntimeError);
+  rb_eVerificationError = rb_define_class_under(XMLSec, "VerificationError", rb_eRuntimeError);
+  rb_eKeystoreError     = rb_define_class_under(XMLSec, "KeystoreError",     rb_eRuntimeError);
+  rb_eEncryptionError   = rb_define_class_under(XMLSec, "EncryptionError",   rb_eRuntimeError);
+  rb_eDecryptionError   = rb_define_class_under(XMLSec, "DecryptionError",   rb_eRuntimeError);
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_sign_certificate.c

@@ -0,0 +1,143 @@
+#include "xmlsecrb.h"
+
+VALUE sign_with_certificate(VALUE self, VALUE rb_key_name, VALUE rb_rsa_key, VALUE rb_cert, VALUE rb_cert_issuer_name, VALUE rb_cert_serial_number) {
+  xmlDocPtr doc;
+  xmlNodePtr signNode = NULL;
+  xmlNodePtr refNode = NULL;
+  xmlNodePtr keyInfoNode = NULL;
+  xmlNodePtr x509DataNode = NULL;
+  xmlNodePtr issuerSerialNode = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *keyName;
+  char *certificate;
+  char *issuerName;
+  char *serialNumber;
+  char *rsaKey;
+  unsigned int rsaKeyLength, certificateLength;
+
+  Data_Get_Struct(self, xmlDoc, doc);
+  rsaKey = RSTRING_PTR(rb_rsa_key);
+  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
+  keyName = RSTRING_PTR(rb_key_name);
+  certificate = RSTRING_PTR(rb_cert);
+  issuerName = RSTRING_PTR(rb_cert_issuer_name);
+  serialNumber = RSTRING_PTR(rb_cert_serial_number);
+  certificateLength = RSTRING_LEN(rb_cert);
+
+  // create signature template for RSA-SHA1 enveloped signature
+  signNode = xmlSecTmplSignatureCreateNsPref(doc, xmlSecTransformInclC14NId,
+                                         xmlSecTransformRsaSha1Id, NULL, "ds");
+  if (signNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to create signature template");
+    goto done;
+  }
+
+  // add <dsig:Signature/> node to the doc
+  xmlAddChild(xmlDocGetRootElement(doc), signNode);
+
+  // add reference
+  refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
+                                        NULL, "", NULL);
+  if(refNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add reference to signature template");
+    goto done;
+  }
+
+  // add enveloped transform
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add enveloped transform to reference");
+    goto done;
+  }
+
+  // add c14n transform
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformInclC14NId) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add c14n transform to reference");
+    goto done;
+  }
+
+  // add <dsig:KeyInfo/> and <dsig:X509Data/>
+  keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
+  if(keyInfoNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add key info");
+    goto done;
+  }
+
+  // add <X509Data/>
+  x509DataNode = xmlSecTmplKeyInfoAddX509Data(keyInfoNode);
+  if(x509DataNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add X509Data node");
+    goto done;
+  }
+
+  // add <X509Certificate/>
+  if(xmlSecTmplX509DataAddCertificate(x509DataNode) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add X509Certificate node");
+    goto done;
+  }
+
+  // add <X509IssuerSerial/>
+  issuerSerialNode = xmlSecTmplX509DataAddIssuerSerial(x509DataNode);
+  if(issuerSerialNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add X509IssuerSerial node");
+    goto done;
+  }
+
+  // add <X509IssuerName/>
+  if(xmlSecTmplX509IssuerSerialAddIssuerName(issuerSerialNode, (xmlSecByte *)issuerName) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add X509IssuerName node");
+    goto done;
+  }
+
+  // add <X509SerialNumber/>
+  if(xmlSecTmplX509IssuerSerialAddSerialNumber(issuerSerialNode, (xmlSecByte *)serialNumber) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add X509SerialNumber node");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(NULL);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eSigningError, "failed to create signature context");
+    goto done;
+  }
+
+  // load private key, assuming that there is not password
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
+                                                  rsaKeyLength,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL,
+                                                  NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_raise(rb_eSigningError, "failed to load private key");
+    goto done;
+  }
+  
+  // load certificate and add to the key
+  if(xmlSecCryptoAppKeyCertLoadMemory(dsigCtx->signKey,
+                                      (xmlSecByte *)certificate,
+                                      certificateLength,
+                                      xmlSecKeyDataFormatPem) < 0) {
+    rb_raise(rb_eSigningError, "failed to load certificate");
+    goto done;
+  }
+
+  // set key name
+  if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
+    rb_raise(rb_eSigningError, "failed to set key name");
+    goto done;
+  }
+
+  // sign the template
+  if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
+    rb_raise(rb_eSigningError, "signature failed");
+    goto done;
+  }
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  return T_NIL;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_sign_rsa.c

@@ -0,0 +1,95 @@
+#include "xmlsecrb.h"
+
+// TODO the signature context probably should be a ruby instance variable
+// and separate object, instead of being allocated/freed in each method.
+
+VALUE sign_with_key(VALUE self, VALUE rb_key_name, VALUE rb_rsa_key) {
+  xmlDocPtr doc;
+  xmlNodePtr signNode = NULL;
+  xmlNodePtr refNode = NULL;
+  xmlNodePtr keyInfoNode = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *keyName;
+  char *rsaKey;
+  unsigned int rsaKeyLength;
+
+  Data_Get_Struct(self, xmlDoc, doc);
+  rsaKey = RSTRING_PTR(rb_rsa_key);
+  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
+  keyName = RSTRING_PTR(rb_key_name);
+
+  // create signature template for RSA-SHA1 enveloped signature
+  signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
+                                         xmlSecTransformRsaSha1Id, NULL);
+  if (signNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to create signature template");
+    goto done;
+  }
+
+  // add <dsig:Signature/> node to the doc
+  xmlAddChild(xmlDocGetRootElement(doc), signNode);
+
+  // add reference
+  refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
+                                        NULL, NULL, NULL);
+  if(refNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add reference to signature template");
+    goto done;
+  }
+
+  // add enveloped transform
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add enveloped transform to reference");
+    goto done;
+  }
+
+  // add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the signed
+  // document
+  keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
+  if(keyInfoNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add key info");
+    goto done;
+  }
+  if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add key name");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(NULL);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eSigningError, "failed to create signature context");
+    goto done;
+  }
+
+  // load private key, assuming that there is no password
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
+                                                  rsaKeyLength,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL,
+                                                  NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_raise(rb_eSigningError, "failed to load private pem key");
+    goto done;
+  }
+
+  // set key name
+  if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
+    rb_raise(rb_eSigningError, "failed to set key name");
+    goto done;
+  }
+
+  // sign the template
+  if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
+    rb_raise(rb_eSigningError, "signature failed");
+    goto done;
+  }
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  return T_NIL;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_certificates.c

@@ -0,0 +1,96 @@
+#include "xmlsecrb.h"
+
+static xmlSecKeysMngrPtr getKeyManager(VALUE rb_certs) {
+  int i, numCerts = RARRAY_LEN(rb_certs);
+  xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
+  VALUE rb_cert;
+  char *cert;
+  unsigned int certLength;
+  int numSuccessful = 0;
+
+  if (keyManager == NULL) return NULL;
+
+  if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
+    rb_raise(rb_eKeystoreError, "could not initialize key manager");
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  for (i = 0; i < numCerts; i++) {
+    rb_cert = RARRAY_PTR(rb_certs)[i];
+    Check_Type(rb_cert, T_STRING);
+    cert = RSTRING_PTR(rb_cert);
+    certLength = RSTRING_LEN(rb_cert);
+
+    if(xmlSecCryptoAppKeysMngrCertLoadMemory(keyManager,
+                                             (xmlSecByte *)cert,
+                                             certLength,
+                                             xmlSecKeyDataFormatPem,
+                                             xmlSecKeyDataTypeTrusted) < 0) {
+      rb_warn("failed to load certificate at index %d", i);
+    } else {
+      numSuccessful++;
+    }
+  }
+
+  // note, numCerts could be zero, meaning that we should use system SSL certs
+  if (numSuccessful == 0 && numCerts != 0) {
+    rb_raise(rb_eKeystoreError, "Could not load any of the specified certificates for signature verification");
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  return keyManager;
+}
+
+VALUE verify_signature_with_certificates(VALUE self, VALUE rb_certs) {
+  xmlDocPtr doc;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  VALUE result = Qfalse;
+
+  Check_Type(rb_certs, T_ARRAY);
+  Data_Get_Struct(self, xmlDoc, doc);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_raise(rb_eVerificationError, "start node not found");
+    goto done;
+  }
+
+  keyManager = getKeyManager(rb_certs);
+  if (keyManager == NULL) {
+    rb_raise(rb_eKeystoreError, "failed to create key manager");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(keyManager);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eVerificationError, "failed to create signature context");
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_raise(rb_eVerificationError, "error occurred during signature verification");
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  return result;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_named_keys.c

@@ -0,0 +1,106 @@
+#include "xmlsecrb.h"
+
+static int addRubyKeyToManager(VALUE rb_key, VALUE rb_value, VALUE rb_manager) {
+  xmlSecKeysMngrPtr keyManager = (xmlSecKeysMngrPtr)rb_manager;
+  char *keyName, *keyData;
+  unsigned int keyDataLength;
+  xmlSecKeyPtr key;
+
+  Check_Type(rb_key, T_STRING);
+  Check_Type(rb_value, T_STRING);
+  keyName = RSTRING_PTR(rb_key);
+  keyData = RSTRING_PTR(rb_value);
+  keyDataLength = RSTRING_LEN(rb_value);
+
+  // load key
+  key = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)keyData,
+                                     keyDataLength,
+                                     xmlSecKeyDataFormatPem,
+                                     NULL, // password
+                                     NULL, NULL);
+  if (key == NULL) {
+    rb_warn("failed to load '%s' public or private pem key", keyName);
+    return ST_CONTINUE;
+  }
+
+  // set key name
+  if (xmlSecKeySetName(key, BAD_CAST keyName) < 0) {
+    rb_warn("failed to set key name for key '%s'", keyName);
+    return ST_CONTINUE;
+  }
+  
+  // add key to key manager; from now on the manager is responsible for
+  // destroying the key
+  if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(keyManager, key) < 0) {
+    rb_warn("failed to add key '%s' to key manager", keyName);
+    return ST_CONTINUE;
+  }
+
+  return ST_CONTINUE;
+}
+
+static xmlSecKeysMngrPtr getKeyManager(VALUE rb_hash) {
+  xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
+  if (keyManager == NULL) return NULL;
+  if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
+    rb_raise(rb_eKeystoreError, "could not initialize key manager");
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  rb_hash_foreach(rb_hash, addRubyKeyToManager, (VALUE)keyManager);
+
+  return keyManager;
+}
+
+VALUE verify_signature_with_named_keys(VALUE self, VALUE rb_hash) {
+  xmlDocPtr doc;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  VALUE result = Qfalse;
+
+  Check_Type(rb_hash, T_HASH);
+  Data_Get_Struct(self, xmlDoc, doc);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_raise(rb_eVerificationError, "start node not found");
+    goto done;
+  }
+
+  keyManager = getKeyManager(rb_hash);
+  if (keyManager == NULL) {
+    rb_raise(rb_eKeystoreError, "failed to create key manager");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(keyManager);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eVerificationError, "failed to create signature context");
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_raise(rb_eVerificationError, "signature could not be verified");
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  return result;
+}