nemid 0.1.0

data/lib/nemid/ocsp/errors.rb

@@ -0,0 +1,29 @@
+module NemID
+  module OCSP
+    class Error < StandardError ; end
+    
+    class InvalidSignatureError < Error
+      def initialize(msg='Response is not signed by a trusted certificate')
+        super(msg)
+      end
+    end
+
+    class NoStatusError < Error
+      def initialize(msg='basic_response does not have the status for the certificate')
+        super(msg)
+      end
+    end
+
+    class InvalidUpdateError < Error
+      def initialize(msg='this_update is in the future or next_update time has passed')
+        super(msg)
+      end
+    end
+
+    class NonceError < Error
+      def initialize(msg='Nonces both present and not equal')
+        super(msg)
+      end
+    end
+  end
+end

data/lib/nemid/pid_cpr.rb

@@ -0,0 +1,68 @@
+require 'savon'
+
+module NemID
+  class PIDCPR
+    PID_SERVICE_URL = 'https://pidws.pp.certifikat.dk/pid_serviceprovider_server/pidws'
+
+    def initialize(spid, cert, pass)
+      @crypto = NemID::Crypto.new(cert, pass)
+      @spid = spid
+    end
+
+=begin
+    STATUS CODE RESPONSES:
+    O = OK (”OK", "OK") 
+    1 = NO_MATCH ("CPR svarer ikke til PID", "CPR does not match PID")
+    2 = NO_PID ("PID eksisterer ikke", "PID doesn't exist") 
+    4 = NO_PID_IN_CERTIFICATE ("PID kunne ikke findes i certifikatet", "No PID in certificate") 
+    8 = NOT_AUTHORIZED_FOR_CPR_LOOKUP ("Der er ikke rettighed til at foretage CPR opslag", "Caller not authorized for CPR lookup") 
+    16 = BRUTE_FORCE_ATTEMPT_DETECTED ("Forsøg på systematisk søgning på CPR", "Brute force attempt detected") 
+    17 = NOT_AUTHORIZED_FOR_SERVICE_LOOKUP ( "Der er ikke rettighed til at foretage opslag på service", "Caller not authorized for service lookup") 
+    4096 = NOT_PID_SERVICE_REQUEST ("Modtaget message ikke pidCprRequest eller pidCprServerStatus", "Non request XML received") 
+    8192 = XML_PARSE_ERROR ("XML pakke kan ikke parses", "Non parsable XML received") 
+    8193 = XML_VERSION_NOT_SUPPORTED ("Version er ikke understøttet", "Version not supported") 
+    8194 = PID_DOES_NOT_MATCH_BASE64_CERTIFICATE ("PID stemmer med ikke med certifikat", "PID does not match certifikat") 
+    8195 = MISSING_CLIENT_CERT ("Klient certifikat ikke præsenteret", "No client certificate presented") 
+    16384 = INTERNAL_ERROR ("Intern DanID fejl", "Internal DanID error")
+=end
+    def match pid:, cpr:
+      response = soap_client.call(:pid,
+        message: build_soap_message(pid: pid, cpr: cpr)
+      )
+    
+      result = response.to_hash[:pid_response][:result][:pid_reply]
+      
+      if result[:status_code] == "0"
+        true
+      else
+        false
+      end
+    end
+
+    private
+    def build_soap_message pid:, cpr:
+      {
+        :pIDRequests => {
+          :PIDRequest => {
+            PID: pid,
+            CPR: cpr,
+            serviceId: @spid,
+          }
+        }
+      }
+    end
+
+    def soap_client
+      options = {
+        :wsdl => "#{PID_SERVICE_URL}?WSDL",
+        :soap_version => 1,
+        :endpoint => PID_SERVICE_URL,
+        :convert_request_keys_to => :none,
+        :ssl_cert => @crypto.get_certificate,
+        :ssl_cert_key => @crypto.get_key,
+        :headers => { 'SOAPAction' => ''}
+      }
+      return Savon.client(options)
+    end
+  end 
+end

data/lib/nemid/version.rb

@@ -0,0 +1,3 @@
+module NemID
+  VERSION = "0.1.0"
+end

data/lib/nemid/xmldsig.rb

@@ -0,0 +1,35 @@
+require 'xmldsig'
+
+module NemID
+  module XMLDSig
+    NAMESPACES = {
+      'ds' => 'http://www.w3.org/2000/09/xmldsig#',
+      'openoces' => 'http://www.openoces.org/2006/07/signature#',
+      "ec"  => "http://www.w3.org/2001/10/xml-exc-c14n#",
+      "wsu" => "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+    }
+    
+    # The "referenced_node" method needs to be overridden since NemID uses 
+    # "Id" (as opposed to ID or wsu:Id) as the attribute name in the "Signature" 
+    # element of the XML document.
+    Xmldsig::Reference.class_eval do
+      def referenced_node
+        if reference_uri && reference_uri != ""
+          id = reference_uri[1..-1]
+          if ref = document.dup.at_xpath("//*[@ID='#{id}' or @Id='#{id}' or @wsu:Id='#{id}']", NAMESPACES)
+            ref
+          else
+            raise(
+                ReferencedNodeNotFound,
+                "Could not find the referenced node #{id}'"
+            )
+          end
+        else
+          document.dup.root
+        end
+      end
+    end
+  end
+end
+
+require_relative "xmldsig/document"

data/lib/nemid/xmldsig/document.rb

@@ -0,0 +1,75 @@
+require 'nokogiri'
+
+module NemID
+  module XMLDSig
+    class Document < Xmldsig::SignedDocument
+      def initialize(document, options = {})
+        super
+        @store = OpenSSL::X509::Store.new
+        @user_certificate = nil
+        extract_and_store_certificates
+      end
+
+      def extract_pid_or_rid
+        return @user_certificate.subject.to_a.assoc("serialNumber")[1]
+      end
+
+      def get_user_certificate
+        return @user_certificate
+      end
+
+      def user_certificate_expired?
+        @user_certificate.not_after < Time.now.utc
+      end
+
+      def user_certificate_revoked?
+        ocsp.request(
+          subject: @user_certificate,
+          issuer: @intermediate_cert,
+          ca: @root_cert
+        )
+      rescue NemID::OCSP::Error
+        return true
+      end
+
+      def validate_certificate_chain
+        @store.verify(@user_certificate)
+      end
+      
+      def validate_signature
+        validate(@user_certificate)
+      end
+      
+      private
+      def certificates
+        xpath = '//ds:KeyInfo/ds:X509Data/ds:X509Certificate'
+        document.xpath(xpath, NAMESPACES).each
+      end
+
+      def extract_and_store_certificates
+        certificates.each do |element|
+          cert = x509_certificate(Base64.decode64(element.text))
+          cert_key_usage = cert.find_extension('keyUsage').value
+          
+          if (cert_key_usage =~ /Digital Signature/)
+            @user_certificate = cert
+          elsif cert.issuer.cmp(cert.subject) == 0
+            @root_cert = cert
+            @store.add_cert(cert)
+          else
+            @intermediate_cert = cert
+            @store.add_cert(cert)
+          end
+        end
+      end
+
+      def ocsp
+        @ocsp ||= NemID::OCSP
+      end
+
+      def x509_certificate(raw)
+        OpenSSL::X509::Certificate.new(raw)
+      end
+    end
+  end
+end

data/nemid.gemspec

@@ -0,0 +1,32 @@
+require_relative 'lib/nemid/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "nemid"
+  spec.version       = NemID::VERSION
+  spec.authors       = ["David Cabeza"]
+  spec.email         = ["david@meew.dk"]
+
+  spec.summary       = %q{Ruby gem that makes it easy to integrate the NemID JavaScript client}
+  #spec.description   = %q{TODO: Write a longer description or delete this line.}
+  spec.homepage      = "https://github.com/davideluque/nemid"
+  spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.5.0")
+
+  spec.add_dependency 'openssl', '~> 2.2', '>= 2.2.0'
+  spec.add_dependency 'savon', '~> 2.12.0', '>=2.12.0'
+  spec.add_dependency 'xmldsig', '~> 0.6.6', '>= 0.6.6'
+
+  spec.metadata["allowed_push_host"] = "https://rubygems.org"
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/davideluque/nemid"
+  #spec.metadata["changelog_uri"] = "TODO: Put your gem's CHANGELOG.md URL here."
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+end

metadata

@@ -0,0 +1,139 @@
+--- !ruby/object:Gem::Specification
+name: nemid
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- David Cabeza
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-09-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+- !ruby/object:Gem::Dependency
+  name: savon
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.12.0
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.12.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.12.0
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.12.0
+- !ruby/object:Gem::Dependency
+  name: xmldsig
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.6
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.6.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.6
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.6.6
+description: 
+email:
+- david@meew.dk
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/nemid.rb
+- lib/nemid/authentication.rb
+- lib/nemid/authentication/params.rb
+- lib/nemid/authentication/response.rb
+- lib/nemid/crypto.rb
+- lib/nemid/errors.rb
+- lib/nemid/errors/app.rb
+- lib/nemid/errors/auth.rb
+- lib/nemid/errors/can.rb
+- lib/nemid/errors/capp.rb
+- lib/nemid/errors/lib.rb
+- lib/nemid/errors/lock.rb
+- lib/nemid/errors/oces.rb
+- lib/nemid/errors/srv.rb
+- lib/nemid/errors/validation.rb
+- lib/nemid/ocsp.rb
+- lib/nemid/ocsp/errors.rb
+- lib/nemid/pid_cpr.rb
+- lib/nemid/version.rb
+- lib/nemid/xmldsig.rb
+- lib/nemid/xmldsig/document.rb
+- nemid.gemspec
+homepage: https://github.com/davideluque/nemid
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/davideluque/nemid
+  source_code_uri: https://github.com/davideluque/nemid
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: Ruby gem that makes it easy to integrate the NemID JavaScript client
+test_files: []