nemid 0.1.0

data/lib/nemid/errors/capp.rb

@@ -0,0 +1,105 @@
+module NemID
+  module Errors
+    class CAPPError < ResponseError
+      def initialize(msg='')
+        super(msg)
+      end
+    end
+
+    class CAPP001Error < CAPPError 
+      def initialize
+        @da = "Nøgleappen kunne ikke blive indskrevet på grund af krænkelse af app'ens begrænsede identites type."
+        @en = "The code app could not be enrolled due to violation of the app's restricted identity type."
+        super
+      end
+    end
+
+    class CAPP002Error < CAPPError
+      def initialize
+        @da = "Din nøgleapp kunne ikke blive indskrevet på grund af krænkelse af suspensionsreglerne."
+        @en = "Your code app could not be enrolled due to violation of the suspension rules."
+        super
+      end
+    end
+    
+    class CAPP003Error < CAPPError
+      def initialize
+        @da = "Din nøgleapp kunne ikke blive indskrevet på grund af, at dens app id ikke er i en aktiv status."
+        @en = "Your code app could not be enrolled due to its app id is not in status active."
+        super
+      end
+    end
+    
+    class CAPP004Error < CAPPError
+      def initialize
+        @da = "Din nøgleapp er suspenderet eller spærret. Prøv at opdatere din nøgleapp."
+        @en = "Your code app is suspended or revoked. Please try and update your code app."
+        super
+      end
+    end
+    
+    class CAPP006Error < CAPPError
+      def initialize
+        @da = "Din nøgleapp kunne ikke blive aktiveret, da den ikke kunne blive fundet for brugeren der loggede ind."
+        @en = "Your code app could not be activated as it could not be found for the user who logged in."
+        super
+      end
+    end
+    
+    class CAPP007Error < CAPPError
+      def initialize
+        @da = "Din nøgleapp kunne ikke blive aktiveret, da den ikke har den korrekte status (VALIDATIONS_MISSING)."
+        @en = "Your code app could not be activated as it did not have the correct status (VALIDATION_MISSING)."
+        super
+      end
+    end
+    
+    class CAPP008Error < CAPPError
+      def initialize
+        @da = "Din nøgleapp kunne ikke blive aktiveret, da venteperioden ikke er uløbet."
+        @en = "Your code app could not be activated as the waiting period has not expired."
+        super
+      end
+    end
+    
+    class CAPP009Error < CAPPError
+      def initialize
+        @da = "Din nøgleapp kunne ikke blive aktiveret, da venteperioden ikke er uløbet."
+        @en = "Your code app could not be activated as the waiting period has not expired."
+        super
+      end
+    end
+    
+    class CAPP010Error < CAPPError
+      def initialize
+        @da = "Nulstilling af din nøgeleapps pin kunne ikke blive fuldført, da din nøgleapp ikke er i en aktiv status."
+        @en = "The reset of your code app pin could not be done as the code app is not in status active."
+        super
+      end
+    end
+    
+    class CAPP011Error < CAPPError
+      def initialize
+        @da = "Valideringen af admin action challenge fejlede."
+        @en = "The validation of the admin action challenge failed."
+        super
+      end
+    end
+    
+    class CAPP012Error < CAPPError
+      def initialize
+        @da = "Din nøgleapp kunne ikke blive indskrefvet, da dens app id ikke eksisterer."
+        @en = "Your code app could not be enrolled as the code app id does not exist."
+        super
+      end
+    end
+    
+    class CAPP013Error < CAPPError
+      def initialize
+        @da = "Din nøgleapp kunne ikke blive indskrevet på grund af forkert software fingeraftryk eller manglende whitelist af software fingeraftryk."
+        @en = "Your code app could not be enrolled due to incorrect software fingerprint or missing whitelist of software fingerprint"
+        super
+      end
+    end
+  end
+end

data/lib/nemid/errors/lib.rb

@@ -0,0 +1,19 @@
+module NemID
+  module Errors
+    class LIBError < ResponseError
+      def initialize(msg='')
+        super(msg)
+      end
+    end
+
+    class LIB002Error < LIBError
+      def initialize
+        @da = "Der er opstået en teknisk fejl på grund af netværksproblemer. Forsøg igen. " \
+        "Kontakt support, hvis problemet fortsætter."
+        @en = "A technical error has occurred due to network issues. Please try again. " \
+        "Contact support if the problem persists"
+        super
+      end
+    end
+  end
+end

data/lib/nemid/errors/lock.rb

@@ -0,0 +1,48 @@
+module NemID
+  module Errors
+    class LOCKError < ResponseError
+      DA_SUPPORT_URL = '[https://www.nemid.nu/dk-da/support/faa_hjaelp_til_nemid/kontakt/]'
+      EN_SUPPORT_URL = '[https://www.nemid.nu/dk-en/support/contact/]'
+
+      def initialize(msg='')
+        super(msg)
+      end
+    end
+
+    class LOCK001Error < LOCKError
+      def initialize
+        @da = "Du har angivet forkert bruger-id eller adgangskode for mange gange. " \
+        "NemID er nu spærret i 8 timer, hvorefter du kan forsøge igen Har du " \
+        "glemt din adgangskode kan du finde hjælp her #{DA_SUPPORT_URL}. " 
+        @en = "You have used the wrong user ID or password too many times. " \
+        "Your NemID is now blocked for 8 hours after which you can try again. " \
+        "If you have forgotten your password you can find support here " \
+        "#{EN_SUPPORT_URL}"
+        super
+      end
+    end
+
+    class LOCK002Error < LOCKError
+      def initialize
+        @da = "Du har angivet en forkert adgangskode for mange gange. " \
+        "Dit NemID er spærret. Kontakt NemID support for at få adgang til dit " \
+        "NemID igen. #{DA_SUPPORT_URL}"
+        @en = "You have used a wrong password too many times. Your NemID is " \
+        "blocked and cannot be used. To get help with this problem, Please contact " \
+        "NemID support. #{EN_SUPPORT_URL}"
+        super
+      end
+    end
+
+    class LOCK003Error < LOCKError
+      def initialize
+        @da = "Du har angivet forkert NemID nøgle for mange gange. " \
+        "Dit NemID er spærret. Kontakt NemID support for at få adgang til dit " \
+        "NemID igen.#{DA_SUPPORT_URL}"
+        @en = "You have entered a wrong NemID key too many times. Your NemID is " \
+        "blocked and cannot be used.  Please contact NemID support. #{EN_SUPPORT_URL}"
+        super
+      end
+    end
+  end
+end

data/lib/nemid/errors/oces.rb

@@ -0,0 +1,85 @@
+module NemID
+  module Errors
+    class OCESError < ResponseError
+      def initialize(msg='')
+        super(msg)
+      end
+    end
+
+    class OCES001Error < OCESError
+      def initialize
+        @da = "Du har kun NemID til netbank. Ønsker du at bruge NemID til andre " \
+        "hjemmesider, skal du tilknytte en offentlig digital signatur til dit NemID. " \
+        "[https://service.nemid.nu/dk-da/bestil_nemid/bestil_offentlig_digital_signatur_til_dit_nemid/]."
+        @en = "You only have NemID for online banking. If you wish to use NemID for " \
+        "other public or private services, you must affiliate a public digital " \
+        "signature to your NemID " \
+        "[https://service.nemid.nu/dk-da/bestil_nemid/bestil_offentlig_digital_signatur_til_dit_nemid/]"
+        super
+      end
+    end
+    
+    class OCES002Error < OCESError
+      def initialize
+        @da = "Ønsker du at bruge NemID til andet end netbank, skal du først " \
+        "tilknytte en offentlig digital signatur. Det kan du gøre ved at lave en " \
+        "almindelig NemID bestilling. " \
+        "Bestil NemID [https://service.nemid.nu/dk-da/bestil_nemid/]."
+        @en = "If you wish to use NemID for other services than online banking, " \
+        "you have to affiliate a public digital signature to your NemID. " \
+        "You can do this by starting the regular NemID order flow, which will " \
+        "then order the needed public digital signature. " \
+        "Request NemID [https://service.nemid.nu/dk-da/bestil_nemid/]"
+        super
+      end
+    end
+    
+    class OCES003Error < OCESError
+      def initialize
+        @da = "Der er ikke tilknyttet en offentlig digital signatur til " \
+        "det NemID du har forsøgt at logge på med. Hvis du tidligere har logget " \
+        "ind hos os med NemID, kan fejlen skyldes, at du har flere NemID, og har " \
+        "brugt et andet end normalt."
+        @en = "You have attempted to log on using a NemID with no public " \
+        "digital signature. If you previously have logged on to our service " \
+        "using your NemID, the error can be due to having more than one NemID and " \
+        "having used a different NemID than normally."
+        super
+      end
+    end
+
+    class OCES004Error < OCESError
+      def initialize
+        @da = "Du kan kun bruge dette NemID til netbank."
+        @en = "You can only use this NemID for your online banking service."
+        super
+      end
+    end
+
+    class OCES005Error < OCESError
+      def initialize(msg="The service provider is advised to perform a reload of " \
+        "the client so the user can try again. Also, if the problem persists, refer to Support.")
+        @da = "Udstedelsen af din offentlige digitale signatur mislykkedes. "  \
+        "Forsøg venligst igen. Hvis problemet fortsætter, kontakt NemID support " \
+        "[https://www.nemid.nu/dk-da/support/faa_hjaelp_til_nemid/kontakt/]"
+        @en = "Issuing your public digital signature failed. Please try again. " \
+        "If the problem persists contact NemID support " \
+        "[https://www.nemid.nu/dk-en/support/contact/]"
+        super
+      end
+    end
+
+    class OCES006Error < OCESError
+      def initialize
+        @da = "Du har ikke en aktiv offentlig digital signatur tilknyttet " \
+        "NemID i øjeblikket. Ved bestilling af NemID vil du blive tilbudt at knytte " \
+        "en signatur til dit nuværende NemID. Bestil NemID [https://service.nemid.nu/dk-da/bestil_nemid/]."
+        @en = "You currently don’t have an active public digital signature " \
+        "(OCES certificate) affiliated with your NemID. To get this, start the regular " \
+        "NemID order flow after which you will be asked to affiliate a public " \
+        "digital signature with your current NemID. Request NemID [https://service.nemid.nu/dk-da/bestil_nemid/]"
+        super  
+      end
+    end
+  end
+end

data/lib/nemid/errors/srv.rb

@@ -0,0 +1,72 @@
+module NemID
+  module Errors
+    class SRVError < ResponseError
+      def initialize(msg='')
+        @da = "Der er opstået en teknisk fejl. Forsøg igen. " \
+        "Kontakt support, hvis problemet fortsætter."
+        @en = "A technical error has occurred. Please try again. " \
+        "Contact support if the problem persists. "
+        super(msg)
+      end
+    end
+
+    class SRV001Error < SRVError; end
+
+    class SRV002Error < SRVError; end
+
+    class SRV003Error < SRVError; end
+
+    class SRV004Error < SRVError
+      def initialize
+        super
+        @da = "Der er opstået en teknisk fejl. Kontakt NemID support " \
+        "[https://www.nemid.nu/dk-da/support/faa_hjaelp_til_nemid/kontakt/]."
+        @en = "A technical error has occurred. Please contact NemID support. " \
+        "[https://www.nemid.nu/dk-en/support/contact/]"
+      end
+    end
+
+    class SRV005Error < SRVError; end
+
+    class SRV006Error < SRVError
+      def initialize
+        super
+        @da = "Tidsgrænse er overskredet. Forsøg venligst igen."
+        @en = "Time limit exceeded. Please try again."
+      end
+    end
+
+    class SRV007Error < SRVError
+      def initialize
+        super
+        @da = "Opdater venligst til nyeste version af appen."
+        @en = "Please update to the most recent version of the app."
+      end
+    end
+
+    class SRV008Error < SRVError
+      def initialize(msg='Fix the integration issue.')
+        super
+        @da = "Der er opstået en teknisk fejl. Kontakt support."
+        @en = "A technical error has occurred. Contact support."
+      end
+    end
+
+    class SRV010Error < SRVError
+      def initialize(msg="There could be a problem with the enrollment of the " \
+        "Service Provider’s VOCES certificate or its validity. Contact NemID for support.")
+        super
+      end
+    end
+
+    class SRV011Error < SRVError
+      def initialize(msg="Fix the integration issue. The value specified in the " \
+        "TRANSACTION_CONTEXT parameter to the JS Client was longer than the " \
+        "allowed 100 characters.")
+        super
+        @da = "Der er opstået en teknisk fejl. Kontakt support."
+        @en = "A technical error has occurred. Contact support."
+      end
+    end
+  end
+end

data/lib/nemid/errors/validation.rb

@@ -0,0 +1,31 @@
+module NemID
+  module Errors
+    class ResponseValidationError < ResponseError ; end
+
+    class InvalidSignature < ResponseValidationError
+      def initialize(
+        msg = "Invalid signature in the XML Document. Data might be altered."
+      )
+      super(msg)
+      end
+    end
+
+    class InvalidCertificateChain < ResponseValidationError
+      def initialize(msg = "Invalid certificate chain.")
+        super(msg)
+      end
+    end
+
+    class UserCertificateExpired < ResponseValidationError
+      def initialize(msg = "User certificate has expired.")
+        super(msg)
+      end
+    end
+
+    class UserCertificateRevoked < ResponseValidationError
+      def initialize(msg = "User certificate has been revoked by CA.")
+        super(msg)
+      end
+    end
+  end
+end

data/lib/nemid/ocsp.rb

@@ -0,0 +1,81 @@
+require_relative 'ocsp/errors'
+require 'net/http'
+require 'uri'
+
+module NemID
+  module OCSP
+    def self.request subject:, issuer:, ca:
+      digest = OpenSSL::Digest::SHA1.new
+      certificate_id = OpenSSL::OCSP::CertificateId.new(subject, issuer, digest)
+
+      request = OpenSSL::OCSP::Request.new
+      request.add_certid(certificate_id)
+      request.add_nonce
+      
+      ocsp_uris = subject.ocsp_uris
+      ocsp_uri = URI ocsp_uris[0]
+
+      http_response = Net::HTTP.start ocsp_uri.hostname do |http|
+        http.post ocsp_uri.path, request.to_der,
+        'content-type' => 'application/ocsp-request'
+      end
+
+      response = OpenSSL::OCSP::Response.new http_response.body
+      response_basic = response.basic
+
+      response_has_valid_signature?(response_basic, subject, issuer, ca)
+
+      single_response = response_basic.find_response(certificate_id)
+
+      response_has_status_and_is_valid?(single_response)
+
+      raise NonceError if request.check_nonce(response_basic) == 0
+
+      return cert_status(single_response)
+    end
+
+    private
+    
+    # Returns +true+ if the certificate has been revoked or its unknown, 
+    # +false+ otherwise.
+    def self.cert_status(single_response)
+      case single_response.cert_status
+      when OpenSSL::OCSP::V_CERTSTATUS_GOOD
+        return false
+      when OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+        return true
+      when OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+        return true
+      end
+    end
+
+    def self.check_validity(single_response)
+      unless single_response.check_validity
+        raise InvalidUpdateError
+      end
+      
+      return true
+    end
+
+    def self.response_has_status_and_is_valid?(single_response)
+      unless single_response
+        raise NoStatusError
+      end
+
+      return check_validity(single_response)
+    end
+
+    def self.response_has_valid_signature?(response_basic, subject, issuer, ca)
+      store = OpenSSL::X509::Store.new
+      store.add_cert(subject)
+      store.add_cert(issuer)
+      store.add_cert(ca)
+
+      unless response_basic.verify [], store then
+        raise InvalidSignatureError
+      end
+
+      return true
+    end
+  end
+end