nokogiri-xmlsec-instructure 0.9.4

data/lib/xmlsec/version.rb

@@ -0,0 +1,3 @@
+module Xmlsec
+  VERSION = '0.9.4'
+end

data/nokogiri-xmlsec-instructure.gemspec

@@ -0,0 +1,39 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'xmlsec/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "nokogiri-xmlsec-instructure"
+  spec.version       = Xmlsec::VERSION
+  spec.authors       = ["Albert J. Wong", "Cody Cutrer"]
+  spec.email         = ["awong.dev@gmail.com", "cody@instructure.com"]
+  spec.description   = %q{Adds support to Ruby for encrypting, decrypting,
+    signing and validating the signatures of XML documents, according to the
+    [XML Encryption Syntax and Processing](http://www.w3.org/TR/xmlenc-core/)
+    standard, and the [XML Signature Syntax and Processing](http://www.w3.org/TR/xmldsig-core/)
+    standard by wrapping around the [xmlsec](http://www.aleksey.com/xmlsec) C
+    library and adding relevant methods to `Nokogiri::XML::Document`.
+    Implementation is based off nokogiri-xmlsec by Colin MacKenzie IV with
+    very heavy modifications.}
+  spec.summary       = %q{Wrapper around http://www.aleksey.com/xmlsec to
+    support XML encryption, decryption, signing and signature validation in
+    Ruby}
+  spec.homepage      = "https://github.com/instructure/nokogiri-xmlsec-instructure"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  spec.extensions = %w{ext/nokogiri_ext_xmlsec/extconf.rb}
+
+  spec.add_dependency 'nokogiri'
+  
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rake-compiler"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "guard-rspec"
+  spec.add_development_dependency "guard-rake"
+end

data/spec/fixtures/cert/server.crt

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLzCCAZgCCQCVuhhQ38rw0TANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJV
+UzEQMA4GA1UECAwHR2VvcmdpYTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTAgFw0xMzA1MjUxODQwMDRa
+GA8zMDEyMDkyNTE4NDAwNFowWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3Jn
+aWExITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwO
+d3d3Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALE4oSql
+eymfHtzOeY86WyvfsjZmaz2XnIo9dzZsK71yMEKkgvXQnnYy9pK0NaYcG0B0hcii
+3fqGBiHMkZY2BOGWwCC/wOmJCzLq9q6caPWUs71Zko+h59LaqV93vzDmZaXYfFoQ
+gSVEWpEpCSo560x0mSuLnJYdQQzZ/L6xvxZ1AgMBAAEwDQYJKoZIhvcNAQEFBQAD
+gYEATyK/RlfpohUVimgFkycTF2hyusjctseXoZDCctgg/STMsL8iA0P9YB6k91GC
+kWpwevuiwarD1MfSUV6goPINFkIBvfK+5R9lpHaTqqs615z8T9R5VJgaLcFe3tWd
+7oq3V2q5Nl6MrZfXj2N07qe6/9zfdauxYO26vAEKCvIkbMo=
+-----END CERTIFICATE-----

data/spec/fixtures/cert/server.csr

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBmzCCAQQCAQAwWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExITAf
+BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwOd3d3Lmdv
+b2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALE4oSqleymfHtzO
+eY86WyvfsjZmaz2XnIo9dzZsK71yMEKkgvXQnnYy9pK0NaYcG0B0hcii3fqGBiHM
+kZY2BOGWwCC/wOmJCzLq9q6caPWUs71Zko+h59LaqV93vzDmZaXYfFoQgSVEWpEp
+CSo560x0mSuLnJYdQQzZ/L6xvxZ1AgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQB6
+8K0q16EAkGoYLFHvVHxpqk+annbB8ZqpbV43T12Ngx7KiMsdTjrgho0lP/OllHcr
+3vQ0yHnI1K1EeV9Q+/lXqaRl9ws3PL1QMOFm4XD1uIEPG+umRYgrjuZhFab+2Zfs
+rgyILF2yRSy0oVeTBxVK5igV6qYcXFFBRIj7nnV8Jg==
+-----END CERTIFICATE REQUEST-----

data/spec/fixtures/cert/server.key.decrypted

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCxOKEqpXspnx7cznmPOlsr37I2Zms9l5yKPXc2bCu9cjBCpIL1
+0J52MvaStDWmHBtAdIXIot36hgYhzJGWNgThlsAgv8DpiQsy6vaunGj1lLO9WZKP
+oefS2qlfd78w5mWl2HxaEIElRFqRKQkqOetMdJkri5yWHUEM2fy+sb8WdQIDAQAB
+AoGAB1d8PcMLPicsZSNcn9VgD4o93MkTakLMpmFzfdqvWTLQ0wHztvFEj0r/Mgar
+Lk19x4bMQAqXPZitylqqMVndi9U8squvAvkZcgYL57MNQRgmLtjSMfk4wCY9ieDa
+newt4cP7nGN/ZkU5R0lRMGExKSrMZW8HAkK4WJpbfnOpwGECQQDkoggBRH4aFlaj
+Xhw+mSIxOpmzFBhXZ0z+bvoCipPKIhbnwKt0dupn0xAwatNmakBt0p46SFOgW8QQ
+TV51G/bdAkEAxm8yEod77IM6bhLL+3h/nsGOGsA0xs22U6FBrz34Nvd4gwmICMcF
+t4P3iHYzJfUt+Z2zv5ucX2tuD4uoWsqIeQJAercdZNDGfmoPBpC0yESZPaMebCgV
+CJTBlq8qMcL/oDa75Jhdbp2FI0T+I36zCP1up4OsucuoVyHqEnX0hRcFYQJAD3Nz
+E6xHAviI4S9HgNI2JbduiDi1I1G7Q7HHuox5ulX0pUdlt0E/+bUl3hNOEkOQC+Ky
+r1W/jFKCJGW8ey1QCQJAYDh1BmlLswafEnkNmwydNz4gVflHJvsF8A1c2wJVytkT
+3HVWvwOAfcumDNDNkSUJ+0DQs17qgOMCDwFgFzUb+Q==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/cert/server.key.encrypted

@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,6F8CC52C2E211FF4
+
+T5g21oYrsS435g2GRNBFs+IwpKYAsF0RDt9SNuCXp6hD2MbcF3q8Su/wvj9inAZi
+S7V8Qp8mmBsjo+vh0oTggVFmk7/fyTAa6ltQL+1UH7b8vecgGFKSBV8TG3+k9S4C
+ZgXyR9pTgzQx+8M5LrnOnM8fpf638xouHvMo7zTFPhimehIMrMcXAyRZaRfcDhlg
+YR+JRvSa0Q9vxhsC19fjfnlU7FdV8B9Ypo/+23TNmKpfU99oV6oPNoiWzkziKtvZ
+mwYjrYw6r91ANFCRIux5+CjfOqVxissxzmZ5vyV89LoXjLAEDVmv2vJ+8w2b8zAN
+FAXtcx74MutSQQBrG4xffwwRJwf0uPhzMohRoiholOoaMFSOFBasA+phn7hr7m9a
+JWj4icCRVZlm+rztbbiapBUtm4ER1tdBGr84TgqasM5CK/qhXt9CCnUBRaimIwad
+9dib2jnkzuqlyrdzLyaFU0IRSq+GQAK7sgya/V2q96lWdzejMGx/07hL6lvPY/h7
+o8puMwpCK4XKYantqXL26oCxSgcrlA2nlR+SfmRKhwDwy8rPsTBm55BxwGr8Jj+9
+6bY6VOR+vZkjSVDKNBOq8gUJvPksQV0CK0eSgPTli0ncCInzFPeLGISIa90rFD7I
+97w/ZzTywVnTWO9DhedliwqDSOOYTdVoRfygQfpaFoa1aqR9tKWoc30kbqXvgvUR
+mlDwiY1zxpKsTHKu7omf0bp5m8dlW4EarWgTsTRQ8EOHoIucgjdaSxPEDDi8WGOW
+Nbqb2ZZz7wsIL71XgC13A+va1C0F709PK/Xnd5IwRf8=
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/hate.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE FrackinDocType [
+ <!ELEMENT i-hate-xml (#PCDATA)>
+ <!ATTLIST i-hate-xml ur_id_for_intra_doc_ref_test ID #IMPLIED>
+ ]>
+<i-hate-xml ur_id_for_intra_doc_ref_test="some_frackin_id">
+</i-hate-xml>

data/spec/fixtures/pwned.xml

@@ -0,0 +1 @@
+<pwned id="iminurdocreadinurfilez" />

data/spec/fixtures/rsa.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQC15La+LSmHNUs/yqzSuzKdBUED1OfaOZpBp8zxAAQy7VlTrqRh
+/eiJH3VSeRRZEygORvtLgi/teF2P+z/mfJ6IHIdCdkn8MF4CCCQKkjm7JKRrKfK5
+fOUp1NZF22oP8x0L4j67NYCtR9F6KIkV5A6FPAZGI8nsHnyJzRwqmG2xbQIDAQAB
+AoGBAJDT2UW3g/dqUc4rPExWTUiFJG0+mpVBhDd+ukmyL6W1Iojk53I2z25PJAVU
+7wS1ohEsJ27J7Aty6Vx5Ozn0Q+zYVaKRSxcazNeGbwS0UaGrN0lMvWDs7RmVGCdx
+bI2LUTQ88Bl94dW4QObAub+wMOL6xmVEVrJssZnm+CIqS2UBAkEA49QDNB//oHmi
+iqD4SFotE8Lz80qBGHN15YIm80TKUR2k1LusZl6R5+2nYTF2vPsG+HGXPbkGhqTn
+JL9GMBv7TQJBAMxinne8+bKTvOl/hhdAohFs7aHUBZhZOEuXIf1jYENASk2weYC6
+95SlHvWcwPHfqVbpwt83sGL8aDm8CCPYPqECQQDEFRQQx72GC0oG0FYAR4RmbrLx
+YN1NAwqkVmlZlIogWEgmQ8Q0cw5Ws+cMMrtEGTU9nN4TZGymc8TwjqNFAsA9AkEA
+ol8Cp/uQn6cxIIt4Gsb1OkTAcJ0BKOxQhfT2QtiNJEBSB3BYxsVCZWvcsaGrwzw9
+yteBQlZ6odkGcD+Kc/eaoQJAH+0a7jlHDu2VCHI63OiNZQJ8J9oxaPvWZyKYSaCO
+iGvon/Z6KGQhXMedPDaCH7UjeMle5AVhjSrSvF6OglgZ9g==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/rsa.pub

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC15La+LSmHNUs/yqzSuzKdBUED
+1OfaOZpBp8zxAAQy7VlTrqRh/eiJH3VSeRRZEygORvtLgi/teF2P+z/mfJ6IHIdC
+dkn8MF4CCCQKkjm7JKRrKfK5fOUp1NZF22oP8x0L4j67NYCtR9F6KIkV5A6FPAZG
+I8nsHnyJzRwqmG2xbQIDAQAB
+-----END PUBLIC KEY-----

data/spec/fixtures/sign2-doc.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<Envelope xmlns="urn:envelope">
+  <Data>
+  Hello, World!
+  </Data>
+</Envelope>

data/spec/fixtures/sign2-result.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0"?>
+<Envelope xmlns="urn:envelope">
+  <Data>
+  Hello, World!
+  </Data>
+<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+<Reference>
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<DigestValue>Gx8CGUsbi2qvBLd15VCmwELbDMND8F4vY3jPOc7/FJ0=</DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue>T2c7nqOw55P8hcP1qhvfPCwOSEAuo8HstZf9shlrggcarxfgWTKhA6UdrF4McfrS
+XtcgHA7zy0Yzd2cgeGkKA2jgI+9QRhoQsifOMuI55sE5r+fpBs+goaxC57gmcBXj
+XnuwIiWf7nfpF4hYZ841HzYd2HcpQKPTdbhvZUprvx8=</SignatureValue>
+<KeyInfo>
+<KeyName>test</KeyName>
+</KeyInfo>
+</Signature></Envelope>

data/spec/fixtures/sign3-result.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0"?>
+<Envelope xmlns="urn:envelope">
+  <Data>
+  Hello, World!
+  </Data>
+<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+<Reference>
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<DigestValue>Gx8CGUsbi2qvBLd15VCmwELbDMND8F4vY3jPOc7/FJ0=</DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue>TGJ9fCzjppp3LgG4fiBJx+0R34wRa7il9XKKZ+kkOAdKkcW0PIAYKmjn0Tn8krGd
+Gw6qtFFqjdohXfhkKmajXAFunEtd3J0kHFkf3obIwRB1qdsYmKXVFxUx3GqcIlph
+vt9v/9FC12JAxwAiJXHuY2xN5uo3xSDER4+tCCy3/AI=</SignatureValue>
+<KeyInfo>
+<X509Data>
+<X509Certificate>MIICLzCCAZgCCQCVuhhQ38rw0TANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJV
+UzEQMA4GA1UECAwHR2VvcmdpYTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTAgFw0xMzA1MjUxODQwMDRa
+GA8zMDEyMDkyNTE4NDAwNFowWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3Jn
+aWExITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwO
+d3d3Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALE4oSql
+eymfHtzOeY86WyvfsjZmaz2XnIo9dzZsK71yMEKkgvXQnnYy9pK0NaYcG0B0hcii
+3fqGBiHMkZY2BOGWwCC/wOmJCzLq9q6caPWUs71Zko+h59LaqV93vzDmZaXYfFoQ
+gSVEWpEpCSo560x0mSuLnJYdQQzZ/L6xvxZ1AgMBAAEwDQYJKoZIhvcNAQEFBQAD
+gYEATyK/RlfpohUVimgFkycTF2hyusjctseXoZDCctgg/STMsL8iA0P9YB6k91GC
+kWpwevuiwarD1MfSUV6goPINFkIBvfK+5R9lpHaTqqs615z8T9R5VJgaLcFe3tWd
+7oq3V2q5Nl6MrZfXj2N07qe6/9zfdauxYO26vAEKCvIkbMo=</X509Certificate>
+</X509Data>
+</KeyInfo>
+</Signature></Envelope>

data/spec/lib/nokogiri/xml/document/encryption_and_decryption_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+
+describe "encryption and decryption:" do
+  subject do
+    Nokogiri::XML(fixture('sign2-doc.xml'))
+  end
+
+  [ 'aes128-cbc', 'aes192-cbc', 'aes256-cbc', 'tripledes-cbc' ].each do |block_encryption|
+    [ 'rsa-1_5', 'rsa-oaep-mgf1p' ].each do |key_transport|
+      describe "encrypting with an RSA public key with #{block_encryption} #{key_transport}" do
+        before do
+          @original = subject.to_s
+          subject.encrypt!(
+            key: fixture('rsa.pub'), name: 'test',
+            block_encryption: block_encryption, key_transport: key_transport)
+        end
+
+        # it generates a new key every time so will never match the fixture
+        specify { expect(subject.to_s == @original).to be_falsey }
+        specify { expect(subject.to_s =~ /Hello.*World/i).to be_falsey }
+        # specify { subject.to_s.should == fixture('encrypt2-result.xml') }
+
+        describe 'decrypting with the RSA private key' do
+          before do
+            subject.decrypt! key: fixture('rsa.pem')
+          end
+
+          specify { expect(subject.to_s == fixture('sign2-doc.xml')).to be_truthy }
+        end
+      end
+    end
+  end
+
+end

data/spec/lib/nokogiri/xml/document/signing_and_verifying_spec.rb

@@ -0,0 +1,122 @@
+require 'spec_helper'
+
+describe "signing and verifying signatures:" do
+  subject do
+    Nokogiri::XML(fixture('sign2-doc.xml'))
+  end
+
+  describe 'signing a document with an RSA key' do
+    before { subject.sign! key: fixture('rsa.pem'), name: 'test',
+             signature_alg: 'rsa-sha256', digest_alg: 'sha256'
+    }
+
+    it 'should produce a signed document' do
+      expect(subject.to_s).to eql(fixture('sign2-result.xml'))
+    end
+
+    describe 'verifying the document with a single public key' do
+      it 'should be valid' do
+        expect(subject.verify_with(key: fixture('rsa.pub'))).to be_truthy
+      end
+    end
+
+    describe 'verifying the document with a set of keys' do
+      it 'should be valid' do
+        expect(subject.verify_with({
+          'test' => fixture('rsa.pub')
+        })).to be_truthy
+      end
+    end
+  end
+
+  describe 'signing a document with an RSA key and X509 certificate' do
+    before do
+      subject.sign! key: fixture('cert/server.key.decrypted'),
+                    cert: fixture('cert/server.crt'),
+                    signature_alg: 'rsa-sha256',
+                    digest_alg: 'sha256'
+    end
+
+    it 'should produce a signed document' do
+      expect(subject.to_s).to eql(fixture('sign3-result.xml'))
+    end
+
+    describe 'verifying the document with an array of X509 certificates' do
+      specify do
+        expect(subject.verify_with(cert: [fixture('cert/server.crt')])).to be_truthy
+      end
+
+      it 'should verify using system certificates' do
+        pending("Testing system certs requires admin privs. Read exception message in code.")
+        unless subject.verify_signature
+          raise <<-end_error
+            Could not use system certificates to verify the signature.
+            Note that this may not be a failing spec. You should copy
+            or symlink the file `spec/fixtures/cert/server.crt` into
+            the directory shown by running `openssl version -d`. After
+            doing so, run `sudo c_rehash CERT_PATH`, where
+            CERT_PATH is the same directory you copied the certificate
+            into (/usr/lib/ssl/certs by default on Ubuntu). After doing
+            that, run this spec again and see if it passes.
+          end_error
+        end
+      end
+    end
+
+    describe 'verifying the document with one X509 certificate' do
+      specify do
+        expect(subject.verify_with(cert: fixture('cert/server.crt'))).to be_truthy
+      end
+    end
+  end
+  describe 'test all signature algorithms' do
+    [ 'rsa-sha1', 'rsa-sha224', 'rsa-sha256', 'rsa-sha384', 'rsa-sha512' ].each do |signature_algorithm|
+      specify "All RSA signatures work with cert signing" do
+        subject.sign! key: fixture('cert/server.key.decrypted'),
+          cert: fixture('cert/server.crt'),
+          signature_alg: signature_algorithm,
+          digest_alg: 'sha256'
+      end
+      specify "All RSA signatures work with bare key signing" do
+        subject.sign! key: fixture('cert/server.key.decrypted'),
+          name: 'test',
+          signature_alg: signature_algorithm,
+          digest_alg: 'sha256'
+      end
+    end
+    [ 'ecdsa-sha1', 'ecdsa-sha224', 'ecdsa-sha256', 'ecdsa-sha384', 'ecdsa-sha512', 'dsa-sha1', 'dsa-sha256' ].each do |signature_algorithm|
+      specify "All non-RSA signatures work with cert signing" do
+        pending("use the right key type")
+        subject.sign! key: fixture('cert/server.key.decrypted'),
+          name: 'test',
+          cert: fixture('cert/server.crt'),
+          signature_alg: signature_algorithm,
+          digest_alg: 'sha256'
+      end
+      specify "All non-RSA signatures work with bare key" do
+        pending("use the right key type")
+        subject.sign! key: fixture('cert/server.key.decrypted'),
+          name: 'test',
+          signature_alg: signature_algorithm,
+          digest_alg: 'sha256'
+      end
+    end
+  end
+  describe 'test all digest algorithms' do
+    [ 'sha1', 'sha224', 'sha256', 'sha384', 'sha512' ].each do |digest_algorithm|
+      specify "All digests with cert" do
+        subject.sign! key: fixture('cert/server.key.decrypted'),
+          name: 'test',
+          cert: fixture('cert/server.crt'),
+          signature_alg: 'rsa-sha256',
+          digest_alg: digest_algorithm
+      end
+      specify "All digests with bare key" do
+        subject.sign! key: fixture('cert/server.key.decrypted'),
+          name: 'test',
+          signature_alg: 'rsa-sha256',
+          digest_alg: digest_algorithm
+      end
+    end
+  end
+end

data/spec/lib/nokogiri/xml/document/unsafe_xml_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper'
+
+describe "unsafe xml guards:" do
+  context "XML Signature URI" do
+    it "does not allow file path URIs in signing references" do
+      doc = Nokogiri::XML(fixture('hate.xml'))
+      expect{
+        doc.sign!(cert: fixture('cert/server.crt'),
+                  key: fixture('cert/server.key.decrypted'),
+                  name: 'test',
+                  signature_alg: 'rsa-sha256',
+                  digest_alg: 'sha256',
+                  uri: "#{fixture_path("pwned.xml")}")}.to raise_error(
+          XMLSec::SigningError, /error=33:invalid URI type/)
+    end
+
+    it "does not allow file:// URIs in signing references" do
+      doc = Nokogiri::XML(fixture('hate.xml'))
+      expect{
+        doc.sign!(cert: fixture('cert/server.crt'),
+                  key: fixture('cert/server.key.decrypted'),
+                  name: 'test',
+                  signature_alg: 'rsa-sha256',
+                  digest_alg: 'sha256',
+                  uri: "file://#{fixture_path("pwned.xml")}")}.to raise_error(
+          XMLSec::SigningError, /error=33:invalid URI type/)
+    end
+
+    it "does not allow network URIs in signing references" do
+      doc = Nokogiri::XML(fixture('hate.xml'))
+      expect{
+        doc.sign!(cert: fixture('cert/server.crt'),
+                  key: fixture('cert/server.key.decrypted'),
+                  name: 'test',
+                  signature_alg: 'rsa-sha256',
+                  digest_alg: 'sha256',
+                  uri: "http://www.w3.org/2001/XMLSchema.xsd")}.to raise_error(
+          XMLSec::SigningError, /error=33:invalid URI type/)
+    end
+
+    it "does allow empty signing references" do
+      doc = Nokogiri::XML(fixture('hate.xml'))
+      doc.sign!(cert: fixture('cert/server.crt'),
+                key: fixture('cert/server.key.decrypted'),
+                name: 'test',
+                signature_alg: 'rsa-sha256',
+                digest_alg: 'sha256',
+                uri: "")
+    end
+
+    it "does allow same document signing references" do
+      doc = Nokogiri::XML(fixture('hate.xml'))
+      doc.sign!(cert: fixture('cert/server.crt'),
+                key: fixture('cert/server.key.decrypted'),
+                name: 'test',
+                signature_alg: 'rsa-sha256',
+                digest_alg: 'sha256',
+                uri: "#some_frackin_id")
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+require 'rspec'
+require 'xmlsec'
+
+def fixture_path(filename)
+  File.join(File.expand_path('../fixtures', __FILE__), filename)
+end
+
+def fixture(path)
+  File.read fixture_path(path)
+end