nokogiri-xmlsec-instructure 0.10.3 → 0.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d80bf299c2e7900122535982dfde8b7b6ab67ea53528b0b055c3758b9b9753f
-  data.tar.gz: 379cbbff6fc67ac23cf9d604d15aea36f79e58418b034dcf5e5b45db3c86a739
+  metadata.gz: 9b9e1360203a6f2ce84bc88abe8d731d657a88a02642d5cc26827f3dac53c6da
+  data.tar.gz: 1d5fa5d3e4570b50716268d2cd65a7159a0170466babb829042169c71c1e20b0
 SHA512:
-  metadata.gz: e87ccfb10dfc8d9afe6964c58f4a56179fde5faa0ab007fb8bb5b62a038d6bc609d7f96efc09fbc394d3e51af568f3134133d87d5a843d6a456fe949dca464c2
-  data.tar.gz: 705acc4113dc8380a29c3ef001a19eceda6a128e9c08441a3ebd9f135452f5d0a22419d8cfdd64f2002841132687f10f84af09fe998d19f701aeff5d4860e21a
+  metadata.gz: 97d2d274344a10a9be1fe7c7c354882ff1d1d1a56ba38cd28c4ba8f2e1f6e64c4aa4f8ac143361fda0187b1ef69ee2ac8cdec0688164c67a83567aab7a1286be
+  data.tar.gz: 477f5c98388d76e02cbdaf913ff21328c3ed397fd5797c363d7dfc5d9641f25657eea0bf0b027ac599d0620976c8e72f12de5c19aa3a0fcb77bc01bf69ff3de9

data/ext/nokogiri_ext_xmlsec/extconf.rb

@@ -1,22 +1,14 @@
-require 'mkmf'
-require 'nokogiri'
+# frozen_string_literal: true
 
-def barf message = 'dependencies not met'
-  raise message
-end
+require "mkmf"
+require "nokogiri"
 
-barf unless have_header('ruby.h')
+abort unless pkg_config("xmlsec1")
+append_cflags("-fvisibility=hidden")
 
-pkg_config('xmlsec1')
-$CFLAGS << " " + `xmlsec1-config  --cflags`.strip
-$CFLAGS << " -fvisibility=hidden"
-
-$CFLAGS << Dir[Gem.loaded_specs['nokogiri'].full_gem_path + "/ext/*"].map { |dir| " -I#{dir}"}.join("")
-
-puts "Cflags: #{$CFLAGS}"
-$libs = `xmlsec1-config  --libs`.strip
+abort unless find_header("nokogiri.h", *Dir["#{Gem.loaded_specs["nokogiri"].full_gem_path}/ext/*"])
 
 # We reference symbols out of nokogiri but don't link directly against it
-$LDFLAGS << ' -Wl,-undefined,dynamic_lookup'
+append_ldflags(["-Wl", "-undefined,dynamic_lookup"])
 
-create_makefile('nokogiri_ext_xmlsec')
+create_makefile("nokogiri_ext_xmlsec")

data/ext/nokogiri_ext_xmlsec/nokogiri_decrypt_with_key.c

@@ -39,6 +39,11 @@ VALUE decrypt_with_key(VALUE self, VALUE rb_key_name, VALUE rb_key) {
   // don't let xmlsec free the node we're looking at out from under us
   encCtx->flags |= XMLSEC_ENC_RETURN_REPLACED_NODE;
 
+  #ifdef XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH
+    // Enable lax key search, since xmlsec 1.3.0
+    encCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH;
+  #endif
+
   // decrypt the data
   if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL)) {
     rb_exception_result = rb_eDecryptionError;

data/ext/nokogiri_ext_xmlsec/nokogiri_encrypt_with_key.c

@@ -115,6 +115,11 @@ VALUE encrypt_with_key(VALUE self, VALUE rb_rsa_key_name, VALUE rb_rsa_key,
     goto done;
   }
 
+  #ifdef XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH
+    // Enable lax key search, since xmlsec 1.3.0
+    encCtx->keyInfoWriteCtx.flags |= XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH;
+  #endif
+
   // Generate the symmetric key.
   encCtx->encKey = xmlSecKeyGenerateByName(BAD_CAST options.key_type, options.key_bits,
                                            xmlSecKeyDataTypeSession);
@@ -137,6 +142,10 @@ VALUE encrypt_with_key(VALUE self, VALUE rb_rsa_key_name, VALUE rb_rsa_key,
     }
   }
 
+  // We don't want xmlsec to free the node we're looking at out from under us,
+  // since it's still referenced from a Ruby object.
+  encCtx->flags |= XMLSEC_ENC_RETURN_REPLACED_NODE;
+
   // Set key name.
   if(keyName) {
     if(xmlSecKeySetName(encCtx->encKey, (xmlSecByte *)keyName) < 0) {
@@ -180,6 +189,14 @@ done:
 
   /* cleanup */
   if(encCtx != NULL) {
+    // the replaced node is orphaned, but not freed; let Nokogiri
+    // own it now
+    if (encCtx->replacedNodeList != NULL) {
+      noko_xml_document_pin_node(encCtx->replacedNodeList);
+      // no really, please don't free it
+      encCtx->replacedNodeList = NULL;
+    }
+
     xmlSecEncCtxDestroy(encCtx);
   }
 

data/ext/nokogiri_ext_xmlsec/nokogiri_sign.c

@@ -14,6 +14,9 @@
 //             taken from http://www.w3.org/TR/xmldsig-core
 //   :digest_alg - Algorithm identified by the URL fragment. Supported algorithms
 //             taken from http://www.w3.org/TR/xmldsig-core
+//  :canon_alg - Algorithm identified by the URL fragment. Supported algorithms
+//             taken from http://www.w3.org/TR/xmldsig-core/#sec-c14nAlg
+//             Default is ExclC14N (exclusive canonicalization).
 //   :name - [optional] String with name of the rsa key.
 //   :uri - [optional] The URI attribute for the <Reference> node in the
 //          signature.
@@ -45,6 +48,7 @@ VALUE sign(VALUE self, VALUE rb_opts) {
   VALUE rb_cert = rb_hash_aref(rb_opts, ID2SYM(rb_intern("cert")));
   VALUE rb_signature_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("signature_alg")));
   VALUE rb_digest_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("digest_alg")));
+  VALUE rb_canon_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("canon_alg")));
   VALUE rb_uri = rb_hash_aref(rb_opts, ID2SYM(rb_intern("uri")));
   VALUE rb_key_name = rb_hash_aref(rb_opts, ID2SYM(rb_intern("name")));
   VALUE rb_store_references = rb_hash_aref(rb_opts, ID2SYM(rb_intern("store_references")));
@@ -71,6 +75,9 @@ VALUE sign(VALUE self, VALUE rb_opts) {
     Check_Type(rb_uri, T_STRING);
     refUri = StringValueCStr(rb_uri);
   }
+  if (!NIL_P(rb_canon_alg)){
+    Check_Type(rb_canon_alg, T_STRING);
+  }
   switch (TYPE(rb_store_references)) {
     case T_TRUE:
       store_references = 1;
@@ -83,6 +90,15 @@ VALUE sign(VALUE self, VALUE rb_opts) {
       break;
   }
 
+  xmlSecTransformId canon_algorithm = xmlSecTransformExclC14NId; // default
+  if (!NIL_P(rb_canon_alg)){
+    canon_algorithm = GetCanonicalizationMethod(rb_canon_alg,
+                                                &rb_exception_result, &exception_message);
+    if (canon_algorithm == xmlSecTransformIdUnknown){
+      goto done;
+    }
+  }
+
   xmlSecTransformId signature_algorithm = GetSignatureMethod(rb_signature_alg,
       &rb_exception_result, &exception_message);
   if (signature_algorithm == xmlSecTransformIdUnknown) {
@@ -93,7 +109,7 @@ VALUE sign(VALUE self, VALUE rb_opts) {
   Noko_Node_Get_Struct(self, xmlNode, envelopeNode);
   doc = envelopeNode->doc;
   // create signature template for enveloped signature.
-  signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
+  signNode = xmlSecTmplSignatureCreate(doc, canon_algorithm,
                                        signature_algorithm, NULL);
   if (signNode == NULL) {
     rb_exception_result = rb_eSigningError;
@@ -111,6 +127,7 @@ VALUE sign(VALUE self, VALUE rb_opts) {
     // Propagate exception.
     goto done;
   }
+
   refNode = xmlSecTmplSignatureAddReference(signNode, digest_algorithm,
                                             NULL, (const xmlChar *)refUri, NULL);
   if(refNode == NULL) {
@@ -126,7 +143,7 @@ VALUE sign(VALUE self, VALUE rb_opts) {
     goto done;
   }
 
-  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformExclC14NId) == NULL) {
+  if(xmlSecTmplReferenceAddTransform(refNode, canon_algorithm) == NULL){
     rb_exception_result = rb_eSigningError;
     exception_message = "failed to add canonicalization transform to reference";
     goto done;

data/ext/nokogiri_ext_xmlsec/options.c

@@ -15,8 +15,11 @@ static const char RSA_OAEP_MGF1P[] = "rsa-oaep-mgf1p";
 // Block Encryption Strings.
 static const char TRIPLEDES_CBC[] = "tripledes-cbc";
 static const char AES128_CBC[] = "aes128-cbc";
-static const char AES256_CBC[] = "aes256-cbc";
 static const char AES192_CBC[] = "aes192-cbc";
+static const char AES256_CBC[] = "aes256-cbc";
+static const char GCM128_CBC[] = "aes128-gcm";
+static const char GCM192_CBC[] = "aes192-gcm";
+static const char GCM256_CBC[] = "aes256-gcm";
 
 // Supported signature algorithms taken from #6 of
 // http://www.w3.org/TR/xmldsig-core1/
@@ -44,6 +47,13 @@ static const char DIGEST_SHA256[] = "sha256";
 static const char DIGEST_SHA384[] = "sha384";
 static const char DIGEST_SHA512[] = "sha512";
 
+// Canonicalization algorithms
+// http://www.w3.org/TR/xmldsig-core1/#sec-Canonicalization
+static const char C14N[] = "c14n";
+static const char C14N_WITH_COMMENTS[] = "c14n-with-comments";
+static const char EXCL_C14N[] = "exc-c14n";
+static const char EXCL_C14N_WITH_COMMENTS[] = "exc-c14n-with-comments";
+
 BOOL GetXmlEncOptions(VALUE rb_opts,
                       XmlEncOptions* options,
                       VALUE* rb_exception_result,
@@ -82,6 +92,18 @@ BOOL GetXmlEncOptions(VALUE rb_opts,
     options->block_encryption = xmlSecTransformDes3CbcId;
     options->key_type = "des";
     options->key_bits = 192;
+  } else if (strncmp(GCM256_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformAes256GcmId;
+    options->key_type = "aes";
+    options->key_bits = 256;
+  } else if (strncmp(GCM128_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformAes128GcmId;
+    options->key_type = "aes";
+    options->key_bits = 128;
+  } else if (strncmp(GCM192_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformAes192GcmId;
+    options->key_type = "aes";
+    options->key_bits = 192;
   } else {
     *rb_exception_result = rb_eArgError;
     *exception_message = "Unknown :block_encryption value";
@@ -164,3 +186,24 @@ xmlSecTransformId GetDigestMethod(VALUE rb_digest_alg,
   *exception_message = "Unknown :digest_algorithm";
   return xmlSecTransformIdUnknown;
 }
+
+xmlSecTransformId GetCanonicalizationMethod(VALUE rb_canon_alg,
+                                            VALUE *rb_exception_result,
+                                            const char **exception_message){
+  const char *canonAlgorithm = RSTRING_PTR(rb_canon_alg);
+  unsigned int canonAlgorithmLength = RSTRING_LEN(rb_canon_alg);
+
+  if (strncmp(C14N, canonAlgorithm, canonAlgorithmLength) == 0){
+    return xmlSecTransformInclC14NId;
+  }else if (strncmp(C14N_WITH_COMMENTS, canonAlgorithm, canonAlgorithmLength) == 0){
+    return xmlSecTransformInclC14NWithCommentsId;
+  }else if (strncmp(EXCL_C14N, canonAlgorithm, canonAlgorithmLength) == 0){
+    return xmlSecTransformExclC14NId;
+  } else if (strncmp(EXCL_C14N_WITH_COMMENTS, canonAlgorithm, canonAlgorithmLength) == 0){
+    return xmlSecTransformExclC14NWithCommentsId;
+  }
+
+  *rb_exception_result = rb_eArgError;
+  *exception_message = "Unknown :canon_alg";
+  return xmlSecTransformIdUnknown;
+}

data/ext/nokogiri_ext_xmlsec/options.h

@@ -30,7 +30,9 @@ xmlSecTransformId GetSignatureMethod(VALUE rb_method,
                                      VALUE* rb_exception_result,
                                      const char** exception_message);
 xmlSecTransformId GetDigestMethod(VALUE rb_digest_method,
-                                  VALUE* rb_exception_result,
-                                  const char** exception_message);
-
-#endif  // NOKOGIRI_EXT_XMLSEC_OPTIONS_H
+                                  VALUE *rb_exception_result,
+                                  const char **exception_message);
+xmlSecTransformId GetCanonicalizationMethod(VALUE rb_canonicalization_method,
+                                            VALUE *rb_exception_result,
+                                            const char **exception_message);
+#endif // NOKOGIRI_EXT_XMLSEC_OPTIONS_H

data/lib/nokogiri-xmlsec.rb

@@ -1 +1,3 @@
-require 'xmlsec'
+# frozen_string_literal: true
+
+require "xmlsec"

data/lib/xmlsec/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Xmlsec
-  VERSION = '0.10.3'
+  VERSION = "0.12.0"
 end

data/lib/xmlsec.rb

@@ -1,103 +1,114 @@
+# frozen_string_literal: true
+
 require "xmlsec/version"
-require 'nokogiri'
-require 'nokogiri_ext_xmlsec'
+require "nokogiri"
+require "nokogiri_ext_xmlsec"
 
-class Nokogiri::XML::Document
-  def sign! opts
-    root.sign! opts
-    self
-  end
+module Nokogiri
+  module XML
+    class Document
+      def sign!(opts)
+        root.sign! opts
+        self
+      end
 
-  # Verifies the signature on the current document.
-  #
-  # Returns `true` if the signature is valid, `false` otherwise.
-  # 
-  # Examples:
-  #
-  #     # Try to validate with the given public or private key
-  #     doc.verify_with key: 'rsa-key'
-  #
-  #     # Try to validate with a set of keys. It will try to match
-  #     # based on the contents of the `KeyName` element.
-  #     doc.verify_with({
-  #       'key-name'         => 'x509 certificate',
-  #       'another-key-name' => 'rsa-public-key'
-  #     })
-  #     
-  #     # Try to validate with a trusted certificate
-  #     doc.verify_with(cert: 'certificate')
-  #
-  #     # Try to validate with a set of certificates, any one of which
-  #     # can match
-  #     doc.verify_with(certs: ['cert1', 'cert2'])
-  #
-  #     # Validate the signature, checking the certificate validity as of
-  #     # a certain time (anything that's convertible to an integer, such as a Time)
-  #     doc.verify_with(cert: 'certificate', verification_time: message_creation_timestamp)
-  #
-  #     # Validate the signature, but don't validate that the certificate is valid,
-  #     # or has a full trust chain
-  #     doc.verify_with(cert: 'certificate', verify_certificates: false)
-  #
-  def verify_with opts_or_keys
-    first_signature = root.at_xpath("//ds:Signature", 'ds' => "http://www.w3.org/2000/09/xmldsig#")
-    raise XMLSec::VerificationError("start node not found") unless first_signature
+      # Verifies the signature on the current document.
+      #
+      # Returns `true` if the signature is valid, `false` otherwise.
+      #
+      # Examples:
+      #
+      #     # Try to validate with the given public or private key
+      #     doc.verify_with key: 'rsa-key'
+      #
+      #     # Try to validate with a set of keys. It will try to match
+      #     # based on the contents of the `KeyName` element.
+      #     doc.verify_with({
+      #       'key-name'         => 'x509 certificate',
+      #       'another-key-name' => 'rsa-public-key'
+      #     })
+      #
+      #     # Try to validate with a trusted certificate
+      #     doc.verify_with(cert: 'certificate')
+      #
+      #     # Try to validate with a set of certificates, any one of which
+      #     # can match
+      #     doc.verify_with(certs: ['cert1', 'cert2'])
+      #
+      #     # Validate the signature, checking the certificate validity as of
+      #     # a certain time (anything that's convertible to an integer, such as a Time)
+      #     doc.verify_with(cert: 'certificate', verification_time: message_creation_timestamp)
+      #
+      #     # Validate the signature, but don't validate that the certificate is valid,
+      #     # or has a full trust chain
+      #     doc.verify_with(cert: 'certificate', verify_certificates: false)
+      #
+      def verify_with(opts_or_keys)
+        first_signature = root.at_xpath("//ds:Signature", "ds" => "http://www.w3.org/2000/09/xmldsig#")
+        raise XMLSec::VerificationError("start node not found") unless first_signature
 
-    first_signature.verify_with(opts_or_keys)
-  end
+        first_signature.verify_with(opts_or_keys)
+      end
 
-  # Attempts to verify the signature of this document using only certificates
-  # installed on the system. This is equivalent to calling
-  # `verify_with certificates: []` (that is, an empty array).
-  #
-  def verify_signature
-    verify_with(certs: [])
-  end
+      # Attempts to verify the signature of this document using only certificates
+      # installed on the system. This is equivalent to calling
+      # `verify_with certificates: []` (that is, an empty array).
+      #
+      def verify_signature
+        verify_with(certs: [])
+      end
 
-  # Encrypts the current document, then returns it.
-  #
-  # Examples:
-  # 
-  #     # encrypt with a public key and optional key name
-  #     doc.encrypt! key: 'public-key', name: 'name'
-  #
-  def encrypt!(key:, name: nil, **opts)
-    root.encrypt_with(key: key, name: name, **opts)
-    self
-  end
+      # Encrypts the current document, then returns it.
+      #
+      # Examples:
+      #
+      #     # encrypt with a public key and optional key name
+      #     doc.encrypt! key: 'public-key', name: 'name'
+      #
+      def encrypt!(key:, name: nil, **)
+        root.encrypt_with(key:, name:, **)
+        self
+      end
 
-  # Decrypts the current document, then returns it.
-  #
-  # Examples:
-  #
-  #     # decrypt with a specific private key
-  #     doc.decrypt! key: 'private-key'
-  #     # pass the key as an OpenSSL PKey object
-  #     doc.decrypt! key: OpenSSL::PKey.read('private-key')
-  #
-  def decrypt! opts
-    first_encrypted_node = root.at_xpath("//xenc:EncryptedData", 'xenc' => "http://www.w3.org/2001/04/xmlenc#")
-    raise XMLSec::DecryptionError("start node not found") unless first_encrypted_node
+      # Decrypts the current document, then returns it.
+      #
+      # Examples:
+      #
+      #     # decrypt with a specific private key
+      #     doc.decrypt! key: 'private-key'
+      #     # pass the key as an OpenSSL PKey object
+      #     doc.decrypt! key: OpenSSL::PKey.read('private-key')
+      #
+      def decrypt!(opts)
+        first_encrypted_node = root.at_xpath("//xenc:EncryptedData", "xenc" => "http://www.w3.org/2001/04/xmlenc#")
+        raise XMLSec::DecryptionError("start node not found") unless first_encrypted_node
 
-    first_encrypted_node.decrypt_with opts
-    self
+        first_encrypted_node.decrypt_with opts
+        self
+      end
+    end
   end
 end
 
-class Nokogiri::XML::Node
-  def encrypt_with(key:, name: nil, **opts)
-    raise ArgumentError("public :key is required for encryption") unless key
-    encrypt_with_key(name, key, opts)
-  end
+module Nokogiri
+  module XML
+    class Node
+      def encrypt_with(key:, name: nil, **opts)
+        raise ArgumentError("public :key is required for encryption") unless key
+
+        encrypt_with_key(name, key, opts)
+      end
 
-  def decrypt_with(opts)
-    raise 'inadequate options specified for decryption' unless opts[:key]
+      def decrypt_with(opts)
+        raise "inadequate options specified for decryption" unless opts[:key]
 
-    parent = self.parent
-    previous = self.previous
-    key = opts[:key]
-    key = key.to_pem if key.respond_to?(:to_pem)
-    decrypt_with_key(opts[:name].to_s, key)
-    previous ? previous.next : parent.children.first
+        parent = self.parent
+        previous = self.previous
+        key = opts[:key]
+        key = key.to_pem if key.respond_to?(:to_pem)
+        decrypt_with_key(opts[:name].to_s, key)
+        previous ? previous.next : parent.children.first
+      end
+    end
   end
 end