nokogiri-xmlsec-instructure 0.11.0 → 0.12.0

data/ext/nokogiri_ext_xmlsec/nokogiri_sign.c

@@ -0,0 +1,271 @@
+#include "xmlsecrb.h"
+
+#include "options.h"
+#include "util.h"
+
+// Appends an xmlsig <dsig:Signature> node to document stored in |self|
+// with a signature based on the given key and cert.
+//
+// Expects a ruby hash for the signing arguments.
+// Hash parameters:
+//   :key - A PEM encoded rsa key for signing.
+//   :cert - The public cert to include with the signature.
+//   :signature_alg - Algorithm identified by the URL fragment. Supported algorithms
+//             taken from http://www.w3.org/TR/xmldsig-core
+//   :digest_alg - Algorithm identified by the URL fragment. Supported algorithms
+//             taken from http://www.w3.org/TR/xmldsig-core
+//  :canon_alg - Algorithm identified by the URL fragment. Supported algorithms
+//             taken from http://www.w3.org/TR/xmldsig-core/#sec-c14nAlg
+//             Default is ExclC14N (exclusive canonicalization).
+//   :name - [optional] String with name of the rsa key.
+//   :uri - [optional] The URI attribute for the <Reference> node in the
+//          signature.
+//   :store_references - [optional] If true, the options hash will be modified,
+//             and this value will be replaced with pre-digest buffer for
+//             debugging purposes
+VALUE sign(VALUE self, VALUE rb_opts) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  xmlDocPtr doc = NULL;
+  xmlNodePtr envelopeNode = NULL;
+  xmlNodePtr signNode = NULL;
+  xmlNodePtr refNode = NULL;
+  xmlNodePtr keyInfoNode = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *keyName = NULL;
+  char *certificate = NULL;
+  char *rsaKey = NULL;
+  char *refUri = NULL;
+  unsigned int rsaKeyLength = 0;
+  unsigned int certificateLength = 0;
+  VALUE rb_references = Qnil;
+  int store_references = 0;
+  VALUE rb_pre_digest_buffer_sym, rb_reference, rb_pre_digest_buffer;
+  xmlSecSize pos;
+
+  VALUE rb_rsa_key = rb_hash_aref(rb_opts, ID2SYM(rb_intern("key")));
+  VALUE rb_cert = rb_hash_aref(rb_opts, ID2SYM(rb_intern("cert")));
+  VALUE rb_signature_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("signature_alg")));
+  VALUE rb_digest_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("digest_alg")));
+  VALUE rb_canon_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("canon_alg")));
+  VALUE rb_uri = rb_hash_aref(rb_opts, ID2SYM(rb_intern("uri")));
+  VALUE rb_key_name = rb_hash_aref(rb_opts, ID2SYM(rb_intern("name")));
+  VALUE rb_store_references = rb_hash_aref(rb_opts, ID2SYM(rb_intern("store_references")));
+
+  resetXmlSecError();
+
+  Check_Type(rb_rsa_key, T_STRING);
+  Check_Type(rb_signature_alg, T_STRING);
+  Check_Type(rb_digest_alg, T_STRING);
+
+  rsaKey = RSTRING_PTR(rb_rsa_key);
+  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
+
+  if (!NIL_P(rb_cert)) {
+    Check_Type(rb_cert, T_STRING);
+    certificate = RSTRING_PTR(rb_cert);
+    certificateLength = RSTRING_LEN(rb_cert);
+  }
+  if (!NIL_P(rb_key_name))  {
+    Check_Type(rb_key_name, T_STRING);
+    keyName = StringValueCStr(rb_key_name);
+  }
+  if (!NIL_P(rb_uri)) {
+    Check_Type(rb_uri, T_STRING);
+    refUri = StringValueCStr(rb_uri);
+  }
+  if (!NIL_P(rb_canon_alg)){
+    Check_Type(rb_canon_alg, T_STRING);
+  }
+  switch (TYPE(rb_store_references)) {
+    case T_TRUE:
+      store_references = 1;
+      break;
+    case T_FALSE:
+    case T_NIL:
+      break;
+    default:
+      Check_Type(rb_store_references, T_TRUE);
+      break;
+  }
+
+  xmlSecTransformId canon_algorithm = xmlSecTransformExclC14NId; // default
+  if (!NIL_P(rb_canon_alg)){
+    canon_algorithm = GetCanonicalizationMethod(rb_canon_alg,
+                                                &rb_exception_result, &exception_message);
+    if (canon_algorithm == xmlSecTransformIdUnknown){
+      goto done;
+    }
+  }
+
+  xmlSecTransformId signature_algorithm = GetSignatureMethod(rb_signature_alg,
+      &rb_exception_result, &exception_message);
+  if (signature_algorithm == xmlSecTransformIdUnknown) {
+    // Propagate exception.
+    goto done;
+  }
+
+  Noko_Node_Get_Struct(self, xmlNode, envelopeNode);
+  doc = envelopeNode->doc;
+  // create signature template for enveloped signature.
+  signNode = xmlSecTmplSignatureCreate(doc, canon_algorithm,
+                                       signature_algorithm, NULL);
+  if (signNode == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to create signature template";
+    goto done;
+  }
+
+  // add <dsig:Signature/> node to the doc
+  xmlAddChild(envelopeNode, signNode);
+
+  // add reference
+  xmlSecTransformId digest_algorithm = GetDigestMethod(rb_digest_alg,
+      &rb_exception_result, &exception_message);
+  if (digest_algorithm == xmlSecTransformIdUnknown) {
+    // Propagate exception.
+    goto done;
+  }
+
+  refNode = xmlSecTmplSignatureAddReference(signNode, digest_algorithm,
+                                            NULL, (const xmlChar *)refUri, NULL);
+  if(refNode == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add reference to signature template";
+    goto done;
+  }
+
+  // add enveloped transform
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add enveloped transform to reference";
+    goto done;
+  }
+
+  if(xmlSecTmplReferenceAddTransform(refNode, canon_algorithm) == NULL){
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add canonicalization transform to reference";
+    goto done;
+  }
+
+  // add <dsig:KeyInfo/>
+  keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
+  if(keyInfoNode == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add key info";
+    goto done;
+  }
+
+  if(certificate) {
+    // add <dsig:X509Data/>
+    if(xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
+      rb_exception_result = rb_eSigningError;
+      exception_message = "failed to add X509Data node";
+      goto done;
+    }
+  }
+
+  if(keyName) {
+    // add <dsig:KeyName/>
+    if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
+      rb_exception_result = rb_eSigningError;
+      exception_message = "failed to add key name";
+      goto done;
+    }
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = createDSigContext(NULL);
+  if(dsigCtx == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to create signature context";
+    goto done;
+  }
+  if (store_references) {
+    dsigCtx->flags |= XMLSEC_DSIG_FLAGS_STORE_SIGNEDINFO_REFERENCES |
+      XMLSEC_DSIG_FLAGS_STORE_MANIFEST_REFERENCES;
+  }
+
+  // load private key, assuming that there is not password
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
+                                                  rsaKeyLength,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL,
+                                                  NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to load private key";
+    goto done;
+  }
+  
+  if(keyName) {
+    // set key name
+    if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
+      rb_exception_result = rb_eSigningError;
+      exception_message = "failed to set key name";
+      goto done;
+    }
+  }
+
+  if(certificate) {
+    // load certificate and add to the key
+    if(xmlSecCryptoAppKeyCertLoadMemory(dsigCtx->signKey,
+                                        (xmlSecByte *)certificate,
+                                        certificateLength,
+                                        xmlSecKeyDataFormatPem) < 0) {
+      rb_exception_result = rb_eSigningError;
+      exception_message = "failed to load certificate";
+      goto done;
+    }
+  }
+
+  // sign the template
+  if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "signature failed";
+    goto done;
+  }
+  if (store_references) {
+    rb_pre_digest_buffer_sym = ID2SYM(rb_intern("pre_digest_buffer"));
+    rb_references = rb_ary_new2(xmlSecPtrListGetSize(&dsigCtx->signedInfoReferences));
+    rb_hash_aset(rb_opts, ID2SYM(rb_intern("references")), rb_references);
+
+    for(pos = 0; pos < xmlSecPtrListGetSize(&dsigCtx->signedInfoReferences); ++pos) {
+      rb_reference = rb_hash_new();
+      rb_ary_push(rb_references, rb_reference);
+      xmlSecDSigReferenceCtxPtr dsigRefCtx = (xmlSecDSigReferenceCtxPtr)xmlSecPtrListGetItem(&dsigCtx->signedInfoReferences, pos);
+      xmlSecBufferPtr pre_digest_buffer = xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx);
+      if (pre_digest_buffer && xmlSecBufferGetData(pre_digest_buffer)) {
+        rb_pre_digest_buffer = rb_str_new((const char *)xmlSecBufferGetData(pre_digest_buffer), xmlSecBufferGetSize(pre_digest_buffer));
+        rb_hash_aset(rb_reference, rb_pre_digest_buffer_sym, rb_pre_digest_buffer);
+      }
+    }
+  }
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  xmlSecErrorsSetCallback(xmlSecErrorsDefaultCallback);
+
+  if(rb_exception_result != Qnil) {
+    // remove the signature node before raising an exception, so that
+    // the document is untouched
+    if (signNode != NULL) {
+      xmlUnlinkNode(signNode);
+      xmlFreeNode(signNode);
+    }
+
+    if (hasXmlSecLastError()) {
+      rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
+               getXmlSecLastError());
+    } else {
+      rb_raise(rb_exception_result, "%s", exception_message);
+    }
+  }
+
+  return Qnil;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_with.c

@@ -0,0 +1,261 @@
+#include "xmlsecrb.h"
+#include "util.h"
+
+// Constructs a xmlSecKeysMngrPtr and adds all the certs included in |rb_certs|
+// array as trusted certificates.
+static xmlSecKeysMngrPtr createKeyManagerWithRbCertArray(
+    VALUE rb_certs,
+    VALUE* rb_exception_result_out,
+    const char** exception_message_out) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  int i = 0;
+  int numCerts = RARRAY_LEN(rb_certs);
+  xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
+  VALUE rb_cert = Qnil;
+  char *cert = NULL;
+  unsigned int certLength = 0;
+  int numSuccessful = 0;
+
+  if (keyManager == NULL) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to create keys manager.";
+    goto done;
+  }
+
+  if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
+    rb_exception_result = rb_eKeystoreError;
+    exception_message = "could not initialize key manager";
+    goto done;
+  }
+
+  for (i = 0; i < numCerts; i++) {
+    rb_cert = RARRAY_PTR(rb_certs)[i];
+    rb_cert = rb_obj_as_string(rb_cert);
+    Check_Type(rb_cert, T_STRING);
+    cert = RSTRING_PTR(rb_cert);
+    certLength = RSTRING_LEN(rb_cert);
+
+    if(xmlSecCryptoAppKeysMngrCertLoadMemory(keyManager,
+                                             (xmlSecByte *)cert,
+                                             certLength,
+                                             xmlSecKeyDataFormatPem,
+                                             xmlSecKeyDataTypeTrusted) < 0) {
+      rb_warn("failed to load certificate at index %d", i);
+    } else {
+      numSuccessful++;
+    }
+  }
+
+  // note, numCerts could be zero, meaning that we should use system SSL certs
+  if (numSuccessful == 0 && numCerts != 0) {
+    rb_exception_result = rb_eKeystoreError;
+    exception_message = "Could not load any of the specified certificates for signature verification";
+    goto done;
+  }
+
+done:
+  if (!NIL_P(rb_exception_result)) {
+    if (keyManager) {
+      xmlSecKeysMngrDestroy(keyManager);
+      keyManager = NULL;
+    }
+  }
+
+  *rb_exception_result_out = rb_exception_result;
+  *exception_message_out = exception_message;
+  return keyManager;
+}
+
+static int addRubyKeyToManager(VALUE rb_key, VALUE rb_value, VALUE rb_manager) {
+  xmlSecKeysMngrPtr keyManager = (xmlSecKeysMngrPtr)rb_manager;
+  char *keyName, *keyData;
+  unsigned int keyDataLength;
+  xmlSecKeyPtr key;
+
+  Check_Type(rb_key, T_STRING);
+  Check_Type(rb_value, T_STRING);
+  keyName = RSTRING_PTR(rb_key);
+  keyData = RSTRING_PTR(rb_value);
+  keyDataLength = RSTRING_LEN(rb_value);
+
+  // load key
+  key = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)keyData,
+                                     keyDataLength,
+                                     xmlSecKeyDataFormatPem,
+                                     NULL, // password
+                                     NULL, NULL);
+  if (key == NULL) {
+    rb_warn("failed to load '%s' public or private pem key", keyName);
+    return ST_CONTINUE;
+  }
+
+  // set key name
+  if (xmlSecKeySetName(key, BAD_CAST keyName) < 0) {
+    rb_warn("failed to set key name for key '%s'", keyName);
+    return ST_CONTINUE;
+  }
+
+  // add key to key manager; from now on the manager is responsible for
+  // destroying the key
+  if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(keyManager, key) < 0) {
+    rb_warn("failed to add key '%s' to key manager", keyName);
+    return ST_CONTINUE;
+  }
+
+  return ST_CONTINUE;
+}
+
+// Constructs a xmlSecKeysMngr and adds all the named to key mappings
+// specified by the |rb_hash| to the key manager.
+//
+// Caller takes ownership. Free with xmlSecKeysMngrDestroy().
+static xmlSecKeysMngrPtr createKeyManagerFromNamedKeys(
+    VALUE rb_hash,
+    VALUE* rb_exception_result_out,
+    const char** exception_message_out) {
+  xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
+  if (keyManager == NULL) return NULL;
+  if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
+    *rb_exception_result_out = rb_eKeystoreError;
+    *exception_message_out = "could not initialize key manager";
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  rb_hash_foreach(rb_hash, addRubyKeyToManager, (VALUE)keyManager);
+
+  return keyManager;
+}
+
+VALUE verify_with(VALUE self, VALUE rb_opts) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  VALUE rb_certs, rb_cert;
+  VALUE rb_rsa_key;
+  VALUE rb_verification_time, rb_verification_depth, rb_verify_certificates;
+  char *rsa_key = NULL;
+  unsigned int rsa_key_length = 0;
+  VALUE result = Qfalse;
+
+  resetXmlSecError();
+
+  Check_Type(rb_opts, T_HASH);
+  Noko_Node_Get_Struct(self, xmlNode, node);
+
+  // verify start node
+  if(!xmlSecCheckNodeName(node, xmlSecNodeSignature, xmlSecDSigNs)) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "Can only verify a Signature node";
+    goto done;
+  }
+
+  rb_certs = rb_hash_aref(rb_opts, ID2SYM(rb_intern("cert")));
+  if (NIL_P(rb_certs)) {
+    rb_certs = rb_hash_aref(rb_opts, ID2SYM(rb_intern("certs")));
+  }
+
+  rb_verification_depth = rb_hash_aref(rb_opts, ID2SYM(rb_intern("verification_depth")));
+  rb_verification_time = rb_hash_aref(rb_opts, ID2SYM(rb_intern("verification_time")));
+  rb_verify_certificates = rb_hash_aref(rb_opts, ID2SYM(rb_intern("verify_certificates")));
+
+  if (!NIL_P(rb_certs)) {
+    if(TYPE(rb_certs) != T_ARRAY) {
+      rb_cert = rb_certs;
+      rb_certs = rb_ary_new();
+      rb_ary_push(rb_certs, rb_cert);
+    }
+
+    keyManager = createKeyManagerWithRbCertArray(rb_certs, &rb_exception_result,
+                                                 &exception_message);
+    if (keyManager == NULL) {
+      // Propagate exception.
+      goto done;
+    }
+  } else if (!NIL_P(rb_rsa_key = rb_hash_aref(rb_opts, ID2SYM(rb_intern("key"))))) {
+    Check_Type(rb_rsa_key,  T_STRING);
+    rsa_key = RSTRING_PTR(rb_rsa_key);
+    rsa_key_length = RSTRING_LEN(rb_rsa_key);
+  } else {
+    keyManager = createKeyManagerFromNamedKeys(rb_opts, &rb_exception_result,
+                                               &exception_message);
+    if (keyManager == NULL) {
+      // Propagate exception.
+      goto done;
+    }
+  }
+
+  // Create signature context.
+  dsigCtx = createDSigContext(keyManager);
+  if(dsigCtx == NULL) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "failed to create signature context";
+    goto done;
+  }
+
+  if(!NIL_P(rb_verification_time)) {
+    rb_verification_time = rb_Integer(rb_verification_time);
+    dsigCtx->keyInfoReadCtx.certsVerificationTime = (time_t)NUM2LONG(rb_verification_time);
+  }
+
+  if(rb_verify_certificates == Qfalse) {
+    dsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+  }
+
+  if(!NIL_P(rb_verification_depth)) {
+    rb_verification_depth = rb_Integer(rb_verification_depth);
+    dsigCtx->keyInfoReadCtx.certsVerificationDepth = (time_t)NUM2LONG(rb_verification_depth);
+  }
+
+  if(rsa_key) {
+    // load public key
+    dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsa_key,
+                                                    rsa_key_length,
+                                                    xmlSecKeyDataFormatPem,
+                                                    NULL, // password
+                                                    NULL, NULL);
+    if(dsigCtx->signKey == NULL) {
+      rb_exception_result = rb_eVerificationError;
+      exception_message = "failed to load public pem key";
+      goto done;
+    }
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "error occurred during signature verification";
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  xmlSecErrorsSetCallback(xmlSecErrorsDefaultCallback);
+
+  if(!NIL_P(rb_exception_result)) {
+    if (hasXmlSecLastError()) {
+      rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
+               getXmlSecLastError());
+    } else {
+      rb_raise(rb_exception_result, "%s", exception_message);
+    }
+  }
+
+  return result;
+}