nokogiri-xmlsec-instructure 0.9.4

data/ext/nokogiri_ext_xmlsec/options.c

@@ -0,0 +1,166 @@
+#include "options.h"
+
+#include "common.h"
+
+#if (XMLSEC_VERSION_MAJOR > 1) || (XMLSEC_VERSION_MAJOR == 1 && (XMLSEC_VERSION_MINOR > 2 || (XMLSEC_VERSION_MINOR == 2 && XMLSEC_VERSION_SUBMINOR >= 20)))
+# define HAS_ECDSA 1
+#else
+# define HAS_ECDSA 0
+#endif
+
+// Key Transport Strings.
+static const char RSA1_5[] = "rsa-1_5";
+static const char RSA_OAEP_MGF1P[] = "rsa-oaep-mgf1p";
+
+// Block Encryption Strings.
+static const char TRIPLEDES_CBC[] = "tripledes-cbc";
+static const char AES128_CBC[] = "aes128-cbc";
+static const char AES256_CBC[] = "aes256-cbc";
+static const char AES192_CBC[] = "aes192-cbc";
+
+// Supported signature algorithms taken from #6 of
+// http://www.w3.org/TR/xmldsig-core1/
+static const char RSA_SHA1[] = "rsa-sha1";
+static const char RSA_SHA224[] = "rsa-sha224";
+static const char RSA_SHA256[] = "rsa-sha256";
+static const char RSA_SHA384[] = "rsa-sha384";
+static const char RSA_SHA512[] = "rsa-sha512";
+static const char DSA_SHA1[] = "dsa-sha1";
+
+#if HAS_ECDSA
+static const char ECDSA_SHA1[] = "ecdsa-sha1";
+static const char ECDSA_SHA224[] = "ecdsa-sha224";
+static const char ECDSA_SHA256[] = "ecdsa-sha256";
+static const char ECDSA_SHA384[] = "ecdsa-sha384";
+static const char ECDSA_SHA512[] = "ecdsa-sha512";
+static const char DSA_SHA256[] = "dsa-sha256";
+#endif  // HAS_ECDSA
+
+// Supported digest algorithms taken from #6 of
+// http://www.w3.org/TR/xmldsig-core1/
+static const char DIGEST_SHA1[] = "sha1";
+static const char DIGEST_SHA224[] = "sha224";
+static const char DIGEST_SHA256[] = "sha256";
+static const char DIGEST_SHA384[] = "sha384";
+static const char DIGEST_SHA512[] = "sha512";
+
+BOOL GetXmlEncOptions(VALUE rb_opts,
+                      XmlEncOptions* options,
+                      VALUE* rb_exception_result,
+                      const char** exception_message) {
+  VALUE rb_block_encryption = rb_hash_aref(rb_opts, ID2SYM(rb_intern("block_encryption")));
+  VALUE rb_key_transport = rb_hash_aref(rb_opts, ID2SYM(rb_intern("key_transport")));
+  memset(options, 0, sizeof(XmlEncOptions));
+
+  if (NIL_P(rb_block_encryption) ||
+      TYPE(rb_block_encryption) != T_STRING ||
+      NIL_P(rb_key_transport) ||
+      TYPE(rb_key_transport) != T_STRING) {
+    *rb_exception_result = rb_eArgError;
+    *exception_message = "Must supply :block_encryption & :key_transport";
+    return FALSE;
+  }
+
+  char* blockEncryptionValue = RSTRING_PTR(rb_block_encryption);
+  int blockEncryptionLen = RSTRING_LEN(rb_block_encryption);
+  char* keyTransportValue = RSTRING_PTR(rb_key_transport);
+  int keyTransportLen = RSTRING_LEN(rb_key_transport);
+
+  if (strncmp(AES256_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformAes256CbcId;
+    options->key_type = "aes";
+    options->key_bits = 256;
+  } else if (strncmp(AES128_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformAes128CbcId;
+    options->key_type = "aes";
+    options->key_bits = 128;
+  } else if (strncmp(AES192_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformAes192CbcId;
+    options->key_type = "aes";
+    options->key_bits = 192;
+  } else if (strncmp(TRIPLEDES_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformDes3CbcId;
+    options->key_type = "des";
+    options->key_bits = 192;
+  } else {
+    *rb_exception_result = rb_eArgError;
+    *exception_message = "Unknown :block_encryption value";
+    return FALSE;
+  }
+
+  if (strncmp(RSA1_5, keyTransportValue, keyTransportLen) == 0) {
+    options->key_transport = xmlSecTransformRsaPkcs1Id;
+  } else if (strncmp(RSA_OAEP_MGF1P, keyTransportValue, keyTransportLen) == 0) {
+    options->key_transport = xmlSecTransformRsaOaepId;
+  } else {
+    *rb_exception_result = rb_eArgError;
+    *exception_message = "Unknown :key_transport value";
+    return FALSE;
+  }
+
+  return TRUE;
+}
+
+xmlSecTransformId GetSignatureMethod(VALUE rb_signature_alg,
+                                     VALUE* rb_exception_result,
+                                     const char** exception_message) {
+  const char* signatureAlgorithm = RSTRING_PTR(rb_signature_alg);
+  unsigned int signatureAlgorithmLength = RSTRING_LEN(rb_signature_alg);
+
+  if (strncmp(RSA_SHA1, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformRsaSha1Id;
+  } else if (strncmp(RSA_SHA224, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformRsaSha224Id;
+  } else if (strncmp(RSA_SHA256, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformRsaSha256Id;
+  } else if (strncmp(RSA_SHA384, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformRsaSha384Id;
+  } else if (strncmp(RSA_SHA512, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformRsaSha512Id;
+
+  }
+#if HAS_ECDSA
+  else if (strncmp(ECDSA_SHA1, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformEcdsaSha1Id;
+  } else if (strncmp(ECDSA_SHA224, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformEcdsaSha224Id;
+  } else if (strncmp(ECDSA_SHA256, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformEcdsaSha256Id;
+  } else if (strncmp(ECDSA_SHA384, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformEcdsaSha384Id;
+  } else if (strncmp(ECDSA_SHA512, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformEcdsaSha512Id;
+  } else if (strncmp(DSA_SHA1, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformDsaSha1Id;
+  } else if (strncmp(DSA_SHA256, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformDsaSha256Id;
+  }
+#endif  // HAS_ECDSA
+
+  *rb_exception_result = rb_eArgError;
+  *exception_message = "Unknown :signature_alg";
+  return xmlSecTransformIdUnknown;
+}
+
+xmlSecTransformId GetDigestMethod(VALUE rb_digest_alg,
+                                  VALUE* rb_exception_result,
+                                  const char** exception_message) {
+  const char* digestAlgorithm = RSTRING_PTR(rb_digest_alg);
+  unsigned int digestAlgorithmLength = RSTRING_LEN(rb_digest_alg);
+
+  if (strncmp(DIGEST_SHA1, digestAlgorithm, digestAlgorithmLength) == 0) {
+    return xmlSecTransformSha1Id;
+  } else if (strncmp(DIGEST_SHA224, digestAlgorithm, digestAlgorithmLength) == 0) {
+    return xmlSecTransformSha224Id;
+  } else if (strncmp(DIGEST_SHA256, digestAlgorithm, digestAlgorithmLength) == 0) {
+    return xmlSecTransformSha256Id;
+  } else if (strncmp(DIGEST_SHA384, digestAlgorithm, digestAlgorithmLength) == 0) {
+    return xmlSecTransformSha384Id;
+  } else if (strncmp(DIGEST_SHA512, digestAlgorithm, digestAlgorithmLength) == 0) {
+    return xmlSecTransformSha512Id;
+  }
+
+  *rb_exception_result = rb_eArgError;
+  *exception_message = "Unknown :digest_algorithm";
+  return xmlSecTransformIdUnknown;
+}

data/ext/nokogiri_ext_xmlsec/options.h

@@ -0,0 +1,36 @@
+#ifndef NOKOGIRI_EXT_XMLSEC_OPTIONS_H
+#define NOKOGIRI_EXT_XMLSEC_OPTIONS_H
+
+#include "common.h"
+
+#include <ruby.h>
+#include <xmlsec/crypto.h>
+
+typedef struct {
+  // From :block_encryption
+  xmlSecTransformId block_encryption;
+  const char* key_type;
+  int key_bits;
+
+  // From :key_transport
+  xmlSecTransformId key_transport;
+} XmlEncOptions;
+
+// Supported algorithms taken from #5.1 of
+// http://www.w3.org/TR/xmlenc-core
+//
+// For options, only use the URL fragment (stuff post #)
+// since that's unique enough and it removes a lot of typing.
+BOOL GetXmlEncOptions(VALUE rb_opts, XmlEncOptions* options,
+                      VALUE* rb_exception_result,
+                      const char** exception_message);
+
+// XML DSIG helpers.
+xmlSecTransformId GetSignatureMethod(VALUE rb_method,
+                                     VALUE* rb_exception_result,
+                                     const char** exception_message);
+xmlSecTransformId GetDigestMethod(VALUE rb_digest_method,
+                                  VALUE* rb_exception_result,
+                                  const char** exception_message);
+
+#endif  // NOKOGIRI_EXT_XMLSEC_OPTIONS_H

data/ext/nokogiri_ext_xmlsec/shutdown.c

@@ -0,0 +1,12 @@
+#include "xmlsecrb.h"
+
+/* not actually called anywhere right now, but here for posterity */
+void Shutdown_xmlsecrb() {
+  xmlSecCryptoShutdown();
+  xmlSecCryptoAppShutdown();
+  xmlSecShutdown();
+  xsltCleanupGlobals();
+  #ifndef XMLSEC_NO_XSLT
+    xsltCleanupGlobals();            
+  #endif /* XMLSEC_NO_XSLT */
+}

data/ext/nokogiri_ext_xmlsec/util.c

@@ -0,0 +1,139 @@
+#include "util.h"
+
+#include <xmlsec/errors.h>
+
+xmlSecKeysMngrPtr createKeyManagerWithSingleKey(
+    char* keyStr,
+    unsigned int keyLength,
+    char *keyName,
+    VALUE* rb_exception_result_out,
+    const char** exception_message_out) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+  xmlSecKeysMngrPtr mngr = NULL;
+  xmlSecKeyPtr key = NULL;
+  
+  /* create and initialize keys manager, we use a simple list based
+   * keys manager, implement your own xmlSecKeysStore klass if you need
+   * something more sophisticated 
+   */
+  mngr = xmlSecKeysMngrCreate();
+  if(mngr == NULL) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to create keys manager.";
+    goto done;
+  }
+  if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to initialize keys manager.";
+    goto done;
+  }    
+  
+  /* load private RSA key */
+  key = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)keyStr,
+                                     keyLength,
+                                     xmlSecKeyDataFormatPem,
+                                     NULL, // the key file password
+                                     NULL, // the key password callback
+                                     NULL);// the user context for password callback
+  if(key == NULL) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to load rsa key";
+    goto done;
+  }
+
+  if(xmlSecKeySetName(key, BAD_CAST keyName) < 0) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to set key name";
+    goto done;
+  }
+
+  /* add key to keys manager, from now on keys manager is responsible 
+   * for destroying key 
+   */
+  if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to add key to keys manager";
+    goto done;
+  }
+
+done:
+  if(rb_exception_result != Qnil) {
+    if (key) {
+      xmlSecKeyDestroy(key);
+    }
+
+    if (mngr) {
+      xmlSecKeysMngrDestroy(mngr);
+      mngr = NULL;
+    }
+  }
+
+  *rb_exception_result_out = rb_exception_result;
+  *exception_message_out = exception_message;
+  return mngr;
+}
+
+xmlSecDSigCtxPtr createDSigContext(xmlSecKeysMngrPtr keyManager) {
+  xmlSecDSigCtxPtr dsigCtx = xmlSecDSigCtxCreate(keyManager);
+  if (!dsigCtx) {
+    return NULL;
+  }
+
+  // Restrict ReferenceUris to same document or empty to avoid XXE attacks.
+  dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty |
+                                  xmlSecTransformUriTypeSameDocument;
+
+  return dsigCtx;
+}
+
+#define ERROR_STACK_SIZE      4096
+static char g_errorStack[ERROR_STACK_SIZE];
+static size_t g_errorStackPos;
+
+char* getXmlSecLastError() {
+  return g_errorStack;
+}
+
+int hasXmlSecLastError() {
+  return g_errorStack[0] != '\0';
+}
+
+void resetXmlSecError() {
+  g_errorStack[0] = '\0';
+  g_errorStackPos = 0;
+}
+
+void storeErrorCallback(const char *file,
+                        int line,
+                        const char *func,
+                        const char *errorObject,
+                        const char *errorSubject,
+                        int reason,
+                        const char *msg) {
+  int i = 0;
+  const char* error_msg = NULL;
+  int amt = 0;
+  if (g_errorStackPos >= ERROR_STACK_SIZE) {
+    // Just bail. Earlier errors are more interesting usually anyway.
+    return;
+  }
+
+  for(i = 0; (i < XMLSEC_ERRORS_MAX_NUMBER) && (xmlSecErrorsGetMsg(i) != NULL); ++i) {
+    if(xmlSecErrorsGetCode(i) == reason) {
+      error_msg = xmlSecErrorsGetMsg(i);
+      break;
+    }
+  }
+
+  amt = snprintf(
+      &g_errorStack[g_errorStackPos],
+      ERROR_STACK_SIZE - g_errorStackPos,
+      "func=%s:file=%s:line=%d:obj=%s:subj=%s:error=%d:%s:%s\n",
+      func, file, line, errorObject, errorSubject, reason,
+      error_msg ? error_msg : "", msg);
+
+  if (amt > 0) {
+    g_errorStackPos += amt;
+  }
+}

data/ext/nokogiri_ext_xmlsec/util.h

@@ -0,0 +1,42 @@
+#ifndef NOKOGIRI_EXT_XMLSEC_UTIL_H
+#define NOKOGIRI_EXT_XMLSEC_UTIL_H
+
+#include "xmlsecrb.h"
+
+// Constructs a xmlSecKeysMngr and adds the given named key to the manager.
+//
+// Caller takes ownership. Free with xmlSecKeysMngrDestroy().
+xmlSecKeysMngrPtr createKeyManagerWithSingleKey(
+    char* keyStr,
+    unsigned int keyLength,
+    char *keyName,
+    VALUE* rb_exception_result_out,
+    const char** exception_message_out);
+
+// Creates a xmlSecDSigCtx with defaults locked down to prevent XXE.
+//
+// Caller takes ownership of the context. Free with xmlSecDSigCtxDestroy().
+xmlSecDSigCtxPtr createDSigContext(xmlSecKeysMngrPtr keyManager);
+
+// Retrieves the recorded error strings from libxmlsec1. Ensure resetXmlSecError()
+// is called at the start of the range of error collection.
+char* getXmlSecLastError();
+
+// Reset the recording of errors. After this getXmlSecLastError() will return
+// an empty string. Call at the start of a logical interaction with libxmlsec.
+void resetXmlSecError();
+
+// Return false if there are no errors. If false, getXmlSecLastError() will
+// return an empty string.
+int hasXmlSecLastError();
+
+// Error reporting hooks to redirect Xmlsec1 library errors away from stdout.
+void storeErrorCallback(const char *file,
+                        int line,
+                        const char *func,
+                        const char *errorObject,
+                        const char *errorSubject,
+                        int reason,
+                        const char *msg);
+
+#endif  // NOKOGIRI_EXT_XMLSEC_UTIL_H

data/ext/nokogiri_ext_xmlsec/xmlsecrb.h

@@ -0,0 +1,42 @@
+#ifndef NOKOGIRI_EXT_XMLSEC_XMLSECRB_H
+#define NOKOGIRI_EXT_XMLSEC_XMLSECRB_H
+
+#include "common.h"
+
+#include <ruby.h>
+
+#include <libxml/tree.h>
+#include <libxml/xmlmemory.h>
+#include <libxml/parser.h>
+#include <libxml/xmlstring.h>
+
+#include <libxslt/xslt.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/xmldsig.h>
+#include <xmlsec/xmlenc.h>
+#include <xmlsec/templates.h>
+#include <xmlsec/crypto.h>
+
+// TODO(awong): Support non-gcc and non-clang compilers.
+#define EXTENSION_EXPORT __attribute__((visibility("default")))
+
+VALUE sign(VALUE self, VALUE rb_opts);
+VALUE verify_with(VALUE self, VALUE rb_opts);
+VALUE encrypt_with_key(VALUE self, VALUE rb_rsa_key_name, VALUE rb_rsa_key,
+                       VALUE rb_opts);
+VALUE decrypt_with_key(VALUE self, VALUE rb_key_name, VALUE rb_key);
+VALUE set_id_attribute(VALUE self, VALUE rb_attr_name);
+VALUE get_id(VALUE self, VALUE rb_id);
+
+void Init_Nokogiri_ext(void);
+
+extern VALUE rb_cNokogiri_XML_Document;
+extern VALUE rb_eSigningError;
+extern VALUE rb_eVerificationError;
+extern VALUE rb_eKeystoreError;
+extern VALUE rb_eEncryptionError;
+extern VALUE rb_eDecryptionError;
+
+#endif // NOKOGIRI_EXT_XMLSEC_XMLSECRB_H

data/lib/nokogiri-xmlsec.rb

@@ -0,0 +1 @@
+require 'xmlsec'

data/lib/xmlsec.rb

@@ -0,0 +1,102 @@
+require "xmlsec/version"
+require 'nokogiri'
+require 'nokogiri_ext_xmlsec'
+
+class Nokogiri::XML::Document
+  def sign! opts
+    root.sign! opts
+    self
+  end
+
+  # Verifies the signature on the current document.
+  #
+  # Returns `true` if the signature is valid, `false` otherwise.
+  # 
+  # Examples:
+  #
+  #     # Try to validate with the given public or private key
+  #     doc.verify_with key: 'rsa-key'
+  #
+  #     # Try to validate with a set of keys. It will try to match
+  #     # based on the contents of the `KeyName` element.
+  #     doc.verify_with({
+  #       'key-name'         => 'x509 certificate',
+  #       'another-key-name' => 'rsa-public-key'
+  #     })
+  #     
+  #     # Try to validate with a trusted certificate
+  #     doc.verify_with(cert: 'certificate')
+  #
+  #     # Try to validate with a set of certificates, any one of which
+  #     # can match
+  #     doc.verify_with(certs: ['cert1', 'cert2'])
+  #
+  #     # Validate the signature, checking the certificate validity as of
+  #     # a certain time (anything that's convertible to an integer, such as a Time)
+  #     doc.verify_with(cert: 'certificate', verification_time: message_creation_timestamp)
+  #
+  #     # Validate the signature, but don't validate that the certificate is valid,
+  #     # or has a full trust chain
+  #     doc.verify_with(cert: 'certificate', verify_certificates: false)
+  #
+  def verify_with opts_or_keys
+    first_signature = root.at_xpath("//ds:Signature", 'ds' => "http://www.w3.org/2000/09/xmldsig#")
+    raise XMLSec::VerificationError("start node not found") unless first_signature
+
+    first_signature.verify_with(opts_or_keys)
+  end
+
+  # Attempts to verify the signature of this document using only certificates
+  # installed on the system. This is equivalent to calling
+  # `verify_with certificates: []` (that is, an empty array).
+  #
+  def verify_signature
+    verify_with(certs: [])
+  end
+
+  # Encrypts the current document, then returns it.
+  #
+  # Examples:
+  # 
+  #     # encrypt with a public key and optional key name
+  #     doc.encrypt! key: 'public-key', name: 'name'
+  #
+  def encrypt! opts
+    if opts[:key]
+      encrypt_with_key opts[:name].to_s, opts[:key], opts.select { |key, _| key != :key && key != :name }
+    else
+      raise "public :key is required for encryption"
+    end
+    self
+  end
+
+  # Decrypts the current document, then returns it.
+  #
+  # Examples:
+  #
+  #     # decrypt with a specific private key
+  #     doc.decrypt! key: 'private-key'
+  #     # pass the key as an OpenSSL PKey object
+  #     doc.decrypt! key: OpenSSL::PKey.read('private-key')
+  #
+  def decrypt! opts
+    first_encrypted_node = root.at_xpath("//xenc:EncryptedData", 'xenc' => "http://www.w3.org/2001/04/xmlenc#")
+    raise XMLSec::DecryptionError("start node not found") unless first_encrypted_node
+
+    first_encrypted_node.decrypt_with opts
+    self
+  end
+end
+
+class Nokogiri::XML::Node
+  def decrypt_with(opts)
+    raise 'inadequate options specified for decryption' unless opts[:key]
+
+    parent = self.parent
+    previous = self.previous
+    key = opts[:key]
+    key = key.to_pem if key.respond_to?(:to_pem)
+    decrypt_with_key(opts[:name].to_s, key)
+    previous ? previous.next : parent.children.first
+  end
+end