nokogiri-xmlsec-me-harder 0.9.0

data/ext/nokogiri_ext_xmlsec/nokogiri_helpers_set_attribute_id.c

@@ -0,0 +1,76 @@
+#include "xmlsecrb.h"
+#include "util.h"
+
+VALUE set_id_attribute(VALUE self, VALUE rb_attr_name) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  xmlNodePtr node = NULL;
+  xmlAttrPtr attr = NULL;
+  xmlAttrPtr tmp = NULL;
+  xmlChar *name = NULL;
+  char *idName = NULL;
+  char *exception_attribute_arg = NULL;
+  
+  resetXmlSecError();
+
+  Data_Get_Struct(self, xmlNode, node);
+  Check_Type(rb_attr_name, T_STRING);
+  idName = StringValueCStr(rb_attr_name);
+
+  // find pointer to id attribute
+  attr = xmlHasProp(node, (const xmlChar* )idName);
+  if((attr == NULL) || (attr->children == NULL)) {
+    rb_exception_result = rb_eRuntimeError;
+    exception_message = "Can't find attribute to add register as id";
+    goto done;
+  }
+  
+  // get the attribute (id) value
+  name = xmlNodeListGetString(node->doc, attr->children, 1);
+  if(name == NULL) {
+    rb_exception_result = rb_eRuntimeError;
+    exception_message = "has no value";
+    exception_attribute_arg = idName;
+    goto done;
+  }
+  
+  // check that we don't have that id already registered
+  tmp = xmlGetID(node->doc, name);
+  if(tmp != NULL) {
+    rb_exception_result = rb_eRuntimeError;
+    exception_message = "is already an ID";
+    exception_attribute_arg = idName;
+    goto done;
+  }
+  
+  // finally register id
+  xmlAddID(NULL, node->doc, name, attr);
+
+done:
+  // and do not forget to cleanup
+  if (name) {
+    xmlFree(name);
+  }
+
+  if(rb_exception_result != Qnil) {
+    if (exception_attribute_arg) {
+      if (hasXmlSecLastError()) {
+        rb_raise(rb_exception_result, "Attribute %s %s, XmlSec error: %s",
+            exception_attribute_arg, exception_message, getXmlSecLastError());
+      } else {
+        rb_raise(rb_exception_result, "Attribute %s %s",
+            exception_attribute_arg, exception_message);
+      }
+    } else {
+      if (hasXmlSecLastError()) {
+        rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
+                 getXmlSecLastError());
+      } else {
+        rb_raise(rb_exception_result, "%s", exception_message);
+      }
+    }
+  }
+
+  return Qtrue;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_init.c

@@ -0,0 +1,32 @@
+#include "xmlsecrb.h"
+
+VALUE rb_cNokogiri_XML_Document = Qnil;
+VALUE rb_cNokogiri_XML_Node = Qnil;
+VALUE rb_eSigningError = Qnil;
+VALUE rb_eVerificationError = Qnil;
+VALUE rb_eKeystoreError = Qnil;
+VALUE rb_eEncryptionError = Qnil;
+VALUE rb_eDecryptionError = Qnil;
+
+void Init_Nokogiri_ext() {
+  VALUE XMLSec = rb_define_module("XMLSec");
+  VALUE Nokogiri = rb_define_module("Nokogiri");
+  VALUE Nokogiri_XML = rb_define_module_under(Nokogiri, "XML");
+  rb_cNokogiri_XML_Document = rb_const_get(Nokogiri_XML, rb_intern("Document"));
+  rb_cNokogiri_XML_Node = rb_const_get(Nokogiri_XML, rb_intern("Node"));
+
+  rb_define_method(rb_cNokogiri_XML_Document, "sign_with_key",            sign_with_key, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "sign_with_certificate",    sign_with_certificate, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "verify_with_rsa_key",      verify_signature_with_rsa_key, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "verify_with_named_keys",   verify_signature_with_named_keys, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "verify_with_certificates", verify_signature_with_certificates, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "encrypt_with_key",         encrypt_with_key, 3);
+  rb_define_method(rb_cNokogiri_XML_Document, "decrypt_with_key",         decrypt_with_key, 2);
+  rb_define_method(rb_cNokogiri_XML_Node,     "set_id_attribute",         set_id_attribute, 1);
+
+  rb_eSigningError      = rb_define_class_under(XMLSec, "SigningError",      rb_eRuntimeError);
+  rb_eVerificationError = rb_define_class_under(XMLSec, "VerificationError", rb_eRuntimeError);
+  rb_eKeystoreError     = rb_define_class_under(XMLSec, "KeystoreError",     rb_eRuntimeError);
+  rb_eEncryptionError   = rb_define_class_under(XMLSec, "EncryptionError",   rb_eRuntimeError);
+  rb_eDecryptionError   = rb_define_class_under(XMLSec, "DecryptionError",   rb_eRuntimeError);
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_sign_certificate.c

@@ -0,0 +1,186 @@
+#include "xmlsecrb.h"
+
+#include "options.h"
+#include "util.h"
+
+// Appends an xmlsig <dsig:Signature> node to document stored in |self|
+// with a signature based on the given key and cert.
+//
+// Expects a ruby hash for the signing arguments.
+// Hash parameters:
+//   :key - A PEM encoded rsa key for signing.
+//   :cert - The public cert to include with the signature.
+//   :signature_alg - Algorithm identified by the URL fragment. Supported algorithms
+//             taken from http://www.w3.org/TR/xmldsig-core
+//   :digest_alg - Algorithm identified by the URL fragment. Supported algorithms
+//             taken from http://www.w3.org/TR/xmldsig-core
+//   :name - [optional] String with name of the rsa key.
+//   :uri - [optional] The URI attribute for the <Reference> node in the
+//          signature.
+VALUE sign_with_certificate(VALUE self, VALUE rb_opts) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  xmlDocPtr doc = NULL;
+  xmlNodePtr signNode = NULL;
+  xmlNodePtr refNode = NULL;
+  xmlNodePtr keyInfoNode = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *keyName = "";
+  char *certificate = NULL;
+  char *rsaKey = NULL;
+  char *refUri = NULL;
+  unsigned int rsaKeyLength = 0;
+  unsigned int certificateLength = 0;
+
+  resetXmlSecError();
+
+  VALUE rb_rsa_key = rb_hash_aref(rb_opts, ID2SYM(rb_intern("key")));
+  VALUE rb_cert = rb_hash_aref(rb_opts, ID2SYM(rb_intern("cert")));
+  VALUE rb_signature_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("signature_alg")));
+  VALUE rb_digest_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("digest_alg")));
+  VALUE rb_uri = rb_hash_aref(rb_opts, ID2SYM(rb_intern("uri")));
+  VALUE rb_key_name = rb_hash_aref(rb_opts, ID2SYM(rb_intern("name")));
+
+  Check_Type(rb_rsa_key, T_STRING);
+  Check_Type(rb_cert, T_STRING);
+  Check_Type(rb_signature_alg, T_STRING);
+  Check_Type(rb_digest_alg, T_STRING);
+
+  rsaKey = RSTRING_PTR(rb_rsa_key);
+  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
+  certificate = RSTRING_PTR(rb_cert);
+  certificateLength = RSTRING_LEN(rb_cert);
+
+  if (!NIL_P(rb_key_name))  {
+    Check_Type(rb_key_name, T_STRING);
+    keyName = StringValueCStr(rb_key_name);
+  }
+  if (!NIL_P(rb_uri)) {
+    Check_Type(rb_uri, T_STRING);
+    refUri = StringValueCStr(rb_uri);
+  }
+
+  Data_Get_Struct(self, xmlDoc, doc);
+  xmlSecTransformId signature_algorithm = GetSignatureMethod(rb_signature_alg,
+      &rb_exception_result, &exception_message);
+  if (signature_algorithm == xmlSecTransformIdUnknown) {
+    // Propagate exception.
+    goto done;
+  }
+
+  // create signature template for enveloped signature.
+  signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
+                                       signature_algorithm, NULL);
+  if (signNode == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to create signature template";
+    goto done;
+  }
+
+  // add <dsig:Signature/> node to the doc
+  xmlAddChild(xmlDocGetRootElement(doc), signNode);
+
+  // add reference
+  xmlSecTransformId digest_algorithm = GetDigestMethod(rb_digest_alg,
+      &rb_exception_result, &exception_message);
+  if (digest_algorithm == xmlSecTransformIdUnknown) {
+    // Propagate exception.
+    goto done;
+  }
+  refNode = xmlSecTmplSignatureAddReference(signNode, digest_algorithm,
+                                            NULL, (const xmlChar *)refUri, NULL);
+  if(refNode == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add reference to signature template";
+    goto done;
+  }
+
+  // add enveloped transform
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add enveloped transform to reference";
+    goto done;
+  }
+
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformExclC14NId) == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add canonicalization transform to reference";
+    goto done;
+  }
+
+  // add <dsig:KeyInfo/> and <dsig:X509Data/>
+  keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
+  if(keyInfoNode == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add key info";
+    goto done;
+  }
+  
+  if(xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add X509Data node";
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = createDSigContext(NULL);
+  if(dsigCtx == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to create signature context";
+    goto done;
+  }
+
+  // load private key, assuming that there is not password
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
+                                                  rsaKeyLength,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL,
+                                                  NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to load private key";
+    goto done;
+  }
+  
+  // load certificate and add to the key
+  if(xmlSecCryptoAppKeyCertLoadMemory(dsigCtx->signKey,
+                                      (xmlSecByte *)certificate,
+                                      certificateLength,
+                                      xmlSecKeyDataFormatPem) < 0) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to load certificate";
+    goto done;
+  }
+
+  // set key name
+  if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to set key name";
+    goto done;
+  }
+
+  // sign the template
+  if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "signature failed";
+    goto done;
+  }
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if(rb_exception_result != Qnil) {
+    if (hasXmlSecLastError()) {
+      rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
+               getXmlSecLastError());
+    } else {
+      rb_raise(rb_exception_result, "%s", exception_message);
+    }
+  }
+
+  return Qnil;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_sign_rsa.c

@@ -0,0 +1,167 @@
+#include "xmlsecrb.h"
+
+#include "options.h"
+#include "util.h"
+
+// Appends an xmlsig <dsig:Signature> node to document stored in |self|
+// with a signature based on the given bare rsa key and keyname.
+//
+// Expects a ruby hash for the signing arguments.
+// Hash parameters:
+//   :key_name - String with name of the rsa key. May be the empty string.
+//   :rsa_key - A PEM encoded rsa key for signing.
+//   :signature_alg - Algorithm identified by the URL fragment. Supported algorithms
+//             taken from http://www.w3.org/TR/xmldsig-core
+//   :digest_alg - Algorithm identified by the URL fragment. Supported algorithms
+//             taken from http://www.w3.org/TR/xmldsig-core
+//   :ref_uri - [optional] The URI attribute for the <Reference> node in the
+//             signature.
+VALUE sign_with_key(VALUE self, VALUE rb_opts) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  xmlDocPtr doc = NULL;
+  xmlNodePtr signNode = NULL;
+  xmlNodePtr refNode = NULL;
+  xmlNodePtr keyInfoNode = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *keyName = NULL;
+  char *rsaKey = NULL;
+  char *refUri = NULL;
+  unsigned int rsaKeyLength = 0;
+
+  resetXmlSecError();
+
+  VALUE rb_key_name = rb_hash_aref(rb_opts, ID2SYM(rb_intern("name")));
+  VALUE rb_rsa_key = rb_hash_aref(rb_opts, ID2SYM(rb_intern("key")));
+  VALUE rb_signature_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("signature_alg")));
+  VALUE rb_digest_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("digest_alg")));
+  VALUE rb_uri = rb_hash_aref(rb_opts, ID2SYM(rb_intern("uri")));
+
+  Check_Type(rb_rsa_key,  T_STRING);
+  Check_Type(rb_key_name, T_STRING);
+  Check_Type(rb_signature_alg, T_STRING);
+  Check_Type(rb_digest_alg, T_STRING);
+
+  rsaKey = RSTRING_PTR(rb_rsa_key);
+  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
+  keyName = StringValueCStr(rb_key_name);
+
+  if (!NIL_P(rb_uri)) {
+    Check_Type(rb_uri, T_STRING);
+    refUri = StringValueCStr(rb_uri);
+  }
+
+  Data_Get_Struct(self, xmlDoc, doc);
+  xmlSecTransformId signature_algorithm = GetSignatureMethod(rb_signature_alg,
+      &rb_exception_result, &exception_message);
+  if (signature_algorithm == xmlSecTransformIdUnknown) {
+    // Propagate exception.
+    goto done;
+  }
+
+  // create signature template for enveloped signature
+  signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
+                                       signature_algorithm, NULL);
+  if (signNode == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to create signature template";
+    goto done;
+  }
+
+  // add <dsig:Signature/> node to the doc
+  xmlAddChild(xmlDocGetRootElement(doc), signNode);
+
+  // add reference
+  xmlSecTransformId digest_algorithm = GetDigestMethod(rb_digest_alg,
+      &rb_exception_result, &exception_message);
+  if (digest_algorithm == xmlSecTransformIdUnknown) {
+    // Propagate exception.
+    goto done;
+  }
+  refNode = xmlSecTmplSignatureAddReference(signNode, digest_algorithm,
+                                            NULL, (const xmlChar *)refUri, NULL);
+  if(refNode == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add reference to signature template";
+    goto done;
+  }
+
+  // add enveloped transform
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add enveloped transform to reference";
+    goto done;
+  }
+
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformExclC14NId) == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add canonicalization transform to reference";
+    goto done;
+  }
+
+  // add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the signed
+  // document
+  keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
+  if(keyInfoNode == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add key info";
+    goto done;
+  }
+  if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to add key name";
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = createDSigContext(NULL);
+  if(dsigCtx == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to create signature context";
+    goto done;
+  }
+
+  // load private key, assuming that there is no password
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
+                                                  rsaKeyLength,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL,
+                                                  NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to load private pem key";
+    goto done;
+  }
+
+  // set key name
+  if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "failed to set key name";
+    goto done;
+  }
+
+  // sign the template
+  if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
+    rb_exception_result = rb_eSigningError;
+    exception_message = "signature failed";
+    goto done;
+  }
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if(rb_exception_result != Qnil) {
+    if (hasXmlSecLastError()) {
+      rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
+               getXmlSecLastError());
+    } else {
+      rb_raise(rb_exception_result, "%s", exception_message);
+    }
+  }
+
+  return Qnil;
+}