nokogiri-xmlsec-me-harder 0.9.0

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_certificates.c

@@ -0,0 +1,138 @@
+#include "xmlsecrb.h"
+#include "util.h"
+
+// Constructs a xmlSecKeysMngrPtr and adds all the certs included in |rb_certs|
+// array as trusted certificates.
+static xmlSecKeysMngrPtr createKeyManagerWithRbCertArray(
+    VALUE rb_certs,
+    VALUE* rb_exception_result_out,
+    const char** exception_message_out) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  int i = 0;
+  int numCerts = RARRAY_LEN(rb_certs);
+  xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
+  VALUE rb_cert = Qnil;
+  char *cert = NULL;
+  unsigned int certLength = 0;
+  int numSuccessful = 0;
+
+  if (keyManager == NULL) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to create keys manager.";
+    goto done;
+  }
+
+  if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
+    rb_exception_result = rb_eKeystoreError;
+    exception_message = "could not initialize key manager";
+    goto done;
+  }
+
+  for (i = 0; i < numCerts; i++) {
+    rb_cert = RARRAY_PTR(rb_certs)[i];
+    Check_Type(rb_cert, T_STRING);
+    cert = RSTRING_PTR(rb_cert);
+    certLength = RSTRING_LEN(rb_cert);
+
+    if(xmlSecCryptoAppKeysMngrCertLoadMemory(keyManager,
+                                             (xmlSecByte *)cert,
+                                             certLength,
+                                             xmlSecKeyDataFormatPem,
+                                             xmlSecKeyDataTypeTrusted) < 0) {
+      rb_warn("failed to load certificate at index %d", i);
+    } else {
+      numSuccessful++;
+    }
+  }
+
+  // note, numCerts could be zero, meaning that we should use system SSL certs
+  if (numSuccessful == 0 && numCerts != 0) {
+    rb_exception_result = rb_eKeystoreError;
+    exception_message = "Could not load any of the specified certificates for signature verification";
+    goto done;
+  }
+
+done:
+  if (rb_exception_result != Qnil) {
+    if (keyManager) {
+      xmlSecKeysMngrDestroy(keyManager);
+      keyManager = NULL;
+    }
+  }
+
+  *rb_exception_result_out = rb_exception_result;
+  *exception_message_out = exception_message;
+  return keyManager;
+}
+
+VALUE verify_signature_with_certificates(VALUE self, VALUE rb_certs) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  xmlDocPtr doc = NULL;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  VALUE result = Qfalse;
+
+  resetXmlSecError();
+
+  Check_Type(rb_certs, T_ARRAY);
+  Data_Get_Struct(self, xmlDoc, doc);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "start node not found";
+    goto done;
+  }
+
+  keyManager = createKeyManagerWithRbCertArray(rb_certs, &rb_exception_result,
+                                               &exception_message);
+  if (keyManager == NULL) {
+    // Propagate exception.
+    goto done;
+  }
+
+  // Create signature context.
+  dsigCtx = createDSigContext(keyManager);
+  if(dsigCtx == NULL) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "failed to create signature context";
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "error occurred during signature verification";
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  if(rb_exception_result != Qnil) {
+    if (hasXmlSecLastError()) {
+      rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
+               getXmlSecLastError());
+    } else {
+      rb_raise(rb_exception_result, "%s", exception_message);
+    }
+  }
+
+  return result;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_named_keys.c

@@ -0,0 +1,133 @@
+#include "xmlsecrb.h"
+#include "util.h"
+
+static int addRubyKeyToManager(VALUE rb_key, VALUE rb_value, VALUE rb_manager) {
+  xmlSecKeysMngrPtr keyManager = (xmlSecKeysMngrPtr)rb_manager;
+  char *keyName, *keyData;
+  unsigned int keyDataLength;
+  xmlSecKeyPtr key;
+
+  Check_Type(rb_key, T_STRING);
+  Check_Type(rb_value, T_STRING);
+  keyName = RSTRING_PTR(rb_key);
+  keyData = RSTRING_PTR(rb_value);
+  keyDataLength = RSTRING_LEN(rb_value);
+
+  // load key
+  key = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)keyData,
+                                     keyDataLength,
+                                     xmlSecKeyDataFormatPem,
+                                     NULL, // password
+                                     NULL, NULL);
+  if (key == NULL) {
+    rb_warn("failed to load '%s' public or private pem key", keyName);
+    return ST_CONTINUE;
+  }
+
+  // set key name
+  if (xmlSecKeySetName(key, BAD_CAST keyName) < 0) {
+    rb_warn("failed to set key name for key '%s'", keyName);
+    return ST_CONTINUE;
+  }
+  
+  // add key to key manager; from now on the manager is responsible for
+  // destroying the key
+  if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(keyManager, key) < 0) {
+    rb_warn("failed to add key '%s' to key manager", keyName);
+    return ST_CONTINUE;
+  }
+
+  return ST_CONTINUE;
+}
+
+// Constructs a xmlSecKeysMngr and adds all the named to key mappings
+// specified by the |rb_hash| to the key manager.
+//
+// Caller takes ownership. Free with xmlSecKeysMngrDestroy().
+static xmlSecKeysMngrPtr createKeyManagerFromNamedKeys(
+    VALUE rb_hash,
+    VALUE* rb_exception_result_out,
+    const char** exception_message_out) {
+  xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
+  if (keyManager == NULL) return NULL;
+  if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
+    *rb_exception_result_out = rb_eKeystoreError;
+    *exception_message_out = "could not initialize key manager";
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  rb_hash_foreach(rb_hash, addRubyKeyToManager, (VALUE)keyManager);
+
+  return keyManager;
+}
+
+VALUE verify_signature_with_named_keys(VALUE self, VALUE rb_hash) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  xmlDocPtr doc = NULL;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  VALUE result = Qfalse;
+
+  resetXmlSecError();
+
+  Check_Type(rb_hash, T_HASH);
+  Data_Get_Struct(self, xmlDoc, doc);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "start node not found";
+    goto done;
+  }
+
+  keyManager = createKeyManagerFromNamedKeys(rb_hash, &rb_exception_result,
+                                             &exception_message);
+  if (keyManager == NULL) {
+    // Propagate exception.
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = createDSigContext(keyManager);
+  if(dsigCtx == NULL) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "failed to create signature context";
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "signature could not be verified";
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  if(rb_exception_result != Qnil) {
+    if (hasXmlSecLastError()) {
+      rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
+               getXmlSecLastError());
+    } else {
+      rb_raise(rb_exception_result, "%s", exception_message);
+    }
+  }
+
+  return result;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_rsa.c

@@ -0,0 +1,76 @@
+#include "xmlsecrb.h"
+#include "util.h"
+
+VALUE verify_signature_with_rsa_key(VALUE self, VALUE rb_rsa_key) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  xmlDocPtr doc = NULL;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *rsa_key = NULL;
+  unsigned int rsa_key_length = 0;
+  VALUE result = Qfalse;
+
+  resetXmlSecError();
+
+  Data_Get_Struct(self, xmlDoc, doc);
+  Check_Type(rb_rsa_key,  T_STRING);
+  rsa_key = RSTRING_PTR(rb_rsa_key);
+  rsa_key_length = RSTRING_LEN(rb_rsa_key);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "start node not found";
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = createDSigContext(NULL);
+  if(dsigCtx == NULL) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "failed to create signature context";
+    goto done;
+  }
+
+  // load public key
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsa_key,
+                                                  rsa_key_length,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL, NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "failed to load public pem key";
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_exception_result = rb_eVerificationError;
+    exception_message = "signature could not be verified";
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if(rb_exception_result != Qnil) {
+    if (hasXmlSecLastError()) {
+      rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
+               getXmlSecLastError());
+    } else {
+      rb_raise(rb_exception_result, "%s", exception_message);
+    }
+  }
+
+  return result;
+}

data/ext/nokogiri_ext_xmlsec/options.c

@@ -0,0 +1,166 @@
+#include "options.h"
+
+#include "common.h"
+
+#if (XMLSEC_VERSION_MAJOR > 1) || (XMLSEC_VERSION_MAJOR == 1 && (XMLSEC_VERSION_MINOR > 2 || (XMLSEC_VERSION_MINOR == 2 && XMLSEC_VERSION_SUBMINOR >= 20)))
+# define HAS_ECDSA 1
+#else
+# define HAS_ECDSA 0
+#endif
+
+// Key Transport Strings.
+static const char RSA1_5[] = "rsa-1_5";
+static const char RSA_OAEP_MGF1P[] = "rsa-oaep-mgf1p";
+
+// Block Encryption Strings.
+static const char TRIPLEDES_CBC[] = "tripledes-cbc";
+static const char AES128_CBC[] = "aes128-cbc";
+static const char AES256_CBC[] = "aes256-cbc";
+static const char AES192_CBC[] = "aes192-cbc";
+
+// Supported signature algorithms taken from #6 of
+// http://www.w3.org/TR/xmldsig-core1/
+static const char RSA_SHA1[] = "rsa-sha1";
+static const char RSA_SHA224[] = "rsa-sha224";
+static const char RSA_SHA256[] = "rsa-sha256";
+static const char RSA_SHA384[] = "rsa-sha384";
+static const char RSA_SHA512[] = "rsa-sha512";
+static const char DSA_SHA1[] = "dsa-sha1";
+
+#if HAS_ECDSA
+static const char ECDSA_SHA1[] = "ecdsa-sha1";
+static const char ECDSA_SHA224[] = "ecdsa-sha224";
+static const char ECDSA_SHA256[] = "ecdsa-sha256";
+static const char ECDSA_SHA384[] = "ecdsa-sha384";
+static const char ECDSA_SHA512[] = "ecdsa-sha512";
+static const char DSA_SHA256[] = "dsa-sha256";
+#endif  // HAS_ECDSA
+
+// Supported digest algorithms taken from #6 of
+// http://www.w3.org/TR/xmldsig-core1/
+static const char DIGEST_SHA1[] = "sha1";
+static const char DIGEST_SHA224[] = "sha224";
+static const char DIGEST_SHA256[] = "sha256";
+static const char DIGEST_SHA384[] = "sha384";
+static const char DIGEST_SHA512[] = "sha512";
+
+BOOL GetXmlEncOptions(VALUE rb_opts,
+                      XmlEncOptions* options,
+                      VALUE* rb_exception_result,
+                      const char** exception_message) {
+  VALUE rb_block_encryption = rb_hash_aref(rb_opts, ID2SYM(rb_intern("block_encryption")));
+  VALUE rb_key_transport = rb_hash_aref(rb_opts, ID2SYM(rb_intern("key_transport")));
+  memset(options, 0, sizeof(XmlEncOptions));
+
+  if (NIL_P(rb_block_encryption) ||
+      TYPE(rb_block_encryption) != T_STRING ||
+      NIL_P(rb_key_transport) ||
+      TYPE(rb_key_transport) != T_STRING) {
+    *rb_exception_result = rb_eArgError;
+    *exception_message = "Must supply :block_encryption & :key_transport";
+    return FALSE;
+  }
+
+  char* blockEncryptionValue = RSTRING_PTR(rb_block_encryption);
+  int blockEncryptionLen = RSTRING_LEN(rb_block_encryption);
+  char* keyTransportValue = RSTRING_PTR(rb_key_transport);
+  int keyTransportLen = RSTRING_LEN(rb_key_transport);
+
+  if (strncmp(AES256_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformAes256CbcId;
+    options->key_type = "aes";
+    options->key_bits = 256;
+  } else if (strncmp(AES128_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformAes128CbcId;
+    options->key_type = "aes";
+    options->key_bits = 128;
+  } else if (strncmp(AES192_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformAes192CbcId;
+    options->key_type = "aes";
+    options->key_bits = 192;
+  } else if (strncmp(TRIPLEDES_CBC, blockEncryptionValue, blockEncryptionLen) == 0) {
+    options->block_encryption = xmlSecTransformDes3CbcId;
+    options->key_type = "des";
+    options->key_bits = 192;
+  } else {
+    *rb_exception_result = rb_eArgError;
+    *exception_message = "Unknown :block_encryption value";
+    return FALSE;
+  }
+
+  if (strncmp(RSA1_5, keyTransportValue, keyTransportLen) == 0) {
+    options->key_transport = xmlSecTransformRsaPkcs1Id;
+  } else if (strncmp(RSA_OAEP_MGF1P, keyTransportValue, keyTransportLen) == 0) {
+    options->key_transport = xmlSecTransformRsaOaepId;
+  } else {
+    *rb_exception_result = rb_eArgError;
+    *exception_message = "Unknown :key_transport value";
+    return FALSE;
+  }
+
+  return TRUE;
+}
+
+xmlSecTransformId GetSignatureMethod(VALUE rb_signature_alg,
+                                     VALUE* rb_exception_result,
+                                     const char** exception_message) {
+  const char* signatureAlgorithm = RSTRING_PTR(rb_signature_alg);
+  unsigned int signatureAlgorithmLength = RSTRING_LEN(rb_signature_alg);
+
+  if (strncmp(RSA_SHA1, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformRsaSha1Id;
+  } else if (strncmp(RSA_SHA224, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformRsaSha224Id;
+  } else if (strncmp(RSA_SHA256, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformRsaSha256Id;
+  } else if (strncmp(RSA_SHA384, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformRsaSha384Id;
+  } else if (strncmp(RSA_SHA512, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformRsaSha512Id;
+
+  }
+#if HAS_ECDSA
+  else if (strncmp(ECDSA_SHA1, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformEcdsaSha1Id;
+  } else if (strncmp(ECDSA_SHA224, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformEcdsaSha224Id;
+  } else if (strncmp(ECDSA_SHA256, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformEcdsaSha256Id;
+  } else if (strncmp(ECDSA_SHA384, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformEcdsaSha384Id;
+  } else if (strncmp(ECDSA_SHA512, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformEcdsaSha512Id;
+  } else if (strncmp(DSA_SHA1, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformDsaSha1Id;
+  } else if (strncmp(DSA_SHA256, signatureAlgorithm, signatureAlgorithmLength) == 0) {
+    return xmlSecTransformDsaSha256Id;
+  }
+#endif  // HAS_ECDSA
+
+  *rb_exception_result = rb_eArgError;
+  *exception_message = "Unknown :signature_alg";
+  return xmlSecTransformIdUnknown;
+}
+
+xmlSecTransformId GetDigestMethod(VALUE rb_digest_alg,
+                                  VALUE* rb_exception_result,
+                                  const char** exception_message) {
+  const char* digestAlgorithm = RSTRING_PTR(rb_digest_alg);
+  unsigned int digestAlgorithmLength = RSTRING_LEN(rb_digest_alg);
+
+  if (strncmp(DIGEST_SHA1, digestAlgorithm, digestAlgorithmLength) == 0) {
+    return xmlSecTransformSha1Id;
+  } else if (strncmp(DIGEST_SHA224, digestAlgorithm, digestAlgorithmLength) == 0) {
+    return xmlSecTransformSha224Id;
+  } else if (strncmp(DIGEST_SHA256, digestAlgorithm, digestAlgorithmLength) == 0) {
+    return xmlSecTransformSha256Id;
+  } else if (strncmp(DIGEST_SHA384, digestAlgorithm, digestAlgorithmLength) == 0) {
+    return xmlSecTransformSha384Id;
+  } else if (strncmp(DIGEST_SHA512, digestAlgorithm, digestAlgorithmLength) == 0) {
+    return xmlSecTransformSha512Id;
+  }
+
+  *rb_exception_result = rb_eArgError;
+  *exception_message = "Unknown :digest_algorithm";
+  return xmlSecTransformIdUnknown;
+}