nokogiri-xmlsec-me-harder 0.9.0

data/ext/nokogiri_ext_xmlsec/options.h

@@ -0,0 +1,36 @@
+#ifndef NOKOGIRI_EXT_XMLSEC_OPTIONS_H
+#define NOKOGIRI_EXT_XMLSEC_OPTIONS_H
+
+#include "common.h"
+
+#include <ruby.h>
+#include <xmlsec/crypto.h>
+
+typedef struct {
+  // From :block_encryption
+  xmlSecTransformId block_encryption;
+  const char* key_type;
+  int key_bits;
+
+  // From :key_transport
+  xmlSecTransformId key_transport;
+} XmlEncOptions;
+
+// Supported algorithms taken from #5.1 of
+// http://www.w3.org/TR/xmlenc-core
+//
+// For options, only use the URL fragment (stuff post #)
+// since that's unique enough and it removes a lot of typing.
+BOOL GetXmlEncOptions(VALUE rb_opts, XmlEncOptions* options,
+                      VALUE* rb_exception_result,
+                      const char** exception_message);
+
+// XML DSIG helpers.
+xmlSecTransformId GetSignatureMethod(VALUE rb_method,
+                                     VALUE* rb_exception_result,
+                                     const char** exception_message);
+xmlSecTransformId GetDigestMethod(VALUE rb_digest_method,
+                                  VALUE* rb_exception_result,
+                                  const char** exception_message);
+
+#endif  // NOKOGIRI_EXT_XMLSEC_OPTIONS_H

data/ext/nokogiri_ext_xmlsec/shutdown.c

@@ -0,0 +1,12 @@
+#include "xmlsecrb.h"
+
+/* not actually called anywhere right now, but here for posterity */
+void Shutdown_xmlsecrb() {
+  xmlSecCryptoShutdown();
+  xmlSecCryptoAppShutdown();
+  xmlSecShutdown();
+  xsltCleanupGlobals();
+  #ifndef XMLSEC_NO_XSLT
+    xsltCleanupGlobals();            
+  #endif /* XMLSEC_NO_XSLT */
+}

data/ext/nokogiri_ext_xmlsec/util.c

@@ -0,0 +1,139 @@
+#include "util.h"
+
+#include <xmlsec/errors.h>
+
+xmlSecKeysMngrPtr createKeyManagerWithSingleKey(
+    char* keyStr,
+    unsigned int keyLength,
+    char *keyName,
+    VALUE* rb_exception_result_out,
+    const char** exception_message_out) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+  xmlSecKeysMngrPtr mngr = NULL;
+  xmlSecKeyPtr key = NULL;
+  
+  /* create and initialize keys manager, we use a simple list based
+   * keys manager, implement your own xmlSecKeysStore klass if you need
+   * something more sophisticated 
+   */
+  mngr = xmlSecKeysMngrCreate();
+  if(mngr == NULL) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to create keys manager.";
+    goto done;
+  }
+  if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to initialize keys manager.";
+    goto done;
+  }    
+  
+  /* load private RSA key */
+  key = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)keyStr,
+                                     keyLength,
+                                     xmlSecKeyDataFormatPem,
+                                     NULL, // the key file password
+                                     NULL, // the key password callback
+                                     NULL);// the user context for password callback
+  if(key == NULL) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to load rsa key";
+    goto done;
+  }
+
+  if(xmlSecKeySetName(key, BAD_CAST keyName) < 0) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to set key name";
+    goto done;
+  }
+
+  /* add key to keys manager, from now on keys manager is responsible 
+   * for destroying key 
+   */
+  if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to add key to keys manager";
+    goto done;
+  }
+
+done:
+  if(rb_exception_result != Qnil) {
+    if (key) {
+      xmlSecKeyDestroy(key);
+    }
+
+    if (mngr) {
+      xmlSecKeysMngrDestroy(mngr);
+      mngr = NULL;
+    }
+  }
+
+  *rb_exception_result_out = rb_exception_result;
+  *exception_message_out = exception_message;
+  return mngr;
+}
+
+xmlSecDSigCtxPtr createDSigContext(xmlSecKeysMngrPtr keyManager) {
+  xmlSecDSigCtxPtr dsigCtx = xmlSecDSigCtxCreate(keyManager);
+  if (!dsigCtx) {
+    return NULL;
+  }
+
+  // Restrict ReferenceUris to same document or empty to avoid XXE attacks.
+  dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty |
+                                  xmlSecTransformUriTypeSameDocument;
+
+  return dsigCtx;
+}
+
+#define ERROR_STACK_SIZE      4096
+static char g_errorStack[ERROR_STACK_SIZE];
+static size_t g_errorStackPos;
+
+char* getXmlSecLastError() {
+  return g_errorStack;
+}
+
+int hasXmlSecLastError() {
+  return g_errorStack[0] != '\0';
+}
+
+void resetXmlSecError() {
+  g_errorStack[0] = '\0';
+  g_errorStackPos = 0;
+}
+
+void storeErrorCallback(const char *file,
+                        int line,
+                        const char *func,
+                        const char *errorObject,
+                        const char *errorSubject,
+                        int reason,
+                        const char *msg) {
+  int i = 0;
+  const char* error_msg = NULL;
+  int amt = 0;
+  if (g_errorStackPos >= ERROR_STACK_SIZE) {
+    // Just bail. Earlier errors are more interesting usually anyway.
+    return;
+  }
+
+  for(i = 0; (i < XMLSEC_ERRORS_MAX_NUMBER) && (xmlSecErrorsGetMsg(i) != NULL); ++i) {
+    if(xmlSecErrorsGetCode(i) == reason) {
+      error_msg = xmlSecErrorsGetMsg(i);
+      break;
+    }
+  }
+
+  amt = snprintf(
+      &g_errorStack[g_errorStackPos],
+      ERROR_STACK_SIZE - g_errorStackPos,
+      "func=%s:file=%s:line=%d:obj=%s:subj=%s:error=%d:%s:%s\n",
+      func, file, line, errorObject, errorSubject, reason,
+      error_msg ? error_msg : "", msg);
+
+  if (amt > 0) {
+    g_errorStackPos += amt;
+  }
+}

data/ext/nokogiri_ext_xmlsec/util.h

@@ -0,0 +1,42 @@
+#ifndef NOKOGIRI_EXT_XMLSEC_UTIL_H
+#define NOKOGIRI_EXT_XMLSEC_UTIL_H
+
+#include "xmlsecrb.h"
+
+// Constructs a xmlSecKeysMngr and adds the given named key to the manager.
+//
+// Caller takes ownership. Free with xmlSecKeysMngrDestroy().
+xmlSecKeysMngrPtr createKeyManagerWithSingleKey(
+    char* keyStr,
+    unsigned int keyLength,
+    char *keyName,
+    VALUE* rb_exception_result_out,
+    const char** exception_message_out);
+
+// Creates a xmlSecDSigCtx with defaults locked down to prevent XXE.
+//
+// Caller takes ownership of the context. Free with xmlSecDSigCtxDestroy().
+xmlSecDSigCtxPtr createDSigContext(xmlSecKeysMngrPtr keyManager);
+
+// Retrieves the recorded error strings from libxmlsec1. Ensure resetXmlSecError()
+// is called at the start of the range of error collection.
+char* getXmlSecLastError();
+
+// Reset the recording of errors. After this getXmlSecLastError() will return
+// an empty string. Call at the start of a logical interaction with libxmlsec.
+void resetXmlSecError();
+
+// Return false if there are no errors. If false, getXmlSecLastError() will
+// return an empty string.
+int hasXmlSecLastError();
+
+// Error reporting hooks to redirect Xmlsec1 library errors away from stdout.
+void storeErrorCallback(const char *file,
+                        int line,
+                        const char *func,
+                        const char *errorObject,
+                        const char *errorSubject,
+                        int reason,
+                        const char *msg);
+
+#endif  // NOKOGIRI_EXT_XMLSEC_UTIL_H

data/ext/nokogiri_ext_xmlsec/xmlsecrb.h

@@ -0,0 +1,44 @@
+#ifndef NOKOGIRI_EXT_XMLSEC_XMLSECRB_H
+#define NOKOGIRI_EXT_XMLSEC_XMLSECRB_H
+
+#include "common.h"
+
+#include <ruby.h>
+
+#include <libxml/tree.h>
+#include <libxml/xmlmemory.h>
+#include <libxml/parser.h>
+#include <libxml/xmlstring.h>
+
+#include <libxslt/xslt.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/xmldsig.h>
+#include <xmlsec/xmlenc.h>
+#include <xmlsec/templates.h>
+#include <xmlsec/crypto.h>
+
+// TODO(awong): Support non-gcc and non-clang compilers.
+#define EXTENSION_EXPORT __attribute__((visibility("default")))
+
+VALUE sign_with_key(VALUE self, VALUE rb_opts);
+VALUE sign_with_certificate(VALUE self, VALUE rb_opts);
+VALUE verify_signature_with_rsa_key(VALUE self, VALUE rb_rsa_key);
+VALUE verify_signature_with_named_keys(VALUE self, VALUE rb_keys);
+VALUE verify_signature_with_certificates(VALUE self, VALUE rb_certs);
+VALUE encrypt_with_key(VALUE self, VALUE rb_rsa_key_name, VALUE rb_rsa_key,
+                       VALUE rb_opts);
+VALUE decrypt_with_key(VALUE self, VALUE rb_key_name, VALUE rb_key);
+VALUE set_id_attribute(VALUE self, VALUE rb_attr_name);
+
+void Init_Nokogiri_ext(void);
+
+extern VALUE rb_cNokogiri_XML_Document;
+extern VALUE rb_eSigningError;
+extern VALUE rb_eVerificationError;
+extern VALUE rb_eKeystoreError;
+extern VALUE rb_eEncryptionError;
+extern VALUE rb_eDecryptionError;
+
+#endif // NOKOGIRI_EXT_XMLSEC_XMLSECRB_H

data/lib/nokogiri-xmlsec.rb

@@ -0,0 +1 @@
+require 'xmlsec'

data/lib/xmlsec.rb

@@ -0,0 +1,104 @@
+require "xmlsec/version"
+require 'nokogiri'
+require 'nokogiri_ext_xmlsec'
+
+class Nokogiri::XML::Document
+  # Signs this document, and then returns it.
+  #
+  # Examples:
+  #
+  #     doc.sign! key: 'rsa-private-key'
+  #     doc.sign! key: 'rsa-private-key', name: 'key-name'
+  #     doc.sign! cert: 'x509 certificate', key: 'cert private key'
+  #     doc.sign! cert: 'x509 certificate', key: 'cert private key',
+  #               name: 'key-name'
+  def sign! opts
+    if opts.has_key? :cert
+      raise "need a private :key" unless opts[:key]
+      sign_with_certificate opts
+    elsif opts[:key]
+      sign_with_key opts
+    else
+      raise "No private :key was given"
+    end
+    self
+  end
+
+  # Verifies the signature on the current document.
+  #
+  # Returns `true` if the signature is valid, `false` otherwise.
+  # 
+  # Examples:
+  #
+  #     # Try to validate with the given public or private key
+  #     doc.verify_with key: 'rsa-key'
+  #
+  #     # Try to validate with a set of keys. It will try to match
+  #     # based on the contents of the `KeyName` element.
+  #     doc.verify_with({
+  #       'key-name'         => 'x509 certificate',
+  #       'another-key-name' => 'rsa-public-key'
+  #     })
+  #     
+  #     # Try to validate with a trusted certificate
+  #     doc.verify_with(x509: 'certificate')
+  #
+  #     # Try to validate with a set of certificates, any one of which
+  #     # can match
+  #     doc.verify_with(x509: ['cert1', 'cert2'])
+  #
+  # You can also use `:cert` or `:certificate` or `:certs` or
+  # `:certificates` as aliases for `:x509`.
+  #
+  def verify_with opts_or_keys
+    if (certs = opts_or_keys[:cert]) ||
+       (certs = opts_or_keys[:certs])
+      certs = [certs] unless certs.kind_of?(Array)
+      verify_with_certificates certs
+    elsif opts_or_keys[:key]
+      verify_with_rsa_key opts_or_keys[:key]
+    else
+      verify_with_named_keys opts_or_keys
+    end
+  end
+
+  # Attempts to verify the signature of this document using only certificates
+  # installed on the system. This is equivalent to calling
+  # `verify_with certificates: []` (that is, an empty array).
+  #
+  def verify_signature
+    verify_with_certificates []
+  end
+
+  # Encrypts the current document, then returns it.
+  #
+  # Examples:
+  # 
+  #     # encrypt with a public key and optional key name
+  #     doc.encrypt! key: 'public-key', name: 'name'
+  #
+  def encrypt! opts
+    if opts[:key]
+      encrypt_with_key opts[:name].to_s, opts[:key], opts.select { |key, _| key != :key && key != :name }
+    else
+      raise "public :key is required for encryption"
+    end
+    self
+  end
+
+  # Decrypts the current document, then returns it.
+  #
+  # Examples:
+  #
+  #     # decrypt with a specific private key
+  #     doc.decrypt! key: 'private-key'
+  #
+  def decrypt! opts
+    if opts[:key]
+      decrypt_with_key opts[:name].to_s, opts[:key]
+    else
+      raise 'inadequate options specified for decryption'
+    end
+    self
+  end
+end

data/lib/xmlsec/version.rb

@@ -0,0 +1,3 @@
+module Xmlsec
+  VERSION = '0.9.0'
+end

data/nokogiri-xmlsec-me-harder.gemspec

@@ -0,0 +1,39 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'xmlsec/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "nokogiri-xmlsec-me-harder"
+  spec.version       = Xmlsec::VERSION
+  spec.authors       = ["Albert J. Wong"]
+  spec.email         = ["awong.dev@gmail.com"]
+  spec.description   = %q{Adds support to Ruby for encrypting, decrypting,
+    signing and validating the signatures of XML documents, according to the
+    [XML Encryption Syntax and Processing](http://www.w3.org/TR/xmlenc-core/)
+    standard, by wrapping around the [xmlsec](http://www.aleksey.com/xmlsec) C
+    library and adding relevant methods to `Nokogiri::XML::Document`.
+    Implementation is based off nokogiri-xmlsec by
+    "Colin MacKenzie IV" <inisterchipmunk@gmail.com> with heavy modifications
+    and some API changes.}
+  spec.summary       = %q{Wrapper around http://www.aleksey.com/xmlsec to
+    support XML encryption, decryption, signing and signature validation in
+    Ruby}
+  spec.homepage      = "https://github.com/omb-awong/xmlsec"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  spec.extensions = %w{ext/nokogiri_ext_xmlsec/extconf.rb}
+
+  spec.add_dependency 'nokogiri'
+  
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rake-compiler"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "guard-rspec"
+  spec.add_development_dependency "guard-rake"
+end

data/spec/fixtures/cert/server.crt

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLzCCAZgCCQCVuhhQ38rw0TANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJV
+UzEQMA4GA1UECAwHR2VvcmdpYTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTAgFw0xMzA1MjUxODQwMDRa
+GA8zMDEyMDkyNTE4NDAwNFowWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3Jn
+aWExITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwO
+d3d3Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALE4oSql
+eymfHtzOeY86WyvfsjZmaz2XnIo9dzZsK71yMEKkgvXQnnYy9pK0NaYcG0B0hcii
+3fqGBiHMkZY2BOGWwCC/wOmJCzLq9q6caPWUs71Zko+h59LaqV93vzDmZaXYfFoQ
+gSVEWpEpCSo560x0mSuLnJYdQQzZ/L6xvxZ1AgMBAAEwDQYJKoZIhvcNAQEFBQAD
+gYEATyK/RlfpohUVimgFkycTF2hyusjctseXoZDCctgg/STMsL8iA0P9YB6k91GC
+kWpwevuiwarD1MfSUV6goPINFkIBvfK+5R9lpHaTqqs615z8T9R5VJgaLcFe3tWd
+7oq3V2q5Nl6MrZfXj2N07qe6/9zfdauxYO26vAEKCvIkbMo=
+-----END CERTIFICATE-----