nokogiri-xmlsec-me-harder 0.9.1 → 0.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 818ee85467c194244bf1d1edb85ef9517bf5b9ea
-  data.tar.gz: 35efec57db945b9f1e4cd8ce68f46861f7d51753
+  metadata.gz: 4adbd4c650866b34094b2fa5e2dba632405ec1ad
+  data.tar.gz: fe55cb91ae8d76a9d0708e56b912f7d96e7432cc
 SHA512:
-  metadata.gz: 83da2b119f79759178bd4de9680dfefad1d7152abc341c4f8eb25a1cf44311fcb0626c4de55a73c742c1e2b19e426059eff8de1293e2256bdd2643594abfd0e5
-  data.tar.gz: f9e5ff73c6c7f25d60edb7bdd2b827cf202c81c2315c0aa9419397da03d387b4d977a8714706cf0e7c4967fd5297026fe112d712cacbf3bb23b507763635f2f8
+  metadata.gz: b944b6c83a4983e7ef565a3dad2607152c88575ab12e272c339b394b394c53155e02b932cc26cf06f485bf289589a9d395042450009f3e57b92aee45058910bc
+  data.tar.gz: 3d0f2c65bcbdd39a037f9cda8f62c13958570a915d5f7bf423afe63b34da4ed0c77842c604d8bc923d2914ea7a026a7f1f48df64b39a17e515e91510f248b572

data/README.md

@@ -40,17 +40,17 @@ then returns itself.
     doc = Nokogiri::XML("<doc><greeting>Hello, World!</greeting></doc>")
 
     # Sign the document with a certificate, a key, and a key name
-    doc.sign! certificate: 'certificate data',
+    doc.sign! cert: 'certificate data',
               key: 'private key data',
-              name: 'private key name'
+              name: 'private key name',
+              digest_alg: 'sha256',
+              signature_alg: 'rsa-sha256'
 
-You only need one of `certificate` or `key`, but you can pass both. If you do,
-the certificate will be included as part of the signature, so that it can be
-later verified by certificate instead of by key.
+If you pass `cert`, the certificate will be included as part of the signature,
+so that it can be later verified by certificate instead of by key.
 
-The `name` is implicitly converted into a string. Thus it is effectively
-optional, since `nil` converts to `""`, and its value only matters if you plan
-to verify the signature with any of a set of keys, as in the following example:
+`name` can be used to verify the signature with any of a set of keys, as in the
+following example:
 
 ### Signature verification
 
@@ -73,11 +73,11 @@ same key, you can do it like so, effectively ignoring the `name` value:
 Finally, you can also verify with a certificate:
 
     # Verify the document's signature with a single certificate
-    doc.verify_with certificate: 'certificate data'
+    doc.verify_with cert: 'certificate data'
 
     # Verify the document's signature with multiple certificates. Any one match
     # will pass verification.
-    doc.verify_with certificates: [ 'cert1', 'cert2', 'cert3' ]
+    doc.verify_with certs: [ 'cert1', 'cert2', 'cert3' ]
 
 If the certificate has been installed to your system certificates, then you can
 verify signatures like so:
@@ -111,8 +111,9 @@ Following is a list of limitations and/or issues I know about, but have no
 immediate plan to resolve. This is probably because I haven't needed the
 functionality, and no one has sent a pull request. (Hint, hint!)
 
-- Currently, it is not possible to operate on individual XML nodes. The
+- Currently, it is not possible to encrypt/decrypt individual XML nodes. The
   `nokogiri-xmlsec` operations must be performed on the entire document.
+  You _can_ sign an individual node.
 
 ## Contributing
 

data/ext/nokogiri_ext_xmlsec/nokogiri_init.c

@@ -15,8 +15,7 @@ void Init_Nokogiri_ext() {
   rb_cNokogiri_XML_Document = rb_const_get(Nokogiri_XML, rb_intern("Document"));
   rb_cNokogiri_XML_Node = rb_const_get(Nokogiri_XML, rb_intern("Node"));
 
-  rb_define_method(rb_cNokogiri_XML_Document, "sign_with_key",            sign_with_key, 1);
-  rb_define_method(rb_cNokogiri_XML_Document, "sign_with_certificate",    sign_with_certificate, 1);
+  rb_define_method(rb_cNokogiri_XML_Node,     "sign!",                    sign, 1);
   rb_define_method(rb_cNokogiri_XML_Document, "verify_with_rsa_key",      verify_signature_with_rsa_key, 1);
   rb_define_method(rb_cNokogiri_XML_Document, "verify_with_named_keys",   verify_signature_with_named_keys, 1);
   rb_define_method(rb_cNokogiri_XML_Document, "verify_with_certificates", verify_signature_with_certificates, 1);

data/ext/nokogiri_ext_xmlsec/{nokogiri_sign_certificate.c → nokogiri_sign.c}

@@ -17,16 +17,17 @@
 //   :name - [optional] String with name of the rsa key.
 //   :uri - [optional] The URI attribute for the <Reference> node in the
 //          signature.
-VALUE sign_with_certificate(VALUE self, VALUE rb_opts) {
+VALUE sign(VALUE self, VALUE rb_opts) {
   VALUE rb_exception_result = Qnil;
   const char* exception_message = NULL;
 
   xmlDocPtr doc = NULL;
+  xmlNodePtr envelopeNode = NULL;
   xmlNodePtr signNode = NULL;
   xmlNodePtr refNode = NULL;
   xmlNodePtr keyInfoNode = NULL;
   xmlSecDSigCtxPtr dsigCtx = NULL;
-  char *keyName = "";
+  char *keyName = NULL;
   char *certificate = NULL;
   char *rsaKey = NULL;
   char *refUri = NULL;
@@ -43,15 +44,17 @@ VALUE sign_with_certificate(VALUE self, VALUE rb_opts) {
   VALUE rb_key_name = rb_hash_aref(rb_opts, ID2SYM(rb_intern("name")));
 
   Check_Type(rb_rsa_key, T_STRING);
-  Check_Type(rb_cert, T_STRING);
   Check_Type(rb_signature_alg, T_STRING);
   Check_Type(rb_digest_alg, T_STRING);
 
   rsaKey = RSTRING_PTR(rb_rsa_key);
   rsaKeyLength = RSTRING_LEN(rb_rsa_key);
-  certificate = RSTRING_PTR(rb_cert);
-  certificateLength = RSTRING_LEN(rb_cert);
 
+  if (!NIL_P(rb_cert)) {
+    Check_Type(rb_cert, T_STRING);
+    certificate = RSTRING_PTR(rb_cert);
+    certificateLength = RSTRING_LEN(rb_cert);
+  }
   if (!NIL_P(rb_key_name))  {
     Check_Type(rb_key_name, T_STRING);
     keyName = StringValueCStr(rb_key_name);
@@ -61,7 +64,6 @@ VALUE sign_with_certificate(VALUE self, VALUE rb_opts) {
     refUri = StringValueCStr(rb_uri);
   }
 
-  Data_Get_Struct(self, xmlDoc, doc);
   xmlSecTransformId signature_algorithm = GetSignatureMethod(rb_signature_alg,
       &rb_exception_result, &exception_message);
   if (signature_algorithm == xmlSecTransformIdUnknown) {
@@ -69,6 +71,8 @@ VALUE sign_with_certificate(VALUE self, VALUE rb_opts) {
     goto done;
   }
 
+  Data_Get_Struct(self, xmlNode, envelopeNode);
+  doc = envelopeNode->doc;
   // create signature template for enveloped signature.
   signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
                                        signature_algorithm, NULL);
@@ -79,7 +83,7 @@ VALUE sign_with_certificate(VALUE self, VALUE rb_opts) {
   }
 
   // add <dsig:Signature/> node to the doc
-  xmlAddChild(xmlDocGetRootElement(doc), signNode);
+  xmlAddChild(envelopeNode, signNode);
 
   // add reference
   xmlSecTransformId digest_algorithm = GetDigestMethod(rb_digest_alg,
@@ -109,18 +113,30 @@ VALUE sign_with_certificate(VALUE self, VALUE rb_opts) {
     goto done;
   }
 
-  // add <dsig:KeyInfo/> and <dsig:X509Data/>
+  // add <dsig:KeyInfo/>
   keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
   if(keyInfoNode == NULL) {
     rb_exception_result = rb_eSigningError;
     exception_message = "failed to add key info";
     goto done;
   }
-  
-  if(xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to add X509Data node";
-    goto done;
+
+  if(certificate) {
+    // add <dsig:X509Data/>
+    if(xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
+      rb_exception_result = rb_eSigningError;
+      exception_message = "failed to add X509Data node";
+      goto done;
+    }
+  }
+
+  if(keyName) {
+    // add <dsig:KeyName/>
+    if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
+      rb_exception_result = rb_eSigningError;
+      exception_message = "failed to add key name";
+      goto done;
+    }
   }
 
   // create signature context, we don't need keys manager in this example
@@ -144,21 +160,25 @@ VALUE sign_with_certificate(VALUE self, VALUE rb_opts) {
     goto done;
   }
   
-  // load certificate and add to the key
-  if(xmlSecCryptoAppKeyCertLoadMemory(dsigCtx->signKey,
-                                      (xmlSecByte *)certificate,
-                                      certificateLength,
-                                      xmlSecKeyDataFormatPem) < 0) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to load certificate";
-    goto done;
+  if(keyName) {
+    // set key name
+    if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
+      rb_exception_result = rb_eSigningError;
+      exception_message = "failed to set key name";
+      goto done;
+    }
   }
 
-  // set key name
-  if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to set key name";
-    goto done;
+  if(certificate) {
+    // load certificate and add to the key
+    if(xmlSecCryptoAppKeyCertLoadMemory(dsigCtx->signKey,
+                                        (xmlSecByte *)certificate,
+                                        certificateLength,
+                                        xmlSecKeyDataFormatPem) < 0) {
+      rb_exception_result = rb_eSigningError;
+      exception_message = "failed to load certificate";
+      goto done;
+    }
   }
 
   // sign the template
@@ -174,6 +194,13 @@ done:
   }
 
   if(rb_exception_result != Qnil) {
+    // remove the signature node before raising an exception, so that
+    // the document is untouched
+    if (signNode != NULL) {
+      xmlUnlinkNode(signNode);
+      xmlFreeNode(signNode);
+    }
+
     if (hasXmlSecLastError()) {
       rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
                getXmlSecLastError());

data/ext/nokogiri_ext_xmlsec/xmlsecrb.h

@@ -22,8 +22,7 @@
 // TODO(awong): Support non-gcc and non-clang compilers.
 #define EXTENSION_EXPORT __attribute__((visibility("default")))
 
-VALUE sign_with_key(VALUE self, VALUE rb_opts);
-VALUE sign_with_certificate(VALUE self, VALUE rb_opts);
+VALUE sign(VALUE self, VALUE rb_opts);
 VALUE verify_signature_with_rsa_key(VALUE self, VALUE rb_rsa_key);
 VALUE verify_signature_with_named_keys(VALUE self, VALUE rb_keys);
 VALUE verify_signature_with_certificates(VALUE self, VALUE rb_certs);

data/lib/xmlsec.rb

@@ -3,24 +3,8 @@ require 'nokogiri'
 require 'nokogiri_ext_xmlsec'
 
 class Nokogiri::XML::Document
-  # Signs this document, and then returns it.
-  #
-  # Examples:
-  #
-  #     doc.sign! key: 'rsa-private-key'
-  #     doc.sign! key: 'rsa-private-key', name: 'key-name'
-  #     doc.sign! cert: 'x509 certificate', key: 'cert private key'
-  #     doc.sign! cert: 'x509 certificate', key: 'cert private key',
-  #               name: 'key-name'
   def sign! opts
-    if opts.has_key? :cert
-      raise "need a private :key" unless opts[:key]
-      sign_with_certificate opts
-    elsif opts[:key]
-      sign_with_key opts
-    else
-      raise "No private :key was given"
-    end
+    root.sign! opts
     self
   end
 

data/lib/xmlsec/version.rb

@@ -1,3 +1,3 @@
 module Xmlsec
-  VERSION = '0.9.1'
+  VERSION = '0.9.2'
 end

data/spec/lib/nokogiri/xml/document/signing_and_verifying_spec.rb

@@ -32,7 +32,6 @@ describe "signing and verifying signatures:" do
   describe 'signing a document with an RSA key and X509 certificate' do
     before do
       subject.sign! key: fixture('cert/server.key.decrypted'),
-                    name: 'test',
                     cert: fixture('cert/server.crt'),
                     signature_alg: 'rsa-sha256',
                     digest_alg: 'sha256'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: nokogiri-xmlsec-me-harder
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.9.2
 platform: ruby
 authors:
 - Albert J. Wong
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-20 00:00:00.000000000 Z
+date: 2015-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -139,8 +139,7 @@ files:
 - ext/nokogiri_ext_xmlsec/nokogiri_encrypt_with_key.c
 - ext/nokogiri_ext_xmlsec/nokogiri_helpers_set_attribute_id.c
 - ext/nokogiri_ext_xmlsec/nokogiri_init.c
-- ext/nokogiri_ext_xmlsec/nokogiri_sign_certificate.c
-- ext/nokogiri_ext_xmlsec/nokogiri_sign_rsa.c
+- ext/nokogiri_ext_xmlsec/nokogiri_sign.c
 - ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_certificates.c
 - ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_named_keys.c
 - ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_rsa.c

data/ext/nokogiri_ext_xmlsec/nokogiri_sign_rsa.c

@@ -1,167 +0,0 @@
-#include "xmlsecrb.h"
-
-#include "options.h"
-#include "util.h"
-
-// Appends an xmlsig <dsig:Signature> node to document stored in |self|
-// with a signature based on the given bare rsa key and keyname.
-//
-// Expects a ruby hash for the signing arguments.
-// Hash parameters:
-//   :key_name - String with name of the rsa key. May be the empty string.
-//   :rsa_key - A PEM encoded rsa key for signing.
-//   :signature_alg - Algorithm identified by the URL fragment. Supported algorithms
-//             taken from http://www.w3.org/TR/xmldsig-core
-//   :digest_alg - Algorithm identified by the URL fragment. Supported algorithms
-//             taken from http://www.w3.org/TR/xmldsig-core
-//   :ref_uri - [optional] The URI attribute for the <Reference> node in the
-//             signature.
-VALUE sign_with_key(VALUE self, VALUE rb_opts) {
-  VALUE rb_exception_result = Qnil;
-  const char* exception_message = NULL;
-
-  xmlDocPtr doc = NULL;
-  xmlNodePtr signNode = NULL;
-  xmlNodePtr refNode = NULL;
-  xmlNodePtr keyInfoNode = NULL;
-  xmlSecDSigCtxPtr dsigCtx = NULL;
-  char *keyName = NULL;
-  char *rsaKey = NULL;
-  char *refUri = NULL;
-  unsigned int rsaKeyLength = 0;
-
-  resetXmlSecError();
-
-  VALUE rb_key_name = rb_hash_aref(rb_opts, ID2SYM(rb_intern("name")));
-  VALUE rb_rsa_key = rb_hash_aref(rb_opts, ID2SYM(rb_intern("key")));
-  VALUE rb_signature_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("signature_alg")));
-  VALUE rb_digest_alg = rb_hash_aref(rb_opts, ID2SYM(rb_intern("digest_alg")));
-  VALUE rb_uri = rb_hash_aref(rb_opts, ID2SYM(rb_intern("uri")));
-
-  Check_Type(rb_rsa_key,  T_STRING);
-  Check_Type(rb_key_name, T_STRING);
-  Check_Type(rb_signature_alg, T_STRING);
-  Check_Type(rb_digest_alg, T_STRING);
-
-  rsaKey = RSTRING_PTR(rb_rsa_key);
-  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
-  keyName = StringValueCStr(rb_key_name);
-
-  if (!NIL_P(rb_uri)) {
-    Check_Type(rb_uri, T_STRING);
-    refUri = StringValueCStr(rb_uri);
-  }
-
-  Data_Get_Struct(self, xmlDoc, doc);
-  xmlSecTransformId signature_algorithm = GetSignatureMethod(rb_signature_alg,
-      &rb_exception_result, &exception_message);
-  if (signature_algorithm == xmlSecTransformIdUnknown) {
-    // Propagate exception.
-    goto done;
-  }
-
-  // create signature template for enveloped signature
-  signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
-                                       signature_algorithm, NULL);
-  if (signNode == NULL) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to create signature template";
-    goto done;
-  }
-
-  // add <dsig:Signature/> node to the doc
-  xmlAddChild(xmlDocGetRootElement(doc), signNode);
-
-  // add reference
-  xmlSecTransformId digest_algorithm = GetDigestMethod(rb_digest_alg,
-      &rb_exception_result, &exception_message);
-  if (digest_algorithm == xmlSecTransformIdUnknown) {
-    // Propagate exception.
-    goto done;
-  }
-  refNode = xmlSecTmplSignatureAddReference(signNode, digest_algorithm,
-                                            NULL, (const xmlChar *)refUri, NULL);
-  if(refNode == NULL) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to add reference to signature template";
-    goto done;
-  }
-
-  // add enveloped transform
-  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to add enveloped transform to reference";
-    goto done;
-  }
-
-  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformExclC14NId) == NULL) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to add canonicalization transform to reference";
-    goto done;
-  }
-
-  // add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the signed
-  // document
-  keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
-  if(keyInfoNode == NULL) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to add key info";
-    goto done;
-  }
-  if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to add key name";
-    goto done;
-  }
-
-  // create signature context, we don't need keys manager in this example
-  dsigCtx = createDSigContext(NULL);
-  if(dsigCtx == NULL) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to create signature context";
-    goto done;
-  }
-
-  // load private key, assuming that there is no password
-  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
-                                                  rsaKeyLength,
-                                                  xmlSecKeyDataFormatPem,
-                                                  NULL, // password
-                                                  NULL,
-                                                  NULL);
-  if(dsigCtx->signKey == NULL) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to load private pem key";
-    goto done;
-  }
-
-  // set key name
-  if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "failed to set key name";
-    goto done;
-  }
-
-  // sign the template
-  if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
-    rb_exception_result = rb_eSigningError;
-    exception_message = "signature failed";
-    goto done;
-  }
-
-done:
-  if(dsigCtx != NULL) {
-    xmlSecDSigCtxDestroy(dsigCtx);
-  }
-
-  if(rb_exception_result != Qnil) {
-    if (hasXmlSecLastError()) {
-      rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
-               getXmlSecLastError());
-    } else {
-      rb_raise(rb_exception_result, "%s", exception_message);
-    }
-  }
-
-  return Qnil;
-}