nokogiri-xmlsec-me-harder 0.9.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 75e1a3db95d6fc1f9da0cc6688762307627bbdb6
+  data.tar.gz: 167c22b7a15b32d39efcd55ba87ac7becfe95b36
+SHA512:
+  metadata.gz: 00b7a5083c274034581cb57cba8f21fa580d4c5d66c05542d7bd811ba96d3356c6184b32b552d896c14bd0717e2e04999859011aa4d6970a155c2ac3024924dc
+  data.tar.gz: c4869b01b51fb9273afd9468764f3efe3cb20b5ade226430bd7e1699b7ed2872d2d12b48db20450edf5337961514272cd383ee8cf6e1a0878a039d97bc950aa2

data/.gitignore

@@ -0,0 +1,20 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+spec/old
+*.so
+*.sw[opn]

data/.rspec

@@ -0,0 +1,2 @@
+--color
+

data/.travis.yml

@@ -0,0 +1,3 @@
+before_install:
+  - sudo apt-get update -qq
+  - sudo apt-get install -y libxmlsec1-dev

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in xmlsec.gemspec
+gemspec

data/Guardfile

@@ -0,0 +1,13 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard 'rake', :task => 'default' do
+  watch(/^ext\//)
+end
+
+guard 'rspec' do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+  # watch(/^ext\//)               { "spec" }
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 TODO: Write your name
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,123 @@
+# nokogiri-xmlsec
+
+[![Build Status](https://travis-ci.org/omb-awong/xmlsec.svg)](https://travis-ci.org/omb-awong/xmlsec)
+
+Adds support to Ruby for encrypting, decrypting, signing and validating
+the signatures of XML documents, according to the [XML Encryption Syntax and
+Processing](http://www.w3.org/TR/xmlenc-core/) standard, by wrapping around the
+[xmlsec](http://www.aleksey.com/xmlsec) C library and adding relevant methods
+to `Nokogiri::XML::Document`.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'nokogiri-xmlsec'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install nokogiri-xmlsec
+
+## Usage
+
+Several methods are added to `Nokogiri::XML::Document` which expose this gem's
+functionality.
+
+### Signing
+
+The `sign!` method adds a digital signature to the XML document so that it can
+later be determined whether the document itself has been tampered with. If the
+document changes, the signature will be invalid.
+
+Signing a document will add XML nodes directly to the document itself, and
+then returns itself.
+
+    # First, get an XML document
+    doc = Nokogiri::XML("<doc><greeting>Hello, World!</greeting></doc>")
+
+    # Sign the document with a certificate, a key, and a key name
+    doc.sign! certificate: 'certificate data',
+              key: 'private key data',
+              name: 'private key name'
+
+You only need one of `certificate` or `key`, but you can pass both. If you do,
+the certificate will be included as part of the signature, so that it can be
+later verified by certificate instead of by key.
+
+The `name` is implicitly converted into a string. Thus it is effectively
+optional, since `nil` converts to `""`, and its value only matters if you plan
+to verify the signature with any of a set of keys, as in the following example:
+
+### Signature verification
+
+Verification of signatures always returns `true` if successful, `false`
+otherwise.
+
+    # Verify the document's signature to ensure it has not been tampered with
+    doc.verify_with({
+      'key-name-1' => 'public key contents',
+      'key-name-2' => 'another public key content'
+    })
+
+In the above example, the `name` field from the signing process will be used
+to determine which key to validate with. If you plan to always verify with the
+same key, you can do it like so, effectively ignoring the `name` value:
+
+    # Verify the document's signature with a specific key
+    doc.verify_with key: 'public key contents'
+
+Finally, you can also verify with a certificate:
+
+    # Verify the document's signature with a single certificate
+    doc.verify_with certificate: 'certificate data'
+
+    # Verify the document's signature with multiple certificates. Any one match
+    # will pass verification.
+    doc.verify_with certificates: [ 'cert1', 'cert2', 'cert3' ]
+
+If the certificate has been installed to your system certificates, then you can
+verify signatures like so:
+
+    # Verify with installed CA certificates
+    doc.verify_signature
+
+### Encryption & Decryption
+
+Encrypted documents can only be decrypted with the private key that corresponds
+to the public key that was used to encrypt it. Thus, the party that encrypted
+the document can be sure that the document will only be readable by its intended
+recipient.
+
+Both encryption and decryption of a document manipulates the XML nodes of the
+document in-place. Both methods return the original document, after the changes
+have been made to it.
+
+To encrypt a document, use a public key:
+
+    doc.encrypt! key: 'public key content'
+
+To decrypt a document, use a private key:
+
+    doc.decrypt! key: 'private key content'
+
+
+## Limitations and Known Issues
+
+Following is a list of limitations and/or issues I know about, but have no
+immediate plan to resolve. This is probably because I haven't needed the
+functionality, and no one has sent a pull request. (Hint, hint!)
+
+- Currently, it is not possible to operate on individual XML nodes. The
+  `nokogiri-xmlsec` operations must be performed on the entire document.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,30 @@
+require "bundler/gem_tasks"
+require 'rake/extensiontask'
+require 'rspec/core/rake_task'
+
+Rake::ExtensionTask.new('nokogiri_ext_xmlsec')
+
+RSpec::Core::RakeTask.new :rspec
+
+desc 'clean out build files'
+task :clean do
+  rm_rf File.expand_path('../tmp', __FILE__)
+end
+
+task :default => [:clean, :compile, :rspec]
+
+desc 'code statistics, cause im a stats junky'
+task :stats do
+  def count(glob)
+    Dir[glob].inject(0) do |count, fi|
+      next unless File.file?(fi)
+      count + File.read(fi).lines.length
+    end
+  end
+
+  rb_lines = count 'lib/**/*.rb'
+  c_lines  = count 'ext/**/*.{c,h}'
+
+  puts "Lines of Ruby: #{rb_lines}"
+  puts "Lines of C:    #{c_lines}"
+end

data/ext/nokogiri_ext_xmlsec/common.h

@@ -0,0 +1,13 @@
+#ifndef NOKOGIRI_EXT_XMLSEC_COMMON_H
+#define NOKOGIRI_EXT_XMLSEC_COMMON_H
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+typedef int BOOL;
+
+#endif // NOKOGIRI_EXT_XMLSEC_COMMON_H

data/ext/nokogiri_ext_xmlsec/extconf.rb

@@ -0,0 +1,27 @@
+require 'mkmf'
+
+def barf message = 'dependencies not met'
+  raise message
+end
+
+barf unless have_header('ruby.h')
+
+pkg_config('xmlsec1')
+
+$CFLAGS << " -fvisibility=hidden"
+
+if $CFLAGS =~ /\-DXMLSEC_CRYPTO=\\\\\\"openssl\\\\\\"/
+puts "Changing escaping: #{$CFLAGS}"
+  $CFLAGS['-DXMLSEC_CRYPTO=\\\\\\"openssl\\\\\\"'] =
+    '-DXMLSEC_CRYPTO=\\"openssl\\"'
+end
+
+if $CFLAGS =~ /\-DXMLSEC_CRYPTO="openssl"/
+puts "Ensure we escaping: #{$CFLAGS}"
+  $CFLAGS['-DXMLSEC_CRYPTO="openssl"'] =
+  '-DXMLSEC_CRYPTO=\\"openssl\\"'
+end
+
+puts "Clfags: #{$CFLAGS}"
+$libs = `xmlsec1-config  --libs`.strip
+create_makefile('nokogiri_ext_xmlsec')

data/ext/nokogiri_ext_xmlsec/init.c

@@ -0,0 +1,76 @@
+#include "xmlsecrb.h"
+#include "util.h"
+
+#include <xmlsec/dl.h>
+#include <xmlsec/errors.h>
+
+#ifndef XMLSEC_NO_XSLT
+#include <libxslt/xslt.h>
+#include <libxslt/security.h>
+#endif /* XMLSEC_NO_XSLT */
+
+EXTENSION_EXPORT
+void Init_nokogiri_ext_xmlsec() {
+#ifndef XMLSEC_NO_XSLT
+    xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
+  /* xmlsec proper */
+  // libxml
+  xmlInitParser();
+  LIBXML_TEST_VERSION
+  xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
+  xmlSubstituteEntitiesDefault(1);
+  // xslt
+
+#ifndef XMLSEC_NO_XSLT
+  xmlIndentTreeOutput = 1;
+
+  /* Disable all XSLT options that give filesystem and network access. */
+  xsltSecPrefs = xsltNewSecurityPrefs();
+  xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_READ_FILE,        xsltSecurityForbid);
+  xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_WRITE_FILE,       xsltSecurityForbid);
+  xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+  xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_READ_NETWORK,     xsltSecurityForbid);
+  xsltSetSecurityPrefs(xsltSecPrefs,  XSLT_SECPREF_WRITE_NETWORK,    xsltSecurityForbid);
+  xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
+  // xmlsec
+
+  if (xmlSecInit() < 0) {
+    rb_raise(rb_eRuntimeError, "xmlsec initialization failed");
+    return;
+  }
+  if (xmlSecCheckVersion() != 1) {
+    rb_raise(rb_eRuntimeError, "xmlsec version is not compatible");
+    return;
+  }
+  // load crypto
+  #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
+    if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
+      rb_raise(rb_eRuntimeError,
+        "Error: unable to load default xmlsec-crypto library. Make sure"
+        "that you have it installed and check shared libraries path\n"
+        "(LD_LIBRARY_PATH) envornment variable.\n");
+      return;
+    }
+  #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
+  // init crypto
+  if (xmlSecCryptoAppInit(NULL) < 0) {
+    rb_raise(rb_eRuntimeError, "unable to initialize crypto engine");
+    return;
+  }
+  // init xmlsec-crypto library
+  if (xmlSecCryptoInit() < 0) {
+    rb_raise(rb_eRuntimeError, "xmlsec-crypto initialization failed");
+  }
+
+  // Set Error callback catcher last because various modules also call this.
+  // This way we always win.
+  xmlSecErrorsSetCallback(storeErrorCallback);
+
+  /* ruby classes & objects */
+  Init_Nokogiri_ext();
+}
+

data/ext/nokogiri_ext_xmlsec/nokogiri_decrypt_with_key.c

@@ -0,0 +1,82 @@
+#include "xmlsecrb.h"
+#include "util.h"
+
+VALUE decrypt_with_key(VALUE self, VALUE rb_key_name, VALUE rb_key) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  xmlDocPtr doc = NULL;
+  xmlNodePtr node = NULL;
+  xmlSecEncCtxPtr encCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  char *key = NULL;
+  char *keyName = NULL;
+  unsigned int keyLength = 0;
+
+  resetXmlSecError();
+
+  Check_Type(rb_key,      T_STRING);
+  Check_Type(rb_key_name, T_STRING);
+  Data_Get_Struct(self, xmlDoc, doc);
+  key       = RSTRING_PTR(rb_key);
+  keyLength = RSTRING_LEN(rb_key);
+  keyName = StringValueCStr(rb_key_name);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs);
+  if(node == NULL) {
+      rb_exception_result = rb_eDecryptionError;
+      exception_message = "start node not found";
+      goto done;      
+  }
+
+  keyManager = createKeyManagerWithSingleKey(key, keyLength, keyName,
+                                             &rb_exception_result,
+                                             &exception_message);
+  if (keyManager == NULL) {
+    // Propagate the exception.
+    goto done;
+  }
+
+  // create encryption context
+  encCtx = xmlSecEncCtxCreate(keyManager);
+  if(encCtx == NULL) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to create encryption context";
+    goto done;
+  }
+
+  // decrypt the data
+  if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL)) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "decryption failed";
+    goto done;
+  }
+
+  if(encCtx->resultReplaced == 0) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message =  "Not implemented: don't know how to handle decrypted, non-XML data yet";
+    goto done;
+  }
+
+done:    
+  // cleanup
+  if(encCtx != NULL) {
+    xmlSecEncCtxDestroy(encCtx);
+  }
+  
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  if(rb_exception_result != Qnil) {
+    if (hasXmlSecLastError()) {
+      rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
+               getXmlSecLastError());
+    } else {
+      rb_raise(rb_exception_result, "%s", exception_message);
+    }
+  }
+
+  return Qnil;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_encrypt_with_key.c

@@ -0,0 +1,169 @@
+#include "xmlsecrb.h"
+#include "options.h"
+#include "util.h"
+
+// Encrypes the XML Document document using XMLEnc.
+//
+// Expects 3 positional arguments:
+//   rb_rsa_key_name - String with name of the rsa key. May be the empty.
+//   rb_rsa_key - A PEM encoded rsa key for signing.
+//   rb_opts - An ruby hash that configures the encryption options.
+//             See XmlEncOptions struct for possible values.
+VALUE encrypt_with_key(VALUE self, VALUE rb_rsa_key_name, VALUE rb_rsa_key,
+                       VALUE rb_opts) {
+  VALUE rb_exception_result = Qnil;
+  const char* exception_message = NULL;
+
+  xmlDocPtr doc = NULL;
+  xmlNodePtr encDataNode = NULL;
+  xmlNodePtr encKeyNode  = NULL;
+  xmlNodePtr keyInfoNode = NULL;
+  xmlSecEncCtxPtr encCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  char *keyName = NULL;
+  char *key = NULL;
+  unsigned int keyLength = 0;
+
+  resetXmlSecError();
+
+  Check_Type(rb_rsa_key,      T_STRING);
+  Check_Type(rb_rsa_key_name, T_STRING);
+  Check_Type(rb_opts, T_HASH);
+
+  key       = RSTRING_PTR(rb_rsa_key);
+  keyLength = RSTRING_LEN(rb_rsa_key);
+  keyName = StringValueCStr(rb_rsa_key_name);
+
+  XmlEncOptions options;
+  if (!GetXmlEncOptions(rb_opts, &options, &rb_exception_result,
+                        &exception_message)) {
+    goto done;
+  }
+
+  Data_Get_Struct(self, xmlDoc, doc);
+
+  // create encryption template to encrypt XML file and replace 
+  // its content with encryption result
+  encDataNode = xmlSecTmplEncDataCreate(doc, options.block_encryption, NULL,
+                                        xmlSecTypeEncElement, NULL, NULL);
+  if(encDataNode == NULL) {
+    rb_exception_result = rb_eEncryptionError;
+    exception_message = "failed to create encryption template";
+    goto done;
+  }
+
+  // we want to put encrypted data in the <enc:CipherValue/> node
+  if(xmlSecTmplEncDataEnsureCipherValue(encDataNode) == NULL) {
+    rb_exception_result = rb_eEncryptionError;
+    exception_message = "failed to add CipherValue node";
+    goto done;
+  }
+
+  // add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the
+  // signed document
+  keyInfoNode = xmlSecTmplEncDataEnsureKeyInfo(encDataNode, NULL);
+  if(keyInfoNode == NULL) {
+    rb_exception_result = rb_eEncryptionError;
+    exception_message = "failed to add key info";
+    goto done;
+  }
+
+  if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
+    rb_exception_result = rb_eEncryptionError;
+    exception_message = "failed to add key name";
+    goto done;
+  }
+
+  if ((keyManager = createKeyManagerWithSingleKey(
+          key, keyLength, keyName,
+          &rb_exception_result,
+          &exception_message)) == NULL) {
+    // Propagate the exception.
+    goto done;
+  }
+
+  // create encryption context, we don't need keys manager in this example
+  encCtx = xmlSecEncCtxCreate(keyManager);
+  if(encCtx == NULL) {
+    rb_exception_result = rb_eEncryptionError;
+    exception_message = "failed to create encryption context";
+    goto done;
+  }
+
+  // Generate the symmetric key.
+  encCtx->encKey = xmlSecKeyGenerateByName(BAD_CAST options.key_type, options.key_bits,
+                                           xmlSecKeyDataTypeSession);
+
+  if(encCtx->encKey == NULL) {
+    rb_exception_result = rb_eDecryptionError;
+    exception_message = "failed to generate session key";
+    goto done;
+  }
+
+  // Set key name.
+  if(xmlSecKeySetName(encCtx->encKey, (xmlSecByte *)keyName) < 0) {
+    rb_exception_result = rb_eEncryptionError;
+    exception_message = "failed to set key name";
+    goto done;
+  }
+
+  // Add <enc:EncryptedKey/> node to the <dsig:KeyInfo/> tag to include
+  // the session key.
+  encKeyNode = xmlSecTmplKeyInfoAddEncryptedKey(keyInfoNode,
+                                       options.key_transport, // encMethodId encryptionMethod
+                                       NULL, // xmlChar *idAttribute
+                                       NULL, // xmlChar *typeAttribute
+                                       NULL  // xmlChar *recipient
+                                      );
+  if (encKeyNode == NULL) {
+    rb_exception_result = rb_eEncryptionError;
+    exception_message = "failed to add encrypted key node";
+    goto done;
+  }
+  if (xmlSecTmplEncDataEnsureCipherValue(encKeyNode) == NULL) {
+    rb_exception_result = rb_eEncryptionError;
+    exception_message = "failed to add encrypted cipher value";
+    goto done;
+  }
+
+  // encrypt the data
+  if(xmlSecEncCtxXmlEncrypt(encCtx, encDataNode, xmlDocGetRootElement(doc)) < 0) {
+    rb_exception_result = rb_eEncryptionError;
+    exception_message = "encryption failed";
+    goto done;
+  }
+  
+  // the template is inserted in the doc, so don't free it
+  encDataNode = NULL;
+  encKeyNode = NULL;
+
+done:
+
+  /* cleanup */
+  if(encCtx != NULL) {
+    xmlSecEncCtxDestroy(encCtx);
+  }
+
+  if (encKeyNode != NULL) {
+    xmlFreeNode(encKeyNode);
+  }
+
+  if(encDataNode != NULL) {
+    xmlFreeNode(encDataNode);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  if(rb_exception_result != Qnil) {
+    if (hasXmlSecLastError()) {
+      rb_raise(rb_exception_result, "%s, XmlSec error: %s", exception_message,
+               getXmlSecLastError());
+    } else {
+      rb_raise(rb_exception_result, "%s", exception_message);
+    }
+  }
+
+  return Qnil;
+}