nokogiri-xmlsec 0.0.3

data/ext/nokogiri_ext_xmlsec/nokogiri_init.c

@@ -0,0 +1,29 @@
+#include "xmlsecrb.h"
+
+VALUE rb_cNokogiri_XML_Document = T_NIL;
+VALUE rb_eSigningError = T_NIL;
+VALUE rb_eVerificationError = T_NIL;
+VALUE rb_eKeystoreError = T_NIL;
+VALUE rb_eEncryptionError = T_NIL;
+VALUE rb_eDecryptionError = T_NIL;
+
+void Init_Nokogiri_ext() {
+  VALUE XMLSec = rb_define_module("XMLSec");
+  VALUE Nokogiri = rb_define_module("Nokogiri");
+  VALUE Nokogiri_XML = rb_define_module_under(Nokogiri, "XML");
+  rb_cNokogiri_XML_Document = rb_const_get(Nokogiri_XML, rb_intern("Document"));
+
+  rb_define_method(rb_cNokogiri_XML_Document, "sign_with_key",            sign_with_key, 2);
+  rb_define_method(rb_cNokogiri_XML_Document, "sign_with_certificate",    sign_with_certificate, 3);
+  rb_define_method(rb_cNokogiri_XML_Document, "verify_with_rsa_key",      verify_signature_with_rsa_key, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "verify_with_named_keys",   verify_signature_with_named_keys, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "verify_with_certificates", verify_signature_with_certificates, 1);
+  rb_define_method(rb_cNokogiri_XML_Document, "encrypt_with_key",         encrypt_with_key, 2);
+  rb_define_method(rb_cNokogiri_XML_Document, "decrypt_with_key",         decrypt_with_key, 2);
+
+  rb_eSigningError      = rb_define_class_under(XMLSec, "SigningError",      rb_eRuntimeError);
+  rb_eVerificationError = rb_define_class_under(XMLSec, "VerificationError", rb_eRuntimeError);
+  rb_eKeystoreError     = rb_define_class_under(XMLSec, "KeystoreError",     rb_eRuntimeError);
+  rb_eEncryptionError   = rb_define_class_under(XMLSec, "EncryptionError",   rb_eRuntimeError);
+  rb_eDecryptionError   = rb_define_class_under(XMLSec, "DecryptionError",   rb_eRuntimeError);
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_sign_certificate.c

@@ -0,0 +1,104 @@
+#include "xmlsecrb.h"
+
+VALUE sign_with_certificate(VALUE self, VALUE rb_key_name, VALUE rb_rsa_key, VALUE rb_cert) {
+  xmlDocPtr doc;
+  xmlNodePtr signNode = NULL;
+  xmlNodePtr refNode = NULL;
+  xmlNodePtr keyInfoNode = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *keyName;
+  char *certificate;
+  char *rsaKey;
+  unsigned int rsaKeyLength, certificateLength;
+
+  Data_Get_Struct(self, xmlDoc, doc);
+  rsaKey = RSTRING_PTR(rb_rsa_key);
+  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
+  keyName = RSTRING_PTR(rb_key_name);
+  certificate = RSTRING_PTR(rb_cert);
+  certificateLength = RSTRING_LEN(rb_cert);
+
+  // create signature template for RSA-SHA1 enveloped signature
+  signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
+                                         xmlSecTransformRsaSha1Id, NULL);
+  if (signNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to create signature template");
+    goto done;
+  }
+
+  // add <dsig:Signature/> node to the doc
+  xmlAddChild(xmlDocGetRootElement(doc), signNode);
+
+  // add reference
+  refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
+                                        NULL, NULL, NULL);
+  if(refNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add reference to signature template");
+    goto done;
+  }
+
+  // add enveloped transform
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add enveloped transform to reference");
+    goto done;
+  }
+
+  // add <dsig:KeyInfo/> and <dsig:X509Data/>
+  keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
+  if(keyInfoNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add key info");
+    goto done;
+  }
+  
+  if(xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add X509Data node");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(NULL);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eSigningError, "failed to create signature context");
+    goto done;
+  }
+
+  // load private key, assuming that there is not password
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
+                                                  rsaKeyLength,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL,
+                                                  NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_raise(rb_eSigningError, "failed to load private key");
+    goto done;
+  }
+  
+  // load certificate and add to the key
+  if(xmlSecCryptoAppKeyCertLoadMemory(dsigCtx->signKey,
+                                      (xmlSecByte *)certificate,
+                                      certificateLength,
+                                      xmlSecKeyDataFormatPem) < 0) {
+    rb_raise(rb_eSigningError, "failed to load certificate");
+    goto done;
+  }
+
+  // set key name
+  if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
+    rb_raise(rb_eSigningError, "failed to set key name");
+    goto done;
+  }
+
+  // sign the template
+  if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
+    rb_raise(rb_eSigningError, "signature failed");
+    goto done;
+  }
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  return T_NIL;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_sign_rsa.c

@@ -0,0 +1,95 @@
+#include "xmlsecrb.h"
+
+// TODO the signature context probably should be a ruby instance variable
+// and separate object, instead of being allocated/freed in each method.
+
+VALUE sign_with_key(VALUE self, VALUE rb_key_name, VALUE rb_rsa_key) {
+  xmlDocPtr doc;
+  xmlNodePtr signNode = NULL;
+  xmlNodePtr refNode = NULL;
+  xmlNodePtr keyInfoNode = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *keyName;
+  char *rsaKey;
+  unsigned int rsaKeyLength;
+
+  Data_Get_Struct(self, xmlDoc, doc);
+  rsaKey = RSTRING_PTR(rb_rsa_key);
+  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
+  keyName = RSTRING_PTR(rb_key_name);
+
+  // create signature template for RSA-SHA1 enveloped signature
+  signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
+                                         xmlSecTransformRsaSha1Id, NULL);
+  if (signNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to create signature template");
+    goto done;
+  }
+
+  // add <dsig:Signature/> node to the doc
+  xmlAddChild(xmlDocGetRootElement(doc), signNode);
+
+  // add reference
+  refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
+                                        NULL, NULL, NULL);
+  if(refNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add reference to signature template");
+    goto done;
+  }
+
+  // add enveloped transform
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add enveloped transform to reference");
+    goto done;
+  }
+
+  // add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the signed
+  // document
+  keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
+  if(keyInfoNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add key info");
+    goto done;
+  }
+  if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add key name");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(NULL);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eSigningError, "failed to create signature context");
+    goto done;
+  }
+
+  // load private key, assuming that there is no password
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
+                                                  rsaKeyLength,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL,
+                                                  NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_raise(rb_eSigningError, "failed to load private pem key");
+    goto done;
+  }
+
+  // set key name
+  if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
+    rb_raise(rb_eSigningError, "failed to set key name");
+    goto done;
+  }
+
+  // sign the template
+  if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
+    rb_raise(rb_eSigningError, "signature failed");
+    goto done;
+  }
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  return T_NIL;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_certificates.c

@@ -0,0 +1,96 @@
+#include "xmlsecrb.h"
+
+static xmlSecKeysMngrPtr getKeyManager(VALUE rb_certs) {
+  int i, numCerts = RARRAY_LEN(rb_certs);
+  xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
+  VALUE rb_cert;
+  char *cert;
+  unsigned int certLength;
+  int numSuccessful = 0;
+
+  if (keyManager == NULL) return NULL;
+
+  if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
+    rb_raise(rb_eKeystoreError, "could not initialize key manager");
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  for (i = 0; i < numCerts; i++) {
+    rb_cert = RARRAY_PTR(rb_certs)[i];
+    Check_Type(rb_cert, T_STRING);
+    cert = RSTRING_PTR(rb_cert);
+    certLength = RSTRING_LEN(rb_cert);
+
+    if(xmlSecCryptoAppKeysMngrCertLoadMemory(keyManager,
+                                             (xmlSecByte *)cert,
+                                             certLength,
+                                             xmlSecKeyDataFormatPem,
+                                             xmlSecKeyDataTypeTrusted) < 0) {
+      rb_warn("failed to load certificate at index %d", i);
+    } else {
+      numSuccessful++;
+    }
+  }
+
+  // note, numCerts could be zero, meaning that we should use system SSL certs
+  if (numSuccessful == 0 && numCerts != 0) {
+    rb_raise(rb_eKeystoreError, "Could not load any of the specified certificates for signature verification");
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  return keyManager;
+}
+
+VALUE verify_signature_with_certificates(VALUE self, VALUE rb_certs) {
+  xmlDocPtr doc;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  VALUE result = Qfalse;
+
+  Check_Type(rb_certs, T_ARRAY);
+  Data_Get_Struct(self, xmlDoc, doc);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_raise(rb_eVerificationError, "start node not found");
+    goto done;
+  }
+
+  keyManager = getKeyManager(rb_certs);
+  if (keyManager == NULL) {
+    rb_raise(rb_eKeystoreError, "failed to create key manager");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(keyManager);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eVerificationError, "failed to create signature context");
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_raise(rb_eVerificationError, "signature could not be verified");
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  return result;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_named_keys.c

@@ -0,0 +1,106 @@
+#include "xmlsecrb.h"
+
+static int addRubyKeyToManager(VALUE rb_key, VALUE rb_value, VALUE rb_manager) {
+  xmlSecKeysMngrPtr keyManager = (xmlSecKeysMngrPtr)rb_manager;
+  char *keyName, *keyData;
+  unsigned int keyDataLength;
+  xmlSecKeyPtr key;
+
+  Check_Type(rb_key, T_STRING);
+  Check_Type(rb_value, T_STRING);
+  keyName = RSTRING_PTR(rb_key);
+  keyData = RSTRING_PTR(rb_value);
+  keyDataLength = RSTRING_LEN(rb_value);
+
+  // load key
+  key = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)keyData,
+                                     keyDataLength,
+                                     xmlSecKeyDataFormatPem,
+                                     NULL, // password
+                                     NULL, NULL);
+  if (key == NULL) {
+    rb_warn("failed to load '%s' public or private pem key", keyName);
+    return ST_CONTINUE;
+  }
+
+  // set key name
+  if (xmlSecKeySetName(key, BAD_CAST keyName) < 0) {
+    rb_warn("failed to set key name for key '%s'", keyName);
+    return ST_CONTINUE;
+  }
+  
+  // add key to key manager; from now on the manager is responsible for
+  // destroying the key
+  if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(keyManager, key) < 0) {
+    rb_warn("failed to add key '%s' to key manager", keyName);
+    return ST_CONTINUE;
+  }
+
+  return ST_CONTINUE;
+}
+
+static xmlSecKeysMngrPtr getKeyManager(VALUE rb_hash) {
+  xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
+  if (keyManager == NULL) return NULL;
+  if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
+    rb_raise(rb_eKeystoreError, "could not initialize key manager");
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  rb_hash_foreach(rb_hash, addRubyKeyToManager, (VALUE)keyManager);
+
+  return keyManager;
+}
+
+VALUE verify_signature_with_named_keys(VALUE self, VALUE rb_hash) {
+  xmlDocPtr doc;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  VALUE result = Qfalse;
+
+  Check_Type(rb_hash, T_HASH);
+  Data_Get_Struct(self, xmlDoc, doc);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_raise(rb_eVerificationError, "start node not found");
+    goto done;
+  }
+
+  keyManager = getKeyManager(rb_hash);
+  if (keyManager == NULL) {
+    rb_raise(rb_eKeystoreError, "failed to create key manager");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(keyManager);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eVerificationError, "failed to create signature context");
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_raise(rb_eVerificationError, "signature could not be verified");
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  return result;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_rsa.c

@@ -0,0 +1,56 @@
+#include "xmlsecrb.h"
+
+VALUE verify_signature_with_rsa_key(VALUE self, VALUE rb_rsa_key) {
+  xmlDocPtr doc;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *rsaKey;
+  unsigned int rsaKeyLength;
+  VALUE result = Qfalse;
+
+  Data_Get_Struct(self, xmlDoc, doc);
+  rsaKey = RSTRING_PTR(rb_rsa_key);
+  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_raise(rb_eVerificationError, "start node not found");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(NULL);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eVerificationError, "failed to create signature context");
+    goto done;
+  }
+
+  // load public key
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
+                                                  rsaKeyLength,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL, NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_raise(rb_eVerificationError, "failed to load public pem key");
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_raise(rb_eVerificationError, "signature could not be verified");
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  return result;
+}