nokogiri-xmlsec 0.0.3

data/ext/nokogiri_ext_xmlsec/shutdown.c

@@ -0,0 +1,12 @@
+#include "xmlsecrb.h"
+
+/* not actually called anywhere right now, but here for posterity */
+void Shutdown_xmlsecrb() {
+  xmlSecCryptoShutdown();
+  xmlSecCryptoAppShutdown();
+  xmlSecShutdown();
+  xsltCleanupGlobals();
+  #ifndef XMLSEC_NO_XSLT
+    xsltCleanupGlobals();            
+  #endif /* XMLSEC_NO_XSLT */
+}

data/ext/nokogiri_ext_xmlsec/xmlsecrb.h

@@ -0,0 +1,38 @@
+#ifndef XMLSECRB_H
+#define XMLSECRB_H
+
+#include <ruby.h>
+
+#include <libxml/tree.h>
+#include <libxml/xmlmemory.h>
+#include <libxml/parser.h>
+#include <libxml/xmlstring.h>
+
+#include <libxslt/xslt.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/xmldsig.h>
+#include <xmlsec/xmlenc.h>
+#include <xmlsec/templates.h>
+#include <xmlsec/crypto.h>
+#include <xmlsec/dl.h>
+
+VALUE sign_with_key(VALUE self, VALUE rb_key_name, VALUE rb_rsa_key);
+VALUE sign_with_certificate(VALUE self, VALUE rb_key_name, VALUE rb_rsa_key, VALUE rb_cert);
+VALUE verify_signature_with_rsa_key(VALUE self, VALUE rb_rsa_key);
+VALUE verify_signature_with_named_keys(VALUE self, VALUE rb_keys);
+VALUE verify_signature_with_certificates(VALUE self, VALUE rb_certs);
+VALUE encrypt_with_key(VALUE self, VALUE rb_key_name, VALUE rb_key);
+VALUE decrypt_with_key(VALUE self, VALUE rb_key_name, VALUE rb_key);
+
+void Init_Nokogiri_ext(void);
+
+extern VALUE rb_cNokogiri_XML_Document;
+extern VALUE rb_eSigningError;
+extern VALUE rb_eVerificationError;
+extern VALUE rb_eKeystoreError;
+extern VALUE rb_eEncryptionError;
+extern VALUE rb_eDecryptionError;
+
+#endif // XMLSECRB_H

data/lib/nokogiri-xmlsec.rb

@@ -0,0 +1 @@
+require 'xmlsec'

data/lib/xmlsec.rb

@@ -0,0 +1,110 @@
+require "xmlsec/version"
+require 'nokogiri'
+require 'nokogiri_ext_xmlsec'
+
+class Nokogiri::XML::Document
+  # Signs this document, and then returns it.
+  #
+  # Examples:
+  #
+  #     doc.sign! key: 'rsa-private-key'
+  #     doc.sign! key: 'rsa-private-key', name: 'key-name'
+  #     doc.sign! x509: 'x509 certificate', key: 'cert private key'
+  #     doc.sign! x509: 'x509 certificate', key: 'cert private key',
+  #               name: 'key-name'
+  #
+  # You can also use `:cert` or `:certificate` as aliases for `:x509`.
+  #
+  def sign! opts
+    if (cert = opts[:x509]) || (cert = opts[:cert]) || (cert = opts[:certificate])
+      raise "need a private :key" unless opts[:key]
+      sign_with_certificate opts[:name].to_s, opts[:key], cert
+    elsif opts[:key]
+      sign_with_key opts[:name].to_s, opts[:key]
+    else
+      raise "No private :key was given"
+    end
+    self
+  end
+
+  # Verifies the signature on the current document.
+  #
+  # Returns `true` if the signature is valid, `false` otherwise.
+  # 
+  # Examples:
+  #
+  #     # Try to validate with the given public or private key
+  #     doc.verify_with key: 'rsa-key'
+  #
+  #     # Try to validate with a set of keys. It will try to match
+  #     # based on the contents of the `KeyName` element.
+  #     doc.verify_with({
+  #       'key-name'         => 'x509 certificate',
+  #       'another-key-name' => 'rsa-public-key'
+  #     })
+  #     
+  #     # Try to validate with a trusted certificate
+  #     doc.verify_with(x509: 'certificate')
+  #
+  #     # Try to validate with a set of certificates, any one of which
+  #     # can match
+  #     doc.verify_with(x509: ['cert1', 'cert2'])
+  #
+  # You can also use `:cert` or `:certificate` or `:certs` or
+  # `:certificates` as aliases for `:x509`.
+  #
+  def verify_with opts_or_keys
+    if (certs = opts_or_keys[:x509]) ||
+       (certs = opts_or_keys[:cert]) ||
+       (certs = opts_or_keys[:certs]) ||
+       (certs = opts_or_keys[:certificate]) ||
+       (certs = opts_or_keys[:certificates])
+      certs = [certs] unless certs.kind_of?(Array)
+      verify_with_certificates certs
+    elsif opts_or_keys[:key]
+      verify_with_rsa_key opts_or_keys[:key]
+    else
+      verify_with_named_keys opts_or_keys
+    end
+  end
+
+  # Attempts to verify the signature of this document using only certificates
+  # installed on the system. This is equivalent to calling
+  # `verify_with certificates: []` (that is, an empty array).
+  #
+  def verify_signature
+    verify_with_certificates []
+  end
+
+  # Encrypts the current document, then returns it.
+  #
+  # Examples:
+  # 
+  #     # encrypt with a public key and optional key name
+  #     doc.encrypt! key: 'public-key', name: 'name'
+  #
+  def encrypt! opts
+    if opts[:key]
+      encrypt_with_key opts[:name].to_s, opts[:key]
+    else
+      raise "private :key is required for encryption"
+    end
+    self
+  end
+
+  # Decrypts the current document, then returns it.
+  #
+  # Examples:
+  #
+  #     # decrypt with a specific private key
+  #     doc.decrypt! key: 'private-key'
+  #
+  def decrypt! opts
+    if opts[:key]
+      decrypt_with_key opts[:name].to_s, opts[:key]
+    else
+      raise 'inadequate options specified for decryption'
+    end
+    self
+  end
+end

data/lib/xmlsec/version.rb

@@ -0,0 +1,3 @@
+module Xmlsec
+  VERSION = '0.0.3'
+end

data/nokogiri-xmlsec.gemspec

@@ -0,0 +1,36 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'xmlsec/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "nokogiri-xmlsec"
+  spec.version       = Xmlsec::VERSION
+  spec.authors       = ["Colin MacKenzie IV"]
+  spec.email         = ["sinisterchipmunk@gmail.com"]
+  spec.description   = %q{Adds support to Ruby for encrypting, decrypting,
+    signing and validating the signatures of XML documents, according to the
+    [XML Encryption Syntax and Processing](http://www.w3.org/TR/xmlenc-core/)
+    standard, by wrapping around the [xmlsec](http://www.aleksey.com/xmlsec) C
+    library and adding relevant methods to `Nokogiri::XML::Document`.}
+  spec.summary       = %q{Wrapper around http://www.aleksey.com/xmlsec to
+    support XML encryption, decryption, signing and signature validation in
+    Ruby}
+  spec.homepage      = "https://github.com/sinisterchipmunk/xmlsec"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  spec.extensions = %w{ext/nokogiri_ext_xmlsec/extconf.rb}
+
+  spec.add_dependency 'nokogiri'
+  
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rake-compiler"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "guard-rspec"
+  spec.add_development_dependency "guard-rake"
+end

data/spec/fixtures/cert/server.crt

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLzCCAZgCCQCVuhhQ38rw0TANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJV
+UzEQMA4GA1UECAwHR2VvcmdpYTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTAgFw0xMzA1MjUxODQwMDRa
+GA8zMDEyMDkyNTE4NDAwNFowWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3Jn
+aWExITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwO
+d3d3Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALE4oSql
+eymfHtzOeY86WyvfsjZmaz2XnIo9dzZsK71yMEKkgvXQnnYy9pK0NaYcG0B0hcii
+3fqGBiHMkZY2BOGWwCC/wOmJCzLq9q6caPWUs71Zko+h59LaqV93vzDmZaXYfFoQ
+gSVEWpEpCSo560x0mSuLnJYdQQzZ/L6xvxZ1AgMBAAEwDQYJKoZIhvcNAQEFBQAD
+gYEATyK/RlfpohUVimgFkycTF2hyusjctseXoZDCctgg/STMsL8iA0P9YB6k91GC
+kWpwevuiwarD1MfSUV6goPINFkIBvfK+5R9lpHaTqqs615z8T9R5VJgaLcFe3tWd
+7oq3V2q5Nl6MrZfXj2N07qe6/9zfdauxYO26vAEKCvIkbMo=
+-----END CERTIFICATE-----

data/spec/fixtures/cert/server.csr

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBmzCCAQQCAQAwWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExITAf
+BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwOd3d3Lmdv
+b2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALE4oSqleymfHtzO
+eY86WyvfsjZmaz2XnIo9dzZsK71yMEKkgvXQnnYy9pK0NaYcG0B0hcii3fqGBiHM
+kZY2BOGWwCC/wOmJCzLq9q6caPWUs71Zko+h59LaqV93vzDmZaXYfFoQgSVEWpEp
+CSo560x0mSuLnJYdQQzZ/L6xvxZ1AgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQB6
+8K0q16EAkGoYLFHvVHxpqk+annbB8ZqpbV43T12Ngx7KiMsdTjrgho0lP/OllHcr
+3vQ0yHnI1K1EeV9Q+/lXqaRl9ws3PL1QMOFm4XD1uIEPG+umRYgrjuZhFab+2Zfs
+rgyILF2yRSy0oVeTBxVK5igV6qYcXFFBRIj7nnV8Jg==
+-----END CERTIFICATE REQUEST-----

data/spec/fixtures/cert/server.key.decrypted

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCxOKEqpXspnx7cznmPOlsr37I2Zms9l5yKPXc2bCu9cjBCpIL1
+0J52MvaStDWmHBtAdIXIot36hgYhzJGWNgThlsAgv8DpiQsy6vaunGj1lLO9WZKP
+oefS2qlfd78w5mWl2HxaEIElRFqRKQkqOetMdJkri5yWHUEM2fy+sb8WdQIDAQAB
+AoGAB1d8PcMLPicsZSNcn9VgD4o93MkTakLMpmFzfdqvWTLQ0wHztvFEj0r/Mgar
+Lk19x4bMQAqXPZitylqqMVndi9U8squvAvkZcgYL57MNQRgmLtjSMfk4wCY9ieDa
+newt4cP7nGN/ZkU5R0lRMGExKSrMZW8HAkK4WJpbfnOpwGECQQDkoggBRH4aFlaj
+Xhw+mSIxOpmzFBhXZ0z+bvoCipPKIhbnwKt0dupn0xAwatNmakBt0p46SFOgW8QQ
+TV51G/bdAkEAxm8yEod77IM6bhLL+3h/nsGOGsA0xs22U6FBrz34Nvd4gwmICMcF
+t4P3iHYzJfUt+Z2zv5ucX2tuD4uoWsqIeQJAercdZNDGfmoPBpC0yESZPaMebCgV
+CJTBlq8qMcL/oDa75Jhdbp2FI0T+I36zCP1up4OsucuoVyHqEnX0hRcFYQJAD3Nz
+E6xHAviI4S9HgNI2JbduiDi1I1G7Q7HHuox5ulX0pUdlt0E/+bUl3hNOEkOQC+Ky
+r1W/jFKCJGW8ey1QCQJAYDh1BmlLswafEnkNmwydNz4gVflHJvsF8A1c2wJVytkT
+3HVWvwOAfcumDNDNkSUJ+0DQs17qgOMCDwFgFzUb+Q==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/cert/server.key.encrypted

@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,6F8CC52C2E211FF4
+
+T5g21oYrsS435g2GRNBFs+IwpKYAsF0RDt9SNuCXp6hD2MbcF3q8Su/wvj9inAZi
+S7V8Qp8mmBsjo+vh0oTggVFmk7/fyTAa6ltQL+1UH7b8vecgGFKSBV8TG3+k9S4C
+ZgXyR9pTgzQx+8M5LrnOnM8fpf638xouHvMo7zTFPhimehIMrMcXAyRZaRfcDhlg
+YR+JRvSa0Q9vxhsC19fjfnlU7FdV8B9Ypo/+23TNmKpfU99oV6oPNoiWzkziKtvZ
+mwYjrYw6r91ANFCRIux5+CjfOqVxissxzmZ5vyV89LoXjLAEDVmv2vJ+8w2b8zAN
+FAXtcx74MutSQQBrG4xffwwRJwf0uPhzMohRoiholOoaMFSOFBasA+phn7hr7m9a
+JWj4icCRVZlm+rztbbiapBUtm4ER1tdBGr84TgqasM5CK/qhXt9CCnUBRaimIwad
+9dib2jnkzuqlyrdzLyaFU0IRSq+GQAK7sgya/V2q96lWdzejMGx/07hL6lvPY/h7
+o8puMwpCK4XKYantqXL26oCxSgcrlA2nlR+SfmRKhwDwy8rPsTBm55BxwGr8Jj+9
+6bY6VOR+vZkjSVDKNBOq8gUJvPksQV0CK0eSgPTli0ncCInzFPeLGISIa90rFD7I
+97w/ZzTywVnTWO9DhedliwqDSOOYTdVoRfygQfpaFoa1aqR9tKWoc30kbqXvgvUR
+mlDwiY1zxpKsTHKu7omf0bp5m8dlW4EarWgTsTRQ8EOHoIucgjdaSxPEDDi8WGOW
+Nbqb2ZZz7wsIL71XgC13A+va1C0F709PK/Xnd5IwRf8=
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/rsa.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQC15La+LSmHNUs/yqzSuzKdBUED1OfaOZpBp8zxAAQy7VlTrqRh
+/eiJH3VSeRRZEygORvtLgi/teF2P+z/mfJ6IHIdCdkn8MF4CCCQKkjm7JKRrKfK5
+fOUp1NZF22oP8x0L4j67NYCtR9F6KIkV5A6FPAZGI8nsHnyJzRwqmG2xbQIDAQAB
+AoGBAJDT2UW3g/dqUc4rPExWTUiFJG0+mpVBhDd+ukmyL6W1Iojk53I2z25PJAVU
+7wS1ohEsJ27J7Aty6Vx5Ozn0Q+zYVaKRSxcazNeGbwS0UaGrN0lMvWDs7RmVGCdx
+bI2LUTQ88Bl94dW4QObAub+wMOL6xmVEVrJssZnm+CIqS2UBAkEA49QDNB//oHmi
+iqD4SFotE8Lz80qBGHN15YIm80TKUR2k1LusZl6R5+2nYTF2vPsG+HGXPbkGhqTn
+JL9GMBv7TQJBAMxinne8+bKTvOl/hhdAohFs7aHUBZhZOEuXIf1jYENASk2weYC6
+95SlHvWcwPHfqVbpwt83sGL8aDm8CCPYPqECQQDEFRQQx72GC0oG0FYAR4RmbrLx
+YN1NAwqkVmlZlIogWEgmQ8Q0cw5Ws+cMMrtEGTU9nN4TZGymc8TwjqNFAsA9AkEA
+ol8Cp/uQn6cxIIt4Gsb1OkTAcJ0BKOxQhfT2QtiNJEBSB3BYxsVCZWvcsaGrwzw9
+yteBQlZ6odkGcD+Kc/eaoQJAH+0a7jlHDu2VCHI63OiNZQJ8J9oxaPvWZyKYSaCO
+iGvon/Z6KGQhXMedPDaCH7UjeMle5AVhjSrSvF6OglgZ9g==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/rsa.pub

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC15La+LSmHNUs/yqzSuzKdBUED
+1OfaOZpBp8zxAAQy7VlTrqRh/eiJH3VSeRRZEygORvtLgi/teF2P+z/mfJ6IHIdC
+dkn8MF4CCCQKkjm7JKRrKfK5fOUp1NZF22oP8x0L4j67NYCtR9F6KIkV5A6FPAZG
+I8nsHnyJzRwqmG2xbQIDAQAB
+-----END PUBLIC KEY-----

data/spec/fixtures/sign2-doc.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<Envelope xmlns="urn:envelope">
+  <Data>
+  Hello, World!
+  </Data>
+</Envelope>

data/spec/fixtures/sign2-result.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<Envelope xmlns="urn:envelope">
+  <Data>
+  Hello, World!
+  </Data>
+<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+<Reference>
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+<DigestValue>Te51eBcV78RHrLH5Dv0P24r8vW8=</DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue>DPwu/iB8Sx21tywM69YUztjuMbKdAsfwOniDWlabk2jmEgbtwPlKFgZ9A5wdZbFj
+D+SGQrv0y0d0UV8SBV5zeAeyyX7uwpm45iEbtQjirC6oaJ5Eu9caBCRqbcxNSTdR
+yKGnO1r+dK/9T/MFANce39wBaeOUzo2qJe2128iWal4=</SignatureValue>
+<KeyInfo>
+<KeyName>test</KeyName>
+</KeyInfo>
+</Signature></Envelope>

data/spec/fixtures/sign3-result.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0"?>
+<Envelope xmlns="urn:envelope">
+  <Data>
+  Hello, World!
+  </Data>
+<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+<Reference>
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+<DigestValue>Te51eBcV78RHrLH5Dv0P24r8vW8=</DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue>FNY3KHaZF2vVo/WKCRftatol0c22ozKn7S6Uw+GGjfAodlZwSPU5yq6rbfEBpMIi
+igz6OFpeB5fFOIJM7n428uT+tcE48AnmHvh2Dd+THs5NgGxIrogfYQGyzvX/GHox
+bmLwCVE/mRMHEG3UY67WctjP5DaSk0VCANpMnBnn+g4=</SignatureValue>
+<KeyInfo>
+<X509Data>
+<X509Certificate>MIICLzCCAZgCCQCVuhhQ38rw0TANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJV
+UzEQMA4GA1UECAwHR2VvcmdpYTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTAgFw0xMzA1MjUxODQwMDRa
+GA8zMDEyMDkyNTE4NDAwNFowWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3Jn
+aWExITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwO
+d3d3Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALE4oSql
+eymfHtzOeY86WyvfsjZmaz2XnIo9dzZsK71yMEKkgvXQnnYy9pK0NaYcG0B0hcii
+3fqGBiHMkZY2BOGWwCC/wOmJCzLq9q6caPWUs71Zko+h59LaqV93vzDmZaXYfFoQ
+gSVEWpEpCSo560x0mSuLnJYdQQzZ/L6xvxZ1AgMBAAEwDQYJKoZIhvcNAQEFBQAD
+gYEATyK/RlfpohUVimgFkycTF2hyusjctseXoZDCctgg/STMsL8iA0P9YB6k91GC
+kWpwevuiwarD1MfSUV6goPINFkIBvfK+5R9lpHaTqqs615z8T9R5VJgaLcFe3tWd
+7oq3V2q5Nl6MrZfXj2N07qe6/9zfdauxYO26vAEKCvIkbMo=</X509Certificate>
+</X509Data>
+</KeyInfo>
+</Signature></Envelope>

data/spec/lib/nokogiri/xml/document/encryption_and_decryption_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+describe "encryption and decryption:" do
+  subject do
+    Nokogiri::XML(fixture('sign2-doc.xml'))
+  end
+
+  describe 'encrypting with an RSA public key' do
+    before do
+      @original = subject.to_s
+      subject.encrypt! key: fixture('rsa.pub'), name: 'test'
+    end
+
+    # it generates a new key every time so will never match the fixture
+    specify { subject.to_s.should_not == @original }
+    specify { subject.to_s.should_not =~ /Hello.*World/i }
+    # specify { subject.to_s.should == fixture('encrypt2-result.xml') }
+
+    describe 'decrypting with the RSA private key' do
+      before do
+        subject.decrypt! key: fixture('rsa.pem'), name: 'test'
+      end
+
+      specify { subject.to_s.should == fixture('sign2-doc.xml') }
+    end
+  end
+
+end

data/spec/lib/nokogiri/xml/document/signing_and_verifying_spec.rb

@@ -0,0 +1,70 @@
+require 'spec_helper'
+
+describe "signing and verifying signatures:" do
+  subject do
+    Nokogiri::XML(fixture('sign2-doc.xml'))
+  end
+
+  describe 'signing a document with an RSA key' do
+    before { subject.sign! key: fixture('rsa.pem'), name: 'test' }
+
+    it 'should produce a signed document' do
+      subject.to_s.should == fixture('sign2-result.xml')
+    end
+
+    describe 'verifying the document with a single public key' do
+      it 'should be valid' do
+        subject.verify_with(key: fixture('rsa.pub')).should == true
+      end
+    end
+
+    describe 'verifying the document with a set of keys' do
+      it 'should be valid' do
+        subject.verify_with({
+          'test' => fixture('rsa.pub')
+        }).should == true
+      end
+    end
+  end
+
+  describe 'signing a document with an RSA key and X509 certificate' do
+    before do
+      subject.sign! key: fixture('cert/server.key.decrypted'),
+                    name: 'test',
+                    x509: fixture('cert/server.crt')
+    end
+
+    it 'should produce a signed document' do
+      subject.to_s.should == fixture('sign3-result.xml')
+    end
+
+    describe 'verifying the document with an array of X509 certificates' do
+      specify { subject.verify_with(x509: [fixture('cert/server.crt')]).should == true }
+      specify { subject.verify_with(certs: [fixture('cert/server.crt')]).should == true }
+      specify { subject.verify_with(certificates: [fixture('cert/server.crt')]).should == true }
+
+      it 'should verify using system certificates' do
+        # subject.verify_signature.should == true -- sort of.
+        unless subject.verify_signature
+          raise <<-end_error
+            Could not use system certificates to verify the signature.
+            Note that this may not be a failing spec. You should copy
+            or symlink the file `spec/fixtures/cert/server.crt` into
+            the directory shown by running `openssl version -d`. After
+            doing so, run `sudo c_rehash CERT_PATH`, where
+            CERT_PATH is the same directory you copied the certificate
+            into (/usr/lib/ssl/certs by default on Ubuntu). After doing
+            that, run this spec again and see if it passes.
+          end_error
+        end
+      end
+    end
+
+    describe 'verifying the document with one X509 certificate' do
+      specify { subject.verify_with(x509: fixture('cert/server.crt')).should == true }
+      specify { subject.verify_with(cert: fixture('cert/server.crt')).should == true }
+      specify { subject.verify_with(certificate: fixture('cert/server.crt')).should == true }
+    end
+  end
+
+end