nokogiri-xmlsec 0.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5ce9aa5774cf601b1d61c7a91d1a40b54ccc1707
+  data.tar.gz: 09ddf766c88fd311c714f1d64f20ba8c2be1de55
+SHA512:
+  metadata.gz: 8dc8f5fb6f6523d39572a633e91b1948dc4fb3b956082e50919dbfb06565872b2d26ac3ffce27aa3a3cf79fe5e264235ecb25900e9ef3b4169a31687848bed30
+  data.tar.gz: de1fb73e0f83c43c9f4f1de2afcc13f7b65a7b41dedacc727b37341ea325f54e03f7764ced670e1c946bcbcb51994edce0dadf2e398bd03661a09362f6731f76

data/.gitignore

@@ -0,0 +1,19 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+spec/old
+*.so

data/.rspec

@@ -0,0 +1,2 @@
+--color
+

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in xmlsec.gemspec
+gemspec

data/Guardfile

@@ -0,0 +1,13 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard 'rake', :task => 'default' do
+  watch(/^ext\//)
+end
+
+guard 'rspec' do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+  # watch(/^ext\//)               { "spec" }
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 TODO: Write your name
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,121 @@
+# nokogiri-xmlsec
+
+Adds support to Ruby for encrypting, decrypting, signing and validating
+the signatures of XML documents, according to the [XML Encryption Syntax and
+Processing](http://www.w3.org/TR/xmlenc-core/) standard, by wrapping around the
+[xmlsec](http://www.aleksey.com/xmlsec) C library and adding relevant methods
+to `Nokogiri::XML::Document`.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'nokogiri-xmlsec'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install nokogiri-xmlsec
+
+## Usage
+
+Several methods are added to `Nokogiri::XML::Document` which expose this gem's
+functionality.
+
+### Signing
+
+The `sign!` method adds a digital signature to the XML document so that it can
+later be determined whether the document itself has been tampered with. If the
+document changes, the signature will be invalid.
+
+Signing a document will add XML nodes directly to the document itself, and
+then returns itself.
+
+    # First, get an XML document
+    doc = Nokogiri::XML("<doc><greeting>Hello, World!</greeting></doc>")
+
+    # Sign the document with a certificate, a key, and a key name
+    doc.sign! certificate: 'certificate data',
+              key: 'private key data',
+              name: 'private key name'
+
+You only need one of `certificate` or `key`, but you can pass both. If you do,
+the certificate will be included as part of the signature, so that it can be
+later verified by certificate instead of by key.
+
+The `name` is implicitly converted into a string. Thus it is effectively
+optional, since `nil` converts to `""`, and its value only matters if you plan
+to verify the signature with any of a set of keys, as in the following example:
+
+### Signature verification
+
+Verification of signatures always returns `true` if successful, `false`
+otherwise.
+
+    # Verify the document's signature to ensure it has not been tampered with
+    doc.verify_with({
+      'key-name-1' => 'public key contents',
+      'key-name-2' => 'another public key content'
+    })
+
+In the above example, the `name` field from the signing process will be used
+to determine which key to validate with. If you plan to always verify with the
+same key, you can do it like so, effectively ignoring the `name` value:
+
+    # Verify the document's signature with a specific key
+    doc.verify_with key: 'public key contents'
+
+Finally, you can also verify with a certificate:
+
+    # Verify the document's signature with a single certificate
+    doc.verify_with certificate: 'certificate data'
+
+    # Verify the document's signature with multiple certificates. Any one match
+    # will pass verification.
+    doc.verify_with certificates: [ 'cert1', 'cert2', 'cert3' ]
+
+If the certificate has been installed to your system certificates, then you can
+verify signatures like so:
+
+    # Verify with installed CA certificates
+    doc.verify_signature
+
+### Encryption & Decryption
+
+Encrypted documents can only be decrypted with the private key that corresponds
+to the public key that was used to encrypt it. Thus, the party that encrypted
+the document can be sure that the document will only be readable by its intended
+recipient.
+
+Both encryption and decryption of a document manipulates the XML nodes of the
+document in-place. Both methods return the original document, after the changes
+have been made to it.
+
+To encrypt a document, use a public key:
+
+    doc.encrypt! key: 'public key content'
+
+To decrypt a document, use a private key:
+
+    doc.decrypt! key: 'private key content'
+
+
+## Limitations and Known Issues
+
+Following is a list of limitations and/or issues I know about, but have no
+immediate plan to resolve. This is probably because I haven't needed the
+functionality, and no one has sent a pull request. (Hint, hint!)
+
+- Currently, it is not possible to operate on individual XML nodes. The
+  `nokogiri-xmlsec` operations must be performed on the entire document.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,30 @@
+require "bundler/gem_tasks"
+require 'rake/extensiontask'
+require 'rspec/core/rake_task'
+
+Rake::ExtensionTask.new('nokogiri_ext_xmlsec')
+
+RSpec::Core::RakeTask.new :rspec
+
+desc 'clean out build files'
+task :clean do
+  rm_rf File.expand_path('../tmp', __FILE__)
+end
+
+task :default => [:clean, :compile, :rspec]
+
+desc 'code statistics, cause im a stats junky'
+task :stats do
+  def count(glob)
+    Dir[glob].inject(0) do |count, fi|
+      next unless File.file?(fi)
+      count + File.read(fi).lines.length
+    end
+  end
+
+  rb_lines = count 'lib/**/*.rb'
+  c_lines  = count 'ext/**/*.{c,h}'
+
+  puts "Lines of Ruby: #{rb_lines}"
+  puts "Lines of C:    #{c_lines}"
+end

data/ext/nokogiri_ext_xmlsec/extconf.rb

@@ -0,0 +1,20 @@
+require 'mkmf'
+
+def barf message = 'dependencies not met'
+  raise message
+end
+
+barf unless have_header('ruby.h')
+
+if pkg_config('xmlsec1-openssl')
+  # HACK 'openssl' is escaped too many times, I don't know why
+  if $CFLAGS =~ /\-DXMLSEC_CRYPTO=\\\\\\"openssl\\\\\\"/
+    $CFLAGS['-DXMLSEC_CRYPTO=\\\\\\"openssl\\\\\\"'] =
+      '-DXMLSEC_CRYPTO=\\"openssl\\"'
+  end
+  
+  have_library 'xmlsec1-openssl'
+  create_makefile('nokogiri_ext_xmlsec')
+else
+  barf "xmlsec1 is not installed."
+end

data/ext/nokogiri_ext_xmlsec/init.c

@@ -0,0 +1,46 @@
+#include "xmlsecrb.h"
+
+void Init_nokogiri_ext_xmlsec() {
+  /* xmlsec proper */
+  // libxml
+  xmlInitParser();
+  LIBXML_TEST_VERSION
+  xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
+  xmlSubstituteEntitiesDefault(1);
+  // xslt
+  #ifndef XMLSEC_NO_XSLT
+    xmlIndentTreeOutput = 1; 
+  #endif /* XMLSEC_NO_XSLT */
+  // xmlsec
+  if (xmlSecInit() < 0) {
+    rb_raise(rb_eRuntimeError, "xmlsec initialization failed");
+    return;
+  }
+  if (xmlSecCheckVersion() != 1) {
+    rb_raise(rb_eRuntimeError, "xmlsec version is not compatible");
+    return;
+  }
+  // load crypto
+  #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
+    if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
+      rb_raise(rb_eRuntimeError,
+        "Error: unable to load default xmlsec-crypto library. Make sure"
+        "that you have it installed and check shared libraries path\n"
+        "(LD_LIBRARY_PATH) envornment variable.\n");
+      return;
+    }
+  #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
+  // init crypto
+  if (xmlSecCryptoAppInit(NULL) < 0) {
+    rb_raise(rb_eRuntimeError, "unable to initialize crypto engine");
+    return;
+  }
+  // init xmlsec-crypto library
+  if (xmlSecCryptoInit() < 0) {
+    rb_raise(rb_eRuntimeError, "xmlsec-crypto initialization failed");
+  }
+
+  /* ruby classes & objects */
+  Init_Nokogiri_ext();
+}
+

data/ext/nokogiri_ext_xmlsec/nokogiri_decrypt_with_key.c

@@ -0,0 +1,124 @@
+#include "xmlsecrb.h"
+
+static xmlSecKeysMngrPtr getKeyManager(char* keyStr, unsigned int keyLength, char *keyName) {
+  xmlSecKeysMngrPtr mngr;
+  xmlSecKeyPtr key;
+  
+  /* create and initialize keys manager, we use a simple list based
+   * keys manager, implement your own xmlSecKeysStore klass if you need
+   * something more sophisticated 
+   */
+  mngr = xmlSecKeysMngrCreate();
+  if(mngr == NULL) {
+    rb_raise(rb_eDecryptionError, "failed to create keys manager.");
+    return(NULL);
+  }
+  if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
+    rb_raise(rb_eDecryptionError, "failed to initialize keys manager.");
+    xmlSecKeysMngrDestroy(mngr);
+    return(NULL);
+  }    
+  
+  /* load private RSA key */
+  // key = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
+  key = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)keyStr,
+                                     keyLength,
+                                     xmlSecKeyDataFormatPem,
+                                     NULL, // password
+                                     NULL, NULL);
+  if(key == NULL) {
+    rb_raise(rb_eDecryptionError, "failed to load rsa key");
+    xmlSecKeysMngrDestroy(mngr);
+    return(NULL);
+  }
+
+  /* set key name to the file name, this is just an example! */
+  if(xmlSecKeySetName(key, BAD_CAST keyName) < 0) {
+    rb_raise(rb_eDecryptionError, "failed to set key name");
+    xmlSecKeyDestroy(key);  
+    xmlSecKeysMngrDestroy(mngr);
+    return(NULL);
+  }
+
+  /* add key to keys manager, from now on keys manager is responsible 
+   * for destroying key 
+   */
+  if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) {
+    rb_raise(rb_eDecryptionError, "failed to add key to keys manager");
+    xmlSecKeyDestroy(key);
+    xmlSecKeysMngrDestroy(mngr);
+    return(NULL);
+  }
+
+  return(mngr);
+}
+
+VALUE decrypt_with_key(VALUE self, VALUE rb_key_name, VALUE rb_key) {
+  xmlDocPtr doc;
+  xmlNodePtr node = NULL;
+  xmlSecEncCtxPtr encCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  char *key;
+  char *keyName;
+  unsigned int keyLength;
+
+  Check_Type(rb_key,      T_STRING);
+  Check_Type(rb_key_name, T_STRING);
+  Data_Get_Struct(self, xmlDoc, doc);
+  key       = RSTRING_PTR(rb_key);
+  keyLength = RSTRING_LEN(rb_key);
+  keyName   = RSTRING_PTR(rb_key_name);
+
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs);
+  if(node == NULL) {
+      rb_raise(rb_eDecryptionError, "start node not found");
+      goto done;      
+  }
+
+  keyManager = getKeyManager(key, keyLength, keyName);
+  if (keyManager == NULL) {
+    rb_raise(rb_eEncryptionError, "failed to create key manager");
+    goto done;
+  }
+
+  // create encryption context
+  encCtx = xmlSecEncCtxCreate(keyManager);
+  if(encCtx == NULL) {
+    rb_raise(rb_eDecryptionError, "failed to create encryption context");
+    goto done;
+  }
+
+  // decrypt the data
+  if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL)) {
+    rb_raise(rb_eDecryptionError, "decryption failed");
+    goto done;
+  }
+
+  if(encCtx->resultReplaced == 0) {
+    fprintf(stdout, "Decrypted binary data (%d bytes):", xmlSecBufferGetSize(encCtx->result));
+    if(xmlSecBufferGetData(encCtx->result) != NULL) {
+      fwrite(xmlSecBufferGetData(encCtx->result), 
+             1, 
+             xmlSecBufferGetSize(encCtx->result),
+             stdout);
+      fprintf(stdout, "\n");
+    }
+
+    rb_raise(rb_eDecryptionError, "Not implemented: don't know how to handle decrypted, non-XML data yet");
+    goto done;
+  }
+
+done:    
+  // cleanup
+  if(encCtx != NULL) {
+    xmlSecEncCtxDestroy(encCtx);
+  }
+  
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  return T_NIL;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_encrypt_with_key.c

@@ -0,0 +1,182 @@
+#include "xmlsecrb.h"
+
+static xmlSecKeysMngrPtr getKeyManager(char* keyStr, unsigned int keyLength, char *keyName) {
+  xmlSecKeysMngrPtr mngr;
+  xmlSecKeyPtr key;
+  
+  /* create and initialize keys manager, we use a simple list based
+   * keys manager, implement your own xmlSecKeysStore klass if you need
+   * something more sophisticated 
+   */
+  mngr = xmlSecKeysMngrCreate();
+  if(mngr == NULL) {
+    rb_raise(rb_eDecryptionError, "failed to create keys manager.");
+    return(NULL);
+  }
+  if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
+    rb_raise(rb_eDecryptionError, "failed to initialize keys manager.");
+    xmlSecKeysMngrDestroy(mngr);
+    return(NULL);
+  }    
+  
+  /* load private RSA key */
+  // key = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
+  key = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)keyStr,
+                                     keyLength,
+                                     xmlSecKeyDataFormatPem,
+                                     NULL, // password
+                                     NULL, NULL);
+  if(key == NULL) {
+    rb_raise(rb_eDecryptionError, "failed to load rsa key");
+    xmlSecKeysMngrDestroy(mngr);
+    return(NULL);
+  }
+
+  /* set key name to the file name, this is just an example! */
+  if(xmlSecKeySetName(key, BAD_CAST keyName) < 0) {
+    rb_raise(rb_eDecryptionError, "failed to set key name");
+    xmlSecKeyDestroy(key);  
+    xmlSecKeysMngrDestroy(mngr);
+    return(NULL);
+  }
+      
+  /* add key to keys manager, from now on keys manager is responsible 
+   * for destroying key 
+   */
+  if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) {
+    rb_raise(rb_eDecryptionError, "failed to add key to keys manager");
+    xmlSecKeyDestroy(key);
+    xmlSecKeysMngrDestroy(mngr);
+    return(NULL);
+  }
+
+  return(mngr);
+}
+
+VALUE encrypt_with_key(VALUE self, VALUE rb_key_name, VALUE rb_key) {
+  xmlDocPtr doc;
+  xmlNodePtr encDataNode = NULL;
+  xmlNodePtr encKeyNode  = NULL;
+  xmlNodePtr keyInfoNode = NULL;
+  xmlSecEncCtxPtr encCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  char *keyName;
+  char *key;
+  unsigned int keyLength;
+
+  Check_Type(rb_key_name, T_STRING);
+  Check_Type(rb_key,      T_STRING);
+  Data_Get_Struct(self, xmlDoc, doc);
+  key       = RSTRING_PTR(rb_key);
+  keyLength = RSTRING_LEN(rb_key);
+  keyName   = RSTRING_PTR(rb_key_name);
+
+  // create encryption template to encrypt XML file and replace 
+  // its content with encryption result
+  encDataNode = xmlSecTmplEncDataCreate(doc, xmlSecTransformDes3CbcId,
+                              NULL, xmlSecTypeEncElement, NULL, NULL);
+  if(encDataNode == NULL) {
+    rb_raise(rb_eEncryptionError, "failed to create encryption template");
+    goto done;
+  }
+
+  // we want to put encrypted data in the <enc:CipherValue/> node
+  if(xmlSecTmplEncDataEnsureCipherValue(encDataNode) == NULL) {
+    rb_raise(rb_eEncryptionError, "failed to add CipherValue node");
+    goto done;
+  }
+
+  // add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the
+  // signed document
+  keyInfoNode = xmlSecTmplEncDataEnsureKeyInfo(encDataNode, NULL);
+  if(keyInfoNode == NULL) {
+    rb_raise(rb_eEncryptionError, "failed to add key info");
+    goto done;
+  }
+
+  if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
+    rb_raise(rb_eEncryptionError, "failed to add key name");
+    goto done;
+  }
+
+  keyManager = getKeyManager(key, keyLength, keyName);
+  if (keyManager == NULL) {
+    rb_raise(rb_eEncryptionError, "failed to create key manager");
+    goto done;
+  }
+
+  // create encryption context, we don't need keys manager in this example
+  encCtx = xmlSecEncCtxCreate(keyManager);
+  if(encCtx == NULL) {
+    rb_raise(rb_eEncryptionError, "failed to create encryption context");
+    goto done;
+  }
+
+  // generate a 3DES key
+  // TODO make a note of this one, it lets us pass in key type and bits from ruby
+  encCtx->encKey = xmlSecKeyGenerateByName((xmlChar *)"des", 192,
+                                           xmlSecKeyDataTypeSession);
+
+  // encCtx->encKey = xmlSecKeyGenerate(xmlSecKeyDataDesId, 192,
+  //                                    xmlSecKeyDataTypeSession);
+  // encCtx->encKey = xmlSecAppCryptoKeyGenerate(xmlSecAppCmdLineParamGetString(&sessionKeyParam),
+  //                               NULL, xmlSecKeyDataTypeSession);
+  if(encCtx->encKey == NULL) {
+    rb_raise(rb_eDecryptionError, "failed to generate session des key");
+    goto done;
+  }
+
+  // set key name
+  if(xmlSecKeySetName(encCtx->encKey, (xmlSecByte *)keyName) < 0) {
+    rb_raise(rb_eEncryptionError, "failed to set key name to '%s'", keyName);
+    goto done;
+  }
+
+  // add <enc:EncryptedKey/> node to the <dsig:KeyInfo/> tag to include
+  // the session key
+  encKeyNode = xmlSecTmplKeyInfoAddEncryptedKey(keyInfoNode,
+                                       xmlSecTransformRsaPkcs1Id, // encMethodId encryptionMethod
+                                       NULL, // xmlChar *idAttribute
+                                       NULL, // xmlChar *typeAttribute
+                                       NULL  // xmlChar *recipient
+                                      );
+  if (encKeyNode == NULL) {
+    rb_raise(rb_eEncryptionError, "failed to add encrypted key node");
+    goto done;
+  }
+  if (xmlSecTmplEncDataEnsureCipherValue(encKeyNode) == NULL) {
+    rb_raise(rb_eEncryptionError, "failed to add encrypted cipher value");
+    goto done;
+  }
+
+  // encrypt the data
+  if(xmlSecEncCtxXmlEncrypt(encCtx, encDataNode, xmlDocGetRootElement(doc)) < 0) {
+    rb_raise(rb_eEncryptionError, "encryption failed");
+    goto done;
+  }
+  
+  // the template is inserted in the doc, so don't free it
+  encDataNode = NULL;
+  encKeyNode = NULL;
+
+done:
+
+  /* cleanup */
+  if(encCtx != NULL) {
+    xmlSecEncCtxDestroy(encCtx);
+  }
+
+  if (encKeyNode != NULL) {
+    xmlFreeNode(encKeyNode);
+  }
+
+  if(encDataNode != NULL) {
+    xmlFreeNode(encDataNode);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  return T_NIL;
+}