nokogiri-xmlsec1 0.0.6

data/ext/nokogiri_ext_xmlsec/nokogiri_sign_rsa.c

@@ -0,0 +1,95 @@
+#include "xmlsecrb.h"
+
+// TODO the signature context probably should be a ruby instance variable
+// and separate object, instead of being allocated/freed in each method.
+
+VALUE sign_with_key(VALUE self, VALUE rb_key_name, VALUE rb_rsa_key) {
+  xmlDocPtr doc;
+  xmlNodePtr signNode = NULL;
+  xmlNodePtr refNode = NULL;
+  xmlNodePtr keyInfoNode = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *keyName;
+  char *rsaKey;
+  unsigned int rsaKeyLength;
+
+  Data_Get_Struct(self, xmlDoc, doc);
+  rsaKey = RSTRING_PTR(rb_rsa_key);
+  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
+  keyName = RSTRING_PTR(rb_key_name);
+
+  // create signature template for RSA-SHA1 enveloped signature
+  signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
+                                         xmlSecTransformRsaSha1Id, NULL);
+  if (signNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to create signature template");
+    goto done;
+  }
+
+  // add <dsig:Signature/> node to the doc
+  xmlAddChild(xmlDocGetRootElement(doc), signNode);
+
+  // add reference
+  refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
+                                        NULL, NULL, NULL);
+  if(refNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add reference to signature template");
+    goto done;
+  }
+
+  // add enveloped transform
+  if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add enveloped transform to reference");
+    goto done;
+  }
+
+  // add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the signed
+  // document
+  keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
+  if(keyInfoNode == NULL) {
+    rb_raise(rb_eSigningError, "failed to add key info");
+    goto done;
+  }
+  if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
+    rb_raise(rb_eSigningError, "failed to add key name");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(NULL);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eSigningError, "failed to create signature context");
+    goto done;
+  }
+
+  // load private key, assuming that there is no password
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
+                                                  rsaKeyLength,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL,
+                                                  NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_raise(rb_eSigningError, "failed to load private pem key");
+    goto done;
+  }
+
+  // set key name
+  if(xmlSecKeySetName(dsigCtx->signKey, (xmlSecByte *)keyName) < 0) {
+    rb_raise(rb_eSigningError, "failed to set key name");
+    goto done;
+  }
+
+  // sign the template
+  if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
+    rb_raise(rb_eSigningError, "signature failed");
+    goto done;
+  }
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  return T_NIL;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_certificates.c

@@ -0,0 +1,96 @@
+#include "xmlsecrb.h"
+
+static xmlSecKeysMngrPtr getKeyManager(VALUE rb_certs) {
+  int i, numCerts = RARRAY_LEN(rb_certs);
+  xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
+  VALUE rb_cert;
+  char *cert;
+  unsigned int certLength;
+  int numSuccessful = 0;
+
+  if (keyManager == NULL) return NULL;
+
+  if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
+    rb_raise(rb_eKeystoreError, "could not initialize key manager");
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  for (i = 0; i < numCerts; i++) {
+    rb_cert = RARRAY_PTR(rb_certs)[i];
+    Check_Type(rb_cert, T_STRING);
+    cert = RSTRING_PTR(rb_cert);
+    certLength = RSTRING_LEN(rb_cert);
+
+    if(xmlSecCryptoAppKeysMngrCertLoadMemory(keyManager,
+                                             (xmlSecByte *)cert,
+                                             certLength,
+                                             xmlSecKeyDataFormatPem,
+                                             xmlSecKeyDataTypeTrusted) < 0) {
+      rb_warn("failed to load certificate at index %d", i);
+    } else {
+      numSuccessful++;
+    }
+  }
+
+  // note, numCerts could be zero, meaning that we should use system SSL certs
+  if (numSuccessful == 0 && numCerts != 0) {
+    rb_raise(rb_eKeystoreError, "Could not load any of the specified certificates for signature verification");
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  return keyManager;
+}
+
+VALUE verify_signature_with_certificates(VALUE self, VALUE rb_certs) {
+  xmlDocPtr doc;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  VALUE result = Qfalse;
+
+  Check_Type(rb_certs, T_ARRAY);
+  Data_Get_Struct(self, xmlDoc, doc);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_raise(rb_eVerificationError, "start node not found");
+    goto done;
+  }
+
+  keyManager = getKeyManager(rb_certs);
+  if (keyManager == NULL) {
+    rb_raise(rb_eKeystoreError, "failed to create key manager");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(keyManager);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eVerificationError, "failed to create signature context");
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_raise(rb_eVerificationError, "error occurred during signature verification");
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  return result;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_named_keys.c

@@ -0,0 +1,106 @@
+#include "xmlsecrb.h"
+
+static int addRubyKeyToManager(VALUE rb_key, VALUE rb_value, VALUE rb_manager) {
+  xmlSecKeysMngrPtr keyManager = (xmlSecKeysMngrPtr)rb_manager;
+  char *keyName, *keyData;
+  unsigned int keyDataLength;
+  xmlSecKeyPtr key;
+
+  Check_Type(rb_key, T_STRING);
+  Check_Type(rb_value, T_STRING);
+  keyName = RSTRING_PTR(rb_key);
+  keyData = RSTRING_PTR(rb_value);
+  keyDataLength = RSTRING_LEN(rb_value);
+
+  // load key
+  key = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)keyData,
+                                     keyDataLength,
+                                     xmlSecKeyDataFormatPem,
+                                     NULL, // password
+                                     NULL, NULL);
+  if (key == NULL) {
+    rb_warn("failed to load '%s' public or private pem key", keyName);
+    return ST_CONTINUE;
+  }
+
+  // set key name
+  if (xmlSecKeySetName(key, BAD_CAST keyName) < 0) {
+    rb_warn("failed to set key name for key '%s'", keyName);
+    return ST_CONTINUE;
+  }
+  
+  // add key to key manager; from now on the manager is responsible for
+  // destroying the key
+  if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(keyManager, key) < 0) {
+    rb_warn("failed to add key '%s' to key manager", keyName);
+    return ST_CONTINUE;
+  }
+
+  return ST_CONTINUE;
+}
+
+static xmlSecKeysMngrPtr getKeyManager(VALUE rb_hash) {
+  xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
+  if (keyManager == NULL) return NULL;
+  if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
+    rb_raise(rb_eKeystoreError, "could not initialize key manager");
+    xmlSecKeysMngrDestroy(keyManager);
+    return NULL;
+  }
+
+  rb_hash_foreach(rb_hash, addRubyKeyToManager, (VALUE)keyManager);
+
+  return keyManager;
+}
+
+VALUE verify_signature_with_named_keys(VALUE self, VALUE rb_hash) {
+  xmlDocPtr doc;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  xmlSecKeysMngrPtr keyManager = NULL;
+  VALUE result = Qfalse;
+
+  Check_Type(rb_hash, T_HASH);
+  Data_Get_Struct(self, xmlDoc, doc);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_raise(rb_eVerificationError, "start node not found");
+    goto done;
+  }
+
+  keyManager = getKeyManager(rb_hash);
+  if (keyManager == NULL) {
+    rb_raise(rb_eKeystoreError, "failed to create key manager");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(keyManager);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eVerificationError, "failed to create signature context");
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_raise(rb_eVerificationError, "signature could not be verified");
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  if (keyManager != NULL) {
+    xmlSecKeysMngrDestroy(keyManager);
+  }
+
+  return result;
+}

data/ext/nokogiri_ext_xmlsec/nokogiri_verify_signature_rsa.c

@@ -0,0 +1,56 @@
+#include "xmlsecrb.h"
+
+VALUE verify_signature_with_rsa_key(VALUE self, VALUE rb_rsa_key) {
+  xmlDocPtr doc;
+  xmlNodePtr node = NULL;
+  xmlSecDSigCtxPtr dsigCtx = NULL;
+  char *rsaKey;
+  unsigned int rsaKeyLength;
+  VALUE result = Qfalse;
+
+  Data_Get_Struct(self, xmlDoc, doc);
+  rsaKey = RSTRING_PTR(rb_rsa_key);
+  rsaKeyLength = RSTRING_LEN(rb_rsa_key);
+
+  // find start node
+  node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
+  if(node == NULL) {
+    rb_raise(rb_eVerificationError, "start node not found");
+    goto done;
+  }
+
+  // create signature context, we don't need keys manager in this example
+  dsigCtx = xmlSecDSigCtxCreate(NULL);
+  if(dsigCtx == NULL) {
+    rb_raise(rb_eVerificationError, "failed to create signature context");
+    goto done;
+  }
+
+  // load public key
+  dsigCtx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte *)rsaKey,
+                                                  rsaKeyLength,
+                                                  xmlSecKeyDataFormatPem,
+                                                  NULL, // password
+                                                  NULL, NULL);
+  if(dsigCtx->signKey == NULL) {
+    rb_raise(rb_eVerificationError, "failed to load public pem key");
+    goto done;
+  }
+
+  // verify signature
+  if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
+    rb_raise(rb_eVerificationError, "signature could not be verified");
+    goto done;
+  }
+      
+  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
+    result = Qtrue;
+  }    
+
+done:
+  if(dsigCtx != NULL) {
+    xmlSecDSigCtxDestroy(dsigCtx);
+  }
+
+  return result;
+}

data/ext/nokogiri_ext_xmlsec/shutdown.c

@@ -0,0 +1,12 @@
+#include "xmlsecrb.h"
+
+/* not actually called anywhere right now, but here for posterity */
+void Shutdown_xmlsecrb() {
+  xmlSecCryptoShutdown();
+  xmlSecCryptoAppShutdown();
+  xmlSecShutdown();
+  xsltCleanupGlobals();
+  #ifndef XMLSEC_NO_XSLT
+    xsltCleanupGlobals();            
+  #endif /* XMLSEC_NO_XSLT */
+}

data/ext/nokogiri_ext_xmlsec/xmlsecrb.h

@@ -0,0 +1,39 @@
+#ifndef XMLSECRB_H
+#define XMLSECRB_H
+
+#include <ruby.h>
+
+#include <libxml/tree.h>
+#include <libxml/xmlmemory.h>
+#include <libxml/parser.h>
+#include <libxml/xmlstring.h>
+
+#include <libxslt/xslt.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/xmldsig.h>
+#include <xmlsec/xmlenc.h>
+#include <xmlsec/templates.h>
+#include <xmlsec/crypto.h>
+#include <xmlsec/dl.h>
+
+VALUE sign_with_key(VALUE self, VALUE rb_key_name, VALUE rb_rsa_key);
+VALUE sign_with_certificate(VALUE self, VALUE rb_key_name, VALUE rb_rsa_key, VALUE rb_cert);
+VALUE verify_signature_with_rsa_key(VALUE self, VALUE rb_rsa_key);
+VALUE verify_signature_with_named_keys(VALUE self, VALUE rb_keys);
+VALUE verify_signature_with_certificates(VALUE self, VALUE rb_certs);
+VALUE encrypt_with_key(VALUE self, VALUE rb_key_name, VALUE rb_key);
+VALUE decrypt_with_key(VALUE self, VALUE rb_key_name, VALUE rb_key);
+VALUE set_id_attribute(VALUE self, VALUE rb_attr_name);
+
+void Init_Nokogiri_ext(void);
+
+extern VALUE rb_cNokogiri_XML_Document;
+extern VALUE rb_eSigningError;
+extern VALUE rb_eVerificationError;
+extern VALUE rb_eKeystoreError;
+extern VALUE rb_eEncryptionError;
+extern VALUE rb_eDecryptionError;
+
+#endif // XMLSECRB_H

data/lib/nokogiri-xmlsec.rb

@@ -0,0 +1 @@
+require 'xmlsec'

data/lib/xmlsec.rb

@@ -0,0 +1,110 @@
+require "xmlsec/version"
+require 'nokogiri'
+require 'nokogiri_ext_xmlsec'
+
+class Nokogiri::XML::Document
+  # Signs this document, and then returns it.
+  #
+  # Examples:
+  #
+  #     doc.sign! key: 'rsa-private-key'
+  #     doc.sign! key: 'rsa-private-key', name: 'key-name'
+  #     doc.sign! x509: 'x509 certificate', key: 'cert private key'
+  #     doc.sign! x509: 'x509 certificate', key: 'cert private key',
+  #               name: 'key-name'
+  #
+  # You can also use `:cert` or `:certificate` as aliases for `:x509`.
+  #
+  def sign! opts
+    if (cert = opts[:x509]) || (cert = opts[:cert]) || (cert = opts[:certificate])
+      raise "need a private :key" unless opts[:key]
+      sign_with_certificate opts[:name].to_s, opts[:key], cert
+    elsif opts[:key]
+      sign_with_key opts[:name].to_s, opts[:key]
+    else
+      raise "No private :key was given"
+    end
+    self
+  end
+
+  # Verifies the signature on the current document.
+  #
+  # Returns `true` if the signature is valid, `false` otherwise.
+  # 
+  # Examples:
+  #
+  #     # Try to validate with the given public or private key
+  #     doc.verify_with key: 'rsa-key'
+  #
+  #     # Try to validate with a set of keys. It will try to match
+  #     # based on the contents of the `KeyName` element.
+  #     doc.verify_with({
+  #       'key-name'         => 'x509 certificate',
+  #       'another-key-name' => 'rsa-public-key'
+  #     })
+  #     
+  #     # Try to validate with a trusted certificate
+  #     doc.verify_with(x509: 'certificate')
+  #
+  #     # Try to validate with a set of certificates, any one of which
+  #     # can match
+  #     doc.verify_with(x509: ['cert1', 'cert2'])
+  #
+  # You can also use `:cert` or `:certificate` or `:certs` or
+  # `:certificates` as aliases for `:x509`.
+  #
+  def verify_with opts_or_keys
+    if (certs = opts_or_keys[:x509]) ||
+       (certs = opts_or_keys[:cert]) ||
+       (certs = opts_or_keys[:certs]) ||
+       (certs = opts_or_keys[:certificate]) ||
+       (certs = opts_or_keys[:certificates])
+      certs = [certs] unless certs.kind_of?(Array)
+      verify_with_certificates certs
+    elsif opts_or_keys[:key]
+      verify_with_rsa_key opts_or_keys[:key]
+    else
+      verify_with_named_keys opts_or_keys
+    end
+  end
+
+  # Attempts to verify the signature of this document using only certificates
+  # installed on the system. This is equivalent to calling
+  # `verify_with certificates: []` (that is, an empty array).
+  #
+  def verify_signature
+    verify_with_certificates []
+  end
+
+  # Encrypts the current document, then returns it.
+  #
+  # Examples:
+  # 
+  #     # encrypt with a public key and optional key name
+  #     doc.encrypt! key: 'public-key', name: 'name'
+  #
+  def encrypt! opts
+    if opts[:key]
+      encrypt_with_key opts[:name].to_s, opts[:key]
+    else
+      raise "public :key is required for encryption"
+    end
+    self
+  end
+
+  # Decrypts the current document, then returns it.
+  #
+  # Examples:
+  #
+  #     # decrypt with a specific private key
+  #     doc.decrypt! key: 'private-key'
+  #
+  def decrypt! opts
+    if opts[:key]
+      decrypt_with_key opts[:name].to_s, opts[:key]
+    else
+      raise 'inadequate options specified for decryption'
+    end
+    self
+  end
+end