ruby-saml 0.8.8 → 0.8.13

data/lib/onelogin/ruby-saml/utils.rb

@@ -1,15 +1,184 @@
+if RUBY_VERSION < '1.9'
+  require 'uuid'
+else
+  require 'securerandom'
+end
+
+require "base64"
+require "zlib"
+
 module OneLogin
   module RubySaml
 
     # SAML2 Auxiliary class
     #
     class Utils
+      @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
+
+      BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z)
+
       # Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes
       # that there all children other than text nodes can be ignored (e.g. comments). If nil is
       # passed, nil will be returned.
       def self.element_text(element)
         element.texts.map(&:value).join if element
       end
+
+      # Return a properly formatted x509 certificate
+      #
+      # @param cert [String] The original certificate
+      # @return [String] The formatted certificate
+      #
+      def self.format_cert(cert)
+        # don't try to format an encoded certificate or if is empty or nil
+        if cert.respond_to?(:ascii_only?)
+          return cert if cert.nil? || cert.empty? || !cert.ascii_only?
+        else
+          return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
+        end
+
+        if cert.scan(/BEGIN CERTIFICATE/).length > 1
+            formatted_cert = []
+          cert.scan(/-{5}BEGIN CERTIFICATE-{5}[\n\r]?.*?-{5}END CERTIFICATE-{5}[\n\r]?/m) {|c|
+            formatted_cert << format_cert(c)
+          }
+          formatted_cert.join("\n")
+        else
+          cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
+          cert = cert.gsub(/\r/, "")
+          cert = cert.gsub(/\n/, "")
+          cert = cert.gsub(/\s/, "")
+          cert = cert.scan(/.{1,64}/)
+          cert = cert.join("\n")
+          "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
+        end
+      end
+
+      # Return a properly formatted private key
+      #
+      # @param key [String] The original private key
+      # @return [String] The formatted private key
+      #
+      def self.format_private_key(key)
+        # don't try to format an encoded private key or if is empty
+        return key if key.nil? || key.empty? || key.match(/\x0d/)
+
+        # is this an rsa key?
+        rsa_key = key.match("RSA PRIVATE KEY")
+        key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
+        key = key.gsub(/\n/, "")
+        key = key.gsub(/\r/, "")
+        key = key.gsub(/\s/, "")
+        key = key.scan(/.{1,64}/)
+        key = key.join("\n")
+        key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
+        "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
+      end
+
+      # Build the Query String signature that will be used in the HTTP-Redirect binding
+      # to generate the Signature
+      # @param params [Hash] Parameters to build the Query String
+      # @option params [String] :type 'SAMLRequest' or 'SAMLResponse'
+      # @option params [String] :data Base64 encoded SAMLRequest or SAMLResponse
+      # @option params [String] :relay_state The RelayState parameter
+      # @option params [String] :sig_alg The SigAlg parameter
+      # @return [String] The Query String
+      #
+      def self.build_query(params)
+        type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}
+          url_string = "#{type}=#{CGI.escape(data)}"
+        url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+        url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
+      end
+
+      def self.uuid
+        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+      end
+
+      # Build the status error message
+      # @param status_code [String] StatusCode value
+      # @param status_message [Strig] StatusMessage value
+      # @return [String] The status error message
+      def self.status_error_msg(error_msg, raw_status_code = nil, status_message = nil)
+        unless raw_status_code.nil?
+          if raw_status_code.include? "|"
+            status_codes = raw_status_code.split(' | ')
+            values = status_codes.collect do |status_code|
+              status_code.split(':').last
+            end
+            printable_code = values.join(" => ")
+          else
+            printable_code = raw_status_code.split(':').last
+          end
+          error_msg << ', was ' + printable_code
+        end
+
+        unless status_message.nil?
+          error_msg << ' -> ' + status_message
+        end
+
+        error_msg
+      end
+
+      # Base64 decode and try also to inflate a SAML Message
+      # @param saml [String] The deflated and encoded SAML Message
+      # @return [String] The plain SAML Message
+      #
+      def self.decode_raw_saml(saml)
+        return saml unless base64_encoded?(saml)
+
+        decoded = decode(saml)
+        begin
+          inflate(decoded)
+        rescue
+          decoded
+        end
+      end
+
+      # Base 64 decode method
+      # @param string [String] The string message
+      # @return [String] The decoded string
+      #
+      def self.decode(string)
+        Base64.decode64(string)
+      end
+
+      # Base 64 encode method
+      # @param string [String] The string
+      # @return [String] The encoded string
+      #
+      def self.encode(string)
+        if Base64.respond_to?('strict_encode64')
+          Base64.strict_encode64(string)
+        else
+          Base64.encode64(string).gsub(/\n/, "")
+        end
+      end
+
+      # Check if a string is base64 encoded
+      # @param string [String] string to check the encoding of
+      # @return [true, false] whether or not the string is base64 encoded
+      #
+      def self.base64_encoded?(string)
+        !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
+      end
+
+      # Inflate method
+      # @param deflated [String] The string
+      # @return [String] The inflated string
+      #
+      def self.inflate(deflated)
+        Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(deflated)
+      end
+
+      # Deflate method
+      # @param inflated [String] The string
+      # @return [String] The deflated string
+      #
+      def self.deflate(inflated)
+        Zlib::Deflate.deflate(inflated, 9)[2..-5]
+      end
+
     end
   end
 end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.8'
+    VERSION = '0.8.13'
   end
 end

data/lib/ruby-saml.rb

@@ -2,10 +2,11 @@ require 'onelogin/ruby-saml/logging'
 require 'onelogin/ruby-saml/authrequest'
 require 'onelogin/ruby-saml/logoutrequest'
 require 'onelogin/ruby-saml/logoutresponse'
+require 'onelogin/ruby-saml/slo_logoutresponse'
 require 'onelogin/ruby-saml/response'
 require 'onelogin/ruby-saml/settings'
 require 'onelogin/ruby-saml/utils'
 require 'onelogin/ruby-saml/validation_error'
 require 'onelogin/ruby-saml/metadata'
 require 'onelogin/ruby-saml/version'
-require 'onelogin/ruby-saml/attributes'
+require 'onelogin/ruby-saml/attributes'

data/lib/xml_security.rb

@@ -34,89 +34,323 @@ require "onelogin/ruby-saml/utils"
 
 module XMLSecurity
 
-  class SignedDocument < REXML::Document
-    C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
-    DSIG = "http://www.w3.org/2000/09/xmldsig#"
+  class BaseDocument < REXML::Document
+    REXML::Document::entity_expansion_limit = 0
 
-    attr_accessor :signed_element_id
+    C14N            = "http://www.w3.org/2001/10/xml-exc-c14n#"
+    DSIG            = "http://www.w3.org/2000/09/xmldsig#"
+    NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
+                       Nokogiri::XML::ParseOptions::NONET
 
-    def initialize(response)
-      super(response)
-      extract_signed_element_id
+    def canon_algorithm(element)
+      algorithm = element
+      if algorithm.is_a?(REXML::Element)
+        algorithm = element.attribute('Algorithm').value
+      end
+
+      case algorithm
+        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+             "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+          Nokogiri::XML::XML_C14N_1_0
+        when "http://www.w3.org/2006/12/xml-c14n11",
+             "http://www.w3.org/2006/12/xml-c14n11#WithComments"
+          Nokogiri::XML::XML_C14N_1_1
+        else
+          Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+      end
     end
 
-    def validate_document(idp_cert_fingerprint, soft = true)
-      # get cert from response
-      cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
-      raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)") unless cert_element
-      base64_cert  = OneLogin::RubySaml::Utils.element_text(cert_element)
-      cert_text    = Base64.decode64(base64_cert)
-      cert         = OpenSSL::X509::Certificate.new(cert_text)
+    def algorithm(element)
+      algorithm = element
+      if algorithm.is_a?(REXML::Element)
+        algorithm = element.attribute("Algorithm").value
+      end
 
-      # check cert matches registered idp cert
-      fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+      algorithm = algorithm && algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
 
-      if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
-        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch"))
+      case algorithm
+      when 256 then OpenSSL::Digest::SHA256
+      when 384 then OpenSSL::Digest::SHA384
+      when 512 then OpenSSL::Digest::SHA512
+      else
+        OpenSSL::Digest::SHA1
       end
+    end
 
-      validate_signature(base64_cert, soft)
+  end
+
+  class Document < BaseDocument
+    RSA_SHA1        = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+    RSA_SHA256      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+    RSA_SHA384      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+    RSA_SHA512      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+    SHA1            = "http://www.w3.org/2000/09/xmldsig#sha1"
+    SHA256          = 'http://www.w3.org/2001/04/xmlenc#sha256'
+    SHA384          = "http://www.w3.org/2001/04/xmldsig-more#sha384"
+    SHA512          = 'http://www.w3.org/2001/04/xmlenc#sha512'
+    ENVELOPED_SIG   = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+    INC_PREFIX_LIST = "#default samlp saml ds xs xsi md"
+
+    attr_writer :uuid
+
+    def uuid
+      @uuid ||= begin
+        document.root.nil? ? nil : document.root.attributes['ID']
+      end
     end
 
-    def validate_signature(base64_cert, soft = true)
-      # validate references
+    #<Signature>
+      #<SignedInfo>
+        #<CanonicalizationMethod />
+        #<SignatureMethod />
+        #<Reference>
+           #<Transforms>
+           #<DigestMethod>
+           #<DigestValue>
+        #</Reference>
+        #<Reference /> etc.
+      #</SignedInfo>
+      #<SignatureValue />
+      #<KeyInfo />
+      #<Object />
+    #</Signature>
+    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1)
+      noko = Nokogiri::XML(self.to_s) do |config|
+        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
+      end
 
-      # check for inclusive namespaces
-      inclusive_namespaces = extract_inclusive_namespaces
+      signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
+      signed_info_element = signature_element.add_element("ds:SignedInfo")
+      signed_info_element.add_element("ds:CanonicalizationMethod", {"Algorithm" => C14N})
+      signed_info_element.add_element("ds:SignatureMethod", {"Algorithm" => signature_method})
 
-      document = Nokogiri.parse(self.to_s)
+      # Add Reference
+      reference_element = signed_info_element.add_element("ds:Reference", {"URI" => "##{uuid}"})
 
-      # create a working copy so we don't modify the original
-      @working_copy ||= REXML::Document.new(self.to_s).root
+      # Add Transforms
+      transforms_element = reference_element.add_element("ds:Transforms")
+      transforms_element.add_element("ds:Transform", {"Algorithm" => ENVELOPED_SIG})
+      c14element = transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
+      c14element.add_element("ec:InclusiveNamespaces", {"xmlns:ec" => C14N, "PrefixList" => INC_PREFIX_LIST})
 
-      # store and remove signature node
-      @sig_element ||= begin
-        element = REXML::XPath.first(@working_copy, "//ds:Signature", {"ds"=>DSIG})
-        element.remove
+      digest_method_element = reference_element.add_element("ds:DigestMethod", {"Algorithm" => digest_method})
+      inclusive_namespaces = INC_PREFIX_LIST.split(" ")
+      canon_doc = noko.canonicalize(canon_algorithm(C14N), inclusive_namespaces)
+      reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
+
+      # add SignatureValue
+      noko_sig_element = Nokogiri::XML(signature_element.to_s) do |config|
+        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
       end
 
+      noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
+      canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
 
-      # verify signature
-      signed_info_element     = REXML::XPath.first(@sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
-      noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
-      noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
-      canon_algorithm = canon_algorithm REXML::XPath.first(@sig_element, '//ds:CanonicalizationMethod', 'ds' => DSIG)
-      canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
-      noko_sig_element.remove
+      signature = compute_signature(private_key, algorithm(signature_method).new, canon_string)
+      signature_element.add_element("ds:SignatureValue").text = signature
 
-      # check digests
-      REXML::XPath.each(@sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
-        uri                           = ref.attributes.get_attribute("URI").value
+      # add KeyInfo
+      key_info_element       = signature_element.add_element("ds:KeyInfo")
+      x509_element           = key_info_element.add_element("ds:X509Data")
+      x509_cert_element      = x509_element.add_element("ds:X509Certificate")
+      if certificate.is_a?(String)
+        certificate = OpenSSL::X509::Certificate.new(certificate)
+      end
+      x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
+
+      # add the signature
+      issuer_element = self.elements["//saml:Issuer"]
+      if issuer_element
+        self.root.insert_after issuer_element, signature_element
+      else
+        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
+          self.root.insert_before sp_sso_descriptor, signature_element
+        else
+          self.root.add_element(signature_element)
+        end
+      end
+    end
+
+    protected
+
+    def compute_signature(private_key, signature_algorithm, document)
+      Base64.encode64(private_key.sign(signature_algorithm, document)).gsub(/\n/, "")
+    end
 
-        hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
-        canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
-        canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+    def compute_digest(document, digest_algorithm)
+      digest = digest_algorithm.digest(document)
+      Base64.encode64(digest).strip!
+    end
+
+  end
+
+  class SignedDocument < BaseDocument
+
+    attr_writer :signed_element_id
+
+    def signed_element_id
+      @signed_element_id ||= extract_signed_element_id
+    end
 
-        digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", 'ds' => DSIG))
+    def validate_document(idp_cert_fingerprint, soft = true, options = {})
+      # get cert from response
+      cert_element = REXML::XPath.first(
+        self,
+        "//ds:X509Certificate",
+        { "ds"=>DSIG }
+      )
+
+      if cert_element
+        base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
+        cert_text = Base64.decode64(base64_cert)
+        begin
+          cert = OpenSSL::X509::Certificate.new(cert_text)
+        rescue OpenSSL::X509::CertificateError => _e
+          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Certificate Error"))
+        end
+
+        if options[:fingerprint_alg]
+          fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
+        else
+          fingerprint_alg = OpenSSL::Digest::SHA1.new
+        end
+        fingerprint = fingerprint_alg.hexdigest(cert.to_der)
+
+        # check cert matches registered idp cert
+        if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch"))
+        end
+      else
+        if options[:cert]
+          base64_cert = Base64.encode64(options[:cert].to_pem)
+        else
+          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings"))
+        end
+      end
+      validate_signature(base64_cert, soft)
+    end
 
-        hash                          = digest_algorithm.digest(canon_hashed_element)
-        digest_value                  = Base64.decode64(OneLogin::RubySaml::Utils.element_text(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG})))
+    def validate_document_with_cert(idp_cert, soft = true)
+      # get cert from response
+      cert_element = REXML::XPath.first(
+        self,
+        "//ds:X509Certificate",
+        { "ds"=>DSIG }
+      )
+
+      if cert_element
+        base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
+        cert_text = Base64.decode64(base64_cert)
+        begin
+          cert = OpenSSL::X509::Certificate.new(cert_text)
+        rescue OpenSSL::X509::CertificateError => _e
+          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Certificate Error"))
+        end
 
-        unless digests_match?(hash, digest_value)
-          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Digest mismatch"))
+        # check saml response cert matches provided idp cert
+        if idp_cert.to_pem != cert.to_pem
+          return false
         end
+      else
+        base64_cert = Base64.encode64(idp_cert.to_pem)
       end
+      validate_signature(base64_cert, true)
+    end
+
+    def validate_signature(base64_cert, soft = true)
 
-      base64_signature        = OneLogin::RubySaml::Utils.element_text(REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}))
-      signature               = Base64.decode64(base64_signature)
+      document = Nokogiri::XML(self.to_s) do |config|
+        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
+      end
 
-      # get certificate object
-      cert_text               = Base64.decode64(base64_cert)
-      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+      # create a rexml document
+      @working_copy ||= REXML::Document.new(self.to_s).root
+
+      # get signature node
+      sig_element = REXML::XPath.first(
+          @working_copy,
+          "//ds:Signature",
+          {"ds"=>DSIG}
+      )
+
+      if sig_element.nil?
+        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("No Signature Node"))
+      end
 
       # signature method
-      signature_algorithm     = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
+      sig_alg_value = REXML::XPath.first(
+        sig_element,
+        "./ds:SignedInfo/ds:SignatureMethod",
+        {"ds"=>DSIG}
+      )
+      signature_algorithm = algorithm(sig_alg_value)
+
+      # get signature
+      base64_signature = REXML::XPath.first(
+        sig_element,
+        "./ds:SignatureValue",
+        {"ds" => DSIG}
+      )
+
+      if base64_signature.nil?
+        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("SignatureValue not found"))
+      end
+
+      signature = Base64.decode64(OneLogin::RubySaml::Utils.element_text(base64_signature))
+
+      # canonicalization method
+      canon_algorithm = canon_algorithm REXML::XPath.first(
+        sig_element,
+        './ds:SignedInfo/ds:CanonicalizationMethod',
+        'ds' => DSIG
+      )
+
+      noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
+      noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
+
+      canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
+      noko_sig_element.remove
 
+      # get inclusive namespaces
+      inclusive_namespaces = extract_inclusive_namespaces
+
+      # check digests
+      ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
+
+      hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+
+      canon_algorithm = canon_algorithm REXML::XPath.first(
+        ref,
+        '//ds:CanonicalizationMethod',
+        { "ds" => DSIG }
+      )
+
+      canon_algorithm = process_transforms(ref, canon_algorithm)
+
+      canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+
+      digest_algorithm = algorithm(REXML::XPath.first(
+        ref,
+        "//ds:DigestMethod",
+        { "ds" => DSIG }
+      ))
+      hash = digest_algorithm.digest(canon_hashed_element)
+      encoded_digest_value = REXML::XPath.first(
+        ref,
+        "//ds:DigestValue",
+        { "ds" => DSIG }
+      )
+      digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
+
+      unless digests_match?(hash, digest_value)
+        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Digest mismatch"))
+      end
+
+      # get certificate object
+      cert_text = Base64.decode64(base64_cert)
+      cert = OpenSSL::X509::Certificate.new(cert_text)
+
+      # verify signature
       unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
         return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Key validation error"))
       end
@@ -126,43 +360,61 @@ module XMLSecurity
 
     private
 
+    def process_transforms(ref, canon_algorithm)
+      transforms = REXML::XPath.match(
+        ref,
+        "//ds:Transforms/ds:Transform",
+        { "ds" => DSIG }
+      )
+
+      transforms.each do |transform_element|
+        if transform_element.attributes && transform_element.attributes["Algorithm"]
+          algorithm = transform_element.attributes["Algorithm"]
+          case algorithm
+            when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+                 "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+              canon_algorithm = Nokogiri::XML::XML_C14N_1_0
+            when "http://www.w3.org/2006/12/xml-c14n11",
+                 "http://www.w3.org/2006/12/xml-c14n11#WithComments"
+              canon_algorithm = Nokogiri::XML::XML_C14N_1_1
+            when "http://www.w3.org/2001/10/xml-exc-c14n#",
+                 "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
+              canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+          end
+        end
+      end
+
+      canon_algorithm
+    end
+
     def digests_match?(hash, digest_value)
       hash == digest_value
     end
 
     def extract_signed_element_id
-      reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
-      self.signed_element_id  = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
-    end
+      reference_element = REXML::XPath.first(
+        self,
+        "//ds:Signature/ds:SignedInfo/ds:Reference",
+        {"ds"=>DSIG}
+      )
 
-    def canon_algorithm(element)
-      algorithm = element.attribute('Algorithm').value if element
-      case algorithm
-        when "http://www.w3.org/2001/10/xml-exc-c14n#"         then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
-        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
-        when "http://www.w3.org/2006/12/xml-c14n11"            then Nokogiri::XML::XML_C14N_1_1
-        else                                                        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
-      end
-    end
+      return nil if reference_element.nil?
 
-    def algorithm(element)
-      algorithm = element.attribute("Algorithm").value if element
-      algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
-      case algorithm
-      when 256 then OpenSSL::Digest::SHA256
-      when 384 then OpenSSL::Digest::SHA384
-      when 512 then OpenSSL::Digest::SHA512
-      else
-        OpenSSL::Digest::SHA1
-      end
+      sei = reference_element.attribute("URI").value[1..-1]
+      sei.nil? ? reference_element.parent.parent.parent.attribute("ID").value : sei
     end
 
     def extract_inclusive_namespaces
-      if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
+      element = REXML::XPath.first(
+        self,
+        "//ec:InclusiveNamespaces",
+        { "ec" => C14N }
+      )
+      if element
         prefix_list = element.attributes.get_attribute("PrefixList").value
         prefix_list.split(" ")
       else
-        []
+        nil
       end
     end