ruby-saml 0.9.4 → 1.0.0

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -3,16 +3,31 @@ require "uuid"
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
 
+# Only supports SAML 2.0
 module OneLogin
   module RubySaml
+
+    # SAML2 Logout Response (SLO SP initiated, Parser)
+    #
     class SloLogoutresponse < SamlMessage
 
-      attr_reader :uuid # Can be obtained if neccessary
+      # Logout Response ID
+      attr_reader :uuid
 
+      # Initializes the Logout Response. A SloLogoutresponse Object that is an extension of the SamlMessage class.
+      # Asigns an ID, a random uuid.
+      #
       def initialize
         @uuid = "_" + UUID.new.generate
       end
 
+      # Creates the Logout Response string.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [String] Logout Request string that includes the SAMLRequest
+      #
       def create(settings, request_id = nil, logout_message = nil, params = {})
         params = create_params(settings, request_id, logout_message, params)
         params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
@@ -25,6 +40,13 @@ module OneLogin
         @logout_url = settings.idp_slo_target_url + response_params
       end
 
+      # Creates the Get parameters for the logout response.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
       def create_params(settings, request_id = nil, logout_message = nil, params = {})
         # The method expects :RelayState but sometimes we get 'RelayState' instead.
         # Based on the HashWithIndifferentAccess value in Rails we could experience
@@ -45,11 +67,14 @@ module OneLogin
 
         if settings.security[:logout_responses_signed] && !settings.security[:embed_sign] && settings.private_key
           params['SigAlg']    = settings.security[:signature_method]
-          url_string          = "SAMLResponse=#{CGI.escape(base64_response)}"
-          url_string         << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
-          url_string         << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-          private_key         = settings.get_sp_key()
-          signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLResponse',
+            :data => base64_response,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
           params['Signature'] = encode(signature)
         end
 
@@ -60,6 +85,12 @@ module OneLogin
         response_params
       end
 
+      # Creates the SAMLResponse String.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @return [String] The SAMLResponse String.
+      #
       def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil)
         time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
 
@@ -73,6 +104,11 @@ module OneLogin
         root.attributes['InResponseTo'] = request_id unless request_id.nil?
         root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil?
 
+        if settings.issuer != nil
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.issuer
+        end
+        
         # add success message
         status = root.add_element 'samlp:Status'
 
@@ -85,15 +121,10 @@ module OneLogin
         status_message = status.add_element 'samlp:StatusMessage'
         status_message.text = logout_message
 
-        if settings.issuer != nil
-          issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
-        end
-
         # embed signature
         if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
-          private_key = settings.get_sp_key()
-          cert = settings.get_sp_cert()
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
           response_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
 

data/lib/onelogin/ruby-saml/utils.rb

@@ -1,49 +1,172 @@
 module OneLogin
   module RubySaml
+
+    # SAML2 Auxiliary class
+    #    
     class Utils
-      def self.format_cert(cert, heads=true)
-        cert = cert.delete("\n").delete("\r").delete("\x0D")
-        if cert
-          cert = cert.gsub('-----BEGIN CERTIFICATE-----', '')
-          cert = cert.gsub('-----END CERTIFICATE-----', '')
-          cert = cert.gsub(' ', '')
-
-          if heads
-            cert = cert.scan(/.{1,64}/).join("\n")+"\n"
-            cert = "-----BEGIN CERTIFICATE-----\n" + cert + "-----END CERTIFICATE-----\n"
-          end
+
+      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+      XENC      = "http://www.w3.org/2001/04/xmlenc#"
+
+      # Return a properly formatted x509 certificate
+      #
+      # @param cert [String] The original certificate
+      # @return [String] The formatted certificate
+      #
+      def self.format_cert(cert)
+        # don't try to format an encoded certificate or if is empty or nil
+        return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
+
+        cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
+        cert = cert.gsub(/[\n\r\s]/, "")
+        cert = cert.scan(/.{1,64}/)
+        cert = cert.join("\n")
+        "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
+      end
+
+      # Return a properly formatted private key
+      #
+      # @param key [String] The original private key
+      # @return [String] The formatted private key
+      #
+      def self.format_private_key(key)
+        # don't try to format an encoded private key or if is empty  
+        return key if key.nil? || key.empty? || key.match(/\x0d/)
+
+        # is this an rsa key?
+        rsa_key = key.match("RSA PRIVATE KEY")
+        key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
+        key = key.gsub(/[\n\r\s]/, "")
+        key = key.scan(/.{1,64}/)
+        key = key.join("\n")
+        key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
+        "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
+      end
+
+      # Build the Query String signature that will be used in the HTTP-Redirect binding
+      # to generate the Signature
+      # @param params [Hash] Parameters to build the Query String
+      # @option params [String] :type 'SAMLRequest' or 'SAMLResponse'
+      # @option params [String] :data Base64 encoded SAMLRequest or SAMLResponse
+      # @option params [String] :relay_state The RelayState parameter
+      # @option params [String] :sig_alg The SigAlg parameter
+      # @return [String] The Query String
+      #
+      def self.build_query(params)
+        type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}
+
+        url_string = "#{type}=#{CGI.escape(data)}"
+        url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+        url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
+      end
+
+      # Validate the Signature parameter sent on the HTTP-Redirect binding
+      # @param params [Hash] Parameters to be used in the validation process
+      # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
+      # @option params [String] sig_alg The SigAlg parameter
+      # @option params [String] signature The Signature parameter (base64 encoded)
+      # @option params [String] query_string The SigAlg parameter
+      # @return [Boolean] True if the Signature is valid, False otherwise
+      #
+      def self.verify_signature(params)
+        cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]}
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(sig_alg)
+        return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
+      end
+
+      # Build the status error message
+      # @param status_code [String] StatusCode value
+      # @param status_message [Strig] StatusMessage value
+      # @return [String] The status error message
+      def self.status_error_msg(error_msg, status_code = nil, status_message = nil)
+        unless status_code.nil?
+          printable_code = status_code.split(':').last
+          error_msg << ', was ' + printable_code
         end
-        cert
-      end
-
-      def self.format_private_key(key, heads=true)
-        key = key.delete("\n").delete("\r").delete("\x0D")
-        if key
-          if key.index('-----BEGIN PRIVATE KEY-----') != nil
-            key = key.gsub('-----BEGIN PRIVATE KEY-----', '')
-            key = key.gsub('-----END PRIVATE KEY-----', '')
-            key = key.gsub(' ', '')
-            if heads
-              key = key.scan(/.{1,64}/).join("\n")+"\n"
-              key = "-----BEGIN PRIVATE KEY-----\n" + key + "-----END PRIVATE KEY-----\n"
-            end
-          else
-            key = key.gsub('-----BEGIN RSA PRIVATE KEY-----', '')
-            key = key.gsub('-----END RSA PRIVATE KEY-----', '')
-            key = key.gsub(' ', '')
-            if heads
-              key = key.scan(/.{1,64}/).join("\n")+"\n"
-              key = "-----BEGIN RSA PRIVATE KEY-----\n" + key + "-----END RSA PRIVATE KEY-----\n"
-            end
-          end
+
+        unless status_message.nil?
+          error_msg << ' -> ' + status_message
         end
+
+        error_msg
+      end
+
+      # Obtains the decrypted string from an Encrypted node element in XML
+      # @param encrypted_node [REXML::Element]     The Encrypted element
+      # @param private_key    [OpenSSL::PKey::RSA] The Service provider private key
+      # @return [String] The decrypted data
+      def self.decrypt_data(encrypted_node, private_key)
+        encrypt_data = REXML::XPath.first(
+          encrypted_node,
+          "./xenc:EncryptedData",
+          { 'xenc' => XENC }
+        )
+        symmetric_key = retrieve_symmetric_key(encrypt_data, private_key)
+        cipher_value = REXML::XPath.first(
+          encrypt_data,
+          "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue",
+          { 'xenc' => XENC }
+        )
+        node = Base64.decode64(cipher_value.text)
+        encrypt_method = REXML::XPath.first(
+          encrypt_data,
+          "//xenc:EncryptedData/xenc:EncryptionMethod",
+          { 'xenc' => XENC }
+        )
+        algorithm = encrypt_method.attributes['Algorithm']
+        retrieve_plaintext(node, symmetric_key, algorithm)        
+      end
+
+      # Obtains the symmetric key from the EncryptedData element
+      # @param encrypt_data [REXML::Element]     The EncryptedData element
+      # @param private_key [OpenSSL::PKey::RSA] The Service provider private key
+      # @return [String] The symmetric key
+      def self.retrieve_symmetric_key(encrypt_data, private_key)
+        encrypted_symmetric_key_element = REXML::XPath.first(
+          encrypt_data,
+          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue",
+          { "ds" => DSIG, "xenc" => XENC }
+        )
+        cipher_text = Base64.decode64(encrypted_symmetric_key_element.text)
+        encrypt_method = REXML::XPath.first(
+          encrypt_data,
+          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod",
+          {"ds" => DSIG,  "xenc" => XENC }
+        )
+        algorithm = encrypt_method.attributes['Algorithm']
+        retrieve_plaintext(cipher_text, private_key, algorithm)        
       end
-      # Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes
-      # that there all children other than text nodes can be ignored (e.g. comments). If nil is
-      # passed, nil will be returned.
-      def self.element_text(element)
-        element.texts.map(&:value).join if element
+
+      # Obtains the deciphered text
+      # @param cipher_text [String]   The ciphered text
+      # @param symmetric_key [String] The symetric key used to encrypt the text
+      # @param algorithm [String]     The encrypted algorithm
+      # @return [String] The deciphered text
+      def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
+        case algorithm
+          when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
+          when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
+        end
+
+        if cipher          
+          iv_len = cipher.iv_len
+          data = cipher_text[iv_len..-1]
+          cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
+          assertion_plaintext = cipher.update(data)
+          assertion_plaintext << cipher.final
+        elsif rsa
+          rsa.private_decrypt(cipher_text)
+        elsif oaep
+          oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+        else
+          cipher_text
+        end
       end
+
     end
   end
-end
+end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.9.4'
+    VERSION = '1.0.0'
   end
 end

data/lib/schemas/saml-schema-metadata-2.0.xsd

@@ -247,8 +247,6 @@
                 <sequence>
                     <element ref="md:AssertionConsumerService" maxOccurs="unbounded"/>
                     <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
-                    <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/>
-                    <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
                 </sequence>
                 <attribute name="AuthnRequestsSigned" type="boolean" use="optional"/>
                 <attribute name="WantAssertionsSigned" type="boolean" use="optional"/>

data/lib/xml_security.rb

@@ -29,15 +29,17 @@ require "openssl"
 require 'nokogiri'
 require "digest/sha1"
 require "digest/sha2"
-require "onelogin/ruby-saml/utils"
 require "onelogin/ruby-saml/validation_error"
 
 module XMLSecurity
 
   class BaseDocument < REXML::Document
+    REXML::Document::entity_expansion_limit = 0
 
     C14N            = "http://www.w3.org/2001/10/xml-exc-c14n#"
     DSIG            = "http://www.w3.org/2000/09/xmldsig#"
+    NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
+                       Nokogiri::XML::ParseOptions::NONET
 
     def canon_algorithm(element)
       algorithm = element
@@ -46,7 +48,6 @@ module XMLSecurity
       end
 
       case algorithm
-        when "http://www.w3.org/2001/10/xml-exc-c14n#"         then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
         when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
         when "http://www.w3.org/2006/12/xml-c14n11"            then Nokogiri::XML::XML_C14N_1_1
         else                                                        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
@@ -108,7 +109,9 @@ module XMLSecurity
       #<Object />
     #</Signature>
     def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1)
-      noko = Nokogiri.parse(self.to_s)
+      noko = Nokogiri.parse(self.to_s) do |options|
+        options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
+      end
 
       signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
       signed_info_element = signature_element.add_element("ds:SignedInfo")
@@ -130,7 +133,10 @@ module XMLSecurity
       reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
 
       # add SignatureValue
-      noko_sig_element = Nokogiri.parse(signature_element.to_s)
+      noko_sig_element = Nokogiri.parse(signature_element.to_s) do |options|
+        options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
+      end
+
       noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
 
@@ -180,12 +186,19 @@ module XMLSecurity
     def initialize(response, errors = [])
       super(response)
       @errors = errors
-      extract_signed_element_id
+    end
+
+    def signed_element_id
+      @signed_element_id ||= extract_signed_element_id
     end
 
     def validate_document(idp_cert_fingerprint, soft = true, options = {})
       # get cert from response
-      cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
+      cert_element = REXML::XPath.first(
+        self,
+        "//ds:X509Certificate",
+        { "ds"=>DSIG }
+      )
       unless cert_element
         if soft
           return false
@@ -193,7 +206,7 @@ module XMLSecurity
           raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)")
         end
       end
-      base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
+      base64_cert = cert_element.text
       cert_text = Base64.decode64(base64_cert)
       cert = OpenSSL::X509::Certificate.new(cert_text)
 
@@ -219,37 +232,63 @@ module XMLSecurity
       # check for inclusive namespaces
       inclusive_namespaces = extract_inclusive_namespaces
 
-      document = Nokogiri.parse(self.to_s)
+      document = Nokogiri.parse(self.to_s) do |options|
+        options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
+      end
 
       # create a working copy so we don't modify the original
       @working_copy ||= REXML::Document.new(self.to_s).root
 
       # store and remove signature node
       @sig_element ||= begin
-        element = REXML::XPath.first(@working_copy, "//ds:Signature", {"ds"=>DSIG})
+        element = REXML::XPath.first(
+          @working_copy,
+          "//ds:Signature",
+          {"ds"=>DSIG}
+        )
         element.remove
       end
 
       # verify signature
-      signed_info_element     = REXML::XPath.first(@sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
+      signed_info_element = REXML::XPath.first(
+        @sig_element,
+        "//ds:SignedInfo",
+        {"ds"=>DSIG}
+      )
       noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
       noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
-      canon_algorithm = canon_algorithm REXML::XPath.first(@sig_element, '//ds:CanonicalizationMethod', 'ds' => DSIG)
+      canon_algorithm = canon_algorithm REXML::XPath.first(
+        @sig_element,
+        '//ds:CanonicalizationMethod',
+        'ds' => DSIG
+      )
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
       noko_sig_element.remove
 
       # check digests
       REXML::XPath.each(@sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
-        uri                           = ref.attributes.get_attribute("URI").value
-
-        hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
-        canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
-        canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
-
-        digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", 'ds' => DSIG))
-
-        hash                          = digest_algorithm.digest(canon_hashed_element)
-        digest_value                  = Base64.decode64(OneLogin::RubySaml::Utils.element_text(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG})))
+        uri = ref.attributes.get_attribute("URI").value
+
+        hashed_element = document.at_xpath("//*[@ID=$uri]", nil, { 'uri' => uri[1..-1] })
+        canon_algorithm = canon_algorithm REXML::XPath.first(
+          ref,
+          '//ds:CanonicalizationMethod',
+          { "ds" => DSIG }
+        )
+        canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+
+        digest_algorithm = algorithm(REXML::XPath.first(
+          ref,
+          "//ds:DigestMethod",
+          { "ds" => DSIG }
+        ))
+        hash = digest_algorithm.digest(canon_hashed_element)
+        encoded_digest_value = REXML::XPath.first(
+          ref,
+          "//ds:DigestValue",
+          { "ds" => DSIG }
+        ).text
+        digest_value = Base64.decode64(encoded_digest_value)
 
         unless digests_match?(hash, digest_value)
           @errors << "Digest mismatch"
@@ -257,15 +296,25 @@ module XMLSecurity
         end
       end
 
-      base64_signature        = OneLogin::RubySaml::Utils.element_text(REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}))
-      signature               = Base64.decode64(base64_signature)
+      base64_signature = REXML::XPath.first(
+        @sig_element,
+        "//ds:SignatureValue",
+        {"ds" => DSIG}
+      ).text
+
+      signature = Base64.decode64(base64_signature)
 
       # get certificate object
-      cert_text               = Base64.decode64(base64_cert)
-      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+      cert_text = Base64.decode64(base64_cert)
+      cert = OpenSSL::X509::Certificate.new(cert_text)
 
       # signature method
-      signature_algorithm     = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
+      sig_alg_value = REXML::XPath.first(
+        signed_info_element,
+        "//ds:SignatureMethod",
+        {"ds"=>DSIG}
+      )
+      signature_algorithm = algorithm(sig_alg_value)
 
       unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
         @errors << "Key validation error"
@@ -282,12 +331,21 @@ module XMLSecurity
     end
 
     def extract_signed_element_id
-      reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
-      self.signed_element_id  = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
+      reference_element = REXML::XPath.first(
+        self,
+        "//ds:Signature/ds:SignedInfo/ds:Reference",
+        {"ds"=>DSIG}
+      )
+      self.signed_element_id = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
     end
 
     def extract_inclusive_namespaces
-      if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
+      element = REXML::XPath.first(
+        self,
+        "//ec:InclusiveNamespaces",
+        { "ec" => C14N }
+      )
+      if element
         prefix_list = element.attributes.get_attribute("PrefixList").value
         prefix_list.split(" ")
       else