signed_xml 0.0.1 → 1.0.0

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+  - "1.9.2"
+  - "1.9.3"
+  - "2.0.0"
+  - rbx-19mode

data/README.md

@@ -1,26 +1,56 @@
-# SignedXmlDocument
+SignedXml [![Build Status](https://travis-ci.org/toddthomas/signed_xml.png)](https://travis-ci.org/toddthomas/signed_xml)
+=========
 
-TODO: Write a gem description
+SignedXml is a Ruby implementation of [XML Signatures](http://www.w3.org/TR/xmldsig-core).
 
-## Installation
+Dependencies
+------------
+
+SignedXml requires and is in love with [Nokogiri](http://nokogiri.org).
+
+Limitations
+-----------
+
+They are legion. Currently only verification of signed documents is supported.
+Allowed transformations are enveloped-signature and c14n. Only same-document
+Reference URIs are supported, and of those only the null URI (URI="", or
+the whole document) and fragment URIs which specify a literal ID are supported.
+XPointer expressions are not supported.
+
+Installation
+------------
 
 Add this line to your application's Gemfile:
 
-    gem 'signed_xml_document'
+```ruby
+gem 'signed_xml'
+```
 
 And then execute:
 
-    $ bundle
+```shell
+bundle
+```
 
 Or install it yourself as:
 
-    $ gem install signed_xml_document
+```shell
+gem install signed_xml
+```
+
+Usage
+-----
 
-## Usage
+```ruby
+require 'signed_xml'
 
-TODO: Write usage instructions here
+doc = Nokogiri::XML(File.read 'some_signed_doc.xml')
+signed_doc = SignedXml::Document.new(doc)
+signed_doc.is_verified?
+```
 
-## Contributing
+Contributing
+------------
 
 1. Fork it
 2. Create your feature branch (`git checkout -b my-new-feature`)

data/Rakefile

@@ -1 +1,6 @@
 require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/lib/signed_xml/base64_transform.rb

@@ -3,7 +3,7 @@ require 'base64'
 module SignedXml
   class Base64Transform
     def apply(input)
-      Base64.encode64(input)
+      Base64.encode64(input).chomp
     end
   end
 end

data/lib/signed_xml/c14n_transform.rb

@@ -11,14 +11,14 @@ module SignedXml
                 when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then XML_C14N_1_0
                 when "http://www.w3.org/2001/10/xml-exc-c14n" then XML_C14N_EXCLUSIVE_1_0
                 when "http://www.w3.org/2006/12/xml-c14n11" then XML_C14N_1_1
-                else raise ArgumentError.new("unknown canonicalization method #{method}")
+                else raise ArgumentError, "unknown canonicalization method #{method}"
                 end
 
       @with_comments = !!with_comments
     end
 
     def apply(input)
-      raise ArgumentError.new("input #{input.inspect}:#{input.class} is not canonicalizable") unless input.respond_to?(:canonicalize)
+      raise ArgumentError, "input #{input.inspect}:#{input.class} is not canonicalizable" unless input.respond_to?(:canonicalize)
 
       input.canonicalize(method, nil, with_comments)
     end

data/lib/signed_xml/digest_method_resolution.rb

@@ -4,11 +4,12 @@ module SignedXml
   module DigestMethodResolution
     include OpenSSL
 
-    def digester_for_id(id)
+    def new_digester_for_id(id)
       case id
       when "http://www.w3.org/2000/09/xmldsig#sha1","http://www.w3.org/2000/09/xmldsig#rsa-sha1"
         Digest::SHA1.new
-      else raise ArgumentError.new("unknown digest method #{id}")
+      else
+        raise ArgumentError, "unknown digest method #{id}"
       end
     end
   end

data/lib/signed_xml/digest_transform.rb

@@ -7,7 +7,7 @@ module SignedXml
     attr_reader :digest
 
     def initialize(method_id)
-      @digest = digester_for_id(method_id)
+      @digest = new_digester_for_id(method_id)
     end
 
     def apply(input)

data/lib/signed_xml/document.rb

@@ -3,22 +3,48 @@ require "options"
 
 module SignedXml
   class Document
+    include Logging
+
     attr_reader :doc
 
-    def initialize(doc)
-      @doc = doc
+    def initialize(thing)
+      if thing.is_a? Nokogiri::XML::Document
+        @doc = thing
+      else
+        @doc = Nokogiri::XML(thing)
+      end
     end
 
     def is_verifiable?
       signatures.any?
     end
 
-    def is_verified?(opts = {})
-      return false unless is_verifiable?
+    def is_verified?(arg = nil)
+      unless is_verifiable?
+        logger.warn "document cannot be verified because it contains no <Signature> elements"
+        return false
+      end
+
+      if arg.respond_to? :public_key
+        set_public_key_for_signatures(arg)
+      elsif arg.respond_to? :[]
+        set_certificate_store_for_signatures(arg)
+      elsif !arg.nil?
+        raise ArgumentError, "#{arg.inspect}:#{arg.class} must have a public key or be a hash of public keys"
+      end
 
       signatures.all?(&:is_verified?)
     end
 
+    def sign(private_key, certificate = nil)
+      signatures.each { |sig| sig.sign(private_key, certificate) }
+      self
+    end
+
+    def to_xml
+      doc.to_xml
+    end
+
     private
 
     def signatures
@@ -32,5 +58,15 @@ module SignedXml
       end
       signatures
     end
+
+    def set_public_key_for_signatures(certificate)
+      signatures.each { |sig| sig.public_key = certificate.public_key }
+    end
+
+    def set_certificate_store_for_signatures(cert_store)
+      raise "#{cert_store.inspect} doesn't implement []" unless cert_store.respond_to? :[]
+
+      signatures.each { |sig| sig.certificate_store = cert_store }
+    end
   end
 end

data/lib/signed_xml/fingerprinting.rb

@@ -0,0 +1,9 @@
+require 'digest'
+
+module SignedXml
+  module Fingerprinting
+    def fingerprint(data)
+      Digest::SHA1.hexdigest(data)
+    end
+  end
+end

data/lib/signed_xml/logging.rb

@@ -0,0 +1,13 @@
+module SignedXml
+  # Logging stuff borrowed from https://github.com/pezra/saml-sp
+
+  module Logging
+    def logger
+      SignedXml.logger
+    end
+
+    def self.included(base)
+      base.extend(self)
+    end
+  end
+end

data/lib/signed_xml/reference.rb

@@ -1,6 +1,7 @@
 module SignedXml
   class Reference
     include Transformable
+    include Logging
 
     attr_reader :here, :start
 
@@ -13,18 +14,26 @@ module SignedXml
         @start = here.document.root
       when /^#/
         id = uri.split('#').last
-        raise ArgumentError.new("XPointer expressions like #{id} are not yet supported") if id =~ /^xpointer/
+        raise ArgumentError, "XPointer expressions like #{id} are not yet supported" if id =~ /^xpointer/
         # TODO: handle ID attrs with names other than 'ID'
         @start = here.document.at_xpath("//*[@ID='#{id}']")
-        raise ArgumentError.new("no match found for ID #{id}") if @start.nil?
-      else raise ArgumentError.new("unsupported Reference URI #{uri}")
+        raise ArgumentError, "no match found for ID #{id}" if @start.nil?
+      else
+        raise ArgumentError, "unsupported Reference URI #{uri}"
       end
 
       @transforms = init_transforms
     end
 
     def is_verified?
-      apply_transforms.chomp == digest_value
+      result = apply_transforms == digest_value
+      logger.info "verification failed for digest value [#{digest_value}]" unless result
+      result
+    end
+
+    def compute_and_set_digest_value
+      digest_value_node.content = apply_transforms
+      logger.debug "set digest value to [#{digest_value}]"
     end
 
     private
@@ -39,7 +48,8 @@ module SignedXml
           transforms << EnvelopedSignatureTransform.new
         when %r{^http://.*c14n}
           transforms << C14NTransform.new(method)
-        else raise ArgumentError.new("unknown transform method #{method}")
+        else
+          raise ArgumentError, "unknown transform method #{method}"
         end
       end
 
@@ -53,7 +63,11 @@ module SignedXml
     end
 
     def digest_value
-      @digest_value ||= here.at_xpath('ds:DigestValue', ds: XMLDSIG_NS).text.strip
+      @digest_value ||= digest_value_node.text.strip
+    end
+
+    def digest_value_node
+      @digest_value_node ||= here.at_xpath('ds:DigestValue', ds: XMLDSIG_NS)
     end
   end
 end

data/lib/signed_xml/signature.rb

@@ -3,8 +3,12 @@ require 'base64'
 module SignedXml
   class Signature
     include DigestMethodResolution
+    include Fingerprinting
+    include Logging
 
     attr_accessor :here
+    attr_accessor :public_key
+    attr_accessor :certificate_store
 
     def initialize(here)
       @here = here
@@ -14,16 +18,46 @@ module SignedXml
       is_signed_info_verified? && are_reference_digests_verified?
     end
 
+    def sign(private_key, certificate = nil)
+      compute_digests_for_references
+      sign_signed_info(private_key)
+      set_certificate_data(certificate)
+    end
+
     private
 
     def is_signed_info_verified?
-      public_key.verify(digester_for_id(signed_info.signature_method), decoded_value, signed_info.apply_transforms)
+      return false if public_key.nil?
+
+      result = public_key.verify(new_digester_for_id(signed_info.signature_method), decoded_value, signed_info.apply_transforms)
+      logger.info "verification of signature value [#{value}] failed" unless result
+      result
     end
 
     def are_reference_digests_verified?
       references.all?(&:is_verified?)
     end
 
+    def sign_signed_info(private_key)
+      data = signed_info.apply_transforms
+      logger.debug "data to sign: [#{data}]"
+      digester = new_digester_for_id(signed_info.signature_method)
+      logger.debug "digester: #{digester.inspect}"
+      sig_value = private_key.sign(digester, data)
+      logger.debug "signature value (before Base64 encoding): [#{sig_value}]"
+      value_node.content = Base64Transform.new.apply(sig_value)
+      logger.debug "SignatureValue set to [#{value}]"
+    end
+
+    def compute_digests_for_references
+      references.each(&:compute_and_set_digest_value)
+    end
+
+    def set_certificate_data(certificate)
+      x509_cert_data_node.content = certificate.to_pem.split("\n")[1..-2].join("\n") if certificate
+      logger.debug "set certificate data to [#{x509_cert_data}]"
+    end
+
     def references
       @references ||= init_references
     end
@@ -43,23 +77,52 @@ module SignedXml
     end
 
     def value
-      @value ||= here.at_xpath('//ds:SignatureValue', ds: XMLDSIG_NS).text.strip
+      @value ||= value_node.text.strip
+    end
+
+    def value_node
+      @value_node ||= here.at_xpath('//ds:SignatureValue', ds: XMLDSIG_NS)
     end
 
     def signed_info
       @signed_info ||= SignedInfo.new(here.at_xpath("//ds:SignedInfo", ds: XMLDSIG_NS))
     end
 
+    def certificate_store
+      @certificate_store ||= {}
+    end
+
     def public_key
-      @public_key ||= x509_certificate.public_key
+      # If the user provided a certificate store, we MUST only use a
+      # key which matches the one in the signature's KeyInfo. Otherwise,
+      # use the key in the signature.
+      @public_key ||= if certificate_store.any?
+                        logger.debug "using cert store #{certificate_store}"
+                        if certificate_store.has_key? x509_cert_fingerprint
+                          certificate_store[x509_cert_fingerprint].public_key
+                        else
+                          logger.warn "Store has no certificate with fingerprint #{x509_cert_fingerprint}. Signature validation will fail."
+                          nil
+                        end
+                      else
+                        x509_certificate.public_key
+                      end
     end
 
     def x509_certificate
-      @x509_certificate ||= OpenSSL::X509::Certificate.new(certificate(x509_cert_data))
+      OpenSSL::X509::Certificate.new(certificate(x509_cert_data))
+    end
+
+    def x509_cert_fingerprint
+      @x509_cert_fingerprint ||= fingerprint(x509_certificate.to_der)
     end
 
     def x509_cert_data
-      @x509_cert_data ||= here.at_xpath("//ds:X509Certificate", ds: XMLDSIG_NS).text
+      x509_cert_data_node.text
+    end
+
+    def x509_cert_data_node
+      @x509_cert_data_node ||= here.at_xpath("//ds:X509Certificate", ds: XMLDSIG_NS)
     end
 
     def certificate(data)

data/lib/signed_xml/transformable.rb

@@ -1,12 +1,19 @@
 module SignedXml
   module Transformable
+    include Logging
+
     def transforms
       @transforms ||= []
     end
 
     def apply_transforms
       transforms.reduce(start) do |input, transform|
-        transform.apply(input)
+        logger.debug "applying transform #{transform.inspect}"
+        logger.debug "input:  [#{input}]"
+
+        result = transform.apply(input)
+        logger.debug "output: [#{result}]"
+        result
       end
     end
   end

data/lib/signed_xml/version.rb

@@ -1,3 +1,3 @@
 module SignedXml
-  VERSION = "0.0.1"
+  VERSION = "1.0.0"
 end

data/lib/signed_xml.rb

@@ -1,8 +1,30 @@
+require 'logger'
 require 'nokogiri'
 
 module SignedXml
   XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
 
+  def self.Document(thing)
+    Document.new(thing)
+  end
+
+  # Logger that does nothing
+  BITBUCKET_LOGGER = Logger.new(nil)
+  class << BITBUCKET_LOGGER
+    def add(*args)
+    end
+  end
+
+  # The logger signed_xml should use
+  def self.logger
+    @@logger ||= BITBUCKET_LOGGER
+  end
+
+  # Set the logger for signed_xml
+  def self.logger=(a_logger)
+    @@logger = a_logger
+  end
+
   autoload :Transformable, 'signed_xml/transformable'
   autoload :Document, 'signed_xml/document'
   autoload :Signature, 'signed_xml/signature'
@@ -13,4 +35,6 @@ module SignedXml
   autoload :Base64Transform, 'signed_xml/base64_transform'
   autoload :C14NTransform, 'signed_xml/c14n_transform'
   autoload :EnvelopedSignatureTransform, 'signed_xml/enveloped_signature_transform'
+  autoload :Fingerprinting, 'signed_xml/fingerprinting'
+  autoload :Logging, 'signed_xml/logging'
 end

data/spec/resources/another_test_cert.pem

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEujCCA6KgAwIBAgIJAL+8HkFCI7nBMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD
+VQQGEwJVUzEWMBQGA1UECBMNQW5vdGhlciBTdGF0ZTEUMBIGA1UEBxMLU2hlbGJ5
+dmlsbGUxDTALBgNVBAoTBEFDTUUxFDASBgNVBAsTC1NrdW5rIFdvcmtzMRUwEwYD
+VQQDEwxTb21lb25lIEVsc2UxIDAeBgkqhkiG9w0BCQEWEWFsaWNlQGV4YW1wbGUu
+b3JnMB4XDTEzMDQxMjE0MjMwOVoXDTQwMDgyODE0MjMwOVowgZkxCzAJBgNVBAYT
+AlVTMRYwFAYDVQQIEw1Bbm90aGVyIFN0YXRlMRQwEgYDVQQHEwtTaGVsYnl2aWxs
+ZTENMAsGA1UEChMEQUNNRTEUMBIGA1UECxMLU2t1bmsgV29ya3MxFTATBgNVBAMT
+DFNvbWVvbmUgRWxzZTEgMB4GCSqGSIb3DQEJARYRYWxpY2VAZXhhbXBsZS5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD8Q3VU7TN85VWWiOs0VaGC
+DWyspwTlaCEoBHZlncmYr3bzwZGuLr0fzG8XQJbyfh7kM2As9fDSmnf6p2ARfqJq
+2KFk5JPzRoY8HzU6VI0HmY57SzltABAzfHnnjL8sfQI7ZlttmXIwva1Zao+1L63X
++m5JZEAKeKoA5mNe3Fu3YGwbQRZXi5lpxeh9OpDvPo37MSpAK8nTwjpn4VwA/EPB
+TPLkZa6yhdzT6YWe0FKqWnXc4XvWxu+ivfR82HytZMnHxwkX3QjJVY4MgFlhTXN6
+0jLgwLMksxF72P+yrCbPz+w3cG76tOWCBL3O/SAHUFEKHoJ6EqnQNsfb2xdNaSmn
+AgMBAAGjggEBMIH+MB0GA1UdDgQWBBTumQKrYT5TZNHp6I2bEtpBqthL+zCBzgYD
+VR0jBIHGMIHDgBTumQKrYT5TZNHp6I2bEtpBqthL+6GBn6SBnDCBmTELMAkGA1UE
+BhMCVVMxFjAUBgNVBAgTDUFub3RoZXIgU3RhdGUxFDASBgNVBAcTC1NoZWxieXZp
+bGxlMQ0wCwYDVQQKEwRBQ01FMRQwEgYDVQQLEwtTa3VuayBXb3JrczEVMBMGA1UE
+AxMMU29tZW9uZSBFbHNlMSAwHgYJKoZIhvcNAQkBFhFhbGljZUBleGFtcGxlLm9y
+Z4IJAL+8HkFCI7nBMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKNY
+yM7gr63/l6kWL8fgkXidelF4S9JOzi5QUY8rzexPxRPv8UfGzGg2CReIlHbAQmzH
+uYkUdV4k3Is7EYzNlkO/EvhCaajIRNDUFn0BEmJLUBSB1hpQQWRxc5LH/9j0lT/f
+nodmDMpfId7R66X6lDGHVSWhPFbAJ559/8TI8FOkKFnMTdVGon2/M/hu9lZ659Kb
+Quhl1Slbi03AtxqT//IH3926aRjkd77pWWBKJ5W4L/8lOZjkHIQdlyjOtSO/Yhgc
+cd7BdioIrLXUMBNaa0Jzb7j8P5IW8RgJRIyKKQuFppIrILhCyFW6ic7ZcCX5mmG2
+lP2S5xTyx7cyd7XjBF4=
+-----END CERTIFICATE-----

data/spec/resources/another_test_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA/EN1VO0zfOVVlojrNFWhgg1srKcE5WghKAR2ZZ3JmK9288GR
+ri69H8xvF0CW8n4e5DNgLPXw0pp3+qdgEX6iatihZOST80aGPB81OlSNB5mOe0s5
+bQAQM3x554y/LH0CO2ZbbZlyML2tWWqPtS+t1/puSWRACniqAOZjXtxbt2BsG0EW
+V4uZacXofTqQ7z6N+zEqQCvJ08I6Z+FcAPxDwUzy5GWusoXc0+mFntBSqlp13OF7
+1sbvor30fNh8rWTJx8cJF90IyVWODIBZYU1zetIy4MCzJLMRe9j/sqwmz8/sN3Bu
++rTlggS9zv0gB1BRCh6CehKp0DbH29sXTWkppwIDAQABAoIBAQCNLxgQ4vypDxVa
+veCdlrtgtTC4ZHWqCyBbbDvzXV8B1FpHzHNDQCdbD6ixI9YXe5zAbTyLjU4uIIO7
+xkdPI0e1cu7JL+DaDAN+zJyWu9F+imOi/5PxPFLU7fqwLCamuIQySHQtH+839kB5
+xdkON9QdB60H6FKrSaMkA81jvwKZ2wHRenD9SQ9gJMf33Xl0yISbHsYB2tVAC3BE
+xKf7ofAGWjQjiy4CqrlHrXFnnglhvAPABwtOTrRjWbk6yG4vSupyjGRozwuPECLR
+tyjqzY2QfJZGCuN7iSUsrR7LKp0RkOSRxyXmFvWKHrH3a7xTufkiZR0WyWF2HTLv
+dGkmdj5pAoGBAP5nP2jH6GHGk6pE+T+mmTMgaov0mmMP1XbDC3cJUu1eZk2D0qDx
+s9std34fiTvruEMxB8wdkZdVHA+NQIK3hEQIMjLO6+vkcbyeeHA76jDDX0MXVnpV
+LFWfMvuPI40ZadRk5V40IGihLKMS5T0MojBwNMclkr39rYzk22NrNu5jAoGBAP3Y
+xcir110C2Uu/mRM8BveRMhSSZ1s6p6FhVmxPsa/x40WAhGn1xoL6GnF+dUBGLBEn
+0/7uV8/KmVq2AF5a53gGAyluEcf880V+EeMPab+7i3wyA98NPAG061cIL2h8K1pW
+zmC3hrveElj2f+V+3ofsOF23Ew+Gov3AFPqWJSjtAoGAbjV+M78+fXUQLVgZ/igH
+AC4P2jeJ1lZarEtMoTHJ2gjmGrh7u7tZph6pQFsbEXlJZtpLvXIly0BUmqwfgUFN
+LEe8r2QSsitR1lt0Y3KhPqS0lRT8IpzZSvJfnLjittKGlTtsXgYI8Cq6cp7R7kOV
+05QYWRl+242U7I+MNyKQNm8CgYEArb0LCaCLg05q2QxmwaJpBlJrG2dktCz+BFcx
+pmoZLFn6+lvOxRMBbi2toZYyu+4LRSakUyxgD4kT0uEUeX/wQtainV2HcABxpFN3
+/JdVAnRjMHqu6aAOPQDNvkCM6g9qQKd/EvUpkzWYCymTOcjOl+sWXRXrRsoYjmJE
+OYpAHrUCgYEA2mYFv9PV9WCTCLEIJEWL1yvWDm2UqJU5pen6dUee6djCQHiZD8+w
+qFmlIKVQn+8/Ov6g3KSZABhVF5ispNo4iERDhjR1ItyYUs3M8dR0sFhAfRe1cfQl
+msO/cWkdJQ1IDPs2RxIWE8KWIgs6Dg9DqJwfjlnzSJxvvHh5kuSdBjY=
+-----END RSA PRIVATE KEY-----

data/spec/resources/no_key_doc.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>otynz9RFK0/mrkztml+POU0P4Rw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fMniqoW/jSH7isH7ka+79+WYeiE4O63mA7TdrqOTrh8Q+JZQMsYsbAnx5E7Fo4Fy
++2yE/6XgCnEUFUvyWK9J5vaS+qzoOH5RZeSDcaSZeM5rP2hW5lf7iTQG/9wLsQUX
+KQRm1/pFgm7yetYr+gfK8yvUMR0pQc4h+vo4wKyQQYpHMlS97BWFoPEvi9F1M0Ld
+7NxHSHUFGTLqm+664ZTYI3z1k2kcgsuZpwHYCYOx185U383jnW1DruwLD8KE6Nxn
+Wd9imhxAiCV2CMQkjxIkrBM8du47rm+kDToYVgOn9gU15gYAmXUN/4MwF/yvYpQE
+sAs0VcNWD5PRjIviKbRh2Q==</ds:SignatureValue>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/resources/no_key_template.xml

@@ -0,0 +1,54 @@
+<Response
+  IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
+  ID="_c7055387-af61-4fce-8b98-e2927324b306"
+  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod
+        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod
+        Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform
+            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod
+          Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue/>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue/>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
+    IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
+    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID
+        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation
+        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z"
+      NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/resources/wrong_key_doc.xml

@@ -0,0 +1,78 @@
+<?xml version="1.0"?>
+<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>otynz9RFK0/mrkztml+POU0P4Rw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fMniqoW/jSH7isH7ka+79+WYeiE4O63mA7TdrqOTrh8Q+JZQMsYsbAnx5E7Fo4Fy
++2yE/6XgCnEUFUvyWK9J5vaS+qzoOH5RZeSDcaSZeM5rP2hW5lf7iTQG/9wLsQUX
+KQRm1/pFgm7yetYr+gfK8yvUMR0pQc4h+vo4wKyQQYpHMlS97BWFoPEvi9F1M0Ld
+7NxHSHUFGTLqm+664ZTYI3z1k2kcgsuZpwHYCYOx185U383jnW1DruwLD8KE6Nxn
+Wd9imhxAiCV2CMQkjxIkrBM8du47rm+kDToYVgOn9gU15gYAmXUN/4MwF/yvYpQE
+sAs0VcNWD5PRjIviKbRh2Q==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        
+      <ds:X509Certificate>MIIEujCCA6KgAwIBAgIJAL+8HkFCI7nBMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD
+VQQGEwJVUzEWMBQGA1UECBMNQW5vdGhlciBTdGF0ZTEUMBIGA1UEBxMLU2hlbGJ5
+dmlsbGUxDTALBgNVBAoTBEFDTUUxFDASBgNVBAsTC1NrdW5rIFdvcmtzMRUwEwYD
+VQQDEwxTb21lb25lIEVsc2UxIDAeBgkqhkiG9w0BCQEWEWFsaWNlQGV4YW1wbGUu
+b3JnMB4XDTEzMDQxMjE0MjMwOVoXDTQwMDgyODE0MjMwOVowgZkxCzAJBgNVBAYT
+AlVTMRYwFAYDVQQIEw1Bbm90aGVyIFN0YXRlMRQwEgYDVQQHEwtTaGVsYnl2aWxs
+ZTENMAsGA1UEChMEQUNNRTEUMBIGA1UECxMLU2t1bmsgV29ya3MxFTATBgNVBAMT
+DFNvbWVvbmUgRWxzZTEgMB4GCSqGSIb3DQEJARYRYWxpY2VAZXhhbXBsZS5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD8Q3VU7TN85VWWiOs0VaGC
+DWyspwTlaCEoBHZlncmYr3bzwZGuLr0fzG8XQJbyfh7kM2As9fDSmnf6p2ARfqJq
+2KFk5JPzRoY8HzU6VI0HmY57SzltABAzfHnnjL8sfQI7ZlttmXIwva1Zao+1L63X
++m5JZEAKeKoA5mNe3Fu3YGwbQRZXi5lpxeh9OpDvPo37MSpAK8nTwjpn4VwA/EPB
+TPLkZa6yhdzT6YWe0FKqWnXc4XvWxu+ivfR82HytZMnHxwkX3QjJVY4MgFlhTXN6
+0jLgwLMksxF72P+yrCbPz+w3cG76tOWCBL3O/SAHUFEKHoJ6EqnQNsfb2xdNaSmn
+AgMBAAGjggEBMIH+MB0GA1UdDgQWBBTumQKrYT5TZNHp6I2bEtpBqthL+zCBzgYD
+VR0jBIHGMIHDgBTumQKrYT5TZNHp6I2bEtpBqthL+6GBn6SBnDCBmTELMAkGA1UE
+BhMCVVMxFjAUBgNVBAgTDUFub3RoZXIgU3RhdGUxFDASBgNVBAcTC1NoZWxieXZp
+bGxlMQ0wCwYDVQQKEwRBQ01FMRQwEgYDVQQLEwtTa3VuayBXb3JrczEVMBMGA1UE
+AxMMU29tZW9uZSBFbHNlMSAwHgYJKoZIhvcNAQkBFhFhbGljZUBleGFtcGxlLm9y
+Z4IJAL+8HkFCI7nBMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKNY
+yM7gr63/l6kWL8fgkXidelF4S9JOzi5QUY8rzexPxRPv8UfGzGg2CReIlHbAQmzH
+uYkUdV4k3Is7EYzNlkO/EvhCaajIRNDUFn0BEmJLUBSB1hpQQWRxc5LH/9j0lT/f
+nodmDMpfId7R66X6lDGHVSWhPFbAJ559/8TI8FOkKFnMTdVGon2/M/hu9lZ659Kb
+Quhl1Slbi03AtxqT//IH3926aRjkd77pWWBKJ5W4L/8lOZjkHIQdlyjOtSO/Yhgc
+cd7BdioIrLXUMBNaa0Jzb7j8P5IW8RgJRIyKKQuFppIrILhCyFW6ic7ZcCX5mmG2
+lP2S5xTyx7cyd7XjBF4=</ds:X509Certificate>
+</ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/signed_xml_document_spec.rb

@@ -2,21 +2,18 @@ require 'spec_helper'
 
 describe SignedXml::Document do
   include SignedXml::DigestMethodResolution
+  include SignedXml::Fingerprinting
 
   let(:resources_path) { File.join(File.dirname(__FILE__), 'resources') }
 
-  let(:unsigned_doc_nodes) do
-    xml_doc_from_file(File.join(resources_path, 'unsigned_saml_response.xml'))
+  let(:unsigned_doc) do
+    SignedXml::Document(File.read(File.join(resources_path, 'unsigned_saml_response.xml')))
   end
 
-  let(:unsigned_doc) { SignedXml::Document.new(unsigned_doc_nodes) }
-
-  let(:signed_doc_nodes) do
-    xml_doc_from_file(File.join(resources_path, 'signed_saml_response.xml'))
+  let(:signed_doc) do
+    SignedXml::Document(File.read(File.join(resources_path, 'signed_saml_response.xml')))
   end
 
-  let(:signed_doc) { SignedXml::Document.new(signed_doc_nodes) }
-
   it "knows which documents can be verified" do
     unsigned_doc.is_verifiable?.should be false
     signed_doc.is_verifiable?.should be true
@@ -26,7 +23,7 @@ describe SignedXml::Document do
     unsigned_doc.is_verified?.should be false
   end
 
-  let(:test_certificate) { OpenSSL::X509::Certificate.new IO.read(File.join(resources_path, 'test_cert.pem')) }
+  let(:test_certificate) { OpenSSL::X509::Certificate.new File.read(File.join(resources_path, 'test_cert.pem')) }
 
   it "can read an embedded X.509 certificate" do
     signed_doc.send(:signatures).first.send(:x509_certificate).to_pem.should eq test_certificate.to_pem
@@ -37,7 +34,7 @@ describe SignedXml::Document do
   end
 
   it "knows the signature method of the signed info" do
-    digester_for_id(signed_doc.send(:signatures).first.send(:signed_info).signature_method).class.should == OpenSSL::Digest::SHA1
+    new_digester_for_id(signed_doc.send(:signatures).first.send(:signed_info).signature_method).class.should == OpenSSL::Digest::SHA1
   end
 
   it "knows how to canonicalize its signed info" do
@@ -52,43 +49,88 @@ describe SignedXml::Document do
     signed_doc.is_verified?.should be true
   end
 
-  let(:same_doc_ref_nodes) do
-    xml_doc_from_file(File.join(resources_path, 'same_doc_reference.xml'))
+  let(:passed_in_nokogiri_doc) do 
+    SignedXml::Document(Nokogiri::XML(File.read(File.join(resources_path, 'signed_saml_response.xml'))))
   end
 
-  let(:same_doc_ref_doc) { SignedXml::Document.new(same_doc_ref_nodes) }
+  it "works when passed a Nokogiri::XML::Document instead of a string" do
+    passed_in_nokogiri_doc.is_verified?.should be true
+  end
+
+  let(:same_doc_ref_doc) do
+    SignedXml::Document(File.read(File.join(resources_path, 'same_doc_reference.xml')))
+  end
 
   it "verifies docs with same-document references" do
     same_doc_ref_doc.is_verified?.should be true
   end
 
-  let(:two_sig_nodes) do
-    xml_doc_from_file(File.join(resources_path, 'two_sig_doc.xml'))
+  let(:two_sig_doc) do
+    SignedXml::Document(File.read(File.join(resources_path, 'two_sig_doc.xml')))
   end
 
-  let(:two_sig_doc) { SignedXml::Document.new(two_sig_nodes) }
-
   it "verifies docs with more than one signature" do
     two_sig_doc.is_verified?.should be true
   end
 
-  let(:badly_signed_doc_nodes) do
-    xml_doc_from_file(File.join(resources_path, 'badly_signed_saml_response.xml'))
+  let(:no_key_doc) do
+    SignedXml::Document(File.read(File.join(resources_path, 'no_key_doc.xml')))
+  end
+
+  it "verifies docs lacking keys if X.509 cert is provided at runtime" do
+    no_key_doc.is_verified? test_certificate
+  end
+
+  let(:test_cert_fingerprint) { fingerprint(test_certificate.to_der) }
+  let(:cert_store) { {test_cert_fingerprint => test_certificate} }
+
+  it "uses a key matching the embedded key if a cert store is provided" do
+    signed_doc.is_verified?(cert_store).should be true
   end
 
-  let(:badly_signed_doc) { SignedXml::Document.new(badly_signed_doc_nodes) }
+  let(:another_test_cert) { OpenSSL::X509::Certificate.new File.read(File.join(resources_path, 'another_test_cert.pem')) }
+  let(:another_test_cert_fp) { Digest::SHA1.hexdigest(test_certificate.to_der) }
+  let(:another_cert_store) { {another_test_cert_fp => another_test_cert} }
+
+  it "fails validation if provided cert store does not contain a key matching the embedded key" do
+    signed_doc.is_verified?(another_cert_store).should be false
+  end
+
+  let(:wrong_key_doc) do
+    SignedXml::Document(File.read(File.join(resources_path, 'wrong_key_doc.xml')))
+  end
+
+  it "fails validation of a doc with the wrong key" do
+    wrong_key_doc.is_verified?.should be false
+  end
+
+  it "uses provided cert instead of embedded cert" do
+    wrong_key_doc.is_verified? test_certificate
+  end
+
+  let(:badly_signed_doc) do
+    SignedXml::Document(File.read(File.join(resources_path, 'badly_signed_saml_response.xml')))
+  end
 
   it "fails verification of a badly-signed doc" do
     badly_signed_doc.is_verified?.should be false
   end
 
-  let(:incorrect_digest_doc_nodes) do
-    xml_doc_from_file(File.join(resources_path, 'incorrect_digest_saml_response.xml'))
+  let(:incorrect_digest_doc) do
+    SignedXml::Document(File.read(File.join(resources_path, 'incorrect_digest_saml_response.xml')))
   end
 
-  let(:incorrect_digest_doc) { SignedXml::Document.new(incorrect_digest_doc_nodes) }
-
   it "fails verification of a doc with an incorrect Resource digest" do
     incorrect_digest_doc.is_verified?.should be false
   end
+
+  let(:signed_doc_template) do
+    SignedXml::Document(File.read(File.join(resources_path, 'saml_response_template.xml')))
+  end
+
+  let(:test_private_key) { OpenSSL::PKey::RSA.new File.read(File.join(resources_path, 'test_key.pem')) }
+
+  it "signs template documents" do
+    signed_doc_template.sign(test_private_key, test_certificate).is_verified?.should be true
+  end
 end

data/spec/spec_helper.rb

@@ -1,8 +1 @@
 require 'signed_xml'
-
-def xml_doc_from_file(path)
-  file = File.open(path)
-  doc = Nokogiri::XML(file)
-  file.close
-  doc
-end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: signed_xml
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 1.0.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-04-12 00:00:00.000000000 Z
+date: 2013-04-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -83,6 +83,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .travis.yml
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -94,14 +95,20 @@ files:
 - lib/signed_xml/digest_transform.rb
 - lib/signed_xml/document.rb
 - lib/signed_xml/enveloped_signature_transform.rb
+- lib/signed_xml/fingerprinting.rb
+- lib/signed_xml/logging.rb
 - lib/signed_xml/reference.rb
 - lib/signed_xml/signature.rb
 - lib/signed_xml/signed_info.rb
 - lib/signed_xml/transformable.rb
 - lib/signed_xml/version.rb
 - signed_xml.gemspec
+- spec/resources/another_test_cert.pem
+- spec/resources/another_test_key.pem
 - spec/resources/badly_signed_saml_response.xml
 - spec/resources/incorrect_digest_saml_response.xml
+- spec/resources/no_key_doc.xml
+- spec/resources/no_key_template.xml
 - spec/resources/same_doc_reference.xml
 - spec/resources/same_doc_reference_template.xml
 - spec/resources/saml_response_template.xml
@@ -110,6 +117,7 @@ files:
 - spec/resources/test_key.pem
 - spec/resources/two_sig_doc.xml
 - spec/resources/unsigned_saml_response.xml
+- spec/resources/wrong_key_doc.xml
 - spec/signed_xml_document_spec.rb
 - spec/spec_helper.rb
 homepage: ''
@@ -126,7 +134,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -2293715516306633631
+      hash: 299573032670506091
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -135,7 +143,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -2293715516306633631
+      hash: 299573032670506091
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.25
@@ -143,8 +151,12 @@ signing_key:
 specification_version: 3
 summary: Provides [incomplete] support for verification of XML Signatures <http://www.w3.org/TR/xmldsig-core>.
 test_files:
+- spec/resources/another_test_cert.pem
+- spec/resources/another_test_key.pem
 - spec/resources/badly_signed_saml_response.xml
 - spec/resources/incorrect_digest_saml_response.xml
+- spec/resources/no_key_doc.xml
+- spec/resources/no_key_template.xml
 - spec/resources/same_doc_reference.xml
 - spec/resources/same_doc_reference_template.xml
 - spec/resources/saml_response_template.xml
@@ -153,5 +165,6 @@ test_files:
 - spec/resources/test_key.pem
 - spec/resources/two_sig_doc.xml
 - spec/resources/unsigned_saml_response.xml
+- spec/resources/wrong_key_doc.xml
 - spec/signed_xml_document_spec.rb
 - spec/spec_helper.rb