signed_xml 1.1.0 → 1.2.0

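--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 9237cab4ca63f8b3edf77ef72441071583d7369c
-data.tar.gz: af907d76ea132e2a73044a1cf253f3e6139fcc60
+metadata.gz: 4cba993da121bca75e7dff3b2573da9fb2a49880
+data.tar.gz: 18171af9b793b4af5c5dc1fdbc51284c7fb2ddbb
 SHA512:
-metadata.gz: c31450cf47d60eafeed2f578e1fd7720c996e107120f1f8076a948f543f55d4dd278f6016d71b8b206ba2b0a657751a05a7aab728a12e8ad5a7403249b2e35c9
-data.tar.gz: 2e01b8a826942db5e17055eedfdc733ad7dfcf4d60d27f59cdb69be00c1ef5e0cff78281b91cb59dc397e54c7b8590b149f518b9b61e87c3d6884aa8b5ace03e
+metadata.gz: caf3a86802668b5557d4d50b98004e69c02a7cd0d4d008bf8f59f823b1073d22623e1060b58a308dae936d7d55d0be238c15769a45fd347505981b9f7050a537
+data.tar.gz: c6e922e88e9287747b989fc59b8976efa0b5ea0ed04c2dc6d900d6dd646e955ef86009011a3dd32fe76294ee37235c761068c0337771fa3010745b49ebefc27b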
@@ -1,8 +1,5 @@
1
1
  language: ruby
2
+ sudo: false
2
3
  rvm:
3
- - 1.9.3
4
4
  - 2.1
5
- - rbx
6
- matrix:
7
- allow_failures:
8
- - rvm: rbx
5
+ - 2.3.1
@@ -4,12 +4,60 @@ module SignedXml
4
4
  module DigestMethodResolution
5
5
  include OpenSSL
6
6
 
7
+ # The XML Signature Syntax and Processing (Second Edition) specification defines IDs for algorithms which must be
8
+ # supported by implementations. It also defines IDs for some algorithms which it recommends be supported. See
9
+ # https://www.w3.org/TR/xmldsig-core/#sec-AlgID.
10
+ #
11
+ # The XML Encryption Syntax and Processing Version 1.1 specification defines IDs for its own set of required and
12
+ # recommended algorithms, and some of these have been seen in signed XML docs in the wild. See
13
+ # https://www.w3.org/TR/xmlenc-core1/#sec-AlgID
14
+ #
15
+ # RFC 6931 defines IDs for yet more algorithms which have also been encountered in the wild. See
16
+ # https://tools.ietf.org/html/rfc6931.
17
+ #
18
+ # Note that some of these are encryption algorithms, of which the digest or hashing algorithm is only one component.
19
+ # Nevertheless, it is the only component this method aims to identify.
20
+
21
+ SHA1_IDS = %w(
22
+ http://www.w3.org/2000/09/xmldsig#sha1
23
+ http://www.w3.org/2000/09/xmldsig#dsa-sha1
24
+ http://www.w3.org/2000/09/xmldsig#rsa-sha1
25
+ )
26
+
27
+ SHA224_IDS = %w(
28
+ http://www.w3.org/2001/04/xmldsig-more#sha224
29
+ )
30
+
31
+ SHA256_IDS = %w(
32
+ http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
33
+ http://www.w3.org/2001/04/xmlenc#sha256
34
+ )
35
+
36
+ SHA384_IDS = %w(
37
+ http://www.w3.org/2001/04/xmldsig-more#sha384
38
+ http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
39
+ http://www.w3.org/2001/04/xmlenc#sha384
40
+ )
41
+
42
+ SHA512_IDS = %w(
43
+ http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
44
+ http://www.w3.org/2001/04/xmlenc#sha512
45
+ )
46
+
7
47
  def new_digester_for_id(id)
8
48
  case id
9
- when "http://www.w3.org/2000/09/xmldsig#sha1","http://www.w3.org/2000/09/xmldsig#rsa-sha1"
10
- Digest::SHA1.new
11
- else
12
- raise ArgumentError, "unknown digest method #{id}"
49
+ when *SHA1_IDS
50
+ Digest::SHA1.new
51
+ when *SHA224_IDS
52
+ Digest::SHA224.new
53
+ when *SHA256_IDS
54
+ Digest::SHA256.new
55
+ when *SHA384_IDS
56
+ Digest::SHA384.new
57
+ when *SHA512_IDS
58
+ Digest::SHA512.new
59
+ else
60
+ raise ArgumentError, "unknown digest method #{id}"
13
61
  end
14
62
  end
15
63
  end
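Review bot: The five ID tables `SHA1_IDS` through `SHA512_IDS` are plain `%w(...)` arrays and therefore stay mutable, so any code that does `SHA1_IDS << id` at runtime silently widens the set of algorithm URIs `new_digester_for_id` accepts; since these constants are the entire allow-list behind the resolver, each should end in `.freeze`, e.g. `SHA1_IDS = %w( ... ).freeze`. The long header comment now sits above the constants but still says "this method", so a reader has to scan down to find that it means `new_digester_for_id`; either move it onto the method or name the method in its first sentence. The same comment calls the extra identifiers encryption algorithms, but `dsa-sha1`, `rsa-sha1`, `rsa-sha256`, `rsa-sha384` and `rsa-sha512` are xmldsig SignatureMethod URIs being accepted as DigestMethod values, which is more lenient than the schema; that appears to be a deliberate interoperability choice and the comment should say so in those terms.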
@@ -4,14 +4,14 @@ module SignedXml
4
4
  class DigestTransform
5
5
  include DigestMethodResolution
6
6
 
7
- attr_reader :digest
7
+ attr_reader :digester
8
8
 
9
9
  def initialize(method_id)
10
- @digest = new_digester_for_id(method_id)
10
+ @digester = new_digester_for_id(method_id)
11
11
  end
12
12
 
13
13
  def apply(input)
14
- digest.digest(input)
14
+ digester.digest(input)
15
15
  end
16
16
  end
17
17
  end
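Review bot: `attr_reader :digest` was public and is removed rather than aliased, so any caller of `DigestTransform#digest` breaks on what the metadata presents as a minor bump (1.1.0 → 1.2.0). Keeping `alias_method :digest, :digester` beside the new reader, with a one-line deprecation comment, preserves compatibility at no cost; if the reader is considered internal, a release note saying the accessor was renamed would be the alternative.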
@@ -118,7 +118,7 @@ module SignedXml
118
118
  end
119
119
 
120
120
  def x509_cert_data
121
- x509_cert_data_node.text
121
+ x509_cert_data_node.text.strip
122
122
  end
123
123
 
124
124
  def x509_cert_data_node
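Review bot: `strip` only trims the two ends of the text node, so whitespace or indentation on the interior lines of the base64 body, which is the usual shape of a wrapped certificate inside an XML element, is left untouched; whether that matters depends on how `x509_certificate` consumes the value, which is not visible in this hunk. A normalisation that handles both cases while keeping the line structure (OpenSSL's PEM reader is happier with wrapped lines than with one long line) is `x509_cert_data_node.text.split.join("\n")`. The spec added for this change states in its own comment that it cannot fail without the fix, so the input that actually triggered the bug is still unknown and the method should carry a comment saying which whitespace case it is meant to cover. `x509_cert_data_node` begins on the last line of the hunk and continues outside it.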
@@ -1,3 +1,3 @@
1
1
  module SignedXml
2
- VERSION = "1.1.0"
2
+ VERSION = "1.2.0"
3
3
  end
@@ -0,0 +1,71 @@
1
+ require 'spec_helper'
2
+
3
+ describe SignedXml::DigestMethodResolution do
4
+ include SignedXml::DigestMethodResolution
5
+
6
+ let(:sha1_ids) do
7
+ %w(
8
+ http://www.w3.org/2000/09/xmldsig#sha1
9
+ http://www.w3.org/2000/09/xmldsig#dsa-sha1
10
+ http://www.w3.org/2000/09/xmldsig#rsa-sha1
11
+ )
12
+ end
13
+
14
+ let(:sha224_ids) do
15
+ %w(
16
+ http://www.w3.org/2001/04/xmldsig-more#sha224
17
+ )
18
+ end
19
+
20
+ let(:sha256_ids) do
21
+ %w(
22
+ http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
23
+ http://www.w3.org/2001/04/xmlenc#sha256
24
+ )
25
+ end
26
+
27
+ let(:sha384_ids) do
28
+ %w(
29
+ http://www.w3.org/2001/04/xmldsig-more#sha384
30
+ http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
31
+ http://www.w3.org/2001/04/xmlenc#sha384
32
+ )
33
+ end
34
+
35
+ let(:sha512_ids) do
36
+ %w(
37
+ http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
38
+ http://www.w3.org/2001/04/xmlenc#sha512
39
+ )
40
+ end
41
+
42
+ it 'works for known SHA-1 IDs' do
43
+ sha1_ids.each do |id|
44
+ expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA1
45
+ end
46
+ end
47
+
48
+ it 'works for known SHA-224 IDs' do
49
+ sha224_ids.each do |id|
50
+ expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA224
51
+ end
52
+ end
53
+
54
+ it 'works for known SHA-256 IDs' do
55
+ sha256_ids.each do |id|
56
+ expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA256
57
+ end
58
+ end
59
+
60
+ it 'works for known SHA-384 IDs' do
61
+ sha384_ids.each do |id|
62
+ expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA384
63
+ end
64
+ end
65
+
66
+ it 'works for known SHA-512 IDs' do
67
+ sha512_ids.each do |id|
68
+ expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA512
69
+ end
70
+ end
71
+ end
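Review bot: The spec covers only the accept side of `new_digester_for_id`; the `else` branch that raises `ArgumentError` for an unrecognised algorithm URI, the fail-closed path a verifier most needs to keep, has no example. Add one such as `it 'raises for an unknown ID' do` / `expect { new_digester_for_id('urn:example:not-a-digest') }.to raise_error(ArgumentError)` / `end`. The `let` lists duplicate the module constants verbatim; that is fine as a pin against accidental edits to the allow-list, but a short comment saying the duplication is intentional will stop a later cleanup from replacing them with `SHA1_IDS` and friends, which would make the examples tautological.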
@@ -0,0 +1,79 @@
1
+ <?xml version="1.0"?>
2
+ <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306">
3
+ <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
4
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
5
+ <ds:SignedInfo>
6
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
7
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
8
+ <ds:Reference URI="">
9
+ <ds:Transforms>
10
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
11
+ </ds:Transforms>
12
+ <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
13
+ <ds:DigestValue>otynz9RFK0/mrkztml+POU0P4Rw=</ds:DigestValue>
14
+ </ds:Reference>
15
+ </ds:SignedInfo>
16
+ <ds:SignatureValue>fMniqoW/jSH7isH7ka+79+WYeiE4O63mA7TdrqOTrh8Q+JZQMsYsbAnx5E7Fo4Fy
17
+ +2yE/6XgCnEUFUvyWK9J5vaS+qzoOH5RZeSDcaSZeM5rP2hW5lf7iTQG/9wLsQUX
18
+ KQRm1/pFgm7yetYr+gfK8yvUMR0pQc4h+vo4wKyQQYpHMlS97BWFoPEvi9F1M0Ld
19
+ 7NxHSHUFGTLqm+664ZTYI3z1k2kcgsuZpwHYCYOx185U383jnW1DruwLD8KE6Nxn
20
+ Wd9imhxAiCV2CMQkjxIkrBM8du47rm+kDToYVgOn9gU15gYAmXUN/4MwF/yvYpQE
21
+ sAs0VcNWD5PRjIviKbRh2Q==</ds:SignatureValue>
22
+ <ds:KeyInfo>
23
+ <ds:X509Data>
24
+ <ds:X509Certificate>
25
+ MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
26
+ VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
27
+ bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
28
+ QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
29
+ bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
30
+ BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
31
+ ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
32
+ cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
33
+ ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
34
+ ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
35
+ c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
36
+ Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
37
+ 7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
38
+ 2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
39
+ h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
40
+ I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
41
+ CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
42
+ bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
43
+ VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
44
+ ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
45
+ BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
46
+ RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
47
+ vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
48
+ VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
49
+ qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
50
+ YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8
51
+ </ds:X509Certificate>
52
+ </ds:X509Data>
53
+ </ds:KeyInfo>
54
+ </ds:Signature>
55
+ <Status>
56
+ <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
57
+ </Status>
58
+ <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
59
+ <Issuer>https://www.opensaml.org/IDP</Issuer>
60
+ <Subject>
61
+ <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
62
+ scott@example.org
63
+ </NameID>
64
+ <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
65
+ </Subject>
66
+ <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
67
+ <AudienceRestriction>
68
+ <Audience>http://www.opensaml.org/SP</Audience>
69
+ </AudienceRestriction>
70
+ </Conditions>
71
+ <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
72
+ <AuthnContext>
73
+ <AuthnContextClassRef>
74
+ urn:oasis:names:tc:SAML:2.0:ac:classes:Password
75
+ </AuthnContextClassRef>
76
+ </AuthnContext>
77
+ </AuthnStatement>
78
+ </Assertion>
79
+ </Response>
@@ -29,6 +29,18 @@ describe SignedXml::Document do
29
29
  signed_doc.send(:signatures).first.send(:x509_certificate).to_pem.should eq test_certificate.to_pem
30
30
  end
31
31
 
32
+ let(:extra_whitespace_doc) do
33
+ SignedXml::Document(File.read(File.join(resources_path, 'extra_whitespace_in_cert_tag.xml')))
34
+ end
35
+
36
+ it "can read an embedded X.509 cert even if the tag contains extra whitespace" do
37
+ # Note: this only failed with one particular cert encountered so far, and that cert can't be included in this open-
38
+ # source project. Thus this test won't fail even if the fix is removed. Hopefully I eventually figure out what it is
39
+ # about that one weird cert that leads to the failure, so that I can generate an equivalent cert which can be used
40
+ # here.
41
+ expect(extra_whitespace_doc.send(:signatures).first.send(:x509_certificate).to_pem).to eq test_certificate.to_pem
42
+ end
43
+
32
44
  it "knows the public key of the embedded X.509 certificate" do
33
45
  signed_doc.send(:signatures).first.send(:public_key).to_s.should eq test_certificate.public_key.to_s
34
46
  end
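Review bot: The example `it "can read an embedded X.509 cert even if the tag contains extra whitespace"` is, by its own comment, unable to fail when the fix is removed, so it documents the problem rather than guarding it. A guard that does pin the change without needing the unreproducible certificate is to assert on the intermediate value: read `x509_cert_data` from the first signature of `extra_whitespace_doc` into `data` and `expect(data).to eq(data.strip)`, which fails the moment the `.strip` is dropped. The `let(:extra_whitespace_doc)` is also placed between two examples; if the rest of the describe block keeps its `let`s together at the top, which I cannot see from this hunk, it belongs there.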
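--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: signed_xml
 version: !ruby/object:Gem::Version
-version: 1.1.0
+version: 1.2.0
 platform: ruby
 authors:
 - Todd Thomas
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-02-03 00:00:00.000000000 Z
+date: 2016-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nokogiri
@@ -108,9 +108,11 @@ files:
 - lib/signed_xml/transformable.rb
 - lib/signed_xml/version.rb
 - signed_xml.gemspec
+- spec/digest_method_resolution_spec.rb
 - spec/resources/another_test_cert.pem
 - spec/resources/another_test_key.pem
 - spec/resources/badly_signed_saml_response.xml
+- spec/resources/extra_whitespace_in_cert_tag.xml
 - spec/resources/incorrect_digest_saml_response.xml
 - spec/resources/no_key_doc.xml
 - spec/resources/no_key_template.xml
@@ -146,14 +148,16 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.3
+rubygems_version: 2.4.8
 signing_key:
 specification_version: 4
 summary: Provides [incomplete] support for verification of XML Signatures <http://www.w3.org/TR/xmldsig-core>.
 test_files:
+- spec/digest_method_resolution_spec.rb
 - spec/resources/another_test_cert.pem
 - spec/resources/another_test_key.pem
 - spec/resources/badly_signed_saml_response.xml
+- spec/resources/extra_whitespace_in_cert_tag.xml
 - spec/resources/incorrect_digest_saml_response.xml
 - spec/resources/no_key_doc.xml
 - spec/resources/no_key_template.xml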