signed_xml 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9237cab4ca63f8b3edf77ef72441071583d7369c
-  data.tar.gz: af907d76ea132e2a73044a1cf253f3e6139fcc60
+  metadata.gz: 4cba993da121bca75e7dff3b2573da9fb2a49880
+  data.tar.gz: 18171af9b793b4af5c5dc1fdbc51284c7fb2ddbb
 SHA512:
-  metadata.gz: c31450cf47d60eafeed2f578e1fd7720c996e107120f1f8076a948f543f55d4dd278f6016d71b8b206ba2b0a657751a05a7aab728a12e8ad5a7403249b2e35c9
-  data.tar.gz: 2e01b8a826942db5e17055eedfdc733ad7dfcf4d60d27f59cdb69be00c1ef5e0cff78281b91cb59dc397e54c7b8590b149f518b9b61e87c3d6884aa8b5ace03e
+  metadata.gz: caf3a86802668b5557d4d50b98004e69c02a7cd0d4d008bf8f59f823b1073d22623e1060b58a308dae936d7d55d0be238c15769a45fd347505981b9f7050a537
+  data.tar.gz: c6e922e88e9287747b989fc59b8976efa0b5ea0ed04c2dc6d900d6dd646e955ef86009011a3dd32fe76294ee37235c761068c0337771fa3010745b49ebefc27b

data/.travis.yml

@@ -1,8 +1,5 @@
 language: ruby
+sudo: false
 rvm:
-  - 1.9.3
   - 2.1
-  - rbx
-matrix:
-  allow_failures:
-    - rvm: rbx
+  - 2.3.1

data/lib/signed_xml/digest_method_resolution.rb

@@ -4,12 +4,60 @@ module SignedXml
   module DigestMethodResolution
     include OpenSSL
 
+    # The XML Signature Syntax and Processing (Second Edition) specification defines IDs for algorithms which must be
+    # supported by implementations. It also defines IDs for some algorithms which it recommends be supported. See
+    # https://www.w3.org/TR/xmldsig-core/#sec-AlgID.
+    #
+    # The XML Encryption Syntax and Processing Version 1.1 specification defines IDs for its own set of required and
+    # recommended algorithms, and some of these have been seen in signed XML docs in the wild. See
+    # https://www.w3.org/TR/xmlenc-core1/#sec-AlgID
+    #
+    # RFC 6931 defines IDs for yet more algorithms which have also been encountered in the wild. See
+    # https://tools.ietf.org/html/rfc6931.
+    #
+    # Note that some of these are encryption algorithms, of which the digest or hashing algorithm is only one component.
+    # Nevertheless, it is the only component this method aims to identify.
+
+    SHA1_IDS = %w(
+      http://www.w3.org/2000/09/xmldsig#sha1
+      http://www.w3.org/2000/09/xmldsig#dsa-sha1
+      http://www.w3.org/2000/09/xmldsig#rsa-sha1
+    )
+
+    SHA224_IDS = %w(
+      http://www.w3.org/2001/04/xmldsig-more#sha224
+    )
+
+    SHA256_IDS = %w(
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+      http://www.w3.org/2001/04/xmlenc#sha256
+    )
+
+    SHA384_IDS = %w(
+      http://www.w3.org/2001/04/xmldsig-more#sha384
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
+      http://www.w3.org/2001/04/xmlenc#sha384
+    )
+
+    SHA512_IDS = %w(
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
+      http://www.w3.org/2001/04/xmlenc#sha512
+    )
+
     def new_digester_for_id(id)
       case id
-      when "http://www.w3.org/2000/09/xmldsig#sha1","http://www.w3.org/2000/09/xmldsig#rsa-sha1"
-        Digest::SHA1.new
-      else
-        raise ArgumentError, "unknown digest method #{id}"
+        when *SHA1_IDS
+          Digest::SHA1.new
+        when *SHA224_IDS
+          Digest::SHA224.new
+        when *SHA256_IDS
+          Digest::SHA256.new
+        when *SHA384_IDS
+          Digest::SHA384.new
+        when *SHA512_IDS
+          Digest::SHA512.new
+        else
+          raise ArgumentError, "unknown digest method #{id}"
       end
     end
   end

data/lib/signed_xml/digest_transform.rb

@@ -4,14 +4,14 @@ module SignedXml
   class DigestTransform
     include DigestMethodResolution
 
-    attr_reader :digest
+    attr_reader :digester
 
     def initialize(method_id)
-      @digest = new_digester_for_id(method_id)
+      @digester = new_digester_for_id(method_id)
     end
 
     def apply(input)
-      digest.digest(input)
+      digester.digest(input)
     end
   end
 end

data/lib/signed_xml/signature.rb

@@ -118,7 +118,7 @@ module SignedXml
     end
 
     def x509_cert_data
-      x509_cert_data_node.text
+      x509_cert_data_node.text.strip
     end
 
     def x509_cert_data_node

data/lib/signed_xml/version.rb

@@ -1,3 +1,3 @@
 module SignedXml
-  VERSION = "1.1.0"
+  VERSION = "1.2.0"
 end

data/spec/digest_method_resolution_spec.rb

@@ -0,0 +1,71 @@
+require 'spec_helper'
+
+describe SignedXml::DigestMethodResolution do
+  include SignedXml::DigestMethodResolution
+
+  let(:sha1_ids) do
+    %w(
+      http://www.w3.org/2000/09/xmldsig#sha1
+      http://www.w3.org/2000/09/xmldsig#dsa-sha1
+      http://www.w3.org/2000/09/xmldsig#rsa-sha1
+    )
+  end
+
+  let(:sha224_ids) do
+    %w(
+      http://www.w3.org/2001/04/xmldsig-more#sha224
+    )
+  end
+
+  let(:sha256_ids) do
+    %w(
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+      http://www.w3.org/2001/04/xmlenc#sha256
+    )
+  end
+
+  let(:sha384_ids) do
+    %w(
+      http://www.w3.org/2001/04/xmldsig-more#sha384
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
+      http://www.w3.org/2001/04/xmlenc#sha384
+    )
+  end
+
+  let(:sha512_ids) do
+    %w(
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
+      http://www.w3.org/2001/04/xmlenc#sha512
+    )
+  end
+
+  it 'works for known SHA-1 IDs' do
+    sha1_ids.each do |id|
+      expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA1
+    end
+  end
+
+  it 'works for known SHA-224 IDs' do
+    sha224_ids.each do |id|
+      expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA224
+    end
+  end
+
+  it 'works for known SHA-256 IDs' do
+    sha256_ids.each do |id|
+      expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA256
+    end
+  end
+
+  it 'works for known SHA-384 IDs' do
+    sha384_ids.each do |id|
+      expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA384
+    end
+  end
+
+  it 'works for known SHA-512 IDs' do
+    sha512_ids.each do |id|
+      expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA512
+    end
+  end
+end

data/spec/resources/extra_whitespace_in_cert_tag.xml

@@ -0,0 +1,79 @@
+<?xml version="1.0"?>
+<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" ID="_c7055387-af61-4fce-8b98-e2927324b306">
+  <saml:Issuer>https://www.opensaml.org/IDP"</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>otynz9RFK0/mrkztml+POU0P4Rw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fMniqoW/jSH7isH7ka+79+WYeiE4O63mA7TdrqOTrh8Q+JZQMsYsbAnx5E7Fo4Fy
++2yE/6XgCnEUFUvyWK9J5vaS+qzoOH5RZeSDcaSZeM5rP2hW5lf7iTQG/9wLsQUX
+KQRm1/pFgm7yetYr+gfK8yvUMR0pQc4h+vo4wKyQQYpHMlS97BWFoPEvi9F1M0Ld
+7NxHSHUFGTLqm+664ZTYI3z1k2kcgsuZpwHYCYOx185U383jnW1DruwLD8KE6Nxn
+Wd9imhxAiCV2CMQkjxIkrBM8du47rm+kDToYVgOn9gU15gYAmXUN/4MwF/yvYpQE
+sAs0VcNWD5PRjIviKbRh2Q==</ds:SignatureValue>
+<ds:KeyInfo>
+<ds:X509Data>
+<ds:X509Certificate>
+MIIExDCCA6ygAwIBAgIJAJsG6scSiBu+MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEUMBIGA1UEBxMLU3ByaW5nZmll
+bGQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UECxQK
+QXJyciAmIERlZTELMAkGA1UEAxMCTWUxHTAbBgkqhkiG9w0BCQEWDm1lQGV4YW1w
+bGUub3JnMB4XDTEzMDQxMTAwNTc1MloXDTQwMDgyNzAwNTc1MlowgZwxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJpbmdmaWVs
+ZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQLFApB
+cnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs
+ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZbhwD884KG1Aj
+ZENyOQw1TpqvMkkxMSIFQwSMPg81JIDgPifCXXHimiNheo99K4TnLAV4V+6sLsP8
+c2pQFr57mDSBo1x1JjSLR/LGD/scqQqzSXNXLNffF7FbH28/wL9+lBrMNxEh5LvT
+Cm+rmnAHdJjGK//BbLE7Vuek3irquUo3OF6HidORr2b86ec4I2gjien3kwgmYc0n
+7pxjReEeKqpoZ1ytB3PjDlAwJchCTs6i+bmQJ5xqyDn+OHTZutCVCE9DwBLThfGr
+2j+c7po42EucuS1GMEbHWbEcSCruhQY51iR+hc54TRc/GQbwfVyfOBMJ98s5TASA
+h0Sfw2DlAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUbuT5ExXORlqEIJRWCNvHgBig
+I9swgdEGA1UdIwSByTCBxoAUbuT5ExXORlqEIJRWCNvHgBigI9uhgaKkgZ8wgZwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRQwEgYDVQQHEwtTcHJp
+bmdmaWVsZDEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQLFApBcnJyICYgRGVlMQswCQYDVQQDEwJNZTEdMBsGCSqGSIb3DQEJARYObWVA
+ZXhhbXBsZS5vcmeCCQCbBurHEogbvjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQABGQp+S8TgiPkMqOoHiosApgs/SttQfRZVlmhoqsJQ554xkui75PIo
+RMHd42Ft8PO5aQiqXe6sbGJh9e78pSqdhytrlwIf4OSomJ2ghRGKoPESBnMQGxYT
+vMx/0BvjVj8rNSFmVgTV+foSkJj2tJnr/9ZfYbRPybDRYvDhfnlE7SpfBanKK2r+
+VpLSlm1c6d5cYA5xKUtQgV9wKbMZLl5B75S3CXz1K6TujHN3K/B3a4Hc7AknWqFd
+qsWDWKJjyH3XzQkpPT00TqQOaM9gbYqsLXmiuLzYXV1JQhU1vs29mIIFbtQK0jYd
+YEcPFLoaQoTClLMt9R+6wrJvJ9loh6P8
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</ds:Signature>
+  <Status>
+    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
+    <Issuer>https://www.opensaml.org/IDP</Issuer>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
+        scott@example.org
+      </NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
+    </Subject>
+    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T00:51:02Z">
+      <AudienceRestriction>
+        <Audience>http://www.opensaml.org/SP</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2003-04-17T00:46:00Z">
+      <AuthnContext>
+        <AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</Response>

data/spec/signed_xml_document_spec.rb

@@ -29,6 +29,18 @@ describe SignedXml::Document do
     signed_doc.send(:signatures).first.send(:x509_certificate).to_pem.should eq test_certificate.to_pem
   end
 
+  let(:extra_whitespace_doc) do
+    SignedXml::Document(File.read(File.join(resources_path, 'extra_whitespace_in_cert_tag.xml')))
+  end
+
+  it "can read an embedded X.509 cert even if the tag contains extra whitespace" do
+    # Note: this only failed with one particular cert encountered so far, and that cert can't be included in this open-
+    # source project. Thus this test won't fail even if the fix is removed. Hopefully I eventually figure out what it is
+    # about that one weird cert that leads to the failure, so that I can generate an equivalent cert which can be used
+    # here.
+    expect(extra_whitespace_doc.send(:signatures).first.send(:x509_certificate).to_pem).to eq test_certificate.to_pem
+  end
+
   it "knows the public key of the embedded X.509 certificate" do
     signed_doc.send(:signatures).first.send(:public_key).to_s.should eq test_certificate.public_key.to_s
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: signed_xml
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Todd Thomas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-02-03 00:00:00.000000000 Z
+date: 2016-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -108,9 +108,11 @@ files:
 - lib/signed_xml/transformable.rb
 - lib/signed_xml/version.rb
 - signed_xml.gemspec
+- spec/digest_method_resolution_spec.rb
 - spec/resources/another_test_cert.pem
 - spec/resources/another_test_key.pem
 - spec/resources/badly_signed_saml_response.xml
+- spec/resources/extra_whitespace_in_cert_tag.xml
 - spec/resources/incorrect_digest_saml_response.xml
 - spec/resources/no_key_doc.xml
 - spec/resources/no_key_template.xml
@@ -146,14 +148,16 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.3
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: Provides [incomplete] support for verification of XML Signatures <http://www.w3.org/TR/xmldsig-core>.
 test_files:
+- spec/digest_method_resolution_spec.rb
 - spec/resources/another_test_cert.pem
 - spec/resources/another_test_key.pem
 - spec/resources/badly_signed_saml_response.xml
+- spec/resources/extra_whitespace_in_cert_tag.xml
 - spec/resources/incorrect_digest_saml_response.xml
 - spec/resources/no_key_doc.xml
 - spec/resources/no_key_template.xml