signer 1.3.1 → 1.4.0

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    MjdkYWY0NGIxMWEwZWEyNDEwNDkwN2E2ZDA0NWZlODcxNGVhMmM3Zg==
-  data.tar.gz: !binary |-
-    M2M3Njg5MTE1ZDQ4NTM4ZGU5YjI0OWNjY2IzMmNiMDVhYjE0NjEzYQ==
+SHA1:
+  metadata.gz: 90bf367f95fe6b6176fc18f58e91eed7c5c27d84
+  data.tar.gz: 85539298e638c7bf0824fa2f537565286603c9c5
 SHA512:
-  metadata.gz: !binary |-
-    Zjg3YjhhMzAwZjJmZTM4M2Y1MGIwODM5ZmE4OGFlMTM3ZTYwODM4YjA0ODJl
-    ZWI2MWNkYThkMjNhOTEwNzhkZGI3MmE1MzQ4MDMzMmQ4ZDgyOWZmMDc5MDNi
-    YzY3ZTY2NmY2NDdhODFhMjAxOGE2M2I5Y2UyMjNkODc1MjM4MGI=
-  data.tar.gz: !binary |-
-    YjIwOWQ4YmJiMjAzZDhmNTRiMjYxNDljMzQzMGEwNzA4N2U0ZTgwNTZjZmVj
-    ZTgxMDg5MzBlOGY4NmZjYWE2YmEzNTgwZDA3NTM4NzQ4ZWU4MGFkY2RiNzYz
-    Nzc1MGYzMTM0NTg4OWRmOTliMmI2NWFkODZhMzcwNjllN2RlN2M=
+  metadata.gz: f8ee8286d29dde4704486e7b4b70ffe5242234b159e3b7929e9a9997d71779b0303d0838bb3fb6dd9fe0803363d416a5d3a071974a4f9762b2c63f19c964f9ea
+  data.tar.gz: af759eb3935fb4968e04f6b821544ff04e932e413c837b28b1b36f1b687e845f5e86eb6e18cbac8f96491c0a2627fc1f340d02636bc2143e6a40f30c166d421b

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.4.0 (2014-06-24)
+
+- Support signing and digesting with inclusive namespaces (#5, @Envek)
+
 ## 1.3.1 (2014-06-24)
 
 - Fix namespace issue for SecurityTokenReference tag (#4, #@Envek)

data/README.md

@@ -225,3 +225,5 @@ If you need to digest a `BinarySecurityToken` tag, you need to construct it your
 signer.digest!(signer.binary_security_token_node) # Constructing tag and digesting it
 signer.sign! # No need to pass a :security_token option, as we already constructed and inserted this node
 ```
+
+If you need to use canonicalization with inclusive namespaces you can pass array of namespace prefixes in `:inclusive_namespaces` option in both `digest!` and `sign!` methods.

data/lib/signer.rb

@@ -72,8 +72,8 @@ class Signer
     @security_node ||= document.xpath('//wsse:Security', wsse: WSSE_NAMESPACE).first
   end
 
-  def canonicalize(node = document)
-    node.canonicalize(Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0, nil, nil) # The last argument should be exactly +nil+ to remove comments from result
+  def canonicalize(node = document, inclusive_namespaces=nil)
+    node.canonicalize(Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0, inclusive_namespaces, nil) # The last argument should be exactly +nil+ to remove comments from result
   end
 
   # <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
@@ -176,13 +176,27 @@ class Signer
     data_node
   end
 
-  # <Reference URI="#_0">
-  #   <Transforms>
-  #     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
-  #   </Transforms>
-  #   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-  #   <DigestValue>aeqXriJuUCk4tPNPAGDXGqHj6ao=</DigestValue>
-  # </Reference>
+  ##
+  # Digests some +target_node+, which integrity you wish to track. Any changes in digested node will invalidate signed message.
+  # All digest should be calculated **before** signing.
+  #
+  # Available options:
+  # * [+:id+]                   Id for the node, if you don't want to use automatically calculated one
+  # * [+:inclusive_namespaces+] Array of namespace prefixes which definitions should be added to node during canonicalization
+  # * [+:enveloped+]
+  #
+  # Example of XML that will be inserted in message for call like <tt>digest!(node, inclusive_namespaces: ['soap'])</tt>:
+  #
+  #   <Reference URI="#_0">
+  #     <Transforms>
+  #       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+  #         <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
+  #       </Transform>
+  #     </Transforms>
+  #     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+  #     <DigestValue>aeqXriJuUCk4tPNPAGDXGqHj6ao=</DigestValue>
+  #   </Reference>
+
   def digest!(target_node, options = {})
     wsu_ns = namespace_prefix(target_node, WSU_NAMESPACE)
     current_id = target_node["#{wsu_ns}:Id"]  if wsu_ns
@@ -191,7 +205,7 @@ class Signer
       wsu_ns ||= namespace_prefix(target_node, WSU_NAMESPACE, 'wsu')
       target_node["#{wsu_ns}:Id"] = id.to_s
     end
-    target_canon = canonicalize(target_node)
+    target_canon = canonicalize(target_node, options[:inclusive_namespaces])
     target_digest = Base64.encode64(@digester.digest(target_canon)).strip
 
     reference_node = Nokogiri::XML::Node.new('Reference', document)
@@ -207,6 +221,12 @@ class Signer
     else
       transform_node['Algorithm'] = 'http://www.w3.org/2001/10/xml-exc-c14n#'
     end
+    if options[:inclusive_namespaces]
+      inclusive_namespaces_node = Nokogiri::XML::Node.new('ec:InclusiveNamespaces', document)
+      inclusive_namespaces_node.add_namespace_definition('ec', transform_node['Algorithm'])
+      inclusive_namespaces_node['PrefixList'] = options[:inclusive_namespaces].join(' ')
+      transform_node.add_child(inclusive_namespaces_node)
+    end
     transforms_node.add_child(transform_node)
 
     digest_method_node = Nokogiri::XML::Node.new('DigestMethod', document)
@@ -219,7 +239,16 @@ class Signer
     self
   end
 
-  # <SignatureValue>...</SignatureValue>
+  ##
+  # Sign document with provided certificate, private key and other options
+  #
+  # This should be very last action before calling +to_xml+, all the required nodes should be digested with +digest!+ **before** signing.
+  #
+  # Available options:
+  # * [+:security_token+]       Serializes certificate in DER format, encodes it with Base64 and inserts it within +<BinarySecurityToken>+ tag
+  # * [+:issuer_serial+]
+  # * [+:inclusive_namespaces+] Array of namespace prefixes which definitions should be added to signed info node during canonicalization
+
   def sign!(options = {})
     if options[:security_token]
       binary_security_token_node
@@ -229,7 +258,15 @@ class Signer
       x509_data_node
     end
 
-    signed_info_canon = canonicalize(signed_info_node)
+    if options[:inclusive_namespaces]
+      c14n_method_node = signed_info_node.at_xpath('ds:CanonicalizationMethod', ds: 'http://www.w3.org/2000/09/xmldsig#')
+      inclusive_namespaces_node = Nokogiri::XML::Node.new('ec:InclusiveNamespaces', document)
+      inclusive_namespaces_node.add_namespace_definition('ec', c14n_method_node['Algorithm'])
+      inclusive_namespaces_node['PrefixList'] = options[:inclusive_namespaces].join(' ')
+      c14n_method_node.add_child(inclusive_namespaces_node)
+    end
+
+    signed_info_canon = canonicalize(signed_info_node, options[:inclusive_namespaces])
 
     signature = private_key.sign(@sign_digester.digester, signed_info_canon)
     signature_value_digest = Base64.encode64(signature).gsub("\n", '')

data/lib/signer/version.rb

@@ -1,3 +1,3 @@
 class Signer
-  VERSION = "1.3.1"
+  VERSION = '1.4.0'
 end

data/spec/fixtures/output_1_inclusive_namespaces.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0"?>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:wsurandom="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
+  <s:Header>
+    <a:Action s:mustUnderstand="1">http://tempuri.org/IDocumentService/SearchDocuments</a:Action>
+    <a:MessageID>urn:uuid:30db5d4f-ab84-46be-907c-be690a92979b</a:MessageID>
+    <a:ReplyTo>
+      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+    </a:ReplyTo>
+    <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:a="http://www.w3.org/2003/05/soap-envelope" a:mustUnderstand="1">http://tempuri.org/PublicServices/Test/1.0.12/PublicServices/DocumentService.svc</To>
+    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
+      <wsurandom:Timestamp>
+        <wsurandom:Created>2012-05-02T18:17:14.467Z</wsurandom:Created>
+        <wsurandom:Expires>2012-05-02T18:22:14.467Z</wsurandom:Expires>
+      </wsurandom:Timestamp>
+      <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsurandom:Id="uuid-639b8970-7644-4f9e-9bc4-9c2e367808fc-1">MIICsDCCAhmgAwIBAgIJAOUHvh4oho0tMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTIwNTAzMTMxODIyWhcNMTMwNTAzMTMxODIyWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvK5hMPv/R5IFmwWyJOyEaFUrF/ZsmN+Gip8hvR6rLP3YPNx9iFYvPcZllFmuVwyaz7YT2N5BsqTwLdyi5v4HY4fUtuz0p8jIPoSd6dfDvcnSpf4QLTOgOaL3ciPEbgDHH2tnIksukoWzqCYva+qFZ74NFl19swXotW9fA4Jzs4QIDAQABo4GnMIGkMB0GA1UdDgQWBBRU1WEHDnP8Hr7ZulxrSzEwOcYpMzB1BgNVHSMEbjBsgBRU1WEHDnP8Hr7ZulxrSzEwOcYpM6FJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAOUHvh4oho0tMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEASY/9SAOK57q9mGnNJJeyDbmyGrAHSJTod646xTHYkMvhUqwHyk9PTr5bdfmswpmyVn+AQ43U2tU5vnpTBmKpHWD2+HSHgGa92mMLrfBOd8EBZ329NL3N2HDPIaHr4NPGyhNrSK3QVOnAq2D0jlyrGYJlLli1NxHiBz7FCEJaVI8=</wsse:BinarySecurityToken>
+      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <SignedInfo>
+          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="s"/>
+          </CanonicalizationMethod>
+          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+          <Reference URI="#_846355fa6c1fbadc2f04c0e0a86eda85d9cbfa31">
+            <Transforms>
+              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="s"/>
+              </Transform>
+            </Transforms>
+            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+            <DigestValue>lXzKYCXgcLpnf/2Q8ieQqj3Er7I=</DigestValue>
+          </Reference>
+        </SignedInfo>
+        <SignatureValue>Bs6O0JuOix9vzDX7gTUMWJ+xzB4IfIWI7l/HjMnE4MnfnFlDQeU1a+0OuqiWiesdzImDLZvqjAeSBUPQOnP4eil2O9qTEd4FvTAUm6DldBV+4ECSXozDiLyPaHMSrm4JZyuePF6d3IOroDYn7ZREWBYgBGHiga7F7+h4s9ZW2XQ=</SignatureValue>
+        <KeyInfo>
+          <wsse:SecurityTokenReference>
+            <wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-639b8970-7644-4f9e-9bc4-9c2e367808fc-1"/>
+          </wsse:SecurityTokenReference>
+        </KeyInfo>
+      </Signature>
+    </wsse:Security>
+  </s:Header>
+  <s:Body wsurandom:Id="_846355fa6c1fbadc2f04c0e0a86eda85d9cbfa31">
+    <SearchDocuments xmlns="http://tempuri.org/">
+      <searchCriteria xmlns:b="http://schemas.datacontract.org/2004/07/BusinessLogic.Data.Documents.Integration" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
+        <b:RegistrationNo>1</b:RegistrationNo>
+      </searchCriteria>
+    </SearchDocuments>
+  </s:Body>
+</s:Envelope>

data/spec/signer_spec.rb

@@ -68,6 +68,26 @@ describe Signer do
     signer.to_xml.should == Nokogiri::XML(File.read(output_xml_file), &:noblanks).to_xml(:save_with => 0)
   end
 
+  it "should digest and sign SOAP XML with inclusive namespaces" do
+    input_xml_file   = File.join(File.dirname(__FILE__), 'fixtures', 'input_1.xml')
+    cert_file        = File.join(File.dirname(__FILE__), 'fixtures', 'cert.pem')
+    private_key_file = File.join(File.dirname(__FILE__), 'fixtures', 'key.pem')
+
+    signer = Signer.new(File.read(input_xml_file))
+    signer.cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
+    signer.private_key = OpenSSL::PKey::RSA.new(File.read(private_key_file), "test")
+
+    signer.document.xpath("//soap:Body", { "soap" => "http://www.w3.org/2003/05/soap-envelope" }).each do |node|
+      signer.digest!(node, inclusive_namespaces: ['s'])
+    end
+
+    signer.sign!(security_token: true, inclusive_namespaces: ['s'])
+
+    output_xml_file = File.join(File.dirname(__FILE__), 'fixtures', 'output_1_inclusive_namespaces.xml')
+
+    signer.to_xml.should == Nokogiri::XML(File.read(output_xml_file), &:noblanks).to_xml(:save_with => 0)
+  end
+
   it "should sign simple XML" do
     input_xml_file   = File.join(File.dirname(__FILE__), 'fixtures', 'input_2.xml')
     cert_file        = File.join(File.dirname(__FILE__), 'fixtures', 'cert.pem')

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: signer
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.4.0
 platform: ruby
 authors:
 - Edgars Beigarts
@@ -11,47 +11,47 @@ cert_chain: []
 date: 2014-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
   name: rake
-  type: :development
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+  type: :development
   prerelease: false
-- !ruby/object:Gem::Dependency
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
   name: rspec
-  type: :development
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+  type: :development
   prerelease: false
-- !ruby/object:Gem::Dependency
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.1
+        version: '0'
+- !ruby/object:Gem::Dependency
   name: nokogiri
-  type: :runtime
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.5.1
+  type: :runtime
   prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.1
 description: WS Security XML signer
 email:
 - edgars.beigarts@gmail.com
@@ -59,18 +59,19 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- lib/signer/digester.rb
-- lib/signer/version.rb
-- lib/signer.rb
-- README.md
 - CHANGELOG.md
 - LICENSE
+- README.md
+- lib/signer.rb
+- lib/signer/digester.rb
+- lib/signer/version.rb
 - spec/fixtures/cert.pem
 - spec/fixtures/input_1.xml
 - spec/fixtures/input_2.xml
 - spec/fixtures/input_3_c14n_comments.xml
 - spec/fixtures/key.pem
 - spec/fixtures/output_1.xml
+- spec/fixtures/output_1_inclusive_namespaces.xml
 - spec/fixtures/output_1_sha256.xml
 - spec/fixtures/output_2.xml
 - spec/fixtures/output_3_c14n_comments.xml
@@ -85,17 +86,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.1.11
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: WS Security XML signer
@@ -106,6 +107,7 @@ test_files:
 - spec/fixtures/input_3_c14n_comments.xml
 - spec/fixtures/key.pem
 - spec/fixtures/output_1.xml
+- spec/fixtures/output_1_inclusive_namespaces.xml
 - spec/fixtures/output_1_sha256.xml
 - spec/fixtures/output_2.xml
 - spec/fixtures/output_3_c14n_comments.xml