signer 1.5.0 → 1.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ae216e81d9f7a7ee4d382887c57ac53a915e7173
-  data.tar.gz: 01e67fcff1cbe03eafaa72e083d9849ddede5bb4
+  metadata.gz: a37c55f9fdbf134383fd475503fbd47cee739f42
+  data.tar.gz: 60999a93aa7427c4a132c75985a915f7d18a2995
 SHA512:
-  metadata.gz: e9dc941878f1f90d72cf33deba4a2f1c82e84d94f108461a2187a1042520db896368322ed3d1e136bab90d1274fa5e3a4ef96fd10ada602b7878844ec59a642a
-  data.tar.gz: 5ff0201e154fa6fd8174c10f1605a4a9f630362db0a8a4b37afed9f61da674b959a5f8cccfd326e1b40a9cc6d310cb5f88353bcb13986c6c395c69c3c1d9cd4e
+  metadata.gz: 47fdf2988627bbf355ac5ab6a1ffe80bbe660d7bd6315ec65c3ed96978191653d1f3919270b960685364487910f846970e21f00738c456affea72b6d31695378
+  data.tar.gz: 00e6ba00e46ab22ef6a9029d0cc1f28b00c04a8b90cfd2a512a84b2d444bea9b627806d5059efd74f7f66312e8b0465adeb66716abb5733941268ab83b87dfb7

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.5.1 (2017-03-23)
+
+- Allow to set up custom xmldsig namespace prefix for Signature node (#14, @Envek)
+
 ## 1.5.0 (2017-01-23)
 
 - Add posibility to disable noblanks method in Signer initialization (#16, @bpietraga)

data/README.md

@@ -229,9 +229,14 @@ signer.sign! # No need to pass a :security_token option, as we already construct
 
 If you need to use canonicalization with inclusive namespaces you can pass array of namespace prefixes in `:inclusive_namespaces` option in both `digest!` and `sign!` methods.
 
+If you need `Signature` tags to be in explicit namespace (say, `<ds:Signature>`) instead of to be in implicit default namespace you can specify next option:
+
+```ruby
+signer.ds_namespace_prefix = 'ds'
+```
 
 Every new instance of signer has Nokogiri `noblanks` set as default in process of parsing xml file. If you need to disable it, pass opional argument `noblanks: false`.
 
-```
+```ruby
 Signer.new(File.read("example.xml"), noblanks: false)
 ```

data/lib/signer.rb

@@ -7,12 +7,13 @@ require "signer/digester"
 require "signer/version"
 
 class Signer
-  attr_accessor :document, :private_key, :signature_algorithm_id
+  attr_accessor :document, :private_key, :signature_algorithm_id, :ds_namespace_prefix
   attr_reader :cert
   attr_writer :security_node, :signature_node, :security_token_id
 
   WSU_NAMESPACE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
   WSSE_NAMESPACE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
+  DS_NAMESPACE = 'http://www.w3.org/2000/09/xmldsig#'
 
   def initialize(document, noblanks: true)
     self.document = Nokogiri::XML(document.to_s) do |config|
@@ -81,10 +82,10 @@ class Signer
   # <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   def signature_node
     @signature_node ||= begin
-      @signature_node = security_node.at_xpath('ds:Signature', ds: 'http://www.w3.org/2000/09/xmldsig#')
+      @signature_node = security_node.at_xpath('ds:Signature', ds: DS_NAMESPACE)
       unless @signature_node
         @signature_node = Nokogiri::XML::Node.new('Signature', document)
-        @signature_node.default_namespace = 'http://www.w3.org/2000/09/xmldsig#'
+        set_namespace_for_node(@signature_node, DS_NAMESPACE, ds_namespace_prefix)
         security_node.add_child(@signature_node)
       end
       @signature_node
@@ -97,16 +98,19 @@ class Signer
   #   ...
   # </SignedInfo>
   def signed_info_node
-    node = signature_node.at_xpath('ds:SignedInfo', ds: 'http://www.w3.org/2000/09/xmldsig#')
+    node = signature_node.at_xpath('ds:SignedInfo', ds: DS_NAMESPACE)
     unless node
       node = Nokogiri::XML::Node.new('SignedInfo', document)
       signature_node.add_child(node)
+      set_namespace_for_node(node, DS_NAMESPACE, ds_namespace_prefix)
       canonicalization_method_node = Nokogiri::XML::Node.new('CanonicalizationMethod', document)
       canonicalization_method_node['Algorithm'] = 'http://www.w3.org/2001/10/xml-exc-c14n#'
       node.add_child(canonicalization_method_node)
+      set_namespace_for_node(canonicalization_method_node, DS_NAMESPACE, ds_namespace_prefix)
       signature_method_node = Nokogiri::XML::Node.new('SignatureMethod', document)
       signature_method_node['Algorithm'] = self.signature_algorithm_id
       node.add_child(signature_method_node)
+      set_namespace_for_node(signature_method_node, DS_NAMESPACE, ds_namespace_prefix)
     end
     node
   end
@@ -136,6 +140,7 @@ class Signer
       key_info_node = Nokogiri::XML::Node.new('KeyInfo', document)
       security_token_reference_node = Nokogiri::XML::Node.new("#{wsse_ns}:SecurityTokenReference", document)
       key_info_node.add_child(security_token_reference_node)
+      set_namespace_for_node(key_info_node, DS_NAMESPACE, ds_namespace_prefix)
       reference_node = Nokogiri::XML::Node.new("#{wsse_ns}:Reference", document)
       reference_node['ValueType'] = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
       reference_node['URI'] = "##{security_token_id}"
@@ -177,6 +182,13 @@ class Signer
 
     signed_info_node.add_next_sibling(key_info_node)
 
+    set_namespace_for_node(key_info_node, DS_NAMESPACE, ds_namespace_prefix)
+    set_namespace_for_node(data_node, DS_NAMESPACE, ds_namespace_prefix)
+    set_namespace_for_node(issuer_serial_node, DS_NAMESPACE, ds_namespace_prefix)
+    set_namespace_for_node(cetificate_node, DS_NAMESPACE, ds_namespace_prefix)
+    set_namespace_for_node(issuer_name_node, DS_NAMESPACE, ds_namespace_prefix)
+    set_namespace_for_node(issuer_number_node, DS_NAMESPACE, ds_namespace_prefix)
+
     data_node
   end
 
@@ -215,11 +227,14 @@ class Signer
     reference_node = Nokogiri::XML::Node.new('Reference', document)
     reference_node['URI'] = id.to_s.size > 0 ? "##{id}" : ""
     signed_info_node.add_child(reference_node)
+    set_namespace_for_node(reference_node, DS_NAMESPACE, ds_namespace_prefix)
 
     transforms_node = Nokogiri::XML::Node.new('Transforms', document)
     reference_node.add_child(transforms_node)
+    set_namespace_for_node(transforms_node, DS_NAMESPACE, ds_namespace_prefix)
 
     transform_node = Nokogiri::XML::Node.new('Transform', document)
+    set_namespace_for_node(transform_node, DS_NAMESPACE, ds_namespace_prefix)
     if options[:enveloped]
       transform_node['Algorithm'] = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
     else
@@ -236,10 +251,12 @@ class Signer
     digest_method_node = Nokogiri::XML::Node.new('DigestMethod', document)
     digest_method_node['Algorithm'] = @digester.digest_id
     reference_node.add_child(digest_method_node)
+    set_namespace_for_node(digest_method_node, DS_NAMESPACE, ds_namespace_prefix)
 
     digest_value_node = Nokogiri::XML::Node.new('DigestValue', document)
     digest_value_node.content = target_digest
     reference_node.add_child(digest_value_node)
+    set_namespace_for_node(digest_value_node, DS_NAMESPACE, ds_namespace_prefix)
     self
   end
 
@@ -263,7 +280,7 @@ class Signer
     end
 
     if options[:inclusive_namespaces]
-      c14n_method_node = signed_info_node.at_xpath('ds:CanonicalizationMethod', ds: 'http://www.w3.org/2000/09/xmldsig#')
+      c14n_method_node = signed_info_node.at_xpath('ds:CanonicalizationMethod', ds: DS_NAMESPACE)
       inclusive_namespaces_node = Nokogiri::XML::Node.new('ec:InclusiveNamespaces', document)
       inclusive_namespaces_node.add_namespace_definition('ec', c14n_method_node['Algorithm'])
       inclusive_namespaces_node['PrefixList'] = options[:inclusive_namespaces].join(' ')
@@ -278,6 +295,7 @@ class Signer
     signature_value_node = Nokogiri::XML::Node.new('SignatureValue', document)
     signature_value_node.content = signature_value_digest
     signed_info_node.add_next_sibling(signature_value_node)
+    set_namespace_for_node(signature_value_node, DS_NAMESPACE, ds_namespace_prefix)
     self
   end
 
@@ -306,4 +324,13 @@ class Signer
     end
   end
 
+  ##
+  # Searches for namespace with given +href+ within +node+ ancestors and assigns it to this node.
+  # If there is no such namespace, it will create it with +desired_prefix+ if present or as default namespace otherwise.
+  # In most cases you should insert +node+ in the document tree before calling this method to avoid duplicating namespace definitions
+  def set_namespace_for_node(node, href, desired_prefix = nil)
+    return node.namespace if node.namespace && node.namespace.href == href # This node already in target namespace, done
+    namespace = node.namespace_scopes.find { |ns| ns.href == href }
+    node.namespace = namespace || node.add_namespace_definition(desired_prefix, href)
+  end
 end

data/lib/signer/version.rb

@@ -1,3 +1,3 @@
 class Signer
-  VERSION = '1.5.0'
+  VERSION = '1.5.1'
 end

data/spec/fixtures/output_2_with_ds_prefix.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+<ApplicationRequest xmlns="http://bxd.fi/xmldata/">
+  <CustomerId>679155330</CustomerId>
+  <Command>GetUserInfo</Command>
+  <Timestamp>2010-05-10T13:22:19.847+03:00</Timestamp>
+  <Environment>PRODUCTION</Environment>
+  <SoftwareId>Petri</SoftwareId>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>U9tsT4lrRMp8ZdKMnblgeMCGfvI=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>rOCe8McbIFa4Ul3pnzd/dBjFWoT4JtSghJgzZGLrz17K/j0W1JyaopcZeMD+8M5/GplAlQrJg3ZSkQvY9Sf7WpqZeLYHW17J0ZJpwas+/OOXUEdyUiec7q9OgWsFLH9DBNuJdLKE3CO6w/8tTKQ/kidYnPBXT6FKioNlSJVZsuI=</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509IssuerSerial>
+          <ds:X509IssuerName>C=AU,ST=Some-State,O=Internet Widgits Pty Ltd</ds:X509IssuerName>
+          <ds:X509SerialNumber>16503368396260674861</ds:X509SerialNumber>
+        </ds:X509IssuerSerial>
+        <ds:X509Certificate>MIICsDCCAhmgAwIBAgIJAOUHvh4oho0tMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTIwNTAzMTMxODIyWhcNMTMwNTAzMTMxODIyWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvK5hMPv/R5IFmwWyJOyEaFUrF/ZsmN+Gip8hvR6rLP3YPNx9iFYvPcZllFmuVwyaz7YT2N5BsqTwLdyi5v4HY4fUtuz0p8jIPoSd6dfDvcnSpf4QLTOgOaL3ciPEbgDHH2tnIksukoWzqCYva+qFZ74NFl19swXotW9fA4Jzs4QIDAQABo4GnMIGkMB0GA1UdDgQWBBRU1WEHDnP8Hr7ZulxrSzEwOcYpMzB1BgNVHSMEbjBsgBRU1WEHDnP8Hr7ZulxrSzEwOcYpM6FJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAOUHvh4oho0tMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEASY/9SAOK57q9mGnNJJeyDbmyGrAHSJTod646xTHYkMvhUqwHyk9PTr5bdfmswpmyVn+AQ43U2tU5vnpTBmKpHWD2+HSHgGa92mMLrfBOd8EBZ329NL3N2HDPIaHr4NPGyhNrSK3QVOnAq2D0jlyrGYJlLli1NxHiBz7FCEJaVI8=</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+</ApplicationRequest>

data/spec/signer_spec.rb

@@ -139,6 +139,28 @@ describe Signer do
     signer.to_xml.should == Nokogiri::XML(File.read(output_xml_file), &:noblanks).to_xml(:save_with => 0)
   end
 
+  it "should sign simple XML with custom DS namespace prefix" do
+    input_xml_file   = File.join(File.dirname(__FILE__), 'fixtures', 'input_2.xml')
+    cert_file        = File.join(File.dirname(__FILE__), 'fixtures', 'cert.pem')
+    private_key_file = File.join(File.dirname(__FILE__), 'fixtures', 'key.pem')
+
+    signer = Signer.new(File.read(input_xml_file))
+    signer.cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
+    signer.private_key = OpenSSL::PKey::RSA.new(File.read(private_key_file), "test")
+    signer.security_node = signer.document.root
+    signer.security_token_id = ""
+    signer.ds_namespace_prefix = 'ds'
+    signer.digest!(signer.document.root, :id => "", :enveloped => true)
+    signer.sign!(:issuer_serial => true)
+
+    # File.open(File.join(File.dirname(__FILE__), 'fixtures', 'output_2_with_ds_prefix.xml'), "w") do |f|
+    #   f.write signer.document.to_s
+    # end
+    output_xml_file = File.join(File.dirname(__FILE__), 'fixtures', 'output_2_with_ds_prefix.xml')
+
+    signer.to_xml.should == Nokogiri::XML(File.read(output_xml_file), &:noblanks).to_xml(:save_with => 0)
+  end
+
   it "should digest and sign SOAP XML with security node and digested binary token with noblanks diabled" do
     input_xml_file   = File.join(File.dirname(__FILE__), 'fixtures', 'input_4_with_nested_signatures.xml')
     cert_file        = File.join(File.dirname(__FILE__), 'fixtures', 'cert.pem')

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: signer
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.5.1
 platform: ruby
 authors:
 - Edgars Beigarts
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-23 00:00:00.000000000 Z
+date: 2017-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -75,6 +75,7 @@ files:
 - spec/fixtures/output_1_inclusive_namespaces.xml
 - spec/fixtures/output_1_sha256.xml
 - spec/fixtures/output_2.xml
+- spec/fixtures/output_2_with_ds_prefix.xml
 - spec/fixtures/output_3_c14n_comments.xml
 - spec/fixtures/output_4_with_nested_signatures.xml
 - spec/fixtures/output_4_with_nested_signatures_with_noblanks_disabled.xml
@@ -99,7 +100,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.3
+rubygems_version: 2.6.8
 signing_key: 
 specification_version: 4
 summary: WS Security XML signer
@@ -114,6 +115,7 @@ test_files:
 - spec/fixtures/output_1_inclusive_namespaces.xml
 - spec/fixtures/output_1_sha256.xml
 - spec/fixtures/output_2.xml
+- spec/fixtures/output_2_with_ds_prefix.xml
 - spec/fixtures/output_3_c14n_comments.xml
 - spec/fixtures/output_4_with_nested_signatures.xml
 - spec/fixtures/output_4_with_nested_signatures_with_noblanks_disabled.xml