signer 1.8.0 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 0ef82f9441fe5557e15ba389223039ea898ed86d
-  data.tar.gz: e08734d225ce9010442d00678eff3a865ca132e6
+SHA256:
+  metadata.gz: 46a635dc54f2e8e61f854c8d6a6c30160acb223c34b91a34160eac718191484a
+  data.tar.gz: 456c0c7b78f27f7479949828b801976ca4a3771d95ca74f63de24d9799c8d2aa
 SHA512:
-  metadata.gz: bb7fad0471750095caca4ff1bef554d89b9ee2f998b58d557db3754235fa9da0e4710f3bb1dbdab0ba65a72af09fc8a08fef13f60fe1f65855854459cfa84720
-  data.tar.gz: e1a8d6b2ca4d5afc96f01e54a771c75e3ad67871a4ac39d3a1e70462c24b46efa960ed6404f2ec5435cb19ea0f52d75643f914d59d41cf876bfa8e502a841d77
+  metadata.gz: 770e3222a567b40c93c0c83d78cb6e5f3e39ec4a2e124ffad994054d290e0150416a6bad19406a2570f6ac65d48833cfbf4add49f46e9ccafcfe1e65f7189d6a
+  data.tar.gz: 899b1b4d47252ddb9c94aa081734c75718558b89f6187f0518c659765fc17e97922cad7ae96d433b58899e45e13fbb1ea41a7710c1933cd1bcc449f3f2b3feaf

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.9.0 (2019-04-16)
+
+- Refactor digest!() method for better extensibility, add GOST-R 34.10/11-2012 algorithms, fix digest node ID reference, cleanup (#22, @netcitylife)
+
 ## 1.8.0 (2018-11-14)
 
 - Add parameter to customize canonicalize algorithm (#19, @pistachiology)

data/lib/signer.rb

@@ -18,7 +18,7 @@ class Signer
   SIGNATURE_ALGORITHM = {
     # SHA 1
     sha1: {
-      id: 'http://www.w3.org/2001/04/xmlenc#sha1',
+      id: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
       name: 'SHA1'
     },
     # SHA 256
@@ -33,9 +33,14 @@ class Signer
     },
     # GOST R 34-11 94
     gostr3411: {
-      id: 'https://www.w3.org/2001/04/xmldsig-more#rsa-gostr3411',
+      id: 'http://www.w3.org/2001/04/xmldsig-more#gostr34102001-gostr3411',
       name: 'GOST R 34.11-94'
-    }
+    },
+    # GOST R 34-11 2012 256 bit
+    gostr34112012_256: {
+      id: 'urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256',
+      name: 'GOST R 34.11-2012 256',
+    },
   }.freeze
 
   CANONICALIZE_ALGORITHM = {
@@ -63,7 +68,7 @@ class Signer
     self.digest_algorithm = :sha1
     self.wss = wss
     self.canonicalize_algorithm = canonicalize_algorithm
-    set_default_signature_method!
+    self.signature_digest_algorithm = :sha1
   end
 
   def to_xml
@@ -118,12 +123,8 @@ class Signer
     @cert = certificate
     # Try to guess a digest algorithm for signature creation
     case @cert.signature_algorithm
-      when 'GOST R 34.11-94 with GOST R 34.10-2001'
-        self.signature_digest_algorithm = :gostr3411
-        self.signature_algorithm_id = 'http://www.w3.org/2001/04/xmldsig-more#gostr34102001-gostr3411'
-      # Add clauses for other types of keys that require other digest algorithms and identifiers
-      else # most common 'sha1WithRSAEncryption' type included here
-        self.set_default_signature_method! # Reset any changes as they can become malformed
+    when 'GOST R 34.11-94 with GOST R 34.10-2001'
+      self.signature_digest_algorithm = :gostr3411
     end
   end
 
@@ -286,7 +287,7 @@ class Signer
   def digest!(target_node, options = {})
     if wss?
       wsu_ns = namespace_prefix(target_node, WSU_NAMESPACE)
-      current_id = target_node["#{wsu_ns}:Id"]  if wsu_ns
+      current_id = target_node["#{wsu_ns}:Id"] if wsu_ns
       id = options[:id] || current_id || "_#{Digest::SHA1.hexdigest(target_node.to_s)}"
       unless id.to_s.empty?
         wsu_ns ||= namespace_prefix(target_node, WSU_NAMESPACE, 'wsu')
@@ -295,6 +296,8 @@ class Signer
     elsif target_node['Id'].nil?
       id = options[:id] || "_#{Digest::SHA1.hexdigest(target_node.to_s)}"
       target_node['Id'] = id.to_s unless id.empty?
+    else
+      id = options[:id] || target_node['Id']
     end
 
     target_canon = canonicalize(target_node, options[:inclusive_namespaces])
@@ -311,22 +314,8 @@ class Signer
     reference_node.add_child(transforms_node) unless options[:no_transform]
     set_namespace_for_node(transforms_node, DS_NAMESPACE, ds_namespace_prefix)
 
-    transform_node = Nokogiri::XML::Node.new('Transform', document)
-    set_namespace_for_node(transform_node, DS_NAMESPACE, ds_namespace_prefix)
-    if options[:enveloped]
-      transform_node['Algorithm'] = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
-    else
-      transform_node['Algorithm'] = 'http://www.w3.org/2001/10/xml-exc-c14n#'
-    end
-
-    if options[:inclusive_namespaces]
-      inclusive_namespaces_node = Nokogiri::XML::Node.new('ec:InclusiveNamespaces', document)
-      inclusive_namespaces_node.add_namespace_definition('ec', transform_node['Algorithm'])
-      inclusive_namespaces_node['PrefixList'] = options[:inclusive_namespaces].join(' ')
-      transform_node.add_child(inclusive_namespaces_node)
-    end
-
-    transforms_node.add_child(transform_node)
+    # create reference + transforms node
+    transform!(transforms_node, options)
 
     digest_method_node = Nokogiri::XML::Node.new('DigestMethod', document)
     digest_method_node['Algorithm'] = @digester.digest_id
@@ -383,17 +372,31 @@ class Signer
 
   protected
 
+  # Create transform nodes
+  def transform!(transforms_node, options)
+    transform_node = Nokogiri::XML::Node.new('Transform', document)
+    set_namespace_for_node(transform_node, DS_NAMESPACE, ds_namespace_prefix)
+    if options[:enveloped]
+      transform_node['Algorithm'] = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
+    else
+      transform_node['Algorithm'] = 'http://www.w3.org/2001/10/xml-exc-c14n#'
+    end
+
+    if options[:inclusive_namespaces]
+      inclusive_namespaces_node = Nokogiri::XML::Node.new('ec:InclusiveNamespaces', document)
+      inclusive_namespaces_node.add_namespace_definition('ec', transform_node['Algorithm'])
+      inclusive_namespaces_node['PrefixList'] = options[:inclusive_namespaces].join(' ')
+      transform_node.add_child(inclusive_namespaces_node)
+    end
+
+    transforms_node.add_child(transform_node)
+  end
+
   # Check are we using ws security?
   def wss?
     wss
   end
 
-  # Reset digest algorithm for signature creation and signature algorithm identifier
-  def set_default_signature_method!
-    self.signature_digest_algorithm = :sha1
-    self.signature_algorithm_id = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
-  end
-
   ##
   # Searches in namespaces, defined on +target_node+ or its ancestors,
   # for the +namespace+ with given URI and returns its prefix.

data/lib/signer/digester.rb

@@ -28,6 +28,12 @@ class Signer
       id: 'http://www.w3.org/2001/04/xmldsig-more#gostr3411',
       digester: lambda { OpenSSL::Digest.new('md_gost94') },
     },
+    # GOST R 34-11 2012 256 bit
+    gostr34112012_256: {
+      name: 'GOST R 34.11-2012 256',
+      id: 'urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256',
+      digester: lambda { begin OpenSSL::Digest.new('streebog256') rescue OpenSSL::Digest.new('md_gost12_256') end },
+    },
   }.freeze
 
   # Class that holds +OpenSSL::Digest+ instance with some meta information for digesting in XML.

data/lib/signer/version.rb

@@ -1,3 +1,3 @@
 class Signer
-  VERSION = '1.8.0'
+  VERSION = '1.9.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: signer
 version: !ruby/object:Gem::Version
-  version: 1.8.0
+  version: 1.9.0
 platform: ruby
 authors:
 - Edgars Beigarts
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-14 00:00:00.000000000 Z
+date: 2019-04-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -103,8 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.14
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: WS Security XML signer