xml-kit 0.1.14 → 0.5.0

data/lib/xml/kit/crypto/unknown_cipher.rb

@@ -4,7 +4,12 @@ module Xml
   module Kit
     module Crypto
       class UnknownCipher
-        def initialize(algorithm, key); end
+        attr_reader :algorithm, :key
+
+        def initialize(algorithm, key)
+          @algorithm = algorithm
+          @key = key
+        end
 
         def self.matches?(_algorithm)
           true

data/lib/xml/kit/decryption.rb

@@ -2,20 +2,24 @@
 
 module Xml
   module Kit
-    # {include:file:spec/saml/xml_decryption_spec.rb}
+    # {include:file:spec/xml/kit/decryption_spec.rb}
     class Decryption
       # The list of private keys to use to attempt to decrypt the document.
-      attr_reader :private_keys
+      attr_reader :cipher_registry, :private_keys
 
-      def initialize(private_keys:)
+      def initialize(private_keys:, cipher_registry: ::Xml::Kit::Crypto)
         @private_keys = private_keys
+        @cipher_registry = cipher_registry
       end
 
       # Decrypts an EncryptedData section of an XML document.
       #
       # @param data [Hash] the XML document converted to a [Hash] using Hash.from_xml.
+      # @deprecated Use {#decrypt_hash} instead of this
       def decrypt(data)
-        ::Xml::Kit.deprecate('decrypt is deprecated. Use decrypt_xml or decrypt_hash instead.')
+        ::Xml::Kit.deprecate(
+          'decrypt is deprecated. Use decrypt_xml or decrypt_hash instead.'
+        )
         decrypt_hash(data)
       end
 
@@ -30,12 +34,12 @@ module Xml
       #
       # @param hash [Hash] the XML document converted to a [Hash] using Hash.from_xml.
       def decrypt_hash(hash)
-        encrypted_data = hash['EncryptedData']
-        symmetric_key = symmetric_key_from(encrypted_data)
-        cipher_value = encrypted_data['CipherData']['CipherValue']
-        cipher_text = Base64.decode64(cipher_value)
-        algorithm = encrypted_data['EncryptionMethod']['Algorithm']
-        to_plaintext(cipher_text, symmetric_key, algorithm)
+        data = hash['EncryptedData']
+        to_plaintext(
+          Base64.decode64(data['CipherData']['CipherValue']),
+          symmetric_key_from(data['KeyInfo']['EncryptedKey']),
+          data['EncryptionMethod']['Algorithm']
+        )
       end
 
       # Decrypts an EncryptedData Nokogiri::XML::Element.
@@ -49,21 +53,26 @@ module Xml
 
       private
 
-      def symmetric_key_from(encrypted_data, attempts = private_keys.count)
-        cipher_text = Base64.decode64(encrypted_data['KeyInfo']['EncryptedKey']['CipherData']['CipherValue'])
+      def symmetric_key_from(encrypted_key, attempts = private_keys.count)
+        cipher, algorithm = cipher_and_algorithm_from(encrypted_key)
         private_keys.each do |private_key|
-          begin
-            attempts -= 1
-            return to_plaintext(cipher_text, private_key, encrypted_data['KeyInfo']['EncryptedKey']['EncryptionMethod']['Algorithm'])
-          rescue OpenSSL::PKey::RSAError
-            raise if attempts.zero?
-          end
+          attempts -= 1
+          return to_plaintext(cipher, private_key, algorithm)
+        rescue OpenSSL::PKey::RSAError
+          raise if attempts.zero?
         end
         raise DecryptionError, private_keys
       end
 
-      def to_plaintext(cipher_text, symmetric_key, algorithm)
-        Crypto.cipher_for(algorithm, symmetric_key).decrypt(cipher_text)
+      def to_plaintext(cipher_text, private_key, algorithm)
+        cipher_registry.cipher_for(algorithm, private_key).decrypt(cipher_text)
+      end
+
+      def cipher_and_algorithm_from(encrypted_key)
+        [
+          Base64.decode64(encrypted_key['CipherData']['CipherValue']),
+          encrypted_key['EncryptionMethod']['Algorithm']
+        ]
       end
     end
   end

data/lib/xml/kit/document.rb

@@ -2,7 +2,7 @@
 
 module Xml
   module Kit
-    # {include:file:spec/saml/xml_spec.rb}
+    # {include:file:spec/xml/kit/document_spec.rb}
     class Document
       include ActiveModel::Validations
       NAMESPACES = { "ds": ::Xml::Kit::Namespaces::XMLDSIG }.freeze
@@ -47,9 +47,10 @@ module Xml
         end
       end
 
-      def invalid_signatures
-        signed_document = Xmldsig::SignedDocument.new(document, id_attr: 'ID=$uri or @Id')
-        signed_document.signatures.find_all do |signature|
+      def invalid_signatures(id_attr: 'ID=$uri or @Id')
+        Xmldsig::SignedDocument
+          .new(document, id_attr: id_attr)
+          .signatures.find_all do |signature|
           x509_certificates.all? do |certificate|
             !signature.valid?(certificate)
           end

data/lib/xml/kit/encrypted_data.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Xml
+  module Kit
+    # An implementation of the EncryptedKey element.
+    # https://www.w3.org/TR/xmlenc-core1/#sec-EncryptedData
+    #
+    # @since 0.3.0
+    class EncryptedData
+      attr_reader :id
+      attr_reader :key_info
+      attr_reader :symmetric_cipher
+      attr_reader :symmetric_cipher_value
+
+      def initialize(raw_xml,
+                     id: Id.generate,
+                     symmetric_cipher: nil,
+                     asymmetric_cipher: nil,
+                     key_info: nil)
+        @id = id
+        @symmetric_cipher = symmetric_cipher ||
+          key_info.try(:symmetric_cipher) ||
+          Xml::Kit::Crypto::SymmetricCipher.new
+        @symmetric_cipher_value = Base64.strict_encode64(
+          @symmetric_cipher.encrypt(raw_xml)
+        )
+        @key_info = key_info ||
+          create_key_info_for(@symmetric_cipher, asymmetric_cipher)
+      end
+
+      def to_xml(xml: ::Builder::XmlMarkup.new)
+        ::Xml::Kit::Template.new(self).to_xml(xml: xml)
+      end
+
+      def render(model, options)
+        ::Xml::Kit::Template.new(model).to_xml(options)
+      end
+
+      private
+
+      def create_key_info_for(symmetric_cipher, asymmetric_cipher)
+        KeyInfo.new do |x|
+          x.encrypted_key = EncryptedKey.new(
+            asymmetric_cipher: asymmetric_cipher,
+            symmetric_cipher: symmetric_cipher
+          )
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/encrypted_key.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'xml/kit/templatable'
+
+module Xml
+  module Kit
+    # An implementation of the EncryptedKey element.
+    # https://www.w3.org/TR/xmlenc-core1/#sec-EncryptedKey
+    #
+    # @since 0.3.0
+    class EncryptedKey
+      include ::Xml::Kit::Templatable
+      attr_reader :id
+      attr_reader :asymmetric_cipher, :symmetric_cipher
+      attr_accessor :key_info
+
+      def initialize(id: Id.generate,
+                     asymmetric_cipher: nil,
+                     symmetric_cipher: nil,
+                     key_info: nil)
+        @id = id
+        @asymmetric_cipher = asymmetric_cipher ||
+          key_info.try(:asymmetric_cipher)
+        @symmetric_cipher = symmetric_cipher ||
+          key_info.try(:symmetric_cipher) ||
+          Xml::Kit::Crypto::SymmetricCipher.new
+        @key_info = key_info
+      end
+
+      def cipher_value
+        Base64.strict_encode64(asymmetric_cipher.encrypt(symmetric_cipher.key))
+      end
+    end
+  end
+end

data/lib/xml/kit/encryption.rb

@@ -2,36 +2,45 @@
 
 module Xml
   module Kit
-    class Encryption
+    # @deprecated Use {#Xml::Kit::EncryptedData} class instead of this
+    class Encryption < EncryptedData
+      DEFAULT_SYMMETRIC = Crypto::SymmetricCipher::DEFAULT_ALGORITHM
+      DEFAULT_ASYMMETRIC = Crypto::RsaCipher::ALGORITHM
+
       attr_reader :asymmetric_algorithm
-      attr_reader :asymmetric_cipher_value
       attr_reader :symmetric_algorithm
       attr_reader :symmetric_cipher_value
+      attr_reader :key_info
 
-      def initialize(
-        raw_xml,
-        public_key,
-        symmetric_algorithm: ::Xml::Kit::Crypto::SymmetricCipher::DEFAULT_ALGORITHM,
-        asymmetric_algorithm: ::Xml::Kit::Crypto::RsaCipher::ALGORITHM
-      )
+      def initialize(raw_xml, public_key,
+                     symmetric_algorithm: DEFAULT_SYMMETRIC,
+                     asymmetric_algorithm: DEFAULT_ASYMMETRIC, key_info: nil)
         @symmetric_algorithm = symmetric_algorithm
-        @symmetric_cipher_value = Base64.encode64(symmetric_cipher.encrypt(raw_xml)).delete("\n")
-
         @asymmetric_algorithm = asymmetric_algorithm
-        cipher = Crypto.cipher_for(asymmetric_algorithm, public_key)
-        @asymmetric_cipher_value = Base64.encode64(cipher.encrypt(symmetric_cipher.key)).delete("\n")
+        Xml::Kit.deprecate('Encryption', alternative: 'EncryptedData')
+        super(raw_xml,
+          symmetric_cipher: symmetric(symmetric_algorithm),
+          asymmetric_cipher: asymmetric(asymmetric_algorithm, public_key),
+          key_info: key_info
+        )
       end
 
-      def to_xml(xml: ::Builder::XmlMarkup.new)
-        ::Xml::Kit::Template.new(self).to_xml(xml: xml)
+      def template_path
+        Template::TEMPLATES_DIR.join('encrypted_data.builder')
       end
 
       private
 
-      def symmetric_cipher
-        @symmetric_cipher ||= ::Xml::Kit::Crypto::SymmetricCipher.new(
-          symmetric_algorithm
-        )
+      def symmetric(algorithm)
+        return algorithm unless algorithm.is_a?(String)
+
+        ::Xml::Kit::Crypto::SymmetricCipher.new(algorithm)
+      end
+
+      def asymmetric(algorithm, public_key)
+        return algorithm unless algorithm.is_a?(String)
+
+        ::Xml::Kit::Crypto.cipher_for(algorithm, public_key)
       end
     end
   end

data/lib/xml/kit/fingerprint.rb

@@ -9,7 +9,7 @@ module Xml
     #   puts Xml::Kit::Fingerprint.new(certificate).to_s
     #   # B7:AB:DC:BD:4D:23:58:65:FD:1A:99:0C:5F:89:EA:87:AD:F1:D7:83:34:7A:E9:E4:88:12:DD:46:1F:38:05:93
     #
-    # {include:file:spec/saml/fingerprint_spec.rb}
+    # {include:file:spec/xml/kit/fingerprint_spec.rb}
     class Fingerprint
       # The OpenSSL::X509::Certificate
       attr_reader :x509

data/lib/xml/kit/key_info.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'xml/kit/key_info/key_value'
+require 'xml/kit/key_info/retrieval_method'
+require 'xml/kit/key_info/rsa_key_value'
+
+module Xml
+  module Kit
+    # An implementation of the KeyInfo element.
+    # https://www.w3.org/TR/xmldsig-core1/#sec-KeyInfo
+    #
+    # @since 0.3.0
+    class KeyInfo
+      include Templatable
+      attr_accessor :key_name
+      attr_accessor :x509_data
+      attr_accessor :encrypted_key
+
+      def initialize(x509: nil, encrypted_key: nil)
+        @encrypted_key = encrypted_key
+        @x509_data = x509
+        yield self if block_given?
+      end
+
+      def asymmetric_cipher(algorithm: Crypto::RsaCipher::ALGORITHM)
+        return encrypted_key.asymmetric_cipher if encrypted_key
+
+        if x509_data
+          return Crypto.cipher_for(
+            derive_algorithm_from(x509_data.public_key),
+            x509_data.public_key
+          )
+        end
+
+        super(algorithm: algorithm)
+      end
+
+      def symmetric_cipher
+        return super if encrypted_key.nil?
+
+        encrypted_key.symmetric_cipher
+      end
+
+      def key_value
+        @key_value ||= KeyValue.new
+      end
+
+      def retrieval_method
+        @retrieval_method ||= RetrievalMethod.new
+      end
+
+      def subject_key_identifier
+        ski = x509_data.extensions.find { |x| x.oid == 'subjectKeyIdentifier' }
+        return if ski.nil?
+
+        Base64.strict_encode64(ski.value)
+      end
+
+      private
+
+      def derive_algorithm_from(key)
+        case key
+        when OpenSSL::PKey::RSA
+          "#{::Xml::Kit::Namespaces::XMLENC}rsa-1_5"
+        else
+          raise ::Xml::Kit::Error, "#{key.try(:class)} is not supported"
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/key_info/key_value.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Xml
+  module Kit
+    class KeyInfo
+      # An implementation of the RSAKeyValue element.
+      # https://www.w3.org/TR/xmldsig-core1/#sec-KeyValue
+      #
+      # @since 0.3.0
+      class KeyValue
+        include Templatable
+
+        def rsa
+          @rsa ||= RSAKeyValue.new
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/key_info/retrieval_method.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Xml
+  module Kit
+    class KeyInfo
+      # An implementation of the RSAKeyValue element.
+      # https://www.w3.org/TR/xmldsig-core1/#sec-RetrievalMethod
+      #
+      # @since 0.3.0
+      class RetrievalMethod
+        attr_accessor :uri, :type
+
+        def initialize
+          @type = "#{Namespaces::XMLENC}EncryptedKey"
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/key_info/rsa_key_value.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Xml
+  module Kit
+    class KeyInfo
+      # An implementation of the RSAKeyValue element.
+      # https://www.w3.org/TR/xmldsig-core1/#sec-RSAKeyValue
+      #
+      # @since 0.3.0
+      class RSAKeyValue
+        attr_accessor :modulus, :exponent
+      end
+    end
+  end
+end

data/lib/xml/kit/key_pair.rb

@@ -30,9 +30,14 @@ module Xml
       # @param use [Symbol] Can be either `:signing` or `:encryption`.
       # @param passphrase [String] the passphrase to use to encrypt the private key.
       # @param algorithm [String] the symmetric algorithm to use for encrypting the private key.
-      def self.generate(use:, passphrase: SecureRandom.uuid, algorithm: ::Xml::Kit::Crypto::SymmetricCipher::DEFAULT_ALGORITHM)
-        algorithm = ::Xml::Kit::Crypto::SymmetricCipher::ALGORITHMS[algorithm]
-        certificate, private_key = ::Xml::Kit::SelfSignedCertificate.new.create(algorithm: algorithm, passphrase: passphrase)
+      def self.generate(use:,
+                        passphrase: SecureRandom.uuid,
+                        algorithm: Crypto::SymmetricCipher::DEFAULT_ALGORITHM)
+        algorithm = Crypto::SymmetricCipher::ALGORITHMS[algorithm]
+        certificate, private_key = SelfSignedCertificate.new.create(
+          algorithm: algorithm,
+          passphrase: passphrase
+        )
         new(certificate, private_key, passphrase, use)
       end
     end

data/lib/xml/kit/namespaces.rb

@@ -3,18 +3,18 @@
 module Xml
   module Kit
     module Namespaces
-      CANONICALIZATION = 'http://www.w3.org/2001/10/xml-exc-c14n#'.freeze
-      ENVELOPED_SIG = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'.freeze
-      RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'.freeze
-      RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'.freeze
-      RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'.freeze
-      RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'.freeze
-      SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1'.freeze
-      SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'.freeze
-      SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#sha384'.freeze
-      SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'.freeze
-      XMLDSIG = 'http://www.w3.org/2000/09/xmldsig#'.freeze
-      XMLENC = 'http://www.w3.org/2001/04/xmlenc#'.freeze
+      CANONICALIZATION = 'http://www.w3.org/2001/10/xml-exc-c14n#'
+      ENVELOPED_SIG = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
+      RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+      RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+      RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
+      RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
+      SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1'
+      SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'
+      SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#sha384'
+      SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'
+      XMLDSIG = 'http://www.w3.org/2000/09/xmldsig#'
+      XMLENC = 'http://www.w3.org/2001/04/xmlenc#'
     end
   end
 end