xml-kit 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 03f1eb698452e6bde1528e6899c935996309a1b0e4fdec3995ad04d8401b71e4
-  data.tar.gz: d52d39605ff43af034bf4a913faa35757a34d2abc82f9aca970683132015229d
+  metadata.gz: 672d735085855f16805b7406db39b904cca1e04be940d8a9bb0512ddb441c94d
+  data.tar.gz: 6dd14f85bde17fae00b6b2fb3c0a70d32db6bdf8d9534053eddebcea2afa3b09
 SHA512:
-  metadata.gz: 91ab2b253526d12fc2495afc4261b4ceb8861d4644dd0ae5fcea226d7413df058001cdb6f8e6cb40a63254bcb6546f9a86fd5e9472e41818a1003ac5834442e0
-  data.tar.gz: ac71bd4d5416fadfa85763ed40839cd0e5e33ff2e4fd05ea98e3cdc8d0e29225e528614b33e7cbb1a8ac77b171e991973875b9cf7a53dc01817024d169f2dd4a
+  metadata.gz: 91479a0d7f9dd674d0b509e332c5d4de11ec9d6dc5e4a53ba5abf1b0724ffd30effd04ea4986e68d0a8d5db7de5169f72cc24dccea472dc7cf4df8cf1b57e366
+  data.tar.gz: 2a516669b6c6fcaa56a8a216f701da707547876aaee04df7efbfdb06da0a32b80dc3d1055b5d933aff022b423b9992cf3f4bc4fc95c5060f9a4200983d00cbf6

data/.rubocop.yml

@@ -1,5 +1,3 @@
-inherit_from: .rubocop_todo.yml
-
 require:
   - rubocop/cop/internal_affairs
   - rubocop-rspec
@@ -59,8 +57,10 @@ Metrics/ModuleLength:
     - 'spec/**/*.rb'
 
 Metrics/LineLength:
+  IgnoredPatterns: ['(\A|\s)#']
   Exclude:
     - 'spec/**/*.rb'
+    - 'lib/xml/kit/templates/*.builder'
 
 Naming/FileName:
   Exclude:
@@ -95,3 +95,7 @@ RSpec/NestedGroups:
 
 RSpec/SubjectStub:
   Enabled: false
+
+Style/DoubleNegation:
+  Exclude:
+    - 'lib/xml/kit/certificate.rb'

data/.travis.yml

@@ -1,11 +1,10 @@
 sudo: false
 language: ruby
-cache: bundler
 rvm:
   - 2.2.9
   - 2.3.6
   - 2.4.3
-  - 2.5.0
+  - 2.5.3
 script:
   - bin/cibuild
   - bin/lint

data/README.md

@@ -5,8 +5,7 @@
 [![Build Status](https://travis-ci.org/saml-kit/xml-kit.svg?branch=master)](https://travis-ci.org/saml-kit/xml-kit)
 [![Security](https://hakiri.io/github/saml-kit/xml-kit/master.svg)](https://hakiri.io/github/saml-kit/xml-kit/master)
 
-Xml::Kit is a toolkit for working with XML. It supports adding [XML
-Digital Signatures](https://www.w3.org/TR/xmldsig-core/)
+Xml::Kit is a toolkit for working with XML. It supports adding [XML Digital Signatures](https://www.w3.org/TR/xmldsig-core/)
 and [XML Encryption](https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html).
 
 ## Installation
@@ -29,11 +28,12 @@ Or install it yourself as:
 
 ```builder
 # ./templates/item.builder
+
 xml.instruct!
 xml.Item ID: id do
   signature_for reference_id: id, xml: xml
   xml.Encrypted do
-    encryption_for xml: xml do |encrypted_xml|
+    encrypt_data_for xml: xml do |encrypted_xml|
       encrypted_xml.EncryptMe do
         encrypted_xml.Secret "secret"
       end
@@ -48,12 +48,12 @@ require 'xml/kit'
 class Item
   include ::Xml::Kit::Templatable
 
-  def initialize
+  attr_reader :id
+
+  def initialize(signing_key_pair, encryption_certificate)
     @id = ::Xml::Kit::Id.generate
-    @signing_key_pair = ::Xml::Kit::KeyPair.generate(use: :signing)
-    @embed_signature = true
-    @encrypt = true
-    @encryption_certificate = ::Xml::Kit::KeyPair.generate(use: :encryption).certificate
+    sign_with(signing_key_pair)
+    encrypt_with(encryption_certificate)
   end
 
   def template_path
@@ -62,7 +62,9 @@ class Item
   end
 end
 
-puts Item.new.to_xml
+signing_key_pair = ::Xml::Kit::KeyPair.generate(use: :signing)
+encryption_certificate = ::Xml::Kit::KeyPair.generate(use: :encryption).certificate
+puts Item.new(signing_key_pair, encryption_certificate).to_xml
 ```
 
 This will produce something like the following:
@@ -86,8 +88,7 @@ This will produce something like the following:
     <SignatureValue>ZCSx4dad704jz0Z6rCMsnOs/oyVH3YBeEF9wtk2UFmWBW+VfhoBKw7N50GnzmAGCHyI6zajRPdff5i6UMDz3fOzh7rlROnqW0TXoG77xPiIfqJswCKE/4LzzBLrEHVbdUz90U8n0M1Ahbesrt+pbf/NkJghpvDhJW+w6oho7dyU6k57C5D//kTaSb7DvKte3a7/o8xWvPRztQhYekK+RyWjK9k/lU4WEXk5rGbx+QrD9rgIXBQOdcSjOtUosZJADz7uFod6AWRak246U62Xahz8JxE/1N22LhZY9whvB7s+c76f1Uv44NtF87D0P8UXs0TVx2jsnhEwLsT7DPQ6jDg==</SignatureValue>
     <KeyInfo>
       <X509Data>
-        <X509Certificate>MIIDQTCCAimgAwIBAgIBADANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHQWxiZXJ0YTEQMA4GA1UEBwwHQ2FsZ2FyeTEPMA0GA1UECgwGWG1sS2l0MQ8wDQYDVQQLDAZYbWxLaXQxDzANBgNVBAMMBlhtbEtpdDAeFw0xNzEyMzAxOTM1MjZaFw0xODAxMjkwNzAwMDBaMGQxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdBbGJlcnRhMRAwDgYDVQQHDAdDYWxnYXJ5MQ8wDQYDVQQKDAZYbWxLaXQxDzANBgNVBAsMBlhtbEtpdDEPMA0GA1UEAwwGWG1sS2l0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz8yvaY1zvqiSTpDc0vFgS00N0R05ytanViNy0YrcAvLH2njvLOYi8e5lWAjCUzoWTe6FMJQySIHuzr9NvZztlQBp5tydmxDsOFQ3DrBhiqtyafdCd5s8OQz1CekavgToTOm5VdZEWLD7HSCFvHXeuiS/zwEh4yYpJBAERtsSaYxT7L1wNggxc6F6UEfF1vwrGxMNH/OUi4okeS773esXeRlP5fHyMUvVC70KHauSYt/kjNR8/WuZBOY8/kFv3XiErf0PNSAYhyGHozabv8hJ2Bho0+HR12P6Xv+qKXFlDnMeAOHy23eShuUpCEBaEPAG4o8w4g/lrn0nJ+e9XrYaNQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCWybi6buMD75KBCcyd5aRtSKavYoDaZlzuohKh4z1HEzHS/fbpbxVQOrfXtuawZjNxcn62LFIe/w68EImzYkAss8LKojRcaKnIeF1/3Pzo6qfnmFpaecfYvX3ZTtw9JPOd4chy2X2WFAUMRscjSvjNvTBzFOXg60F0UMDnWOWMbc5Di/aZD8r2s/RDE3QxcUou8QhBMc2nYw77mQsXBnWmBeUA2aGP
-8OG/fOgtBKkZnNF8gx7wuodbYSmKAfFGx8+CGtnkwNr4/hXgd1qg5KmsAx+9VYozCjGKSkVUIqC5khy6N+1Pb5jMKrMQ+QU9zGhylWoJ2jiK65hzUUVUESIB</X509Certificate>
+        <X509Certificate>MIIDQTCCAimgAwIBAgIBADANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHQWxiZXJ0YTEQMA4GA1UEBwwHQ2FsZ2FyeTEPMA0GA1UECgwGWG1sS2l0MQ8wDQYDVQQLDAZYbWxLaXQxDzANBgNVBAMMBlhtbEtpdDAeFw0xNzEyMzAxOTM1MjZaFw0xODAxMjkwNzAwMDBaMGQxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdBbGJlcnRhMRAwDgYDVQQHDAdDYWxnYXJ5MQ8wDQYDVQQKDAZYbWxLaXQxDzANBgNVBAsMBlhtbEtpdDEPMA0GA1UEAwwGWG1sS2l0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz8yvaY1zvqiSTpDc0vFgS00N0R05ytanViNy0YrcAvLH2njvLOYi8e5lWAjCUzoWTe6FMJQySIHuzr9NvZztlQBp5tydmxDsOFQ3DrBhiqtyafdCd5s8OQz1CekavgToTOm5VdZEWLD7HSCFvHXeuiS/zwEh4yYpJBAERtsSaYxT7L1wNggxc6F6UEfF1vwrGxMNH/OUi4okeS773esXeRlP5fHyMUvVC70KHauSYt/kjNR8/WuZBOY8/kFv3XiErf0PNSAYhyGHozabv8hJ2Bho0+HR12P6Xv+qKXFlDnMeAOHy23eShuUpCEBaEPAG4o8w4g/lrn0nJ+e9XrYaNQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCWybi6buMD75KBCcyd5aRtSKavYoDaZlzuohKh4z1HEzHS/fbpbxVQOrfXtuawZjNxcn62LFIe/w68EImzYkAss8LKojRcaKnIeF1/3Pzo6qfnmFpaecfYvX3ZTtw9JPOd4chy2X2WFAUMRscjSvjNvTBzFOXg60F0UMDnWOWMbc5Di/aZD8r2s/RDE3QxcUou8QhBMc2nYw77mQsXBnWmBeUA2aGP8OG/fOgtBKkZnNF8gx7wuodbYSmKAfFGx8+CGtnkwNr4/hXgd1qg5KmsAx+9VYozCjGKSkVUIqC5khy6N+1Pb5jMKrMQ+QU9zGhylWoJ2jiK65hzUUVUESIB</X509Certificate>
       </X509Data>
     </KeyInfo>
   </Signature>
@@ -98,21 +99,12 @@ This will produce something like the following:
         <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
           <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
           <CipherData>
-            <CipherValue>rBJwm+gmL6eUHBZDXs2swIL3DiZ+MfmBPpM52eF0RWFtZv/gutY02KlsFLlm
-jc+DO7X5p9l1Br67FjGJrTdfSSqHf35cS1cioyaKLtgniSrD7Hf9d8qIuWt5
-6dLWjmCi21cePMJHhNiFe5yRjFHNp5LZ9dX5hvNXjbn0+p90fj8zlO2TWZv9
-atooON3BaYGCezZlmG0bWyEmloqKHiGjqaKtkdeSKJDzoo/AvubDEgz56rin
-Cpw26rEOg8BBd/KNfSXyDUifOOzXmn6myq+8+W/FFQ+6y+5SgtsbONRCqe2c
-KkNi3fYhilwLxWCaXFjONimEOkeG03yR5QnWhzEOpw==
-</CipherValue>
+            <CipherValue>rBJwm+gmL6eUHBZDXs2swIL3DiZ+MfmBPpM52eF0RWFtZv/gutY02KlsFLlmjc+DO7X5p9l1Br67FjGJrTdfSSqHf35cS1cioyaKLtgniSrD7Hf9d8qIuWt56dLWjmCi21cePMJHhNiFe5yRjFHNp5LZ9dX5hvNXjbn0+p90fj8zlO2TWZv9atooON3BaYGCezZlmG0bWyEmloqKHiGjqaKtkdeSKJDzoo/AvubDEgz56rinCpw26rEOg8BBd/KNfSXyDUifOOzXmn6myq+8+W/FFQ+6y+5SgtsbONRCqe2cKkNi3fYhilwLxWCaXFjONimEOkeG03yR5QnWhzEOpw==</CipherValue>
           </CipherData>
         </EncryptedKey>
       </KeyInfo>
       <CipherData>
-        <CipherValue>45rM0phzM/S/vpiq8Ev+uQZ6WL5qZ8av0UDVzWAlHn6Qr7zWYjHea+NF94lK
-pvmTPWQDEnfv2UW8l0VdCLc+51zHjluRE/xJh31Gk3rVuRJtLioSge/N9UM4
-5g901rE9
-</CipherValue>
+        <CipherValue>45rM0phzM/S/vpiq8Ev+uQZ6WL5qZ8av0UDVzWAlHn6Qr7zWYjHea+NF94lKpvmTPWQDEnfv2UW8l0VdCLc+51zHjluRE/xJh31Gk3rVuRJtLioSge/N9UM45g901rE9</CipherValue>
       </CipherData>
     </EncryptedData>
   </Encrypted>

data/bin/cibuild

@@ -17,5 +17,5 @@ export RUBY_HEAP_SLOTS_INCREMENT=400000
 export RUBY_HEAP_SLOTS_GROWTH_FACTOR=1
 
 ruby -v
-gem install bundler --no-ri --no-rdoc --conservative
+gem install bundler --conservative
 bin/test

data/lib/xml/kit.rb

@@ -19,9 +19,12 @@ require 'xml/kit/crypto'
 require 'xml/kit/decryption'
 require 'xml/kit/decryption_error'
 require 'xml/kit/document'
+require 'xml/kit/encrypted_data'
+require 'xml/kit/encrypted_key'
 require 'xml/kit/encryption'
 require 'xml/kit/fingerprint'
 require 'xml/kit/id'
+require 'xml/kit/key_info'
 require 'xml/kit/key_pair'
 require 'xml/kit/self_signed_certificate'
 require 'xml/kit/signature'

data/lib/xml/kit/certificate.rb

@@ -1,10 +1,15 @@
 # frozen_string_literal: true
 
+require 'xml/kit/templatable'
+
 module Xml
   module Kit
-    # {include:file:spec/xml/certificate_spec.rb}
+    # {include:file:spec/xml/kit/certificate_spec.rb}
     class Certificate
+      include Templatable
+      # rubocop:disable Metrics/LineLength
       BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z).freeze
+      # rubocop:enable Metrics/LineLength
       BEGIN_CERT = /-----BEGIN CERTIFICATE-----/.freeze
       END_CERT = /-----END CERTIFICATE-----/.freeze
       # The use can be `:signing` or `:encryption`. Use `nil` for both.
@@ -109,9 +114,8 @@ module Xml
         x509.not_before
       end
 
-      def to_xml(pretty: false, xml: ::Builder::XmlMarkup.new)
-        xml = ::Xml::Kit::Template.new(self).to_xml(xml: xml)
-        pretty ? Nokogiri::XML(xml).to_xml(indent: 2) : xml
+      def key_info
+        @key_info ||= KeyInfo.new(x509: x509)
       end
 
       class << self

data/lib/xml/kit/crypto/oaep_cipher.rb

@@ -8,7 +8,10 @@ module Xml
         ALGORITHMS = {
           ALGORITHM => true
         }.freeze
-        def initialize(_algorithm, key)
+        attr_reader :algorithm, :key
+
+        def initialize(algorithm, key)
+          @algorithm = algorithm
           @key = key
         end
 

data/lib/xml/kit/crypto/rsa_cipher.rb

@@ -5,8 +5,10 @@ module Xml
     module Crypto
       class RsaCipher
         ALGORITHM = "#{::Xml::Kit::Namespaces::XMLENC}rsa-1_5".freeze
+        attr_reader :algorithm, :key
 
-        def initialize(_algorithm, key)
+        def initialize(algorithm, key)
+          @algorithm = algorithm
           @key = key
         end
 

data/lib/xml/kit/crypto/symmetric_cipher.rb

@@ -14,7 +14,7 @@ module Xml
 
         attr_reader :algorithm, :key, :padding
 
-        def initialize(algorithm, key = nil, padding = nil)
+        def initialize(algorithm = DEFAULT_ALGORITHM, key = nil, padding = nil)
           @algorithm = algorithm
           @key = key || cipher.random_key
           @padding = padding
@@ -31,9 +31,10 @@ module Xml
         end
 
         def decrypt(cipher_text)
+          bytes = cipher_text.bytes
           result = default_decrypt(
-            cipher_text[0...cipher.iv_len],
-            cipher_text[cipher.iv_len..-1]
+            bytes[0...cipher.iv_len],
+            bytes[cipher.iv_len..-1]
           )
           return result if padding.nil?
 
@@ -41,14 +42,18 @@ module Xml
           result[0...-padding_size]
         end
 
+        def to_s
+          algorithm
+        end
+
         protected
 
         def default_decrypt(initialization_vector, data)
           cipher.decrypt
-          cipher.padding = padding unless padding.nil?
+          apply_padding_to(cipher)
           cipher.key = @key
-          cipher.iv = initialization_vector
-          cipher.update(data) << cipher.final
+          cipher.iv = initialization_vector.pack('c*')
+          cipher.update(data.pack('c*')) << cipher.final
         end
 
         private
@@ -56,6 +61,10 @@ module Xml
         def cipher
           @cipher ||= OpenSSL::Cipher.new(ALGORITHMS[algorithm])
         end
+
+        def apply_padding_to(cipher)
+          cipher.padding = padding unless padding.nil?
+        end
       end
     end
   end

data/lib/xml/kit/crypto/unknown_cipher.rb

@@ -4,7 +4,12 @@ module Xml
   module Kit
     module Crypto
       class UnknownCipher
-        def initialize(algorithm, key); end
+        attr_reader :algorithm, :key
+
+        def initialize(algorithm, key)
+          @algorithm = algorithm
+          @key = key
+        end
 
         def self.matches?(_algorithm)
           true

data/lib/xml/kit/decryption.rb

@@ -2,7 +2,7 @@
 
 module Xml
   module Kit
-    # {include:file:spec/saml/xml_decryption_spec.rb}
+    # {include:file:spec/xml/kit/decryption_spec.rb}
     class Decryption
       # The list of private keys to use to attempt to decrypt the document.
       attr_reader :cipher_registry, :private_keys
@@ -15,8 +15,11 @@ module Xml
       # Decrypts an EncryptedData section of an XML document.
       #
       # @param data [Hash] the XML document converted to a [Hash] using Hash.from_xml.
+      # @deprecated Use {#decrypt_hash} instead of this
       def decrypt(data)
-        ::Xml::Kit.deprecate('decrypt is deprecated. Use decrypt_xml or decrypt_hash instead.')
+        ::Xml::Kit.deprecate(
+          'decrypt is deprecated. Use decrypt_xml or decrypt_hash instead.'
+        )
         decrypt_hash(data)
       end
 
@@ -31,11 +34,11 @@ module Xml
       #
       # @param hash [Hash] the XML document converted to a [Hash] using Hash.from_xml.
       def decrypt_hash(hash)
-        encrypted_data = hash['EncryptedData']
+        data = hash['EncryptedData']
         to_plaintext(
-          Base64.decode64(encrypted_data['CipherData']['CipherValue']),
-          symmetric_key_from(encrypted_data),
-          encrypted_data['EncryptionMethod']['Algorithm']
+          Base64.decode64(data['CipherData']['CipherValue']),
+          symmetric_key_from(data['KeyInfo']['EncryptedKey']),
+          data['EncryptionMethod']['Algorithm']
         )
       end
 
@@ -50,12 +53,12 @@ module Xml
 
       private
 
-      def symmetric_key_from(encrypted_data, attempts = private_keys.count)
-        cipher_text = Base64.decode64(encrypted_data['KeyInfo']['EncryptedKey']['CipherData']['CipherValue'])
+      def symmetric_key_from(encrypted_key, attempts = private_keys.count)
+        cipher, algorithm = cipher_and_algorithm_from(encrypted_key)
         private_keys.each do |private_key|
           begin
             attempts -= 1
-            return to_plaintext(cipher_text, private_key, encrypted_data['KeyInfo']['EncryptedKey']['EncryptionMethod']['Algorithm'])
+            return to_plaintext(cipher, private_key, algorithm)
           rescue OpenSSL::PKey::RSAError
             raise if attempts.zero?
           end
@@ -66,6 +69,13 @@ module Xml
       def to_plaintext(cipher_text, private_key, algorithm)
         cipher_registry.cipher_for(algorithm, private_key).decrypt(cipher_text)
       end
+
+      def cipher_and_algorithm_from(encrypted_key)
+        [
+          Base64.decode64(encrypted_key['CipherData']['CipherValue']),
+          encrypted_key['EncryptionMethod']['Algorithm']
+        ]
+      end
     end
   end
 end

data/lib/xml/kit/document.rb

@@ -2,7 +2,7 @@
 
 module Xml
   module Kit
-    # {include:file:spec/saml/xml_spec.rb}
+    # {include:file:spec/xml/kit/document_spec.rb}
     class Document
       include ActiveModel::Validations
       NAMESPACES = { "ds": ::Xml::Kit::Namespaces::XMLDSIG }.freeze
@@ -47,9 +47,10 @@ module Xml
         end
       end
 
-      def invalid_signatures
-        signed_document = Xmldsig::SignedDocument.new(document, id_attr: 'ID=$uri or @Id')
-        signed_document.signatures.find_all do |signature|
+      def invalid_signatures(id_attr: 'ID=$uri or @Id')
+        Xmldsig::SignedDocument
+          .new(document, id_attr: id_attr)
+          .signatures.find_all do |signature|
           x509_certificates.all? do |certificate|
             !signature.valid?(certificate)
           end

data/lib/xml/kit/encrypted_data.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Xml
+  module Kit
+    # An implementation of the EncryptedKey element.
+    # https://www.w3.org/TR/xmlenc-core1/#sec-EncryptedData
+    #
+    # @since 0.3.0
+    class EncryptedData
+      attr_reader :key_info
+      attr_reader :symmetric_cipher
+      attr_reader :symmetric_cipher_value
+
+      def initialize(
+        raw_xml,
+        symmetric_cipher:,
+        asymmetric_cipher:,
+        key_info: nil
+      )
+        @symmetric_cipher = symmetric_cipher
+        @symmetric_cipher_value = Base64.strict_encode64(
+          symmetric_cipher.encrypt(raw_xml)
+        )
+        @key_info = key_info || create_key_info_for(
+          symmetric_cipher,
+          asymmetric_cipher
+        )
+      end
+
+      def to_xml(xml: ::Builder::XmlMarkup.new)
+        ::Xml::Kit::Template.new(self).to_xml(xml: xml)
+      end
+
+      def render(model, options)
+        ::Xml::Kit::Template.new(model).to_xml(options)
+      end
+
+      private
+
+      def create_key_info_for(symmetric_cipher, asymmetric_cipher)
+        KeyInfo.new do |x|
+          x.encrypted_key = EncryptedKey.new(
+            asymmetric_cipher: asymmetric_cipher,
+            symmetric_cipher: symmetric_cipher
+          )
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/encrypted_key.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'xml/kit/templatable'
+
+module Xml
+  module Kit
+    # An implementation of the EncryptedKey element.
+    # https://www.w3.org/TR/xmlenc-core1/#sec-EncryptedKey
+    #
+    # @since 0.3.0
+    class EncryptedKey
+      include ::Xml::Kit::Templatable
+      attr_reader :id
+      attr_reader :asymmetric_cipher, :symmetric_cipher
+      attr_accessor :key_info
+
+      def initialize(
+        id: Id.generate,
+        asymmetric_cipher:,
+        symmetric_cipher:,
+        key_info: nil
+      )
+        @id = id
+        @asymmetric_cipher = asymmetric_cipher
+        @symmetric_cipher = symmetric_cipher
+        @key_info = key_info
+      end
+
+      def cipher_value
+        Base64.strict_encode64(asymmetric_cipher.encrypt(symmetric_cipher.key))
+      end
+    end
+  end
+end

data/lib/xml/kit/encryption.rb

@@ -2,29 +2,32 @@
 
 module Xml
   module Kit
-    class Encryption
+    # @deprecated Use {#Xml::Kit::EncryptedData} class instead of this
+    class Encryption < EncryptedData
       attr_reader :asymmetric_algorithm
-      attr_reader :asymmetric_cipher_value
       attr_reader :symmetric_algorithm
       attr_reader :symmetric_cipher_value
+      attr_reader :key_info
 
       def initialize(
         raw_xml,
         public_key,
-        symmetric_algorithm: ::Xml::Kit::Crypto::SymmetricCipher::DEFAULT_ALGORITHM,
-        asymmetric_algorithm: ::Xml::Kit::Crypto::RsaCipher::ALGORITHM
+        symmetric_algorithm: Crypto::SymmetricCipher::DEFAULT_ALGORITHM,
+        asymmetric_algorithm: Crypto::RsaCipher::ALGORITHM,
+        key_info: nil
       )
         @symmetric_algorithm = symmetric_algorithm
-        symmetric_cipher = symmetric(symmetric_algorithm)
-        @symmetric_cipher_value = Base64.strict_encode64(symmetric_cipher.encrypt(raw_xml))
-
         @asymmetric_algorithm = asymmetric_algorithm
-        asymmetric_cipher = asymmetric(asymmetric_algorithm, public_key)
-        @asymmetric_cipher_value = Base64.strict_encode64(asymmetric_cipher.encrypt(symmetric_cipher.key))
+        Xml::Kit.deprecate('Encryption is deprecated. Use EncryptedData.')
+        super(raw_xml,
+          symmetric_cipher: symmetric(symmetric_algorithm),
+          asymmetric_cipher: asymmetric(asymmetric_algorithm, public_key),
+          key_info: key_info
+        )
       end
 
-      def to_xml(xml: ::Builder::XmlMarkup.new)
-        ::Xml::Kit::Template.new(self).to_xml(xml: xml)
+      def template_path
+        Template::TEMPLATES_DIR.join('encrypted_data.builder')
       end
 
       private

data/lib/xml/kit/fingerprint.rb

@@ -9,7 +9,7 @@ module Xml
     #   puts Xml::Kit::Fingerprint.new(certificate).to_s
     #   # B7:AB:DC:BD:4D:23:58:65:FD:1A:99:0C:5F:89:EA:87:AD:F1:D7:83:34:7A:E9:E4:88:12:DD:46:1F:38:05:93
     #
-    # {include:file:spec/saml/fingerprint_spec.rb}
+    # {include:file:spec/xml/kit/fingerprint_spec.rb}
     class Fingerprint
       # The OpenSSL::X509::Certificate
       attr_reader :x509

data/lib/xml/kit/key_info.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'xml/kit/key_info/key_value'
+require 'xml/kit/key_info/retrieval_method'
+require 'xml/kit/key_info/rsa_key_value'
+
+module Xml
+  module Kit
+    # An implementation of the KeyInfo element.
+    # https://www.w3.org/TR/xmldsig-core1/#sec-KeyInfo
+    #
+    # @since 0.3.0
+    class KeyInfo
+      include Templatable
+      attr_accessor :key_name
+      attr_accessor :x509_data
+      attr_accessor :encrypted_key
+
+      def initialize(x509: nil)
+        @x509_data = x509
+        yield self if block_given?
+      end
+
+      def key_value
+        @key_value ||= KeyValue.new
+      end
+
+      def retrieval_method
+        @retrieval_method ||= RetrievalMethod.new
+      end
+
+      def subject_key_identifier
+        ski = x509_data.extensions.find { |x| x.oid == 'subjectKeyIdentifier' }
+        return if ski.nil?
+
+        Base64.strict_encode64(ski.value)
+      end
+    end
+  end
+end

data/lib/xml/kit/key_info/key_value.rb

@@ -0,0 +1,17 @@
+module Xml
+  module Kit
+    class KeyInfo
+      # An implementation of the RSAKeyValue element.
+      # https://www.w3.org/TR/xmldsig-core1/#sec-KeyValue
+      #
+      # @since 0.3.0
+      class KeyValue
+        include Templatable
+
+        def rsa
+          @rsa ||= RSAKeyValue.new
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/key_info/retrieval_method.rb

@@ -0,0 +1,17 @@
+module Xml
+  module Kit
+    class KeyInfo
+      # An implementation of the RSAKeyValue element.
+      # https://www.w3.org/TR/xmldsig-core1/#sec-RetrievalMethod
+      #
+      # @since 0.3.0
+      class RetrievalMethod
+        attr_accessor :uri, :type
+
+        def initialize
+          @type = "#{Namespaces::XMLENC}EncryptedKey"
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/key_info/rsa_key_value.rb

@@ -0,0 +1,13 @@
+module Xml
+  module Kit
+    class KeyInfo
+      # An implementation of the RSAKeyValue element.
+      # https://www.w3.org/TR/xmldsig-core1/#sec-RSAKeyValue
+      #
+      # @since 0.3.0
+      class RSAKeyValue
+        attr_accessor :modulus, :exponent
+      end
+    end
+  end
+end

data/lib/xml/kit/key_pair.rb

@@ -30,9 +30,16 @@ module Xml
       # @param use [Symbol] Can be either `:signing` or `:encryption`.
       # @param passphrase [String] the passphrase to use to encrypt the private key.
       # @param algorithm [String] the symmetric algorithm to use for encrypting the private key.
-      def self.generate(use:, passphrase: SecureRandom.uuid, algorithm: ::Xml::Kit::Crypto::SymmetricCipher::DEFAULT_ALGORITHM)
+      def self.generate(
+        use:,
+        passphrase: SecureRandom.uuid,
+        algorithm: ::Xml::Kit::Crypto::SymmetricCipher::DEFAULT_ALGORITHM
+      )
         algorithm = ::Xml::Kit::Crypto::SymmetricCipher::ALGORITHMS[algorithm]
-        certificate, private_key = ::Xml::Kit::SelfSignedCertificate.new.create(algorithm: algorithm, passphrase: passphrase)
+        certificate, private_key = SelfSignedCertificate.new.create(
+          algorithm: algorithm,
+          passphrase: passphrase
+        )
         new(certificate, private_key, passphrase, use)
       end
     end

data/lib/xml/kit/self_signed_certificate.rb

@@ -5,7 +5,11 @@ module Xml
     class SelfSignedCertificate
       SUBJECT = '/C=CA/ST=AB/L=Calgary/O=XmlKit/OU=XmlKit/CN=XmlKit'.freeze
 
-      def create(algorithm: 'AES-256-CBC', passphrase: nil, key_pair: OpenSSL::PKey::RSA.new(2048))
+      def create(
+        algorithm: 'AES-256-CBC',
+        passphrase: nil,
+        key_pair: OpenSSL::PKey::RSA.new(2048)
+      )
         certificate = certificate_for(key_pair.public_key)
         certificate.sign(key_pair, OpenSSL::Digest::SHA256.new)
         [certificate.to_pem, export(key_pair, algorithm, passphrase)]
@@ -24,14 +28,25 @@ module Xml
 
       def certificate_for(public_key)
         certificate = OpenSSL::X509::Certificate.new
-        certificate.subject = certificate.issuer = OpenSSL::X509::Name.parse(SUBJECT)
+        certificate.subject =
+          certificate.issuer = OpenSSL::X509::Name.parse(SUBJECT)
         certificate.not_before = Time.now
         certificate.not_after = certificate.not_before + 30 * 24 * 60 * 60 # 30 days
         certificate.public_key = public_key
         certificate.serial = 0x0
         certificate.version = 2
+        apply_ski_extension_to(certificate)
         certificate
       end
+
+      def apply_ski_extension_to(certificate)
+        extensions = OpenSSL::X509::ExtensionFactory.new
+        extensions.subject_certificate = certificate
+        extensions.issuer_certificate = certificate
+        certificate.add_extension(
+          extensions.create_extension('subjectKeyIdentifier', 'hash', false)
+        )
+      end
     end
   end
 end

data/lib/xml/kit/signature.rb

@@ -2,6 +2,10 @@
 
 module Xml
   module Kit
+    # An implementation of the Signature element.
+    # https://www.w3.org/TR/xmldsig-core1/#sec-Signature
+    #
+    # @since 0.1.0
     class Signature
       SIGNATURE_METHODS = {
         SHA1: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
@@ -23,7 +27,12 @@ module Xml
       attr_reader :reference_id
       attr_reader :signature_method
 
-      def initialize(reference_id, signature_method: :SH256, digest_method: :SHA256, certificate:)
+      def initialize(
+        reference_id,
+        signature_method: :SH256,
+        digest_method: :SHA256,
+        certificate:
+      )
         @certificate = certificate
         @digest_method = DIGEST_METHODS[digest_method]
         @reference_id = reference_id

data/lib/xml/kit/signatures.rb

@@ -39,7 +39,12 @@ module Xml
       end
 
       # @!visibility private
-      def self.sign(xml: ::Builder::XmlMarkup.new, key_pair:, signature_method: :SHA256, digest_method: :SHA256)
+      def self.sign(
+        xml: ::Builder::XmlMarkup.new,
+        key_pair:,
+        signature_method: :SHA256,
+        digest_method: :SHA256
+      )
         signatures = new(
           key_pair: key_pair,
           signature_method: signature_method,

data/lib/xml/kit/templatable.rb

@@ -18,21 +18,67 @@ module Xml
       attr_accessor :encryption_certificate
 
       # Returns the generated XML document with an XML Digital Signature and XML Encryption.
-      def to_xml(xml: ::Builder::XmlMarkup.new)
-        signatures.complete(render(self, xml: xml))
+      def to_xml(xml: ::Builder::XmlMarkup.new, pretty: false)
+        result = signatures.complete(render(self, xml: xml))
+        pretty ? Nokogiri::XML(result).to_xml(indent: 2) : result
       end
 
-      def encryption_for(xml:)
-        if encrypt?
-          temp = ::Builder::XmlMarkup.new
-          yield temp
-          ::Xml::Kit::Encryption.new(
-            signatures.complete(temp.target!),
-            encryption_certificate.public_key
-          ).to_xml(xml: xml)
-        else
-          yield xml
-        end
+      # Generates an {#Xml::Kit::EncryptedKey} section. https://www.w3.org/TR/xmlenc-core1/#sec-EncryptedKey
+      #
+      # @since 0.3.0
+      # @param xml [Builder::XmlMarkup] the xml builder instance
+      # @param id [String] the id of EncryptedKey element
+      def encrypt_key_for(xml:, id:)
+        ::Xml::Kit::EncryptedKey.new(
+          id: id,
+          asymmetric_cipher: asymmetric_cipher,
+          symmetric_cipher: symmetric_cipher
+        ).to_xml(xml: xml)
+      end
+
+      # @deprecated Use {#encrypt_data_for} instead of this
+      def encryption_for(*args, &block)
+        ::Xml::Kit.deprecate(
+          'encryption_for is deprecated. Use encrypt_data_for instead.'
+        )
+        encrypt_data_for(*args, &block)
+      end
+
+      # Generates an {#Xml::Kit::EncryptedData} section. https://www.w3.org/TR/xmlenc-core1/#sec-EncryptedData
+      #
+      # @since 0.3.0
+      # @param xml [Builder::XmlMarkup] the xml builder instance
+      # @param key_info [Xml::Kit::KeyInfo] the key info to render in the EncryptedData
+      def encrypt_data_for(xml:, key_info: nil)
+        return yield xml unless encrypt?
+
+        temp = ::Builder::XmlMarkup.new
+        yield temp
+        ::Xml::Kit::EncryptedData.new(
+          signatures.complete(temp.target!),
+          symmetric_cipher: symmetric_cipher,
+          asymmetric_cipher: asymmetric_cipher,
+          key_info: key_info
+        ).to_xml(xml: xml)
+      end
+
+      # Provides a default RSA asymmetric cipher. Can be overridden to provide custom ciphers.
+      #
+      # @abstract
+      # @since 0.3.0
+      def asymmetric_cipher(algorithm: Crypto::RsaCipher::ALGORITHM)
+        @asymmetric_cipher ||= Crypto.cipher_for(
+          algorithm,
+          encryption_certificate.public_key
+        )
+      end
+
+      # Provides a default aes256-cbc symmetric cipher. Can be overridden to provide custom ciphers.
+      #
+      # @abstract
+      # @since 0.3.0
+      def symmetric_cipher
+        @symmetric_cipher ||= Crypto::SymmetricCipher.new
       end
 
       def render(model, options)

data/lib/xml/kit/templates/certificate.builder

@@ -1,9 +1,5 @@
 # frozen_string_literal: true
 
 xml.KeyDescriptor use ? { use: use } : {} do
-  xml.KeyInfo "xmlns": ::Xml::Kit::Namespaces::XMLDSIG do
-    xml.X509Data do
-      xml.X509Certificate stripped
-    end
-  end
+  render key_info, xml: xml
 end

data/lib/xml/kit/templates/encrypted_data.builder

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+xml.EncryptedData xmlns: ::Xml::Kit::Namespaces::XMLENC do
+  xml.EncryptionMethod Algorithm: symmetric_cipher.algorithm
+  render key_info, xml: xml
+  xml.CipherData do
+    xml.CipherValue symmetric_cipher_value
+  end
+end

data/lib/xml/kit/templates/encrypted_key.builder

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+xml.EncryptedKey Id: id, xmlns: ::Xml::Kit::Namespaces::XMLENC do
+  xml.EncryptionMethod Algorithm: asymmetric_cipher.algorithm
+  render(key_info, xml: xml) if key_info
+  xml.CipherData do
+    xml.CipherValue cipher_value
+  end
+end

data/lib/xml/kit/templates/key_info.builder

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+xml.KeyInfo xmlns: ::Xml::Kit::Namespaces::XMLDSIG do
+  xml.KeyName key_name if key_name
+  render(key_value, xml: xml) if @key_value
+  render(retrieval_method, xml: xml) if @retrieval_method
+  if x509_data
+    xml.X509Data do
+      xml.X509SKI subject_key_identifier
+      xml.X509Certificate ::Xml::Kit::Certificate.strip(x509_data.to_pem)
+    end
+  end
+  render(encrypted_key, xml: xml) if encrypted_key
+end

data/lib/xml/kit/templates/key_value.builder

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+xml.KeyValue do
+  render(rsa, xml: xml) if @rsa
+end

data/lib/xml/kit/templates/retrieval_method.builder

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+xml.RetrievalMethod xmlns: ::Xml::Kit::Namespaces::XMLDSIG, URI: uri, Type: type

data/lib/xml/kit/templates/rsa_key_value.builder

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+xml.RSAKeyValue do
+  xml.Modulus modulus
+  xml.Exponent exponent
+end

data/lib/xml/kit/version.rb

@@ -2,6 +2,6 @@
 
 module Xml
   module Kit
-    VERSION = '0.2.0'.freeze
+    VERSION = '0.3.0'.freeze
   end
 end

data/xml-kit.gemspec

@@ -29,7 +29,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'nokogiri', '>= 1.8.5'
   spec.add_dependency 'tilt', '>= 1.4.1'
   spec.add_dependency 'xmldsig', '~> 0.6'
-  spec.add_development_dependency 'bundler', '~> 1.16'
   spec.add_development_dependency 'bundler-audit', '~> 0.6'
   spec.add_development_dependency 'ffaker', '~> 2.7'
   spec.add_development_dependency 'rake', '~> 10.0'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: xml-kit
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - mo khan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-12-04 00:00:00.000000000 Z
+date: 2019-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -80,20 +80,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.6'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.16'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.16'
 - !ruby/object:Gem::Dependency
   name: bundler-audit
   requirement: !ruby/object:Gem::Requirement
@@ -203,7 +189,6 @@ files:
 - ".gitlab-ci.yml"
 - ".rspec"
 - ".rubocop.yml"
-- ".rubocop_todo.yml"
 - ".travis.yml"
 - Gemfile
 - LICENSE.txt
@@ -225,9 +210,15 @@ files:
 - lib/xml/kit/decryption.rb
 - lib/xml/kit/decryption_error.rb
 - lib/xml/kit/document.rb
+- lib/xml/kit/encrypted_data.rb
+- lib/xml/kit/encrypted_key.rb
 - lib/xml/kit/encryption.rb
 - lib/xml/kit/fingerprint.rb
 - lib/xml/kit/id.rb
+- lib/xml/kit/key_info.rb
+- lib/xml/kit/key_info/key_value.rb
+- lib/xml/kit/key_info/retrieval_method.rb
+- lib/xml/kit/key_info/rsa_key_value.rb
 - lib/xml/kit/key_pair.rb
 - lib/xml/kit/namespaces.rb
 - lib/xml/kit/self_signed_certificate.rb
@@ -236,8 +227,13 @@ files:
 - lib/xml/kit/templatable.rb
 - lib/xml/kit/template.rb
 - lib/xml/kit/templates/certificate.builder
-- lib/xml/kit/templates/encryption.builder
+- lib/xml/kit/templates/encrypted_data.builder
+- lib/xml/kit/templates/encrypted_key.builder
+- lib/xml/kit/templates/key_info.builder
+- lib/xml/kit/templates/key_value.builder
 - lib/xml/kit/templates/nil_class.builder
+- lib/xml/kit/templates/retrieval_method.builder
+- lib/xml/kit/templates/rsa_key_value.builder
 - lib/xml/kit/templates/signature.builder
 - lib/xml/kit/version.rb
 - xml-kit.gemspec
@@ -261,8 +257,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.2
 signing_key: 
 specification_version: 4
 summary: A simple toolkit for working with XML.

data/.rubocop_todo.yml

@@ -1,22 +0,0 @@
-# This configuration was generated by
-# `rubocop --auto-gen-config`
-# on 2018-03-03 11:50:08 -0700 using RuboCop version 0.52.1.
-# The point is for the user to remove these configuration records
-# one by one as the offenses are removed from the code base.
-# Note that changes in the inspected code, or installation of new
-# versions of RuboCop, may require this file to be generated again.
-
-# Offense count: 2
-Metrics/AbcSize:
-  Max: 18
-
-# Offense count: 1
-Style/DoubleNegation:
-  Exclude:
-    - 'lib/xml/kit/certificate.rb'
-
-# Offense count: 29
-# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
-# URISchemes: http, https
-Metrics/LineLength:
-  Max: 141

data/lib/xml/kit/templates/encryption.builder

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-xml.EncryptedData xmlns: ::Xml::Kit::Namespaces::XMLENC do
-  xml.EncryptionMethod Algorithm: symmetric_algorithm
-  xml.KeyInfo xmlns: ::Xml::Kit::Namespaces::XMLDSIG do
-    xml.EncryptedKey xmlns: ::Xml::Kit::Namespaces::XMLENC do
-      xml.EncryptionMethod Algorithm: asymmetric_algorithm
-      xml.CipherData do
-        xml.CipherValue asymmetric_cipher_value
-      end
-    end
-  end
-  xml.CipherData do
-    xml.CipherValue symmetric_cipher_value
-  end
-end