xml-kit 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3a289752cbc49e2c74959f38b5b104ecbd02b4b8
+  data.tar.gz: 1475f47273a9d9483645c629517b3bf087f686c9
+SHA512:
+  metadata.gz: 0576d38d7792ee436cfe335809516219730d817d5fc0a0d605affc897861e248ea07cc8ffe7e5312b77f2f1a85dd87b034a6d06e05a2b4c4f82afd8a655d8e0c
+  data.tar.gz: f7c764c6ff671e16b4992d0bea126819238ae766368d5c8b6215ca2cecbaa30890a5fad7ee2ba802be74de4f29bcfe63476cc6c0520a390c4c36bcf205a6e269

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.gitlab-ci.yml

@@ -0,0 +1,15 @@
+image: ruby:2.2
+
+before_script:
+  - apt-get update && apt-get install -y locales
+  - echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+  - locale-gen
+  - export LC_ALL=en_US.UTF-8
+  - ruby -v
+  - which ruby
+  - gem install bundler --no-ri --no-rdoc
+  - bundle install --jobs $(nproc) "${FLAGS[@]}"
+
+rspec:
+  script:
+    - bundle exec rspec

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.3
+before_install: gem install bundler -v 1.16.0

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in xml-kit.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 mo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,39 @@
+# Xml::Kit
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/xml/kit`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'xml-kit'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install xml-kit
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/saml-kit/xml-kit.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "xml/kit"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/xml/kit.rb

@@ -0,0 +1,40 @@
+require "active_model"
+require "active_support/core_ext/numeric/time"
+require "base64"
+require "builder"
+require "logger"
+require "nokogiri"
+require "openssl"
+require "tilt"
+require "xmldsig"
+
+require "xml/kit/namespaces"
+
+require "xml/kit/builders/encryption"
+require "xml/kit/builders/signature"
+require "xml/kit/certificate"
+require "xml/kit/crypto"
+require "xml/kit/decryption"
+require "xml/kit/document"
+require "xml/kit/fingerprint"
+require "xml/kit/id"
+require "xml/kit/key_pair"
+require "xml/kit/self_signed_certificate"
+require "xml/kit/signatures"
+require "xml/kit/templatable"
+require "xml/kit/template"
+require "xml/kit/version"
+
+module Xml
+  module Kit
+    class << self
+      def logger
+        @logger ||= Logger.new(STDOUT)
+      end
+
+      def logger=(logger)
+        @logger = logger
+      end
+    end
+  end
+end

data/lib/xml/kit/builders/encryption.rb

@@ -0,0 +1,20 @@
+module Xml
+  module Kit
+    module Builders
+      class Encryption
+        attr_reader :public_key
+        attr_reader :key, :iv, :encrypted
+
+        def initialize(raw_xml, public_key)
+          @public_key = public_key
+          cipher = OpenSSL::Cipher.new('AES-256-CBC')
+          cipher.encrypt
+          @key = cipher.random_key
+          @iv = cipher.random_iv
+          @encrypted = cipher.update(raw_xml) + cipher.final
+        end
+      end
+    end
+  end
+end
+

data/lib/xml/kit/builders/signature.rb

@@ -0,0 +1,34 @@
+module Xml
+  module Kit
+    module Builders
+      class Signature
+        SIGNATURE_METHODS = {
+          SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+          SHA224: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224",
+          SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+          SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+          SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+        }.freeze
+        DIGEST_METHODS = {
+          SHA1: "http://www.w3.org/2000/09/xmldsig#SHA1",
+          SHA224: "http://www.w3.org/2001/04/xmldsig-more#sha224",
+          SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
+          SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+          SHA512: "http://www.w3.org/2001/04/xmlenc#sha512",
+        }.freeze
+
+        attr_reader :certificate
+        attr_reader :digest_method
+        attr_reader :reference_id
+        attr_reader :signature_method
+
+        def initialize(reference_id, signature_method: :SH256, digest_method: :SHA256, certificate:)
+          @certificate = certificate
+          @digest_method = DIGEST_METHODS[digest_method]
+          @reference_id = reference_id
+          @signature_method = SIGNATURE_METHODS[signature_method]
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/builders/templates/certificate.builder

@@ -0,0 +1,7 @@
+xml.KeyDescriptor use: use do
+  xml.KeyInfo "xmlns": ::Xml::Kit::Namespaces::XMLDSIG do
+    xml.X509Data do
+      xml.X509Certificate stripped
+    end
+  end
+end

data/lib/xml/kit/builders/templates/encryption.builder

@@ -0,0 +1,14 @@
+xml.EncryptedData xmlns: ::Xml::Kit::Namespaces::XMLENC do
+  xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
+  xml.KeyInfo xmlns: ::Xml::Kit::Namespaces::XMLDSIG do
+    xml.EncryptedKey xmlns: ::Xml::Kit::Namespaces::XMLENC do
+      xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
+      xml.CipherData do
+        xml.CipherValue Base64.encode64(public_key.public_encrypt(key))
+      end
+    end
+  end
+  xml.CipherData do
+    xml.CipherValue Base64.encode64(iv + encrypted)
+  end
+end

data/lib/xml/kit/builders/templates/signature.builder

@@ -0,0 +1,20 @@
+xml.Signature "xmlns" => ::Xml::Kit::Namespaces::XMLDSIG do
+  xml.SignedInfo do
+    xml.CanonicalizationMethod Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
+    xml.SignatureMethod Algorithm: signature_method
+    xml.Reference URI: "##{reference_id}" do
+      xml.Transforms do
+        xml.Transform Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+        xml.Transform Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
+      end
+      xml.DigestMethod Algorithm: digest_method
+      xml.DigestValue ""
+    end
+  end
+  xml.SignatureValue ""
+  xml.KeyInfo do
+    xml.X509Data do
+      xml.X509Certificate certificate.stripped
+    end
+  end
+end

data/lib/xml/kit/certificate.rb

@@ -0,0 +1,96 @@
+module Xml
+  module Kit
+    # {include:file:spec/xml/certificate_spec.rb}
+    class Certificate
+      BEGIN_CERT=/-----BEGIN CERTIFICATE-----/
+      END_CERT=/-----END CERTIFICATE-----/
+      # The use can be `:signing` or `:encryption`
+      attr_reader :use
+
+      def initialize(value, use:)
+        @value = value
+        @use = use.downcase.to_sym
+      end
+
+      # @return [Xml::Kit::Fingerprint] the certificate fingerprint.
+      def fingerprint
+        Fingerprint.new(value)
+      end
+
+      # Returns true if this certificate is for the specified use.
+      #
+      # @param use [Symbol] `:signing` or `:encryption`.
+      # @return [Boolean] true or false.
+      def for?(use)
+        self.use == use.to_sym
+      end
+
+      # Returns true if this certificate is used for encryption.
+      #
+      # return [Boolean] true or false.
+      def encryption?
+        for?(:encryption)
+      end
+
+      # Returns true if this certificate is used for signing.
+      #
+      # return [Boolean] true or false.
+      def signing?
+        for?(:signing)
+      end
+
+      # Returns the x509 form.
+      #
+      # return [OpenSSL::X509::Certificate] the OpenSSL equivalent.
+      def x509
+        self.class.to_x509(value)
+      end
+
+      # Returns the public key.
+      #
+      # @return [OpenSSL::PKey::RSA] the RSA public key.
+      def public_key
+        x509.public_key
+      end
+
+      def ==(other)
+        self.fingerprint == other.fingerprint
+      end
+
+      def eql?(other)
+        self == other
+      end
+
+      def hash
+        value.hash
+      end
+
+      def to_s
+        value
+      end
+
+      def to_h
+        { use: @use, fingerprint: fingerprint.to_s }
+      end
+
+      def inspect
+        to_h.inspect
+      end
+
+      def stripped
+        value.to_s.gsub(BEGIN_CERT, '').gsub(END_CERT, '').gsub(/\n/, '')
+      end
+
+      def self.to_x509(value)
+        OpenSSL::X509::Certificate.new(Base64.decode64(value))
+      rescue OpenSSL::X509::CertificateError => error
+        ::Xml::Kit.logger.warn(error)
+        OpenSSL::X509::Certificate.new(value)
+      end
+
+      private
+
+      attr_reader :value
+    end
+  end
+end

data/lib/xml/kit/crypto.rb

@@ -0,0 +1,17 @@
+require 'xml/kit/crypto/oaep_cipher'
+require 'xml/kit/crypto/rsa_cipher'
+require 'xml/kit/crypto/simple_cipher'
+require 'xml/kit/crypto/unknown_cipher'
+
+module Xml
+  module Kit
+    module Crypto
+      DECRYPTORS = [ SimpleCipher, RsaCipher, OaepCipher, UnknownCipher ]
+
+      # @!visibility private
+      def self.decryptor_for(algorithm, key)
+        DECRYPTORS.find { |x| x.matches?(algorithm) }.new(algorithm, key)
+      end
+    end
+  end
+end

data/lib/xml/kit/crypto/oaep_cipher.rb

@@ -0,0 +1,22 @@
+module Xml
+  module Kit
+    module Crypto
+      class OaepCipher
+        ALGORITHMS = {
+          'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' => true,
+        }
+        def initialize(algorithm, key)
+          @key = key
+        end
+
+        def self.matches?(algorithm)
+          ALGORITHMS[algorithm]
+        end
+
+        def decrypt(cipher_text)
+          @key.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/crypto/rsa_cipher.rb

@@ -0,0 +1,23 @@
+module Xml
+  module Kit
+    module Crypto
+      class RsaCipher
+        ALGORITHMS = {
+          'http://www.w3.org/2001/04/xmlenc#rsa-1_5' => true,
+        }
+
+        def initialize(algorithm, key)
+          @key = key
+        end
+
+        def self.matches?(algorithm)
+          ALGORITHMS[algorithm]
+        end
+
+        def decrypt(cipher_text)
+          @key.private_decrypt(cipher_text)
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/crypto/simple_cipher.rb

@@ -0,0 +1,34 @@
+module Xml
+  module Kit
+    module Crypto
+      class SimpleCipher
+        ALGORITHMS = {
+          'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' => 'DES-EDE3-CBC',
+          'http://www.w3.org/2001/04/xmlenc#aes128-cbc' => 'AES-128-CBC',
+          'http://www.w3.org/2001/04/xmlenc#aes192-cbc' => 'AES-192-CBC',
+          'http://www.w3.org/2001/04/xmlenc#aes256-cbc' => 'AES-256-CBC',
+        }
+
+        def initialize(algorithm, private_key)
+          @algorithm = algorithm
+          @private_key = private_key
+        end
+
+        def self.matches?(algorithm)
+          ALGORITHMS[algorithm]
+        end
+
+        def decrypt(cipher_text)
+          cipher = OpenSSL::Cipher.new(ALGORITHMS[@algorithm])
+          cipher.decrypt
+          iv = cipher_text[0..cipher.iv_len-1]
+          data = cipher_text[cipher.iv_len..-1]
+          #cipher.padding = 0
+          cipher.key = @private_key
+          cipher.iv = iv
+          cipher.update(data) + cipher.final
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/crypto/unknown_cipher.rb

@@ -0,0 +1,18 @@
+module Xml
+  module Kit
+    module Crypto
+      class UnknownCipher
+        def initialize(algorithm, key)
+        end
+
+        def self.matches?(algorithm)
+          true
+        end
+
+        def decrypt(cipher_text)
+          cipher_text
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/decryption.rb

@@ -0,0 +1,44 @@
+module Xml
+  module Kit
+    # {include:file:spec/saml/xml_decryption_spec.rb}
+    class Decryption
+      # The list of private keys to use to attempt to decrypt the document.
+      attr_reader :private_keys
+
+      def initialize(private_keys:)
+        @private_keys = private_keys
+      end
+
+      # Decrypts an EncryptedData section of an XML document.
+      #
+      # @param data [Hash] the XML document converted to a [Hash] using Hash.from_xml.
+      def decrypt(data)
+        encrypted_data = data['EncryptedData']
+        symmetric_key = symmetric_key_from(encrypted_data)
+        cipher_text = Base64.decode64(encrypted_data["CipherData"]["CipherValue"])
+        to_plaintext(cipher_text, symmetric_key, encrypted_data["EncryptionMethod"]['Algorithm'])
+      end
+
+      private
+
+      def symmetric_key_from(encrypted_data)
+        encrypted_key = encrypted_data['KeyInfo']['EncryptedKey']
+        cipher_text = Base64.decode64(encrypted_key['CipherData']['CipherValue'])
+        attempts = private_keys.count
+        private_keys.each do |private_key|
+          begin
+            attempts -= 1
+            return to_plaintext(cipher_text, private_key, encrypted_key["EncryptionMethod"]['Algorithm'])
+          rescue OpenSSL::PKey::RSAError => error
+            ::Xml::Kit.logger.error(error)
+            raise if attempts.zero?
+          end
+        end
+      end
+
+      def to_plaintext(cipher_text, symmetric_key, algorithm)
+        Crypto.decryptor_for(algorithm, symmetric_key).decrypt(cipher_text)
+      end
+    end
+  end
+end

data/lib/xml/kit/document.rb

@@ -0,0 +1,75 @@
+module Xml
+  module Kit
+    # {include:file:spec/saml/xml_spec.rb}
+    class Document
+      include ActiveModel::Validations
+      NAMESPACES = { "ds": ::Xml::Kit::Namespaces::XMLDSIG }.freeze
+
+      validate :validate_signatures
+      validate :validate_certificates
+
+      def initialize(raw_xml, namespaces: NAMESPACES)
+        @raw_xml = raw_xml
+        @namespaces = namespaces
+        @document = ::Nokogiri::XML(raw_xml)
+      end
+
+      # Returns the first XML node found by searching the document with the provided XPath.
+      #
+      # @param xpath [String] the XPath to use to search the document
+      def find_by(xpath)
+        document.at_xpath(xpath, namespaces)
+      end
+
+      # Returns all XML nodes found by searching the document with the provided XPath.
+      #
+      # @param xpath [String] the XPath to use to search the document
+      def find_all(xpath)
+        document.search(xpath, namespaces)
+      end
+
+      # Return the XML document as a [String].
+      #
+      # @param pretty [Boolean] return the XML string in a human readable format if true.
+      def to_xml(pretty: true)
+        pretty ? document.to_xml(indent: 2) : raw_xml
+      end
+
+      private
+
+      attr_reader :raw_xml, :document, :namespaces
+
+      def validate_signatures
+        invalid_signatures.flat_map(&:errors).uniq.each do |error|
+          errors.add(error, "is invalid")
+        end
+      end
+
+      def invalid_signatures
+        signed_document = Xmldsig::SignedDocument.new(document, id_attr: 'ID=$uri or @Id')
+        signed_document.signatures.find_all do |signature|
+          x509_certificates.all? do |certificate|
+            !signature.valid?(certificate)
+          end
+        end
+      end
+
+      def validate_certificates(now = Time.current)
+        return if find_by('//ds:Signature').nil?
+
+        x509_certificates.each do |certificate|
+          inactive = now < certificate.not_before
+          errors.add(:certificate, "Not valid before #{certificate.not_before}") if inactive
+
+          expired = now > certificate.not_after
+          errors.add(:certificate, "Not valid after #{certificate.not_after}") if expired
+        end
+      end
+
+      def x509_certificates
+        xpath = "//ds:KeyInfo/ds:X509Data/ds:X509Certificate"
+        find_all(xpath).map { |item| Certificate.to_x509(item.text) }
+      end
+    end
+  end
+end

data/lib/xml/kit/fingerprint.rb

@@ -0,0 +1,50 @@
+module Xml
+  module Kit
+    # This generates a fingerprint for an X509 Certificate.
+    #
+    #   certificate, _ = Xml::Kit::SelfSignedCertificate.new("password").create
+    #
+    #   puts Xml::Kit::Fingerprint.new(certificate).to_s
+    #   # B7:AB:DC:BD:4D:23:58:65:FD:1A:99:0C:5F:89:EA:87:AD:F1:D7:83:34:7A:E9:E4:88:12:DD:46:1F:38:05:93
+    #
+    # {include:file:spec/saml/fingerprint_spec.rb}
+    class Fingerprint
+      # The OpenSSL::X509::Certificate
+      attr_reader :x509
+
+      def initialize(raw_certificate)
+        @x509 = Certificate.to_x509(raw_certificate)
+      end
+
+      # Generates a formatted fingerprint using the specified hash algorithm.
+      #
+      # @param algorithm [OpenSSL::Digest] the openssl algorithm to use `OpenSSL::Digest::SHA256`, `OpenSSL::Digest::SHA1`.
+      # @return [String] in the format of `"BF:ED:C5:F1:6C:AB:F5:B2:15:1F:BF:BD:7D:68:1A:F9:A5:4E:4C:19:30:BC:6D:25:B1:8E:98:D4:23:FD:B4:09"`
+      def algorithm(algorithm)
+        pretty_fingerprint(algorithm.new.hexdigest(x509.to_der))
+      end
+
+      def ==(other)
+        self.to_s == other.to_s
+      end
+
+      def eql?(other)
+        self == other
+      end
+
+      def hash
+        to_s.hash
+      end
+
+      def to_s
+        algorithm(OpenSSL::Digest::SHA256)
+      end
+
+      private
+
+      def pretty_fingerprint(fingerprint)
+        fingerprint.upcase.scan(/../).join(":")
+      end
+    end
+  end
+end

data/lib/xml/kit/id.rb

@@ -0,0 +1,13 @@
+module Xml
+  module Kit
+    # This class is used primary for generating ID.
+    #https://www.w3.org/2001/XMLSchema.xsd
+    class Id
+      # Generate an ID that conforms to the XML Schema.
+      # https://www.w3.org/2001/XMLSchema.xsd
+      def self.generate
+        "_#{SecureRandom.uuid}"
+      end
+    end
+  end
+end

data/lib/xml/kit/key_pair.rb

@@ -0,0 +1,29 @@
+module Xml
+  module Kit
+    class KeyPair # :nodoc:
+      attr_reader :certificate, :private_key, :use
+
+      def initialize(certificate, private_key, passphrase, use)
+        @use = use
+        @certificate = ::Xml::Kit::Certificate.new(certificate, use: use)
+        @private_key = OpenSSL::PKey::RSA.new(private_key, passphrase)
+      end
+
+      # Returns true if the key pair is the designated use.
+      #
+      # @param use [Symbol] Can be either `:signing` or `:encryption`.
+      def for?(use)
+        @use == use
+      end
+
+      # Returns a generated self signed certificate with private key.
+      #
+      # @param use [Symbol] Can be either `:signing` or `:encryption`.
+      # @param passphrase [String] the passphrase to use to encrypt the private key.
+      def self.generate(use:, passphrase: SecureRandom.uuid)
+        certificate, private_key = ::Xml::Kit::SelfSignedCertificate.new(passphrase).create
+        new(certificate, private_key, passphrase, use)
+      end
+    end
+  end
+end

data/lib/xml/kit/namespaces.rb

@@ -0,0 +1,17 @@
+module Xml
+  module Kit
+    module Namespaces
+      ENVELOPED_SIG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+      RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+      RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+      RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+      RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+      SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
+      SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'
+      SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384"
+      SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'
+      XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
+      XMLENC = "http://www.w3.org/2001/04/xmlenc#"
+    end
+  end
+end

data/lib/xml/kit/self_signed_certificate.rb

@@ -0,0 +1,28 @@
+module Xml
+  module Kit
+    class SelfSignedCertificate
+      SUBJECT="/C=CA/ST=Alberta/L=Calgary/O=XmlKit/OU=XmlKit/CN=XmlKit"
+
+      def initialize(passphrase)
+        @passphrase = passphrase
+      end
+
+      def create
+        rsa_key = OpenSSL::PKey::RSA.new(2048)
+        public_key = rsa_key.public_key
+        certificate = OpenSSL::X509::Certificate.new
+        certificate.subject = certificate.issuer = OpenSSL::X509::Name.parse(SUBJECT)
+        certificate.not_before = Time.now.to_i
+        certificate.not_after = (Date.today + 30).to_time.to_i
+        certificate.public_key = public_key
+        certificate.serial = 0x0
+        certificate.version = 2
+        certificate.sign(rsa_key, OpenSSL::Digest::SHA256.new)
+        [
+          certificate.to_pem,
+          rsa_key.to_pem(OpenSSL::Cipher.new('AES-256-CBC'), @passphrase)
+        ]
+      end
+    end
+  end
+end

data/lib/xml/kit/signatures.rb

@@ -0,0 +1,67 @@
+module Xml
+  module Kit
+    # @!visibility private
+    class Signatures # :nodoc:
+      attr_reader :key_pair, :signature_method, :digest_method
+
+      # @!visibility private
+      def initialize(key_pair:, signature_method:, digest_method:)
+        @digest_method = digest_method
+        @key_pair = key_pair
+        @signature_method = signature_method
+      end
+
+      # @!visibility private
+      def sign_with(key_pair)
+        @key_pair = key_pair
+      end
+
+      # @!visibility private
+      def build(reference_id)
+        return nil if key_pair.nil?
+
+        ::Xml::Kit::Builders::Signature.new(
+          reference_id,
+          certificate: key_pair.certificate,
+          signature_method: signature_method,
+          digest_method: digest_method
+        )
+      end
+
+      # @!visibility private
+      def complete(raw_xml)
+        return raw_xml if key_pair.nil?
+
+        private_key = key_pair.private_key
+        Xmldsig::SignedDocument.new(raw_xml).sign(private_key)
+      end
+
+      # @!visibility private
+      def self.sign(xml: ::Builder::XmlMarkup.new, key_pair:, signature_method: :SHA256, digest_method: :SHA256)
+        signatures = new(
+          key_pair: key_pair,
+          signature_method: signature_method,
+          digest_method: digest_method,
+        )
+        yield xml, XmlSignatureTemplate.new(xml, signatures)
+        signatures.complete(xml.target!)
+      end
+
+      class XmlSignatureTemplate # :nodoc:
+        # @!visibility private
+        attr_reader :signatures, :xml
+
+        # @!visibility private
+        def initialize(xml, signatures)
+          @signatures = signatures
+          @xml = xml
+        end
+
+        # @!visibility private
+        def template(reference_id)
+          Template.new(signatures.build(reference_id)).to_xml(xml: xml)
+        end
+      end
+    end
+  end
+end

data/lib/xml/kit/templatable.rb

@@ -0,0 +1,83 @@
+module Xml
+  module Kit
+    module Templatable
+      # Can be used to disable embeding a signature.
+      # By default a signature will be embedded if a signing
+      # certificate is available.
+      attr_accessor :embed_signature
+
+      # Used to enable/disable encrypting the document.
+      attr_accessor :encrypt
+
+      # The [Xml::Kit::KeyPair] to use for generating a signature.
+      attr_accessor :signing_key_pair
+
+      # The [Xml::Kit::Certificate] that contains the public key to use for encrypting the document.
+      attr_accessor :encryption_certificate
+
+      # Returns the generated XML document with an XML Digital Signature and XML Encryption.
+      def to_xml(xml: ::Builder::XmlMarkup.new)
+        signatures.complete(render(self, xml: xml))
+      end
+
+      def encryption_for(xml:)
+        if encrypt?
+          temp = ::Builder::XmlMarkup.new
+          yield temp
+          signed_xml = signatures.complete(temp.target!)
+          xml_encryption = ::Xml::Kit::Builders::Encryption.new(
+            signed_xml,
+            encryption_certificate.public_key
+          )
+          render(xml_encryption, xml: xml)
+        else
+          yield xml
+        end
+      end
+
+      def render(model, options)
+        ::Xml::Kit::Template.new(model).to_xml(options)
+      end
+
+      def signature_for(reference_id:, xml:)
+        return unless sign?
+        render(signatures.build(reference_id), xml: xml)
+      end
+
+      # Allows you to specify which key pair to use for generating an XML digital signature.
+      #
+      # @param key_pair [Xml::Kit::KeyPair] the key pair to use for signing.
+      def sign_with(key_pair)
+        signatures.sign_with(key_pair)
+      end
+
+      private
+
+      def sign?
+        embed_signature
+      end
+
+      # @!visibility private
+      def signatures
+        @signatures ||= ::Xml::Kit::Signatures.new(
+          key_pair: signing_key_pair,
+          digest_method: digest_method,
+          signature_method: signature_method,
+        )
+      end
+
+      def digest_method
+        :SHA256
+      end
+
+      def signature_method
+        :SHA256
+      end
+
+      # @!visibility private
+      def encrypt?
+        encrypt && encryption_certificate
+      end
+    end
+  end
+end

data/lib/xml/kit/template.rb

@@ -0,0 +1,32 @@
+module Xml
+  module Kit
+    class Template
+      attr_reader :target
+
+      def initialize(target)
+        @target = target
+      end
+
+      # Returns the compiled template as a [String].
+      #
+      # @param options [Hash] The options hash to pass to the template engine.
+      def to_xml(options = {})
+        template.render(target, options)
+      end
+
+      private
+
+      def template_path
+        return target.template_path if target.respond_to?(:template_path)
+
+        root_path = File.expand_path(File.dirname(__FILE__))
+        template_name = "#{target.class.name.split("::").last.underscore}.builder"
+        File.join(root_path, "builders/templates/", template_name)
+      end
+
+      def template
+        Tilt.new(template_path)
+      end
+    end
+  end
+end

data/lib/xml/kit/version.rb

@@ -0,0 +1,5 @@
+module Xml
+  module Kit
+    VERSION = "0.1.0"
+  end
+end

data/xml-kit.gemspec

@@ -0,0 +1,36 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "xml/kit/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "xml-kit"
+  spec.version       = Xml::Kit::VERSION
+  spec.authors       = ["mo khan"]
+  spec.email         = ["mo@mokhan.ca"]
+
+  spec.summary       = %q{A simple toolkit for working with XML.}
+  spec.description   = %q{A simple toolkit for working with XML.}
+  spec.homepage      = "http://www.mokhan.ca"
+  spec.license       = "MIT"
+  spec.required_ruby_version = '>= 2.2.0'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.metadata["yard.run"] = "yri"
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "activemodel", ">= 4.2.0"
+  spec.add_dependency "builder", "~> 3.2"
+  spec.add_dependency "nokogiri", "~> 1.8"
+  spec.add_dependency "tilt", "~> 2.0"
+  spec.add_dependency "xmldsig", "~> 0.6"
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "ffaker", "~> 2.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "simplecov", "~> 0.15.1"
+end

metadata

@@ -0,0 +1,220 @@
+--- !ruby/object:Gem::Specification
+name: xml-kit
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- mo khan
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-12-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.2.0
+- !ruby/object:Gem::Dependency
+  name: builder
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: tilt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: xmldsig
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: ffaker
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.15.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.15.1
+description: A simple toolkit for working with XML.
+email:
+- mo@mokhan.ca
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".gitlab-ci.yml"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/xml/kit.rb
+- lib/xml/kit/builders/encryption.rb
+- lib/xml/kit/builders/signature.rb
+- lib/xml/kit/builders/templates/certificate.builder
+- lib/xml/kit/builders/templates/encryption.builder
+- lib/xml/kit/builders/templates/nil_class.builder
+- lib/xml/kit/builders/templates/signature.builder
+- lib/xml/kit/certificate.rb
+- lib/xml/kit/crypto.rb
+- lib/xml/kit/crypto/oaep_cipher.rb
+- lib/xml/kit/crypto/rsa_cipher.rb
+- lib/xml/kit/crypto/simple_cipher.rb
+- lib/xml/kit/crypto/unknown_cipher.rb
+- lib/xml/kit/decryption.rb
+- lib/xml/kit/document.rb
+- lib/xml/kit/fingerprint.rb
+- lib/xml/kit/id.rb
+- lib/xml/kit/key_pair.rb
+- lib/xml/kit/namespaces.rb
+- lib/xml/kit/self_signed_certificate.rb
+- lib/xml/kit/signatures.rb
+- lib/xml/kit/templatable.rb
+- lib/xml/kit/template.rb
+- lib/xml/kit/version.rb
+- xml-kit.gemspec
+homepage: http://www.mokhan.ca
+licenses:
+- MIT
+metadata:
+  yard.run: yri
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14
+signing_key: 
+specification_version: 4
+summary: A simple toolkit for working with XML.
+test_files: []