xml_security 0.0.1

data/README.md

@@ -0,0 +1,33 @@
+# XML may not be fun, but at least we can make it secure!
+
+[![Build Status](https://travis-ci.org/phinze/xml_security.png?branch=master)](https://travis-ci.org/phinze/xml_security)
+
+```xml
+<secrets keep-them="safe" with="xml!" />
+```
+
+You too can enjoy all the glory of `xmlsec` brought to your ruby runtime!
+
+This library is being built with an eye towards building it in a proper SAML
+integration on a Ruby-based platform.
+
+## Working features 
+
+* Basic XML Document Signing
+* Basic XML Signature Verification
+* Basic XML Document Decryption
+
+## Lots left to do!
+
+* XML Encryption
+* Non-happy-path testing.
+* Memory leak squashing.
+* Testing with a SAML-layer library
+* We'll need TONS of cleanup at the Ruby/C API layer. Goal is to connect the dots, then make the constellations beautiful.
+
+## References
+
+* Using FFI for ruby/c interop: https://github.com/ffi/ffi.git
+* Wrapping XMLSec: http://www.aleksey.com/xmlsec/
+* XMLSec also used libXML2: http://www.xmlsoft.org/
+

data/lib/xml_security/c/lib_xml.rb

@@ -0,0 +1,48 @@
+require 'ffi'
+require 'ffi/libc'
+
+module XMLSecurity
+  module C
+    module LibXML
+      extend FFI::Library
+      ffi_lib 'libxml2'
+
+      # libxml functions
+      attach_function :xmlInitParser, [], :void
+      attach_function :xmlDocGetRootElement, [ :pointer ], :pointer
+      attach_function :xmlDocDumpFormatMemory, [ :pointer, :pointer, :pointer, :int ], :void
+      attach_function :xmlFreeDoc, [ :pointer ], :void
+      attach_function :xmlParseFile, [ :string ], :pointer
+      attach_function :xmlParseMemory, [ :pointer, :int ], :pointer
+      attach_function :xmlAddChild, [ :pointer, :pointer ], :pointer
+      attach_function :xmlCleanupParser, [], :void
+      attach_function :xmlNodeGetContent, [ :pointer ], :pointer # xmlChar *
+
+      #
+      # Patching over to straight libc malloc/free until we can figure out why
+      # xml{Malloc,Free} cause ruby to blow up so spectacularly. See the
+      # following thread for more info:
+      #
+      # https://groups.google.com/d/topic/ruby-ffi/wClez3YsLQE/discussion
+      #
+      # attach_function :xmlFree, [ :pointer ], :void
+      # attach_function :xmlMalloc, [ :int ], :pointer
+
+      def self.xmlMalloc(*args)
+        FFI::LibC.malloc(*args)
+      end
+
+      def self.xmlFree(*args)
+        FFI::LibC.free(*args)
+      end
+
+      def self.init
+        xmlInitParser
+      end
+
+      def self.shutdown
+        xmlCleanupParser
+      end
+    end
+  end
+end

data/lib/xml_security/c/xml_sec.rb

@@ -0,0 +1,259 @@
+require 'ffi'
+
+module XMLSecurity
+  module C
+    module XMLSec
+      extend FFI::Library
+      ffi_lib_flags :now, :global
+      ffi_lib 'xmlsec1-openssl'
+
+      enum :xmlSecKeyDataFormat, [
+          :xmlSecKeyDataFormatUnknown,
+          :xmlSecKeyDataFormatBinary,
+          :xmlSecKeyDataFormatPem,
+          :xmlSecKeyDataFormatDer,
+          :xmlSecKeyDataFormatPkcs8Pem,
+          :xmlSecKeyDataFormatPkcs8Der,
+          :xmlSecKeyDataFormatPkcs12,
+          :xmlSecKeyDataFormatCertPem,
+          :xmlSecKeyDataFormatCertDer
+      ]
+
+      enum :xmlSecKeyInfoMode, [
+          :xmlSecKeyInfoModeRead,
+          :xmlSecKeyInfoModeWrite
+      ]
+
+      enum :xmlSecAllocMode, [
+          :xmlSecAllocModeExact,
+          :xmlSecAllocModeDouble
+      ]
+
+      enum :xmlSecTransformStatus, [
+          :xmlSecTransformStatusNone,
+          :xmlSecTransformStatusWorking,
+          :xmlSecTransformStatusFinished,
+          :xmlSecTransformStatusOk,
+          :xmlSecTransformStatusFail
+      ]
+
+      enum :xmlSecTransformOperation, [
+          :xmlSecTransformOperationNone, 0,
+          :xmlSecTransformOperationEncode,
+          :xmlSecTransformOperationDecode,
+          :xmlSecTransformOperationSign,
+          :xmlSecTransformOperationVerify,
+          :xmlSecTransformOperationEncrypt,
+          :xmlSecTransformOperationDecrypt
+      ]
+
+      enum :xmlSecDSigStatus, [
+          :xmlSecDSigStatusUnknown, 0,
+          :xmlSecDSigStatusSucceeded,
+          :xmlSecDSigStatusInvalid
+      ]
+
+      class XmlSecPtrList < FFI::Struct
+        layout \
+          :id,                          :string,
+          :data,                        :pointer,        # xmlSecPtr*
+          :use,                         :uint,
+          :max,                         :uint,
+          :allocMode,                   :xmlSecAllocMode
+      end
+
+      class XmlSecKeyReq < FFI::Struct
+        layout \
+          :keyId,                       :string,         # xmlSecKeyDataId
+          :keyType,                     :uint,           # xmlSecKeyDataType
+          :keyUsage,                    :uint,           # xmlSecKeyUsage
+          :keyBitsSize,                 :uint,           # xmlSecSize
+          :keyUseWithList,              XmlSecPtrList,
+          :reserved1,                   :pointer,        # void *
+          :reserved2,                   :pointer         # void *
+      end
+
+      class XmlSecTransformCtx < FFI::Struct
+        layout \
+          :userData,                    :pointer,        # void *
+          :flags,                       :uint,
+          :flags2,                      :uint,
+          :enabledUris,                 :uint,
+          :enabledTransforms,           XmlSecPtrList,
+          :preExecCallback,             :pointer,        # xmlSecTransformCtxPreExecuteCallback
+          :result,                      :pointer,        # xmlSecBufferPtr
+          :status,                      :xmlSecTransformStatus,
+          :uri,                         :string,
+          :xptrExpr,                    :string,
+          :first,                       :pointer,        # xmlSecTransformPtr
+          :last,                        :pointer,        # xmlSecTransformPtr
+          :reserved0,                   :pointer,        # void *
+          :reserved1,                   :pointer         # void *
+      end
+
+      class XmlSecKeyInfoCtx < FFI::Struct
+        layout \
+          :userDate,                    :pointer,
+          :flags,                       :uint,
+          :flags2,                      :uint,
+          :keysMngr,                    :pointer,
+          :mode,                        :xmlSecKeyInfoMode,
+          :enabledKeyData,              XmlSecPtrList,
+          :base64LineSize,              :int,
+          :retrievalMethodCtx,          XmlSecTransformCtx,
+          :maxRetrievalMethodLevel,     :int,
+          :encCtx,                      :pointer,
+          :maxEncryptedKeyLevel,        :int,
+          :certsVerificationTime,       :time_t,
+          :certsVerificationDepth,      :int,
+          :pgpReserved,                 :pointer,
+          :curRetrievalMethodLevel,     :int,
+          :curEncryptedKeyLevel,        :int,
+          :keyReq,                      XmlSecKeyReq,
+          :reserved0,                   :pointer,
+          :reserved1,                   :pointer
+      end
+
+      # Would like to use this eventually, but something is wrong below; get segfaults when trying to use it.
+      class XmlSecKeyPtr < FFI::Struct
+        layout \
+           :name,           :string,  # xmlChar *
+           :value,          :pointer, # xmlSecKeyDataPtr
+           :dataList,       :pointer, # xmlSecPtrListPtr
+           :usage,          :pointer, # xmlSecKeyUsage
+           :notValidBefore, :pointer, # time_t
+           :notValidAfter,  :pointer  # time_t
+      end
+
+      class XmlSecDSigCtx < FFI::Struct
+        layout \
+          :userData,                    :pointer,     # void *
+          :flags,                       :uint,
+          :flags2,                      :uint,
+          :keyInfoReadCtx,              XmlSecKeyInfoCtx.by_value,
+          :keyInfoWriteCtx,             XmlSecKeyInfoCtx.by_value,
+          :transformCtx,                XmlSecTransformCtx.by_value,
+          :enabledReferenceUris,        :uint,        # xmlSecTransformUriType
+          :enabledReferenceTransforms,  :pointer,     # xmlSecPtrListPtr
+          :referencePreExecuteCallback, :pointer,     # xmlSecTransformCtxPreExecuteCallback
+          :defSignMethodId,             :string,      # xmlSecTransformId
+          :defC14NMethodId,             :string,      # xmlSecTransformId
+          :defDigestMethodId,           :string,      # xmlSecTransformId
+
+          :signKey,                     :pointer,     # xmlSecKeyPtr
+          :operation,                   :xmlSecTransformOperation,
+          :result,                      :pointer,     # xmlSecBufferPtr
+          :status,                      :xmlSecDSigStatus,
+          :signMethod,                  :pointer,     # xmlSecTransformPtr
+          :c14nMethod,                  :pointer,     # xmlSecTransformPtr
+          :preSignMemBufMethod,         :pointer,     # xmlSecTransformPtr
+          :signValueNode,               :pointer,     # xmlNodePtr
+          :id,                          :string,
+          :signedInfoReferences,        XmlSecPtrList,
+          :manifestReferences,          XmlSecPtrList,
+          :reserved0,                   :pointer,
+          :reserved1,                   :pointer
+      end
+
+      # xmlsec functions
+      attach_function :xmlSecInit, [], :int
+      attach_function :xmlSecParseMemory, [ :pointer, :uint, :int ], :pointer
+      attach_function :xmlSecFindNode, [ :pointer, :string, :string ], :pointer
+      attach_function :xmlSecFindChild, [ :pointer, :string, :string ], :pointer
+      attach_function :xmlSecDSigCtxCreate, [ :pointer ], XmlSecDSigCtx.by_ref
+      attach_function :xmlSecDSigCtxVerify, [ XmlSecDSigCtx.by_ref, :pointer ], :int
+      attach_function :xmlSecOpenSSLInit, [], :int
+      attach_function :xmlSecOpenSSLShutdown, [], :int
+      attach_function :xmlSecOpenSSLAppShutdown, [], :int
+      attach_function :xmlSecOpenSSLAppInit, [ :pointer ], :int
+      attach_function :xmlSecAddIDs, [ :pointer, :pointer, :pointer ], :void
+      attach_function :xmlSecDSigCtxDestroy, [ XmlSecDSigCtx.by_ref ], :void
+
+      attach_function :xmlSecKeysMngrCreate, [], :pointer
+      attach_function :xmlSecOpenSSLAppDefaultKeysMngrInit, [ :pointer ], :int
+      attach_function :xmlSecOpenSSLAppKeyLoad, [ :string, :xmlSecKeyDataFormat, :pointer, :pointer, :pointer ], :pointer
+      attach_function :xmlSecOpenSSLAppKeyLoadMemory, [ :pointer, :uint, :xmlSecKeyDataFormat, :pointer, :pointer, :pointer ], :pointer
+      attach_function :xmlSecOpenSSLAppKeysMngrCertLoadMemory, [ :pointer, :pointer, :uint, :xmlSecKeyDataFormat, :uint ], :int
+
+      attach_function :xmlSecOpenSSLAppDefaultKeysMngrAdoptKey, [ :pointer, :pointer ], :int
+      attach_function :xmlSecKeysMngrDestroy, [ :pointer ], :void
+
+      attach_function :xmlSecEncCtxCreate, [ :pointer ], :pointer
+      attach_function :xmlSecEncCtxDecrypt, [ :pointer, :pointer ], :int
+      attach_function :xmlSecEncCtxDestroy, [ :pointer ], :void
+
+      attach_function :xmlSecTmplSignatureCreate, [ :pointer, :pointer, :pointer, :string ], :pointer
+      attach_function :xmlSecTmplSignatureAddReference, [ :pointer, :pointer, :pointer, :pointer, :pointer ], :pointer
+
+      attach_function :xmlSecTransformExclC14NGetKlass, [], :pointer
+      attach_function :xmlSecOpenSSLTransformRsaSha1GetKlass, [], :pointer
+      attach_function :xmlSecOpenSSLTransformSha1GetKlass, [], :pointer
+      attach_function :xmlSecTransformEnvelopedGetKlass, [], :pointer
+      attach_function :xmlSecTmplSignatureEnsureKeyInfo, [ :pointer, :pointer ], :pointer
+
+      attach_function :xmlSecTmplReferenceAddTransform, [ :pointer, :pointer ], :pointer
+
+      attach_function :xmlSecKeySetName, [ :pointer, :string ], :int
+
+      attach_function :xmlSecDSigCtxSign, [ :pointer, :pointer ], :int
+
+      attach_function :xmlSecTmplKeyInfoAddKeyName, [ :pointer, :pointer ], :pointer
+      attach_function :xmlSecKeyInfoCtxCreate, [ :pointer ], XmlSecKeyInfoCtx.by_ref
+      attach_function :xmlSecKeyInfoCtxDestroy, [ XmlSecKeyInfoCtx.by_ref ], :void
+      attach_function :xmlSecKeyInfoNodeRead, [ :pointer, :pointer, :pointer ], :int
+
+      attach_function :xmlSecKeyCreate, [], :pointer
+      attach_function :xmlSecKeyDestroy, [ :pointer ], :void
+
+      attach_function :xmlSecBase64Decode, [ :pointer, :pointer, :uint ], :int
+
+      attach_function :xmlSecShutdown, [], :void
+
+      XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS = 0x00000200
+
+      def self.xmlSecNodeSignature
+        'Signature'
+      end
+
+      def self.xmlSecNodeKeyInfo
+        'KeyInfo'
+      end
+
+      def self.xmlSecNodeX509Certificate
+        'X509Certificate'
+      end
+
+      def self.xmlSecDSigNs
+        'http://www.w3.org/2000/09/xmldsig#'
+      end
+
+      def self.xmlSecEncNs
+        'http://www.w3.org/2001/04/xmlenc#'
+      end
+
+      def self.xmlSecKeyDataTypeTrusted
+        0x0100
+      end
+
+      def self.xmlSecNodeEncryptedData
+        'EncryptedData'
+      end
+
+      def self.xmlSecNodeX509Certificate
+        'X509Certificate'
+      end
+
+      def self.init
+        raise "Failed initializing XMLSec" if xmlSecInit < 0
+        raise "Failed initializing app crypto" if xmlSecOpenSSLAppInit(nil) < 0
+        raise "Failed initializing crypto" if xmlSecOpenSSLInit < 0
+      end
+
+      def self.shutdown
+        xmlSecOpenSSLShutdown
+        xmlSecOpenSSLAppShutdown
+        xmlSecShutdown
+      end
+    end
+  end
+end

data/lib/xml_security.rb

@@ -0,0 +1,250 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+#
+require 'rubygems'
+require 'ffi'
+
+require 'xml_security/c/lib_xml'
+require 'xml_security/c/xml_sec'
+
+require 'ruby-debug'
+
+module XMLSecurity
+  NAMESPACES = {
+    "xenc" => "http://www.w3.org/2001/04/xmlenc#",
+    "ds" => "http://www.w3.org/2000/09/xmldsig#"
+  }
+
+  def self.init
+    unless initialized?
+      C::LibXML.init
+      C::XMLSec.init
+      @initialized = true
+    end
+  end
+
+  def self.shutdown
+    if initialized?
+      C::XMLSec.shutdown
+      C::LibXML.shutdown
+      @initialized = false
+    end
+  end
+
+  def self.initialized?
+    !!@initialized
+  end
+
+  def self.sign(xml_document, private_key)
+    init
+
+    doc = C::LibXML.xmlParseMemory(xml_document, xml_document.size)
+    raise "could not parse XML document" if doc.null?
+
+    canonicalization_method_id = C::XMLSec.xmlSecTransformExclC14NGetKlass
+    sign_method_id = C::XMLSec.xmlSecOpenSSLTransformRsaSha1GetKlass
+
+    sign_node = C::XMLSec.xmlSecTmplSignatureCreate(doc, canonicalization_method_id, sign_method_id, nil)
+
+    raise "failed to create signature template" if sign_node.null?
+    C::LibXML.xmlAddChild(C::LibXML.xmlDocGetRootElement(doc), sign_node)
+
+    ref_node = C::XMLSec.xmlSecTmplSignatureAddReference(sign_node, C::XMLSec.xmlSecOpenSSLTransformSha1GetKlass, nil, nil, nil)
+    raise "failed to add a reference" if ref_node.null?
+
+    envelope_result = C::XMLSec.xmlSecTmplReferenceAddTransform(ref_node, C::XMLSec.xmlSecTransformEnvelopedGetKlass)
+    raise "failed to add envelope transform to reference" if envelope_result.null?
+
+    key_info_node = C::XMLSec.xmlSecTmplSignatureEnsureKeyInfo(sign_node, nil)
+    raise "failed to add key info" if key_info_node.null?
+
+    digital_signature_context = C::XMLSec.xmlSecDSigCtxCreate(nil)
+    raise "failed to create signature context" if digital_signature_context.null?
+
+    digital_signature_context[:signKey] = C::XMLSec.xmlSecOpenSSLAppKeyLoad(private_key, :xmlSecKeyDataFormatPem, nil, nil, nil)
+    raise "failed to load private pem ley from #{private_key}" if digital_signature_context[:signKey].null?
+
+    if C::XMLSec.xmlSecKeySetName(digital_signature_context[:signKey], File.basename(private_key)) < 0
+      raise "failed to set key name for key of #{private_key}"
+    end
+
+    if C::XMLSec.xmlSecTmplKeyInfoAddKeyName(key_info_node, nil).null?
+      raise "failed to add key info"
+    end
+
+    if C::XMLSec.xmlSecDSigCtxSign(digital_signature_context, sign_node) < 0
+      raise "signature failed!"
+    end
+
+    _dump_doc(doc)
+  ensure
+    C::LibXML.xmlFreeDoc(doc) if defined?(doc) && !doc.null?
+    C::XMLSec.xmlSecDSigCtxDestroy(digital_signature_context) if defined?(digital_signature_context) && !digital_signature_context.null?
+  end
+
+  def self.verify_signature(signed_xml_document, cert_fingerprint=nil)
+    init
+    if cert_fingerprint
+      return false unless _fingerprint_matches?(cert_fingerprint, cert)
+    end
+
+    doc = C::LibXML.xmlParseMemory(signed_xml_document, signed_xml_document.size)
+    raise "could not parse XML document" if doc.null?
+
+    doc_root = C::LibXML.xmlDocGetRootElement(doc)
+    raise "could not get doc root" if doc_root.null?
+
+    keys_manager = _init_keys_manager
+
+    digital_signature_context = C::XMLSec.xmlSecDSigCtxCreate(keys_manager)
+    raise "failed to create signature context" if digital_signature_context.null?
+
+    key_info_context = C::XMLSec.xmlSecKeyInfoCtxCreate(keys_manager)
+    raise "could not create key info context" if key_info_context.null?
+
+    signature_node = C::XMLSec.xmlSecFindNode(doc_root, C::XMLSec.xmlSecNodeSignature, C::XMLSec.xmlSecDSigNs)
+    raise "signature node not found" if signature_node.null?
+
+    key_info_node = C::XMLSec.xmlSecFindNode(signature_node, C::XMLSec.xmlSecNodeKeyInfo, C::XMLSec.xmlSecDSigNs)
+    raise "key_info node not found" if key_info_node.null?
+
+    certificate_node = C::XMLSec.xmlSecFindNode(signature_node, C::XMLSec.xmlSecNodeX509Certificate, C::XMLSec.xmlSecDSigNs)
+    raise "certificate node not found" if certificate_node.null?
+
+    key = C::XMLSec.xmlSecKeyCreate
+    raise "error while allocating security key" if key.null?
+
+    certptr = C::LibXML.xmlNodeGetContent(certificate_node)
+    raise "error while reading certificate node" if certptr.null?
+    cert64 = certptr.read_string
+    # C::LibXML.xmlFree(certptr)
+
+    certptr = FFI::MemoryPointer.new(:uchar, cert64.size)
+
+    bytesout = C::XMLSec.xmlSecBase64Decode(cert64, certptr, certptr.size)
+    cert = certptr.read_bytes(bytesout)
+
+    key_add_result = C::XMLSec.xmlSecOpenSSLAppKeysMngrCertLoadMemory(keys_manager, cert, cert.size, :xmlSecKeyDataFormatDer, C::XMLSec.xmlSecKeyDataTypeTrusted)
+    raise "failed to add key to keys manager" if key_add_result < 0
+
+    if C::XMLSec.xmlSecDSigCtxVerify(digital_signature_context, signature_node) < 0
+      raise "error during signature verification"
+    end
+
+    digital_signature_context[:status] == :xmlSecDSigStatusSucceeded
+  ensure
+    C::LibXML.xmlFreeDoc(doc) if defined?(doc) && doc && !doc.null?
+    C::XMLSec.xmlSecDSigCtxDestroy(digital_signature_context) if defined?(digital_signature_context) && digital_signature_context && !digital_signature_context.null?
+    C::XMLSec.xmlSecKeysMngrDestroy(keys_manager) if defined?(keys_manager) && keys_manager && !keys_manager.null?
+    C::XMLSec.xmlSecKeyInfoCtxDestroy(key_info_context) if defined?(key_info_context) && key_info_context && !key_info_context.null?
+    C::XMLSec.xmlSecKeyDestroy(key) if defined?(key) && key && !key.null?
+  end
+
+  def self.decrypt(encrypted_xml, private_key)
+    init
+
+    keys_manager = _init_keys_manager
+
+    key = C::XMLSec.xmlSecOpenSSLAppKeyLoad(private_key, :xmlSecKeyDataFormatPem, nil, nil, nil)
+    raise "failed to load private pem ley from #{private_key}" if key.null?
+
+    key_add_result = C::XMLSec.xmlSecOpenSSLAppDefaultKeysMngrAdoptKey(keys_manager, key)
+    raise "failed to add key to keys manager" if key_add_result < 0
+
+    doc = C::LibXML.xmlParseMemory(encrypted_xml, encrypted_xml.size)
+    raise "could not parse XML document" if doc.null?
+
+    doc_root = C::LibXML.xmlDocGetRootElement(doc)
+    raise "could not get root element" if doc_root.null?
+
+    start_node = C::XMLSec.xmlSecFindNode(doc_root, C::XMLSec.xmlSecNodeEncryptedData, C::XMLSec.xmlSecEncNs)
+    raise "start node not found" if start_node.null?
+
+    encryption_context = C::XMLSec.xmlSecEncCtxCreate(keys_manager)
+    raise "failed to create encryption context" if encryption_context.null?
+
+    encryption_result = C::XMLSec.xmlSecEncCtxDecrypt(encryption_context, start_node)
+    raise "decryption failed" if (encryption_result < 0)
+
+    _dump_doc(doc)
+  end
+
+  def self._init_keys_manager
+    keys_manager = C::XMLSec.xmlSecKeysMngrCreate
+    raise "failed to create keys manager" if keys_manager.null?
+
+    if C::XMLSec.xmlSecOpenSSLAppDefaultKeysMngrInit(keys_manager) < 0
+      raise "failed to init and load default openssl keys into keys manager"
+    end
+
+    keys_manager
+  end
+
+  def self._format_cert(cert)
+    # re-encode the certificate in the proper format
+    # this snippet is from http://bugs.ruby-lang.org/issues/4421
+    rsa = cert.public_key
+    modulus = rsa.n
+    exponent = rsa.e
+    oid = OpenSSL::ASN1::ObjectId.new("rsaEncryption")
+    alg_id = OpenSSL::ASN1::Sequence.new([oid, OpenSSL::ASN1::Null.new(nil)])
+    ary = [OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)]
+    pub_key = OpenSSL::ASN1::Sequence.new(ary)
+    enc_pk = OpenSSL::ASN1::BitString.new(pub_key.to_der)
+    subject_pk_info = OpenSSL::ASN1::Sequence.new([alg_id, enc_pk])
+    base64 = Base64.encode64(subject_pk_info.to_der)
+
+    # This is the equivalent to the X.509 encoding used in >= 1.9.3
+    "-----BEGIN PUBLIC KEY-----\n#{base64}-----END PUBLIC KEY-----"
+  end
+
+
+  def self._fingerprint_matches?(expected_fingerprint, cert)
+    cert_fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+    expected_fingerprint = idp_cert_fingerprint.gsub(":", "").downcase
+    return fingerprint == expected_fingerprint
+  end
+
+  def self._extract_embedded_certificate(xml_document)
+    parsed_document = LibXML::XML::Parser.string(xml_document).parse
+    base64_cert = parsed_document.find_first("//ds:X509Certificate", NAMESPACES).content
+    cert_text = Base64.decode64(base64_cert)
+    cert = OpenSSL::X509::Certificate.new(cert_text)
+    cert
+  end
+
+  def self._dump_doc(doc)
+    ptr = FFI::MemoryPointer.new(:pointer, 1)
+    sizeptr = FFI::MemoryPointer.new(:pointer, 1)
+    C::LibXML.xmlDocDumpFormatMemory(doc, ptr, sizeptr, 1)
+    strptr = ptr.read_pointer
+    result = strptr.null? ? nil : strptr.read_string
+
+    result
+  ensure
+    ptr.free if defined?(ptr) && ptr
+    sizeptr.free if defined?(sizeptr) && sizeptr
+    C::LibXML.xmlFree(strptr) if defined?(strptr) && strptr && !strptr.null?
+  end
+end

metadata

@@ -0,0 +1,97 @@
+--- !ruby/object:Gem::Specification
+name: xml_security
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Paul Hinze
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-02-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby-debug
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.2
+description: See http://github.com/phinze/xml_security
+email: paul.t.hinze@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/xml_security/c/lib_xml.rb
+- lib/xml_security/c/xml_sec.rb
+- lib/xml_security.rb
+homepage: http://github.com/phinze/xml_security
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Ruby bindings into the XMLSec library using ffi.
+test_files: []
+has_rdoc: