xml_security 0.0.1 → 0.0.3

data/lib/xml_security.rb

@@ -25,10 +25,13 @@
 require 'rubygems'
 require 'ffi'
 
+require 'xml_security/c/libc'
 require 'xml_security/c/lib_xml'
 require 'xml_security/c/xml_sec'
 
-require 'ruby-debug'
+require 'time'
+require 'base64'
+require 'digest/sha1'
 
 module XMLSecurity
   NAMESPACES = {
@@ -103,11 +106,8 @@ module XMLSecurity
     C::XMLSec.xmlSecDSigCtxDestroy(digital_signature_context) if defined?(digital_signature_context) && !digital_signature_context.null?
   end
 
-  def self.verify_signature(signed_xml_document, cert_fingerprint=nil)
+  def self.verify_signature(signed_xml_document, options={})
     init
-    if cert_fingerprint
-      return false unless _fingerprint_matches?(cert_fingerprint, cert)
-    end
 
     doc = C::LibXML.xmlParseMemory(signed_xml_document, signed_xml_document.size)
     raise "could not parse XML document" if doc.null?
@@ -115,6 +115,12 @@ module XMLSecurity
     doc_root = C::LibXML.xmlDocGetRootElement(doc)
     raise "could not get doc root" if doc_root.null?
 
+    # add the ID attribute as an id. yeah, hacky
+    idary = FFI::MemoryPointer.new(:pointer, 2)
+    idary[0].put_pointer(0, FFI::MemoryPointer.from_string("ID"))
+    idary[1].put_pointer(0, nil)
+    C::XMLSec.xmlSecAddIDs(doc, doc_root, idary)
+
     keys_manager = _init_keys_manager
 
     digital_signature_context = C::XMLSec.xmlSecDSigCtxCreate(keys_manager)
@@ -126,26 +132,28 @@ module XMLSecurity
     signature_node = C::XMLSec.xmlSecFindNode(doc_root, C::XMLSec.xmlSecNodeSignature, C::XMLSec.xmlSecDSigNs)
     raise "signature node not found" if signature_node.null?
 
-    key_info_node = C::XMLSec.xmlSecFindNode(signature_node, C::XMLSec.xmlSecNodeKeyInfo, C::XMLSec.xmlSecDSigNs)
-    raise "key_info node not found" if key_info_node.null?
-
     certificate_node = C::XMLSec.xmlSecFindNode(signature_node, C::XMLSec.xmlSecNodeX509Certificate, C::XMLSec.xmlSecDSigNs)
     raise "certificate node not found" if certificate_node.null?
 
     key = C::XMLSec.xmlSecKeyCreate
     raise "error while allocating security key" if key.null?
 
-    certptr = C::LibXML.xmlNodeGetContent(certificate_node)
-    raise "error while reading certificate node" if certptr.null?
-    cert64 = certptr.read_string
-    # C::LibXML.xmlFree(certptr)
+    cert64ptr = C::LibXML.xmlNodeGetContent(certificate_node)
+    raise "error while reading certificate node" if cert64ptr.null?
+    cert64 = cert64ptr.read_string
+    C::LibXML.xmlFree(cert64ptr)
 
-    certptr = FFI::MemoryPointer.new(:uchar, cert64.size)
+    cert = Base64.decode64(cert64)
 
-    bytesout = C::XMLSec.xmlSecBase64Decode(cert64, certptr, certptr.size)
-    cert = certptr.read_bytes(bytesout)
+    if options.has_key? :cert_fingerprint
+      return false unless _fingerprint_matches?(options[:cert_fingerprint], cert)
+    end
 
-    key_add_result = C::XMLSec.xmlSecOpenSSLAppKeysMngrCertLoadMemory(keys_manager, cert, cert.size, :xmlSecKeyDataFormatDer, C::XMLSec.xmlSecKeyDataTypeTrusted)
+    if options.has_key? :as_of
+      digital_signature_context[:keyInfoReadCtx][:certsVerificationTime] = Time.parse(options[:as_of]).to_i
+    end
+
+    key_add_result = C::XMLSec.xmlSecOpenSSLAppKeysMngrCertLoadMemory(keys_manager, cert, cert.size, :xmlSecKeyDataFormatCertDer, C::XMLSec.xmlSecKeyDataTypeTrusted)
     raise "failed to add key to keys manager" if key_add_result < 0
 
     if C::XMLSec.xmlSecDSigCtxVerify(digital_signature_context, signature_node) < 0
@@ -190,6 +198,12 @@ module XMLSecurity
     _dump_doc(doc)
   end
 
+  def self.mute(&block)
+    C::XMLSec.xmlSecErrorsDefaultCallbackEnableOutput(false)
+    block.call
+    C::XMLSec.xmlSecErrorsDefaultCallbackEnableOutput(true)
+  end
+
   def self._init_keys_manager
     keys_manager = C::XMLSec.xmlSecKeysMngrCreate
     raise "failed to create keys manager" if keys_manager.null?
@@ -201,37 +215,10 @@ module XMLSecurity
     keys_manager
   end
 
-  def self._format_cert(cert)
-    # re-encode the certificate in the proper format
-    # this snippet is from http://bugs.ruby-lang.org/issues/4421
-    rsa = cert.public_key
-    modulus = rsa.n
-    exponent = rsa.e
-    oid = OpenSSL::ASN1::ObjectId.new("rsaEncryption")
-    alg_id = OpenSSL::ASN1::Sequence.new([oid, OpenSSL::ASN1::Null.new(nil)])
-    ary = [OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)]
-    pub_key = OpenSSL::ASN1::Sequence.new(ary)
-    enc_pk = OpenSSL::ASN1::BitString.new(pub_key.to_der)
-    subject_pk_info = OpenSSL::ASN1::Sequence.new([alg_id, enc_pk])
-    base64 = Base64.encode64(subject_pk_info.to_der)
-
-    # This is the equivalent to the X.509 encoding used in >= 1.9.3
-    "-----BEGIN PUBLIC KEY-----\n#{base64}-----END PUBLIC KEY-----"
-  end
-
-
   def self._fingerprint_matches?(expected_fingerprint, cert)
-    cert_fingerprint = Digest::SHA1.hexdigest(cert.to_der)
-    expected_fingerprint = idp_cert_fingerprint.gsub(":", "").downcase
-    return fingerprint == expected_fingerprint
-  end
-
-  def self._extract_embedded_certificate(xml_document)
-    parsed_document = LibXML::XML::Parser.string(xml_document).parse
-    base64_cert = parsed_document.find_first("//ds:X509Certificate", NAMESPACES).content
-    cert_text = Base64.decode64(base64_cert)
-    cert = OpenSSL::X509::Certificate.new(cert_text)
-    cert
+    cert_fingerprint = Digest::SHA1.hexdigest(cert)
+    expected_fingerprint = expected_fingerprint.gsub(":", "").downcase
+    return cert_fingerprint == expected_fingerprint
   end
 
   def self._dump_doc(doc)

data/lib/xml_security/c/lib_xml.rb

@@ -1,12 +1,30 @@
-require 'ffi'
-require 'ffi/libc'
-
 module XMLSecurity
   module C
     module LibXML
       extend FFI::Library
       ffi_lib 'libxml2'
 
+      class XmlNode < FFI::Struct
+        layout \
+           :_private,   :pointer,
+           :type,       :int,          # <- cheating, actually an xmlElementType enum
+           :name,       :string,
+           :children,   XmlNode.by_ref,
+           :last,       :pointer,
+           :parent,     :pointer,
+           :next,       :pointer,
+           :prev,       :pointer,
+           :doc,        :pointer,
+
+           :ns,         :pointer,
+           :content,    :string,
+           :properties, :pointer,
+           :nsDef,      :pointer,
+           :psvi,       :pointer,
+           :line,       :ushort,
+           :extra,      :ushort
+      end
+
       # libxml functions
       attach_function :xmlInitParser, [], :void
       attach_function :xmlDocGetRootElement, [ :pointer ], :pointer
@@ -29,11 +47,11 @@ module XMLSecurity
       # attach_function :xmlMalloc, [ :int ], :pointer
 
       def self.xmlMalloc(*args)
-        FFI::LibC.malloc(*args)
+        C::LibC.malloc(*args)
       end
 
       def self.xmlFree(*args)
-        FFI::LibC.free(*args)
+        C::LibC.free(*args)
       end
 
       def self.init

data/lib/xml_security/c/libc.rb

@@ -0,0 +1,11 @@
+module XMLSecurity
+  module C
+    module LibC
+      extend FFI::Library
+      ffi_lib [FFI::CURRENT_PROCESS, 'c']
+
+      attach_function :malloc, [:size_t], :pointer
+      attach_function :free, [:pointer], :void
+    end
+  end
+end

data/lib/xml_security/c/xml_sec.rb

@@ -147,7 +147,7 @@ module XMLSecurity
           :signMethod,                  :pointer,     # xmlSecTransformPtr
           :c14nMethod,                  :pointer,     # xmlSecTransformPtr
           :preSignMemBufMethod,         :pointer,     # xmlSecTransformPtr
-          :signValueNode,               :pointer,     # xmlNodePtr
+          :signValueNode,               LibXML::XmlNode.by_ref,     # xmlNodePtr
           :id,                          :string,
           :signedInfoReferences,        XmlSecPtrList,
           :manifestReferences,          XmlSecPtrList,
@@ -158,7 +158,7 @@ module XMLSecurity
       # xmlsec functions
       attach_function :xmlSecInit, [], :int
       attach_function :xmlSecParseMemory, [ :pointer, :uint, :int ], :pointer
-      attach_function :xmlSecFindNode, [ :pointer, :string, :string ], :pointer
+      attach_function :xmlSecFindNode, [ :pointer, :string, :string ], LibXML::XmlNode.by_ref
       attach_function :xmlSecFindChild, [ :pointer, :string, :string ], :pointer
       attach_function :xmlSecDSigCtxCreate, [ :pointer ], XmlSecDSigCtx.by_ref
       attach_function :xmlSecDSigCtxVerify, [ XmlSecDSigCtx.by_ref, :pointer ], :int
@@ -209,7 +209,10 @@ module XMLSecurity
 
       attach_function :xmlSecShutdown, [], :void
 
+      attach_function :xmlSecErrorsDefaultCallbackEnableOutput, [ :bool ], :void
+
       XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS = 0x00000200
+      XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS = 0x00004000
 
       def self.xmlSecNodeSignature
         'Signature'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: xml_security
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.3
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-06 00:00:00.000000000 Z
+date: 2013-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -27,38 +27,6 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: ruby-debug
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 1.3.2
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 1.3.2
 description: See http://github.com/phinze/xml_security
 email: paul.t.hinze@gmail.com
 executables: []
@@ -67,6 +35,7 @@ extra_rdoc_files: []
 files:
 - README.md
 - lib/xml_security/c/lib_xml.rb
+- lib/xml_security/c/libc.rb
 - lib/xml_security/c/xml_sec.rb
 - lib/xml_security.rb
 homepage: http://github.com/phinze/xml_security