xmldsig-fiscalizer 0.2.4

data/spec/fixtures/unsigned/digest_sha1.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces PrefixList="foo"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/fixtures/unsigned/with_soap_envelope.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <soapenv:Body>
+    <samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" ID="_91e79cb2e8cded9a7fd4d68dc480b49d2d1adf88" Version="2.0" IssueInstant="2013-01-17T09:02:44Z">
+      <ds:Signature>
+        <ds:SignedInfo>
+          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+          <ds:Reference>
+            <ds:Transforms>
+              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+                <ec:InclusiveNamespaces PrefixList="ds saml samlp xs"/>
+              </ds:Transform>
+            </ds:Transforms>
+            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+            <ds:DigestValue></ds:DigestValue>
+          </ds:Reference>
+        </ds:SignedInfo>
+        <ds:SignatureValue></ds:SignatureValue>
+        <ds:KeyInfo/>
+      </ds:Signature>
+      <samlp:Status>
+        <samlp:StatusCode/>
+      </samlp:Status>
+      <samlp:Response ID="_5a88b4aeb1d290c86073874278e5ef302da66739" Version="2.0" IssueInstant="2013-01-17T09:02:44Z">
+        <samlp:Status>
+          <samlp:StatusCode/>
+        </samlp:Status>
+      </samlp:Response>
+    </samlp:ArtifactResponse>
+  </soapenv:Body>
+</soapenv:Envelope>

data/spec/fixtures/unsigned/without_canonicalization.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/fixtures/unsigned/without_namespace_prefix.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/fixtures/unsigned/without_reference_uri.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference>
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces PrefixList="foo"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/fixtures/unsigned_multiple_references.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0"?>
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
+  <soapenv:Header></soapenv:Header>
+  <soapenv:Body>
+
+    <SomeMethod ID="Data-1">
+      <Data>some Content</Data>
+    </SomeMethod>
+
+    <Timestamp ID="Timestamp-1">
+      <Created>2010-10-25T12:09:44Z</Created>
+      <Expires>2010-10-25T12:14:44Z</Expires>
+    </Timestamp>
+
+    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+      <SignedInfo>
+        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+        <Reference URI="#Timestamp-1">
+          <Transforms>
+            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </Transforms>
+          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+          <DigestValue></DigestValue>
+        </Reference>
+        <Reference URI="#Data-1">
+          <Transforms>
+            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </Transforms>
+          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+          <DigestValue></DigestValue>
+        </Reference>
+      </SignedInfo>
+      <SignatureValue></SignatureValue>
+    </Signature>
+
+  </soapenv:Body>
+</soapenv:Envelope>

data/spec/fixtures/unsigned_nested_signature.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:baz="http://example.com/baz#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces PrefixList="foo baz"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+  <baz:Baz ID="baz">
+    <ds:Signature>
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+        <ds:Reference URI="#baz">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+              <ec:InclusiveNamespaces PrefixList="foo baz"/>
+            </ds:Transform>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+          <ds:DigestValue></ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue></ds:SignatureValue>
+    </ds:Signature>
+  </baz:Baz>
+</foo:Foo>

data/spec/lib/xmldsig/reference_spec.rb

@@ -0,0 +1,65 @@
+require "spec_helper"
+
+describe Xmldsig::Reference do
+  let(:document) { Nokogiri::XML::Document.parse File.read("spec/fixtures/signed.xml") }
+  let(:reference) { Xmldsig::Reference.new(document.at_xpath('//ds:Reference', Xmldsig::NAMESPACES)) }
+
+  describe "#digest_value" do
+    it "returns the digest value in the xml" do
+      reference.digest_value.should == Base64.decode64("ftoSYFdze1AWgGHF5N9i9SFKThXkqH2AdyzA3/epbJw=")
+    end
+  end
+
+  describe "#document" do
+    it "returns the document" do
+      reference.document.should == document
+    end
+  end
+
+  describe "#sign" do
+    let(:document) { Nokogiri::XML::Document.parse File.read("spec/fixtures/unsigned.xml") }
+
+    it "sets the correct digest value" do
+      reference.sign
+      reference.digest_value.should == Base64.decode64("ftoSYFdze1AWgGHF5N9i9SFKThXkqH2AdyzA3/epbJw=")
+    end
+  end
+
+  describe "#referenced_node" do
+    it "returns the referenced_node by id" do
+      reference.referenced_node.to_s.should ==
+        document.at_xpath("//*[@ID='foo']").to_s
+    end
+
+    it "returns the referenced node by parent" do
+      reference.stub(:reference_uri).and_return("")
+      reference.referenced_node.to_s.should ==
+        document.root.to_s
+    end
+
+    it "returns the reference node when using WS-Security style id attribute" do
+      node = document.at_xpath('//*[@ID]')
+      node.add_namespace('wsu', Xmldsig::NAMESPACES['wsu'])
+      node['wsu:Id'] = node['ID']
+      node.remove_attribute('ID')
+
+      reference.referenced_node.
+        attribute_with_ns('Id', Xmldsig::NAMESPACES['wsu']).value.
+        should == 'foo'
+    end
+
+    it "raises ReferencedNodeNotFound when the refenced node is not present" do
+      node = document.at_xpath('//*[@ID]')
+      node.remove_attribute('ID')
+
+      expect { reference.referenced_node }.
+        to raise_error(Xmldsig::Reference::ReferencedNodeNotFound)
+    end
+  end
+
+  describe "#reference_uri" do
+    it "returns the reference uri" do
+      reference.reference_uri.should == "#foo"
+    end
+  end
+end

data/spec/lib/xmldsig/signature_spec.rb

@@ -0,0 +1,100 @@
+require 'spec_helper'
+
+describe Xmldsig::Signature do
+  let(:certificate) { OpenSSL::X509::Certificate.new(File.read("spec/fixtures/certificate.cer")) }
+  let(:other_certificate) { OpenSSL::X509::Certificate.new(File.read("spec/fixtures/certificate2.cer")) }
+  let(:private_key) { OpenSSL::PKey::RSA.new(File.read("spec/fixtures/key.pem")) }
+  let(:document) { Nokogiri::XML::Document.parse File.read("spec/fixtures/signed.xml") }
+  let(:signature_node) { document.at_xpath("//ds:Signature", Xmldsig::NAMESPACES) }
+  let(:signature) { Xmldsig::Signature.new(signature_node) }
+
+  describe "#sign" do
+    let(:document) { Nokogiri::XML::Document.parse File.read("spec/fixtures/unsigned.xml") }
+    let(:signature_node) { document.at_xpath("//ds:Signature", Xmldsig::NAMESPACES) }
+    let(:signature) { Xmldsig::Signature.new(signature_node) }
+
+    before :each do
+      signature.sign(private_key)
+    end
+
+    it "sets the digest value" do
+      signature.references.first.digest_value.should == Base64.decode64("ftoSYFdze1AWgGHF5N9i9SFKThXkqH2AdyzA3/epbJw=")
+    end
+
+    it "sets the signature value" do
+      signature.signature_value.should == Base64.decode64("
+        E3yyqsSoxRkhYEuaEtR+SLg85gU5B4a7xUXA+d2Zn6j7F6z73dOd8iYHOusB
+        Ty3C/3ujbmPhHKg8uX9kUE8b+YoOqZt4z9pdxAq44nJEuijwi4doIPpHWirv
+        BnSoP5IoL0DYzGVrgj8udRzfAw5nNeV7wSrBZEn+yrxmUPJoUZc=
+      ")
+    end
+
+    it "accepts a block" do
+      signature.sign do |data, signature_algorithm|
+        signature_algorithm.should == "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+        private_key.sign(OpenSSL::Digest::SHA256.new, data)
+      end
+      signature.signature_value.should == Base64.decode64("
+        E3yyqsSoxRkhYEuaEtR+SLg85gU5B4a7xUXA+d2Zn6j7F6z73dOd8iYHOusB
+        Ty3C/3ujbmPhHKg8uX9kUE8b+YoOqZt4z9pdxAq44nJEuijwi4doIPpHWirv
+        BnSoP5IoL0DYzGVrgj8udRzfAw5nNeV7wSrBZEn+yrxmUPJoUZc=
+      ")
+    end
+
+    describe "multiple references" do
+      let(:document) { Nokogiri::XML::Document.parse File.read("spec/fixtures/unsigned_multiple_references.xml") }
+
+      it "can sign the document" do
+        signature.sign(private_key)
+        signature.should be_valid(certificate)
+      end
+
+      it "gets a digest per reference" do
+        signature.references.count.should be == 2
+        signature.sign(private_key)
+        signature.references[0].digest_value.should be == Base64.decode64("P1nUq8Y/LPmd+EON/mcNMNRjT78=")
+        signature.references[1].digest_value.should be == Base64.decode64("RoGAaQeuNJuDMWcgsD7RuGbFACo=")
+      end
+    end
+  end
+
+  describe "#signed_info" do
+    it "returns the canonicalized signed info element" do
+      signature.signed_info.to_s.should ==
+          document.at_xpath("//ds:SignedInfo", Xmldsig::NAMESPACES).to_s
+    end
+  end
+
+  describe "#signature_value" do
+    it "returns the signature value" do
+      signature.signature_value.should ==
+          Base64.decode64(document.at_xpath("//ds:SignatureValue", Xmldsig::NAMESPACES).content)
+    end
+  end
+
+  describe "#valid?" do
+    it "returns true with the correct certificate" do
+      signature.valid?(certificate).should be_true
+    end
+
+    it "returns false if the xml changed" do
+      signature.references.first.stub(:document).and_return(
+        Nokogiri::XML::Document.parse(File.read("spec/fixtures/signed.xml").gsub("\s\s", "\s"))
+      )
+      signature.valid?(certificate)
+      signature.errors.should include(:digest_value)
+    end
+
+    it "returns false with a difference certificate" do
+      signature.valid?(other_certificate).should be_false
+    end
+
+    it "accepts a block" do
+      signature.valid? do |signature_value, data, signature_algorithm|
+        signature_algorithm.should == "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+        certificate.public_key.verify(OpenSSL::Digest::SHA256.new, signature_value, data)
+      end
+      signature.errors.should be_empty
+    end
+  end
+end

data/spec/lib/xmldsig/signed_document_spec.rb

@@ -0,0 +1,94 @@
+require 'spec_helper'
+
+describe Xmldsig::SignedDocument do
+  let(:signed_xml) { File.read("spec/fixtures/signed.xml") }
+  let(:signed_document) { Xmldsig::SignedDocument.new(signed_xml) }
+  let(:unsigned_xml) { File.read("spec/fixtures/unsigned.xml") }
+  let(:unsigned_document) { Xmldsig::SignedDocument.new(unsigned_xml) }
+  let(:private_key) { OpenSSL::PKey::RSA.new(File.read("spec/fixtures/key.pem")) }
+  let(:certificate) { OpenSSL::X509::Certificate.new(File.read("spec/fixtures/certificate.cer")) }
+  let(:other_certificate) { OpenSSL::X509::Certificate.new(File.read("spec/fixtures/certificate2.cer")) }
+
+  describe "#initialize" do
+    it "sets the document to a nokogiri document" do
+      document = described_class.new(signed_xml)
+      document.document.should be_a(Nokogiri::XML::Document)
+    end
+  end
+
+  describe "#signatures" do
+    let(:unsigned_xml) { File.read("spec/fixtures/unsigned_nested_signature.xml") }
+    let(:unsigned_document) { Xmldsig::SignedDocument.new(unsigned_xml) }
+
+    it "returns only the signed nodes" do
+      signed_document.signatures.should be_all { |signature| signature.is_a?(Xmldsig::Signature) }
+    end
+
+    it "returns the nested signatures first" do
+      unsigned_document.signatures.first.references.first.reference_uri.should == '#baz'
+    end
+  end
+
+  describe "#signed_nodes" do
+    it "returns only the signed nodes" do
+      signed_document.signed_nodes.collect(&:name).should == %w(Foo)
+    end
+  end
+
+  describe "#validate" do
+    it "returns true if the signature and digest value are correct" do
+      signed_document.validate(certificate).should be_true
+    end
+
+    it "returns false if the certificate is not valid" do
+      signed_document.validate(other_certificate).should be_false
+    end
+
+    it "returns false if there are no signatures and validation is strict" do
+      xml_without_signature = Xmldsig::SignedDocument.new('<foo></foo>')
+      xml_without_signature.validate(certificate).should be_false
+    end
+
+    it "accepts a block" do
+      signed_document.validate do |signature_value, data|
+        certificate.public_key.verify(OpenSSL::Digest::SHA256.new, signature_value, data)
+      end.should be_true
+    end
+  end
+
+  describe "#sign" do
+    it "returns a signed document" do
+      signed_document = unsigned_document.sign(private_key)
+      Xmldsig::SignedDocument.new(signed_document).validate(certificate).should be_true
+    end
+
+    it "accepts a block" do
+      signed_document = unsigned_document.sign do |data|
+        private_key.sign(OpenSSL::Digest::SHA256.new, data)
+      end
+      Xmldsig::SignedDocument.new(signed_document).validate(certificate).should be_true
+    end
+  end
+
+
+  describe "Nested Signatures" do
+    let(:unsigned_xml) { File.read("spec/fixtures/unsigned_nested_signature.xml") }
+    let(:unsigned_document) { Xmldsig::SignedDocument.new(unsigned_xml) }
+    let(:signed_document) { unsigned_document.sign(private_key) }
+
+    it "when signed should be valid" do
+      Xmldsig::SignedDocument.new(signed_document).validate(certificate).should be_true
+    end
+
+    it "should sign 2 elements" do
+      unsigned_document.signed_nodes.count.should == 2
+    end
+
+    it "allows individual signs" do
+      unsigned_document.signatures.last.sign(private_key)
+      unsigned_document.validate(certificate).should be_false
+      unsigned_document.signatures.last.valid?(certificate).should be_true
+    end
+  end
+
+end