xmldsig-fiscalizer 0.2.4

data/lib/xmldsig/transforms.rb

@@ -0,0 +1,26 @@
+module Xmldsig
+  class Transforms < Array
+
+    def apply(node)
+      @node = node
+      each do |transform_node|
+        @node = get_transform(@node, transform_node).transform
+      end
+      @node
+    end
+
+    private
+
+    def get_transform(node, transform_node)
+      case transform_node.get_attribute("Algorithm")
+        when "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+          Transforms::EnvelopedSignature.new(node, transform_node)
+        when "http://www.w3.org/2001/10/xml-exc-c14n#",
+            "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+            "http://www.w3.org/2006/12/xml-c14n11"
+          Transforms::Canonicalize.new(node, transform_node)
+      end
+    end
+
+  end
+end

data/lib/xmldsig/transforms/canonicalize.rb

@@ -0,0 +1,25 @@
+module Xmldsig
+  class Transforms < Array
+    class Canonicalize < Transform
+      def transform
+        self.node = Canonicalizer.new(node, algorithm, inclusive_namespaces).canonicalize
+        node
+      end
+
+      private
+
+      def algorithm
+        transform_node.get_attribute("Algorithm")
+      end
+
+      def inclusive_namespaces
+        inclusive_namespaces = transform_node.at_xpath("descendant::ec:InclusiveNamespaces", Xmldsig::NAMESPACES)
+        if inclusive_namespaces && inclusive_namespaces.has_attribute?("PrefixList")
+          inclusive_namespaces.get_attribute("PrefixList").to_s.split(" ")
+        else
+          []
+        end
+      end
+    end
+  end
+end

data/lib/xmldsig/transforms/enveloped_signature.rb

@@ -0,0 +1,10 @@
+module Xmldsig
+  class Transforms < Array
+    class EnvelopedSignature < Transform
+      def transform
+        node.xpath("descendant::ds:Signature", Xmldsig::NAMESPACES).first.remove
+        node
+      end
+    end
+  end
+end

data/lib/xmldsig/transforms/transform.rb

@@ -0,0 +1,18 @@
+module Xmldsig
+  class Transforms < Array
+    class Transform
+
+      attr_accessor :node, :transform_node
+
+      def initialize(node, transform_node)
+        @node           = node
+        @transform_node = transform_node
+      end
+
+      def transform
+        warn("Transform called but not implemented!")
+        self
+      end
+    end
+  end
+end

data/lib/xmldsig/version.rb

@@ -0,0 +1,3 @@
+module Xmldsig
+  VERSION = '0.2.4'
+end

data/signing_service.rb

@@ -0,0 +1,133 @@
+require 'base64'
+
+class SigningService
+
+  class << self
+    def create_redirect_params(xml, relay_state = "")
+      relay_state = relay_state ? "&RelayState=#{CGI.escape(relay_state)}" : ""
+
+      encoded_xml     = Saml::Encoding.to_http_redirect_binding_param(xml)
+      response_params = "SAMLResponse=#{encoded_xml}#{relay_state}&SigAlg=#{CGI.escape('http://www.w3.org/2000/09/xmldsig#rsa-sha1')}"
+      signature       = CGI.escape(sign_params(:params => response_params, :private_key => Saml::Config.private_key))
+
+      "#{response_params}&Signature=#{signature}"
+    end
+
+    def parse_signature_params(query)
+      params = {}
+      query.split(/[&;]/).each do |pairs|
+        key, value = pairs.split('=',2)
+        params[key] = value
+      end
+
+      relay_state       = params["RelayState"] ? "&RelayState=#{params['RelayState']}" : ""
+      "SAMLRequest=#{params['SAMLRequest']}#{relay_state}&SigAlg=#{params['SigAlg']}"
+    end
+
+    def sign_params(options={})
+      key = OpenSSL::PKey::RSA.new options[:private_key]
+      Base64.encode64(key.sign(OpenSSL::Digest::SHA1.new, options[:params])).gsub("\n", '')
+    end
+
+    def verify_params(options={})
+      cert = OpenSSL::X509::Certificate.new(options[:cert_pem])
+      key  = OpenSSL::PKey::RSA.new cert.public_key
+      key.verify(OpenSSL::Digest::SHA1.new, Base64.decode64(options[:signature]), parse_signature_params(options[:query_string]))
+    end
+
+    def sign!(xml, options={})
+      raise "Missing :id_attr option" if options[:id_attr].nil?
+      in_tmp_dir do
+        options[:private_key_path] = create_tmp_file(options[:private_key])
+        xml_file_path              = create_tmp_file xml
+        command                    = sign_command(xml_file_path, options)
+        result, exitstatus         = run command
+        if exitstatus == 0
+          result
+        else
+          run sign_command(xml_file_path, options.merge(:debug => true))
+          raise "unable to sign xml: #{command}\ngot error #{exitstatus}:\n#{result}"
+        end
+      end
+    end
+
+    # You can add --pubkey rsapub.pem or --trusted rootcert.pem to check that signature
+    # is actually valid. See http://www.aleksey.com/pipermail/xmlsec/2003/001120.html
+    def verify_signature!(xml, options={})
+      in_tmp_dir do
+        if options[:id_attr].blank?
+          raise "Missing :id_attr option"
+        end
+        if options[:cert_pem].blank?
+          raise "Missing :cert_pem option"
+        else
+          options[:cert_path] = create_tmp_file(options[:cert_pem])
+        end
+        command            = verify_command(create_tmp_file(xml), options)
+        result, exitstatus = run command
+        if (exitstatus) != 0
+          raise "unable to validate xml signature: #{command}\ngot error #{exitstatus}:\n#{result}"
+        end
+        result
+      end
+    end
+  end
+
+  def self.logger
+    @logger ||= Logger.new('test.log')
+  end
+
+  private #------------------------------------------------------------------------------
+
+  class << self
+    def in_tmp_dir
+      Dir.mktmpdir do |dir|
+        Dir.chdir(dir) do
+          yield
+        end
+      end
+    end
+
+    def create_tmp_file contents
+      file_path = "signing_tmp_#{Time.now.to_f}_#{::SecureRandom.hex}"
+      File.open(file_path, 'w+') do |f|
+        f.puts contents.to_s.strip
+      end
+      file_path
+    end
+
+    def run command
+      result     = `#{command}`
+      exitstatus = $?.exitstatus
+      if exitstatus != 0
+        logger.error "Got exitstatus '#{exitstatus}' when running #{command}:\n#{result}"
+      end
+      [result, exitstatus]
+    end
+
+    def sign_command(xml_file_path, options)
+      command = xml_sec_command
+      command << " --sign "
+      command << " --print-debug " if options[:debug]
+      command << " --id-attr:#{options[:id_attr]} " if options[:id_attr]
+      command << " --enabled-reference-uris empty,same-doc,local "
+      command << " --privkey-pem #{options[:private_key_path]} " if options[:private_key_path]
+      command << " #{xml_file_path}"
+      command
+    end
+
+    def verify_command(xml_file_path, options)
+      command = xml_sec_command
+      command << " --verify "
+      command << " --print-debug " if options[:debug]
+      command << " --id-attr:#{options[:id_attr]} " if options[:id_attr]
+      command << " --enabled-reference-uris empty,same-doc,local "
+      command << " --pubkey-cert-pem #{options[:cert_path]}" if options[:cert_path]
+      command << " #{xml_file_path} 2>&1"
+    end
+
+    def xml_sec_command
+      "xmlsec1"
+    end
+  end
+end

data/spec/fixtures/certificate.cer

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBADANBgkqhkiG9w0BAQUFADA6MQswCQYDVQQGEwJCRTEN
+MAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVzdDENMAsGA1UEAwwEVGVzdDAeFw0x
+MzAxMTMxNTMzNDNaFw0xNDAxMTMxNTMzNDNaMDoxCzAJBgNVBAYTAkJFMQ0wCwYD
+VQQKDARUZXN0MQ0wCwYDVQQLDARUZXN0MQ0wCwYDVQQDDARUZXN0MIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQC37C0mhTmdr8iVfQPQuOKtzG/fhwG4ILuUX1Vk
+5uN9oSZJxhb5Kn8aBppny1BSekgk12wn4AE/6i7Jfix3SZWoqdaxpdDalvQSdNey
+n6GmV2oP4lzp6XjXmtRxvOywgTYuhf/DBlpiq7B/vTF7kMwYgs0ahM3mRJG2V7LA
+RTXUfwIDAQABo4GXMIGUMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBRkMx3Z
+wHO3Zog0pWdYNB38NRmWMGIGA1UdIwRbMFmAFBRkMx3ZwHO3Zog0pWdYNB38NRmW
+oT6kPDA6MQswCQYDVQQGEwJCRTENMAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVz
+dDENMAsGA1UEAwwEVGVzdIIBADANBgkqhkiG9w0BAQUFAAOBgQBs8voSBDgN7HL1
+i5EP+G/ymWUVenpGvRZCnfkR9Wo4ORzj1Y7ohXHooOzDJ2oi0yDwatXnPpe3hauq
+QDid6d4i7F1Wpgdo2MibqXP8/DPzhuBARvPSzip+yS6ITjqKN/YN4K+kpja2Sh7D
+dxWND3opvVHZTXywjZpdF1OsmNhOCg==
+-----END CERTIFICATE-----

data/spec/fixtures/certificate2.cer

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBADANBgkqhkiG9w0BAQUFADA6MQswCQYDVQQGEwJCRTEN
+MAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVzdDENMAsGA1UEAwwEVGVzdDAeFw0x
+MzAxMTExNTI4MzdaFw0xNDAxMTExNTI4MzdaMDoxCzAJBgNVBAYTAkJFMQ0wCwYD
+VQQKDARUZXN0MQ0wCwYDVQQLDARUZXN0MQ0wCwYDVQQDDARUZXN0MIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQDQnLpvMvXoPGcAsdk2j2AeLLPysVtFc1f6CSGA
+fiIR2dzs8h/MN5R0bFBASDUGUGdYyr0QGcKNtqW/cd3Sr1rS2fh5Bopnq9YS6od6
+J6P3AGIKwmJuIBwwfsvnX3eKGDYeOqmrIo5mdPRAob2D1+FhXbMxeYbRhGMmItC0
+dle7LQIDAQABo4GXMIGUMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM7pPtef
+Oj5Og5wLqI0Lt5UUmw0uMGIGA1UdIwRbMFmAFM7pPtefOj5Og5wLqI0Lt5UUmw0u
+oT6kPDA6MQswCQYDVQQGEwJCRTENMAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVz
+dDENMAsGA1UEAwwEVGVzdIIBADANBgkqhkiG9w0BAQUFAAOBgQBTIt/4/sraPO4g
+mmY2oSGG19I2Fs24pV/bX8xqI10iexpGsxnpCQIeiDTUHamo12vyXDPx8zANdVTh
+FSAWHEESBMLrS8pybbAL7sU4ij4JmfxygGk6OEsc3jKY00NYom+Mg3JObIgtjOIK
+YfrH7uvpm+AIXsef5vrst4MI6GhEAA==
+-----END CERTIFICATE-----

data/spec/fixtures/key.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQC37C0mhTmdr8iVfQPQuOKtzG/fhwG4ILuUX1Vk5uN9oSZJxhb5
+Kn8aBppny1BSekgk12wn4AE/6i7Jfix3SZWoqdaxpdDalvQSdNeyn6GmV2oP4lzp
+6XjXmtRxvOywgTYuhf/DBlpiq7B/vTF7kMwYgs0ahM3mRJG2V7LARTXUfwIDAQAB
+AoGBAKDQkd3niSw2YiVLTQW4UwNyCLOioT80567g+JKkS28yc374BGhS3xWLhoCQ
+xieHogMMlRX8iDsxcT1e5FRc88wtIh4vnpUeV++tU9nqpF9SAZV1HAHsOZwyrNUc
+0nZHgDcyyClirb2wbBG4L+SkrC2kS0MTlx+HiobGpMYsXMh5AkEA4EPrLY7fUaNl
+bzbJb+Thb3M4UsoXzFuFm0Z/H8ty6aw9yi1pxuh8OiyGGFqPB/gl3zUE1LNdTzx5
+xLt93Qdf8wJBANHy1EHwTcNbHJ935NQXF8RpllGyZG1X962NwtJ9x46MTPAhOceU
+9ZU+OCSOvl+7fKjjcw8TsLYiv4q+RMGZKEUCQHPaomOmqzdBceVCKE3lr5AjtbUP
+Mbwgi6TrhkCmmXadxE3tp/dZotNqrNtn7Pvw9Z+ZhCVdg5arZzx6n0rPxIECQDFZ
+oBUj1FOgXhkKCKrmBrsvipsHkN22+Mw971alJDxYtFkZpkhItnVvW6kUOKGuI35b
+gJdBrJ8TieymDulnA/UCQGfl27mqPX4JTzN+RiZHqGyGSzBi1ggH3vsI2oXDQZ7k
+uOAPiLSBR83eeHGkE2C5fn0QfQGgFNDFjC/6Su/Wvt4=
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/signed.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" ID="foo">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces PrefixList="foo"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue>ftoSYFdze1AWgGHF5N9i9SFKThXkqH2AdyzA3/epbJw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>E3yyqsSoxRkhYEuaEtR+SLg85gU5B4a7xUXA+d2Zn6j7F6z73dOd8iYHOusB
+Ty3C/3ujbmPhHKg8uX9kUE8b+YoOqZt4z9pdxAq44nJEuijwi4doIPpHWirv
+BnSoP5IoL0DYzGVrgj8udRzfAw5nNeV7wSrBZEn+yrxmUPJoUZc=</ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/fixtures/signed/ideal.cert

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm8CBgE4cUAd7DANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMCREUxDzANBgNVBAgT
+Bkhlc3NlbjEaMBgGA1UEBxMRRnJhbmtmdXJ0IGFtIE1haW4xDTALBgNVBAoTBFJBQk8xHTAbBgNV
+BAsTFE1lcmNoYW50IFhNTCBTaWduaW5nMRwwGgYDVQQDExNBdG9zIFdvcmxkbGluZSBHbWJIMB4X
+DTEyMDYzMDIyMDAwMFoXDTE3MDcwMTEwMDAwMFowgYYxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZI
+ZXNzZW4xGjAYBgNVBAcTEUZyYW5rZnVydCBhbSBNYWluMQ0wCwYDVQQKEwRSQUJPMR0wGwYDVQQL
+ExRNZXJjaGFudCBYTUwgU2lnbmluZzEcMBoGA1UEAxMTQXRvcyBXb3JsZGxpbmUgR21iSDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+hIul8xb811QmqLg9mzkoHh+0BdnQJZCqyHyFM
+eY7tkFOW8vwi13OxSMGLFzNnehjitMievsx2s5yQW/3NrjG3xLw/18PJrSIgulngs6Cjw9mmIRSn
+FZp3ViZR5aEmjP3aHGxIT7MTqt/AzU6TVaOYur55WmiOFJSA15AN+Onf3U+H06y/kbZlj9+QwKxe
+6jEZnaMlfSyhct5elswqEKjencUUU6qdRmsH8nSXmyrFJstXKlZsygDBJQSWxHqNE4r6lnYmpflC
+76KMNcW1xsp58Qa8axlpZ3UjL+nVtBKw4t+R2ebQcz12N+vv/8TBJd8ckZ+YwW4Cm2fGGcc2CcEC
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAaLXoT+EezVl4YFcFTWI58Zg7C7WujRn+pTSFGN8MLFtx
+MKfujLAMRh3YPVzXr2yE1kdMiMbq7IKtsKpb3PPgD3rb6YrP7zcwzDRxkXs802BgVxCPmdYrsa1i
+PdJReq2VVTKoBHXSiKWowwBQFPOOc1XjFHcJ3Nq5WgssGEjk+puRW+i8GLaIv1KdwVlWLyHNArTs
+W5JCcdtBhnMDz/g3/fRMu4EAnVFVmM75KNztVvgqkt+mZVuXfHfTCSv2RVFbrJvm/xrCmGk1VxDE
+t4zSMdFEi98xh8DOC1oIhMf6JDImL1JyHqTljOIjBCo2uE5TFqQ/QZiOk0IC8Rb9y3lb2g==
+-----END CERTIFICATE-----

data/spec/fixtures/signed/ideal.txt

@@ -0,0 +1,41 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48RGlyZWN0
+b3J5UmVzIHhtbG5zPSJodHRwOi8vd3d3LmlkZWFsZGVzay5jb20vaWRlYWwv
+bWVzc2FnZXMvbWVyLWFjcS8zLjMuMSIgeG1sbnM6bnMyPSJodHRwOi8vd3d3
+LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIiB2ZXJzaW9uPSIzLjMuMSI+CiAg
+ICA8Y3JlYXRlRGF0ZVRpbWVzdGFtcD4yMDEzLTA3LTExVDEwOjA2OjU5Ljg3
+Nlo8L2NyZWF0ZURhdGVUaW1lc3RhbXA+CiAgICA8QWNxdWlyZXI+CiAgICAg
+ICAgPGFjcXVpcmVySUQ+MDAyMDwvYWNxdWlyZXJJRD4KICAgIDwvQWNxdWly
+ZXI+CiAgICA8RGlyZWN0b3J5PgogICAgICAgIDxkaXJlY3RvcnlEYXRlVGlt
+ZXN0YW1wPjIwMTMtMDctMTFUMTA6MDY6NTkuODc2WjwvZGlyZWN0b3J5RGF0
+ZVRpbWVzdGFtcD4KICAgICAgICA8Q291bnRyeT4KICAgICAgICAgICAgPGNv
+dW50cnlOYW1lcz5EZXV0c2NobGFuZDwvY291bnRyeU5hbWVzPgogICAgICAg
+ICAgICA8SXNzdWVyPgogICAgICAgICAgICAgICAgPGlzc3VlcklEPklOR0JO
+TDJBPC9pc3N1ZXJJRD4KICAgICAgICAgICAgICAgIDxpc3N1ZXJOYW1lPklz
+c3VlciBTaW11bGF0aW9uIFYzIC0gSU5HPC9pc3N1ZXJOYW1lPgogICAgICAg
+ICAgICA8L0lzc3Vlcj4KICAgICAgICAgICAgPElzc3Vlcj4KICAgICAgICAg
+ICAgICAgIDxpc3N1ZXJJRD5SQUJPTkwyVTwvaXNzdWVySUQ+CiAgICAgICAg
+ICAgICAgICA8aXNzdWVyTmFtZT5Jc3N1ZXIgU2ltdWxhdGlvbiBWMyAtIFJB
+Qk88L2lzc3Vlck5hbWU+CiAgICAgICAgICAgIDwvSXNzdWVyPgogICAgICAg
+IDwvQ291bnRyeT4KICAgIDwvRGlyZWN0b3J5Pgo8U2lnbmF0dXJlIHhtbG5z
+PSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48U2lnbmVk
+SW5mbz48Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6
+Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxTaWduYXR1
+cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0
+L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2Ii8+PFJlZmVyZW5jZSBVUkk9IiI+
+PFRyYW5zZm9ybXM+PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cu
+dzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+
+PC9UcmFuc2Zvcm1zPjxEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8v
+d3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48RGlnZXN0VmFs
+dWU+a2NnajNnSWppMFk1OEJ4MlhTTUFNZytUNmhqa21HbWhTNWFRc21IUW4r
+MD08L0RpZ2VzdFZhbHVlPjwvUmVmZXJlbmNlPjwvU2lnbmVkSW5mbz48U2ln
+bmF0dXJlVmFsdWU+bHNXOUo2bXVPWWpFMVJpMGgwZHNFYVRqTU96MEs0RnFv
+bnlOamNIbkFONTE2Um9HOTZDcGxvQWJRdHBhUlAva0trajBlRUh4UWVXeQoy
+WFZHcHliYjRTUjNqdU96ZlM3b21rcHhoeXZqZkJVSStjNUZrUTBma1dmOHFB
+YVRxeUxoSXhhVGtGZHpNZ0xvKy9CU3QvNExuenFZClVmcDRLR1hlQmpDZHRU
+Mmg0R2F3eFo4c0Y1cUlXQzg5SUl5UkNwMXhuVmUzQlVlTkc3RmNSN3dlV1dY
+MGhIZDZhaHF6aUxTMnFWYW8KRUZZdmRaK003ajVWZ0hndUt2aWtlK01tKzlW
+Mmo0UlVuMVJobWg5R2ZsR1VzK2c4SWtWRmtibkdQQ3JJVm5HOElUOWYrOSsr
+cFQzegpPMGJ5NzZKWXVRRDdnWFFrMnZ3dFBkVjFMTHBRMHdoMjJ2UUtrUT09
+PC9TaWduYXR1cmVWYWx1ZT48S2V5SW5mbz48S2V5TmFtZT5GQzBBMTdBN0FC
+RDcyMzY5NzI2RUE0RDREQkVGOTgzODEyOEE3Qzc4PC9LZXlOYW1lPjwvS2V5
+SW5mbz48L1NpZ25hdHVyZT48L0RpcmVjdG9yeVJlcz4=

data/spec/fixtures/unsigned.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces PrefixList="foo"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/fixtures/unsigned/canonicalizer_1_0.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/fixtures/unsigned/canonicalizer_1_1.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/fixtures/unsigned/canonicalizer_exc.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces PrefixList="foo"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>