xmldsig-fiscalizer 0.2.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 2af9d1508d566e056ff120a185ca6a714b1da10f
+  data.tar.gz: eaeedd065b180313b84e6919ef386ecd98b7169c
+SHA512:
+  metadata.gz: fb6470d68f64f84802c1fa60c5cd5c6edcf8059d077a6c292bb1dcee729a7114e0a656007b061e9872d0755348fd8a35350109cdf1e064de58f4a6308277838d
+  data.tar.gz: 909f60a9657222993191e72e7d69de72ad07bdac7aa2afcf9eaf1e72c72eec4349b74dea5bb206e777ecc63e58b179b11116d32d84cdac16829c06cd313a4b5c

data/.gitignore

@@ -0,0 +1,19 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+.rvmrc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.idea

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.0.0
+  - 1.9.3

data/CHANGELOG.md

@@ -0,0 +1,4 @@
+# Changelog
+
+v0.2.2 3-8-2013
+- added default canonicalization

data/Gemfile

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in xmldsig.gemspec
+gemspec
+
+group :test, :development do
+  gem 'simplecov'
+  gem 'rspec'
+  gem 'guard-rspec'
+  gem 'rb-fsevent', '~> 0.9.1'
+  gem 'rake'
+end

data/Guardfile

@@ -0,0 +1,24 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard 'rspec' do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+
+  # Rails example
+  watch(%r{^app/(.+)\.rb$})                           { |m| "spec/#{m[1]}_spec.rb" }
+  watch(%r{^app/(.*)(\.erb|\.haml)$})                 { |m| "spec/#{m[1]}#{m[2]}_spec.rb" }
+  watch(%r{^app/controllers/(.+)_(controller)\.rb$})  { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
+  watch(%r{^spec/support/(.+)\.rb$})                  { "spec" }
+  watch('config/routes.rb')                           { "spec/routing" }
+  watch('app/controllers/application_controller.rb')  { "spec/controllers" }
+
+  # Capybara features specs
+  watch(%r{^app/views/(.+)/.*\.(erb|haml)$})          { |m| "spec/features/#{m[1]}_spec.rb" }
+
+  # Turnip features and steps
+  watch(%r{^spec/acceptance/(.+)\.feature$})
+  watch(%r{^spec/acceptance/steps/(.+)_steps\.rb$})   { |m| Dir[File.join("**/#{m[1]}.feature")][0] || 'spec/acceptance' }
+end
+

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2013 benoist
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,80 @@
+[![Build Status](https://secure.travis-ci.org/benoist/xmldsig.png?branch=master)](http://travis-ci.org/benoist/xmldsig)
+# Xmldsig
+
+This gem is a (partial) implementation of the XMLDsig specification (http://www.w3.org/TR/xmldsig-core)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'xmldsig'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install xmldsig
+
+## Usage
+
+```ruby
+unsigned_xml = <<-XML
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces PrefixList="foo"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>
+XML
+
+private_key = OpenSSL::PKey::RSA.new(File.read("key.pem"))
+certificate = OpenSSL::X509::Certificate.new(File.read("certificate.cer"))
+
+unsigned_document = Xmldsig::SignedDocument.new(unsigned_xml)
+signed_xml = unsigned_document.sign(private_key)
+
+# With block
+signed_xml = unsigned_document.sign do |data|
+  private_key.sign(OpenSSL::Digest::SHA256.new, data)
+end
+
+# Validation
+
+signed_document = Xmldsig::SignedDocument.new(signed_xml)
+signed_document.validate(certificate)
+
+# With block
+signed_document = Xmldsig::SignedDocument.new(signed_xml)
+signed_document.validate do |signature_value, data|
+  certificate.public_key.verify(OpenSSL::Digest::SHA256.new, signature_value, data)
+end
+```
+
+## Known issues
+
+1. Windows in app purchase verification requires extra whitespace removal: https://github.com/benoist/xmldsig/issues/13
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,10 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:core) do |spec|
+  spec.rspec_opts = ['--backtrace']
+end
+
+task :default => [:core]

data/lib/xmldsig.rb

@@ -0,0 +1,20 @@
+require "nokogiri"
+require "openssl"
+require "base64"
+require "xmldsig/version"
+require "xmldsig/canonicalizer"
+require "xmldsig/signed_document"
+require "xmldsig/transforms/transform"
+require "xmldsig/transforms/canonicalize"
+require "xmldsig/transforms/enveloped_signature"
+require "xmldsig/transforms"
+require "xmldsig/reference"
+require "xmldsig/signature"
+
+module Xmldsig
+  NAMESPACES = {
+      "ds"  => "http://www.w3.org/2000/09/xmldsig#",
+      "ec"  => "http://www.w3.org/2001/10/xml-exc-c14n#",
+      "wsu" => "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+  }
+end

data/lib/xmldsig/canonicalizer.rb

@@ -0,0 +1,30 @@
+module Xmldsig
+  class Canonicalizer
+    attr_accessor :node, :method, :inclusive_namespaces
+
+    def initialize(node, method = nil, inclusive_namespaces = [])
+      @node = node
+      @method = method
+      @inclusive_namespaces = inclusive_namespaces
+    end
+
+    def canonicalize
+      node.canonicalize(mode(method), inclusive_namespaces)
+    end
+
+    private
+
+    def mode(method)
+      case method
+        when "http://www.w3.org/2001/10/xml-exc-c14n#"
+          Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
+          Nokogiri::XML::XML_C14N_1_0
+        when "http://www.w3.org/2006/12/xml-c14n11"
+          Nokogiri::XML::XML_C14N_1_1
+        else
+          Nokogiri::XML::XML_C14N_1_0
+      end
+    end
+  end
+end

data/lib/xmldsig/reference.rb

@@ -0,0 +1,80 @@
+module Xmldsig
+  class Reference
+    attr_accessor :reference, :errors
+
+    class ReferencedNodeNotFound < Exception;
+    end
+
+    def initialize(reference)
+      @reference = reference
+      @errors    = []
+    end
+
+    def document
+      reference.document
+    end
+
+    def sign
+      self.digest_value = calculate_digest_value
+    end
+
+    def referenced_node
+      if reference_uri && reference_uri != ""
+        id = reference_uri[1..-1]
+        if ref = document.dup.at_xpath("//*[@ID='#{id}' or @Id='#{id}' or @id='#{id}' or @wsu:Id='#{id}']", NAMESPACES)
+          ref
+        else
+          raise(
+              ReferencedNodeNotFound,
+              "Could not find the referenced node #{id}'"
+          )
+        end
+      else
+        document.dup.root
+      end
+    end
+
+    def reference_uri
+      reference.get_attribute("URI")
+    end
+
+    def digest_value
+      Base64.decode64 reference.at_xpath("descendant::ds:DigestValue", NAMESPACES).content
+    end
+
+    def calculate_digest_value
+      transformed = transforms.apply(referenced_node)
+      case transformed
+        when String
+          digest_method.digest transformed
+        when Nokogiri::XML::Node
+          digest_method.digest Canonicalizer.new(transformed).canonicalize
+      end
+    end
+
+    def digest_method
+      algorithm = reference.at_xpath("descendant::ds:DigestMethod", NAMESPACES).get_attribute("Algorithm")
+      case algorithm
+        when "http://www.w3.org/2001/04/xmlenc#sha256"
+          Digest::SHA2
+        when "http://www.w3.org/2000/09/xmldsig#sha1"
+          Digest::SHA1
+      end
+    end
+
+    def digest_value=(digest_value)
+      reference.at_xpath("descendant::ds:DigestValue", NAMESPACES).content =
+          Base64.encode64(digest_value).chomp
+    end
+
+    def transforms
+      Transforms.new(reference.xpath("descendant::ds:Transform", NAMESPACES))
+    end
+
+    def validate_digest_value
+      unless digest_value == calculate_digest_value
+        @errors << :digest_value
+      end
+    end
+  end
+end

data/lib/xmldsig/signature.rb

@@ -0,0 +1,93 @@
+module Xmldsig
+  class Signature
+    attr_accessor :signature
+
+    def initialize(signature)
+      @signature = signature
+    end
+
+    def references
+      @references ||= signature.xpath("descendant::ds:Reference", NAMESPACES).map do |node|
+        Reference.new(node)
+      end
+    end
+
+    def errors
+      references.flat_map(&:errors) + @errors
+    end
+
+    def sign(private_key = nil, &block)
+      references.each(&:sign)
+      self.signature_value = calculate_signature_value(private_key, &block)
+    end
+
+    def signed_info
+      signature.at_xpath("descendant::ds:SignedInfo", NAMESPACES)
+    end
+
+    def signature_value
+      Base64.decode64 signature.at_xpath("descendant::ds:SignatureValue", NAMESPACES).content
+    end
+
+    def valid?(certificate = nil, &block)
+      @errors = []
+      references.each { |r| r.errors = [] }
+      validate_digest_values
+      validate_signature_value(certificate, &block)
+      errors.empty?
+    end
+
+    private
+
+    def canonicalization_method
+      signed_info.at_xpath("descendant::ds:CanonicalizationMethod", NAMESPACES).get_attribute("Algorithm")
+    end
+
+    def canonicalized_signed_info
+      Canonicalizer.new(signed_info, canonicalization_method).canonicalize
+    end
+
+    def calculate_signature_value(private_key, &block)
+      if private_key
+        private_key.sign(signature_method.new, canonicalized_signed_info)
+      else
+        yield(canonicalized_signed_info, signature_algorithm)
+      end
+    end
+
+    def signature_algorithm
+      signed_info.at_xpath("descendant::ds:SignatureMethod", NAMESPACES).get_attribute("Algorithm")
+    end
+
+    def signature_method
+      algorithm = signature_algorithm && signature_algorithm =~ /sha(.*?)$/i && $1.to_i
+      case algorithm
+        when 256 then
+          OpenSSL::Digest::SHA256
+        else
+          OpenSSL::Digest::SHA1
+      end
+    end
+
+    def signature_value=(signature_value)
+      signature.at_xpath("descendant::ds:SignatureValue", NAMESPACES).content =
+          Base64.encode64(signature_value).chomp
+    end
+
+    def validate_digest_values
+      references.each(&:validate_digest_value)
+    end
+
+    def validate_signature_value(certificate)
+      signature_valid = if certificate
+        certificate.public_key.verify(signature_method.new, signature_value, canonicalized_signed_info)
+      else
+        yield(signature_value, canonicalized_signed_info, signature_algorithm)
+      end
+
+      unless signature_valid
+        @errors << :signature
+      end
+    end
+  end
+end

data/lib/xmldsig/signed_document.rb

@@ -0,0 +1,26 @@
+module Xmldsig
+  class SignedDocument
+    attr_accessor :document
+
+    def initialize(document, options = {})
+      @document = Nokogiri::XML::Document.parse(document)
+    end
+
+    def validate(certificate = nil, &block)
+      signatures.any? && signatures.all? { |signature| signature.valid?(certificate, &block) }
+    end
+
+    def sign(private_key = nil, instruct = true, &block)
+      signatures.each { |signature| signature.sign(private_key, &block) }
+      instruct ? @document.to_s : @document.root.to_s
+    end
+
+    def signed_nodes
+      signatures.flat_map(&:references).map(&:referenced_node)
+    end
+
+    def signatures
+      document.xpath("//ds:Signature", NAMESPACES).reverse.collect { |node| Signature.new(node) } || []
+    end
+  end
+end