xmldsig 0.1.0 → 0.2.0

data/lib/xmldsig.rb

@@ -8,11 +8,13 @@ require "xmldsig/transforms/transform"
 require "xmldsig/transforms/canonicalize"
 require "xmldsig/transforms/enveloped_signature"
 require "xmldsig/transforms"
+require "xmldsig/reference"
 require "xmldsig/signature"
 
 module Xmldsig
   NAMESPACES = {
-      "ds" => "http://www.w3.org/2000/09/xmldsig#",
-      "ec" => "http://www.w3.org/2001/10/xml-exc-c14n#"
+      "ds"  => "http://www.w3.org/2000/09/xmldsig#",
+      "ec"  => "http://www.w3.org/2001/10/xml-exc-c14n#",
+      "wsu" => "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   }
 end

data/lib/xmldsig/reference.rb

@@ -0,0 +1,74 @@
+module Xmldsig
+  class Reference
+    attr_accessor :reference, :errors
+
+    class ReferencedNodeNotFound < Exception; end
+
+    def initialize(reference)
+      @reference = reference
+      @errors    = []
+    end
+
+    def document
+      reference.document
+    end
+
+    def sign
+      self.digest_value = calculate_digest_value
+    end
+
+    def referenced_node
+      if reference_uri && reference_uri != ""
+        id = reference_uri[1..-1]
+        if ref = document.dup.at_xpath("//*[@ID='#{id}' or @wsu:Id='#{id}']", NAMESPACES)
+          ref
+        else
+          raise(
+            ReferencedNodeNotFound,
+            "Could not find the referenced node #{id}'"
+          )
+        end
+      else
+        document.dup.root
+      end
+    end
+
+    def reference_uri
+      reference.get_attribute("URI")
+    end
+
+    def digest_value
+      Base64.decode64 reference.at_xpath("descendant::ds:DigestValue", NAMESPACES).content
+    end
+
+    def calculate_digest_value
+      node = transforms.apply(referenced_node)
+      digest_method.digest node
+    end
+
+    def digest_method
+      algorithm = reference.at_xpath("descendant::ds:DigestMethod", NAMESPACES).get_attribute("Algorithm")
+      case algorithm
+        when "http://www.w3.org/2001/04/xmlenc#sha256"
+          Digest::SHA2
+        when "http://www.w3.org/2000/09/xmldsig#sha1"
+          Digest::SHA1
+      end
+    end
+
+    def digest_value=(digest_value)
+      reference.at_xpath("descendant::ds:DigestValue", NAMESPACES).content =
+        Base64.encode64(digest_value).chomp
+    end
+
+    def transforms
+      Transforms.new(reference.xpath("descendant::ds:Transform", NAMESPACES))
+    end
+
+    def validate_digest_value
+      unless digest_value == calculate_digest_value
+        @errors << :digest_value
+      end
+    end
+  end
+end

data/lib/xmldsig/signature.rb

@@ -1,34 +1,23 @@
 module Xmldsig
   class Signature
-    attr_accessor :signature, :errors
+    attr_accessor :signature
 
     def initialize(signature)
       @signature = signature
-      @errors    = []
     end
 
-    def digest_value
-      Base64.decode64 signed_info.at_xpath("descendant::ds:DigestValue", NAMESPACES).content
-    end
-
-    def document
-      signature.document
-    end
-
-    def referenced_node
-      if reference_uri && reference_uri != ""
-        document.dup.at_xpath("//*[@ID='#{reference_uri[1..-1]}']")
-      else
-        document.dup.root
+    def references
+      @references ||= signature.xpath("descendant::ds:Reference", NAMESPACES).map do |node|
+        Reference.new(node)
       end
     end
 
-    def reference_uri
-      signature.at_xpath("descendant::ds:Reference", NAMESPACES).get_attribute("URI")
+    def errors
+      references.flat_map(&:errors) + @errors
     end
 
     def sign(private_key = nil, &block)
-      self.digest_value    = calculate_digest_value
+      references.each(&:sign)
       self.signature_value = calculate_signature_value(private_key, &block)
     end
 
@@ -42,18 +31,14 @@ module Xmldsig
 
     def valid?(certificate = nil, &block)
       @errors = []
-      validate_digest_value
+      references.each { |r| r.errors = [] }
+      validate_digest_values
       validate_signature_value(certificate, &block)
-      @errors.empty?
+      errors.empty?
     end
 
     private
 
-    def calculate_digest_value
-      node = transforms.apply(referenced_node)
-      digest_method.digest node
-    end
-
     def canonicalization_method
       signed_info.at_xpath("descendant::ds:CanonicalizationMethod", NAMESPACES).get_attribute("Algorithm")
     end
@@ -70,21 +55,6 @@ module Xmldsig
       end
     end
 
-    def digest_method
-      algorithm = signed_info.at_xpath("descendant::ds:DigestMethod", NAMESPACES).get_attribute("Algorithm")
-      case algorithm
-        when "http://www.w3.org/2001/04/xmlenc#sha256"
-          Digest::SHA2
-        when "http://www.w3.org/2000/09/xmldsig#sha1"
-          Digest::SHA1
-      end
-    end
-
-    def digest_value=(digest_value)
-      signed_info.at_xpath("descendant::ds:DigestValue", NAMESPACES).content =
-          Base64.encode64(digest_value).chomp
-    end
-
     def signature_algorithm
       signed_info.at_xpath("descendant::ds:SignatureMethod", NAMESPACES).get_attribute("Algorithm")
     end
@@ -104,14 +74,8 @@ module Xmldsig
           Base64.encode64(signature_value).chomp
     end
 
-    def transforms
-      Transforms.new(signature.xpath("descendant::ds:Transform", NAMESPACES))
-    end
-
-    def validate_digest_value
-      unless digest_value == calculate_digest_value
-        errors << :digest_value
-      end
+    def validate_digest_values
+      references.each(&:validate_digest_value)
     end
 
     def validate_signature_value(certificate)
@@ -122,7 +86,7 @@ module Xmldsig
       end
 
       unless signature_valid
-        errors << :signature
+        @errors << :signature
       end
     end
   end

data/lib/xmldsig/signed_document.rb

@@ -16,7 +16,7 @@ module Xmldsig
     end
 
     def signed_nodes
-      signatures.collect(&:referenced_node)
+      signatures.flat_map(&:references).map(&:referenced_node)
     end
 
     def signatures

data/lib/xmldsig/version.rb

@@ -1,3 +1,3 @@
 module Xmldsig
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/spec/fixtures/unsigned_multiple_references.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0"?>
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
+  <soapenv:Header></soapenv:Header>
+  <soapenv:Body>
+
+    <SomeMethod ID="Data-1">
+      <Data>some Content</Data>
+    </SomeMethod>
+
+    <Timestamp ID="Timestamp-1">
+      <Created>2010-10-25T12:09:44Z</Created>
+      <Expires>2010-10-25T12:14:44Z</Expires>
+    </Timestamp>
+
+    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+      <SignedInfo>
+        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+        <Reference URI="#Timestamp-1">
+          <Transforms>
+            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </Transforms>
+          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+          <DigestValue></DigestValue>
+        </Reference>
+        <Reference URI="#Data-1">
+          <Transforms>
+            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </Transforms>
+          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+          <DigestValue></DigestValue>
+        </Reference>
+      </SignedInfo>
+      <SignatureValue></SignatureValue>
+    </Signature>
+
+  </soapenv:Body>
+</soapenv:Envelope>

data/spec/lib/xmldsig/reference_spec.rb

@@ -0,0 +1,65 @@
+require "spec_helper"
+
+describe Xmldsig::Reference do
+  let(:document) { Nokogiri::XML::Document.parse File.read("spec/fixtures/signed.xml") }
+  let(:reference) { Xmldsig::Reference.new(document.at_xpath('//ds:Reference', Xmldsig::NAMESPACES)) }
+
+  describe "#digest_value" do
+    it "returns the digest value in the xml" do
+      reference.digest_value.should == Base64.decode64("ftoSYFdze1AWgGHF5N9i9SFKThXkqH2AdyzA3/epbJw=")
+    end
+  end
+
+  describe "#document" do
+    it "returns the document" do
+      reference.document.should == document
+    end
+  end
+
+  describe "#sign" do
+    let(:document) { Nokogiri::XML::Document.parse File.read("spec/fixtures/unsigned.xml") }
+
+    it "sets the correct digest value" do
+      reference.sign
+      reference.digest_value.should == Base64.decode64("ftoSYFdze1AWgGHF5N9i9SFKThXkqH2AdyzA3/epbJw=")
+    end
+  end
+
+  describe "#referenced_node" do
+    it "returns the referenced_node by id" do
+      reference.referenced_node.to_s.should ==
+        document.at_xpath("//*[@ID='foo']").to_s
+    end
+
+    it "returns the referenced node by parent" do
+      reference.stub(:reference_uri).and_return("")
+      reference.referenced_node.to_s.should ==
+        document.root.to_s
+    end
+
+    it "returns the reference node when using WS-Security style id attribute" do
+      node = document.at_xpath('//*[@ID]')
+      node.add_namespace('wsu', Xmldsig::NAMESPACES['wsu'])
+      node['wsu:Id'] = node['ID']
+      node.remove_attribute('ID')
+
+      reference.referenced_node.
+        attribute_with_ns('Id', Xmldsig::NAMESPACES['wsu']).value.
+        should == 'foo'
+    end
+
+    it "raises ReferencedNodeNotFound when the refenced node is not present" do
+      node = document.at_xpath('//*[@ID]')
+      node.remove_attribute('ID')
+
+      expect { reference.referenced_node }.
+        to raise_error(Xmldsig::Reference::ReferencedNodeNotFound)
+    end
+  end
+
+  describe "#reference_uri" do
+    it "returns the reference uri" do
+      reference.reference_uri.should == "#foo"
+    end
+  end
+end

data/spec/lib/xmldsig/signature_spec.rb

@@ -8,37 +8,6 @@ describe Xmldsig::Signature do
   let(:signature_node) { document.at_xpath("//ds:Signature", Xmldsig::NAMESPACES) }
   let(:signature) { Xmldsig::Signature.new(signature_node) }
 
-  describe "#digest_value" do
-    it "returns the digest value in the xml" do
-      signature.digest_value.should == Base64.decode64("ftoSYFdze1AWgGHF5N9i9SFKThXkqH2AdyzA3/epbJw=")
-    end
-  end
-
-  describe "#document" do
-    it "returns the document" do
-      signature.document.should == document
-    end
-  end
-
-  describe "#referenced_node" do
-    it "returns the referenced_node by id" do
-      signature.referenced_node.to_s.should ==
-          document.at_xpath("//*[@ID='foo']").to_s
-    end
-
-    it "returns the referenced node by parent" do
-      signature.stub(:reference_uri).and_return("")
-      signature.referenced_node.to_s.should ==
-          document.root.to_s
-    end
-  end
-
-  describe "#reference_uri" do
-    it "returns the reference uri" do
-      signature.reference_uri.should == "#foo"
-    end
-  end
-
   describe "#sign" do
     let(:document) { Nokogiri::XML::Document.parse File.read("spec/fixtures/unsigned.xml") }
     let(:signature_node) { document.at_xpath("//ds:Signature", Xmldsig::NAMESPACES) }
@@ -49,7 +18,7 @@ describe Xmldsig::Signature do
     end
 
     it "sets the digest value" do
-      signature.digest_value.should == Base64.decode64("ftoSYFdze1AWgGHF5N9i9SFKThXkqH2AdyzA3/epbJw=")
+      signature.references.first.digest_value.should == Base64.decode64("ftoSYFdze1AWgGHF5N9i9SFKThXkqH2AdyzA3/epbJw=")
     end
 
     it "sets the signature value" do
@@ -72,6 +41,21 @@ describe Xmldsig::Signature do
       ")
     end
 
+    describe "multiple references" do
+      let(:document) { Nokogiri::XML::Document.parse File.read("spec/fixtures/unsigned_multiple_references.xml") }
+
+      it "can sign the document" do
+        signature.sign(private_key)
+        signature.should be_valid(certificate)
+      end
+
+      it "gets a digest per reference" do
+        signature.references.count.should be == 2
+        signature.sign(private_key)
+        signature.references[0].digest_value.should be == Base64.decode64("P1nUq8Y/LPmd+EON/mcNMNRjT78=")
+        signature.references[1].digest_value.should be == Base64.decode64("RoGAaQeuNJuDMWcgsD7RuGbFACo=")
+      end
+    end
   end
 
   describe "#signed_info" do
@@ -94,7 +78,9 @@ describe Xmldsig::Signature do
     end
 
     it "returns false if the xml changed" do
-      signature.stub(:document).and_return(Nokogiri::XML::Document.parse(File.read("spec/fixtures/signed.xml").gsub("\s\s", "\s")))
+      signature.references.first.stub(:document).and_return(
+        Nokogiri::XML::Document.parse(File.read("spec/fixtures/signed.xml").gsub("\s\s", "\s"))
+      )
       signature.valid?(certificate)
       signature.errors.should include(:digest_value)
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: xmldsig
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-06-02 00:00:00.000000000 Z
+date: 2013-06-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -44,6 +44,7 @@ files:
 - Rakefile
 - lib/xmldsig.rb
 - lib/xmldsig/canonicalizer.rb
+- lib/xmldsig/reference.rb
 - lib/xmldsig/signature.rb
 - lib/xmldsig/signed_document.rb
 - lib/xmldsig/transforms.rb
@@ -63,7 +64,9 @@ files:
 - spec/fixtures/unsigned/with_soap_envelope.xml
 - spec/fixtures/unsigned/without_namespace_prefix.xml
 - spec/fixtures/unsigned/without_reference_uri.xml
+- spec/fixtures/unsigned_multiple_references.xml
 - spec/fixtures/unsigned_nested_signature.xml
+- spec/lib/xmldsig/reference_spec.rb
 - spec/lib/xmldsig/signature_spec.rb
 - spec/lib/xmldsig/signed_document_spec.rb
 - spec/lib/xmldsig/transforms/transform_spec.rb
@@ -107,7 +110,9 @@ test_files:
 - spec/fixtures/unsigned/with_soap_envelope.xml
 - spec/fixtures/unsigned/without_namespace_prefix.xml
 - spec/fixtures/unsigned/without_reference_uri.xml
+- spec/fixtures/unsigned_multiple_references.xml
 - spec/fixtures/unsigned_nested_signature.xml
+- spec/lib/xmldsig/reference_spec.rb
 - spec/lib/xmldsig/signature_spec.rb
 - spec/lib/xmldsig/signed_document_spec.rb
 - spec/lib/xmldsig/transforms/transform_spec.rb