xmldsig 0.2.10 → 0.3.0

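--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 227a4b8476b3589a1daedcb5fcf290f0aecf8188
- data.tar.gz: 3617f08f692df2042ae4b29e630d481162add76b
+ metadata.gz: c660b351f5875742f3eadd11bee9e6db8cb52c5e
+ data.tar.gz: 9ca1137b37ea2fd0571caf180818f690a387847d
  SHA512:
- metadata.gz: 948280bdfbd54908b3c5955b2c164512983b24b4c7852436e36ec76b861bd603ad3f72b591e9a5c8471a6ca1231de57aa83631cf5ce6acc1f433101a7a6d0a49
- data.tar.gz: 28edb78b29c0792616bd82e351edf30156726469db9413a93b701f1007da1b0b26b0a3c32e203e2ad42f4e229ada259a901731fb1a2ba817cf868330ae6830a5
+ metadata.gz: bbe25b7ed1e30ff825dac52c101b74dbb3337112c54d539b869460c7833e8a2d19d67801abed19d118f044cfeb9d7689295f74d0496c3a8695f1420e83216ab7
+ data.tar.gz: be13b6062f6d168b5605e3d4048c8b7eb0d5f111d919a9781e95b92abb545eb8d11f3f0ce3ae909ee709ce5cde433532324d27531f0e5eefb41fb133d8af877c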
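--- a/data/lib/xmldsig.rb
+++ b/data/lib/xmldsig.rb
@@ -17,4 +17,12 @@ module Xmldsig
  "ec" => "http://www.w3.org/2001/10/xml-exc-c14n#",
  "wsu" => "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  }
+
+ class Error < StandardError
+ end
+
+ class SchemaError < Error
+ end
+
+ XSD_FILE = File.read(File.expand_path('../xmldsig/xmldsig-core-schema.xsd', __FILE__))
  end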
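Review bot: `XSD_FILE` holds the schema text returned by `File.read`, not a path, so the name misleads a reader who expects a filename; either rename it (e.g. `XSD_SOURCE`) or put a comment above it such as `# Text of the bundled XML Signature core schema, read once at require time and used to schema-validate Signature elements before any digest or signature check`. The two new exception classes are also undocumented; a one-line comment on `Error` (`# Base class for all errors raised by Xmldsig`) and on `SchemaError` (`# Raised when a Signature element does not conform to the bundled xmldsig-core-schema.xsd`) would let callers know which class to rescue. The enclosing `module Xmldsig` starts outside the hunk.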
@@ -33,6 +33,7 @@ module Xmldsig
33
33
  def valid?(certificate = nil, &block)
34
34
  @errors = []
35
35
  references.each { |r| r.errors = [] }
36
+ validate_schema
36
37
  validate_digest_values
37
38
  validate_signature_value(certificate, &block)
38
39
  errors.empty?
@@ -75,6 +76,12 @@ module Xmldsig
75
76
  Base64.encode64(signature_value).chomp
76
77
  end
77
78
 
79
+ def validate_schema
80
+ doc = Nokogiri::XML::Document.parse(signature.canonicalize)
81
+ errors = Nokogiri::XML::Schema.new(Xmldsig::XSD_FILE).validate(doc)
82
+ raise Xmldsig::SchemaError.new(errors.first.message) if errors.any?
83
+ end
84
+
78
85
  def validate_digest_values
79
86
  references.each(&:validate_digest_value)
80
87
  end
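Review bot: `validate_schema` calls `Nokogiri::XML::Schema.new(Xmldsig::XSD_FILE)` on every invocation, so each `valid?` re-parses and compiles the full XSD; build the schema once beside `XSD_FILE` in the first hunk (e.g. `XSD_SCHEMA = Nokogiri::XML::Schema.new(XSD_FILE)`) and use `Xmldsig::XSD_SCHEMA.validate(doc)` here. The local `errors` shadows the `errors` reader that `valid?` relies on at the end of the previous hunk, and the raise reports only the first message; `schema_errors = Xmldsig::XSD_SCHEMA.validate(doc)` followed by `raise Xmldsig::SchemaError, schema_errors.map(&:message).join('; ') if schema_errors.any?` avoids the shadowing, keeps the full reason and uses the idiomatic raise form. Because `valid?` now raises rather than returning false for a structurally malformed Signature element, document that on the method (`# @raise [Xmldsig::SchemaError] when the Signature element does not conform to the bundled XML Signature schema`) so callers know to rescue it. The old-side line numbers of these two hunks (33 and 75) lie past the end of the 28-line `lib/xmldsig.rb` shown above, so they most likely belong to another file whose header the page dropped; the enclosing class and the neighbouring method definitions start and end outside the hunk.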
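--- a/data/lib/xmldsig/version.rb
+++ b/data/lib/xmldsig/version.rb
@@ -1,3 +1,3 @@
  module Xmldsig
- VERSION = '0.2.10'
+ VERSION = '0.3.0'
  end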
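--- /dev/null
+++ b/data/lib/xmldsig/xmldsig-core-schema.xsd
@@ -0,0 +1,262 @@
+ <?xml version="1.0" encoding="utf-8"?>
+ <!--
+ <!DOCTYPE schema
+ PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
+ [
+ <!ATTLIST schema
+ xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
+ <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
+ <!ENTITY % p ''>
+ <!ENTITY % s ''>
+ ]>
+ -->
+ <!-- Schema for XML Signatures
+ http://www.w3.org/2000/09/xmldsig#
+ $Revision: 4 $ on $Date: 2004-12-16 12:08:17 -0500 (Thu, 16 Dec 2004) $ by $Author: marcgratacos $
+ Copyright 2001 The Internet Society and W3C (Massachusetts Institute
+ of Technology, Institut National de Recherche en Informatique et en
+ Automatique, Keio University). All Rights Reserved.
+ http://www.w3.org/Consortium/Legal/
+ This document is governed by the W3C Software License [1] as described
+ in the FAQ [2].
+ [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
+ [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
+ -->
+ <schema elementFormDefault="qualified" targetNamespace="http://www.w3.org/2000/09/xmldsig#" version="0.1" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <!-- Basic Types Defined for Signatures -->
+ <simpleType name="CryptoBinary">
+ <restriction base="base64Binary" />
+ </simpleType>
+ <!-- Start Signature -->
+ <element name="Signature" type="ds:SignatureType" />
+ <complexType name="SignatureType">
+ <sequence>
+ <element ref="ds:SignedInfo" />
+ <element ref="ds:SignatureValue" />
+ <element minOccurs="0" ref="ds:KeyInfo" />
+ <element maxOccurs="unbounded" minOccurs="0" ref="ds:Object" />
+ </sequence>
+ <attribute name="Id" type="ID" use="optional" />
+ </complexType>
+ <element name="SignatureValue" type="ds:SignatureValueType" />
+ <complexType name="SignatureValueType">
+ <simpleContent>
+ <extension base="base64Binary">
+ <attribute name="Id" type="ID" use="optional" />
+ </extension>
+ </simpleContent>
+ </complexType>
+ <!-- Start SignedInfo -->
+ <element name="SignedInfo" type="ds:SignedInfoType" />
+ <complexType name="SignedInfoType">
+ <sequence>
+ <element ref="ds:CanonicalizationMethod" />
+ <element ref="ds:SignatureMethod" />
+ <element maxOccurs="unbounded" ref="ds:Reference" />
+ </sequence>
+ <attribute name="Id" type="ID" use="optional" />
+ </complexType>
+ <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType" />
+ <complexType mixed="true" name="CanonicalizationMethodType">
+ <sequence>
+ <any maxOccurs="unbounded" minOccurs="0" namespace="##any" />
+ <!-- (0,unbounded) elements from (1,1) namespace -->
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required" />
+ </complexType>
+ <element name="SignatureMethod" type="ds:SignatureMethodType" />
+ <complexType mixed="true" name="SignatureMethodType">
+ <sequence>
+ <element minOccurs="0" name="HMACOutputLength" type="ds:HMACOutputLengthType" />
+ <any maxOccurs="unbounded" minOccurs="0" namespace="##other" />
+ <!-- (0,unbounded) elements from (1,1) external namespace -->
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required" />
+ </complexType>
+ <!-- Start Reference -->
+ <element name="Reference" type="ds:ReferenceType" />
+ <complexType name="ReferenceType">
+ <sequence>
+ <element minOccurs="0" ref="ds:Transforms" />
+ <element ref="ds:DigestMethod" />
+ <element ref="ds:DigestValue" />
+ </sequence>
+ <attribute name="Id" type="ID" use="optional" />
+ <attribute name="URI" type="anyURI" use="optional" />
+ <attribute name="Type" type="anyURI" use="optional" />
+ </complexType>
+ <element name="Transforms" type="ds:TransformsType" />
+ <complexType name="TransformsType">
+ <sequence>
+ <element maxOccurs="unbounded" ref="ds:Transform" />
+ </sequence>
+ </complexType>
+ <element name="Transform" type="ds:TransformType" />
+ <complexType mixed="true" name="TransformType">
+ <choice maxOccurs="unbounded" minOccurs="0">
+ <any namespace="##other" processContents="lax" />
+ <!-- (1,1) elements from (0,unbounded) namespaces -->
+ <element name="XPath" type="string" />
+ </choice>
+ <attribute name="Algorithm" type="anyURI" use="required" />
+ </complexType>
+ <!-- End Reference -->
+ <element name="DigestMethod" type="ds:DigestMethodType" />
+ <complexType mixed="true" name="DigestMethodType">
+ <sequence>
+ <any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="lax" />
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required" />
+ </complexType>
+ <element name="DigestValue" type="ds:DigestValueType" />
+ <simpleType name="DigestValueType">
+ <restriction base="base64Binary" />
+ </simpleType>
+ <!-- End SignedInfo -->
+ <!-- Start KeyInfo -->
+ <element name="KeyInfo" type="ds:KeyInfoType" />
+ <complexType mixed="true" name="KeyInfoType">
+ <choice maxOccurs="unbounded">
+ <element ref="ds:KeyName" />
+ <element ref="ds:KeyValue" />
+ <element ref="ds:RetrievalMethod" />
+ <element ref="ds:X509Data" />
+ <element ref="ds:PGPData" />
+ <element ref="ds:SPKIData" />
+ <element ref="ds:MgmtData" />
+ <any namespace="##other" processContents="lax" />
+ <!-- (1,1) elements from (0,unbounded) namespaces -->
+ </choice>
+ <attribute name="Id" type="ID" use="optional" />
+ </complexType>
+ <element name="KeyName" type="string" />
+ <element name="MgmtData" type="string" />
+ <element name="KeyValue" type="ds:KeyValueType" />
+ <complexType mixed="true" name="KeyValueType">
+ <choice>
+ <element ref="ds:DSAKeyValue" />
+ <element ref="ds:RSAKeyValue" />
+ <any namespace="##other" processContents="lax" />
+ </choice>
+ </complexType>
+ <element name="RetrievalMethod" type="ds:RetrievalMethodType" />
+ <complexType name="RetrievalMethodType">
+ <sequence>
+ <element minOccurs="0" ref="ds:Transforms" />
+ </sequence>
+ <attribute name="URI" type="anyURI" />
+ <attribute name="Type" type="anyURI" use="optional" />
+ </complexType>
+ <!-- Start X509Data -->
+ <element name="X509Data" type="ds:X509DataType" />
+ <complexType name="X509DataType">
+ <sequence maxOccurs="unbounded">
+ <choice>
+ <element name="X509IssuerSerial" type="ds:X509IssuerSerialType" />
+ <element name="X509SKI" type="base64Binary" />
+ <element name="X509SubjectName" type="string" />
+ <element name="X509Certificate" type="base64Binary" />
+ <element name="X509CRL" type="base64Binary" />
+ <any namespace="##other" processContents="lax" />
+ </choice>
+ </sequence>
+ </complexType>
+ <complexType name="X509IssuerSerialType">
+ <sequence>
+ <element name="X509IssuerName" type="string" />
+ <element name="X509SerialNumber" type="integer" />
+ </sequence>
+ </complexType>
+ <!-- End X509Data -->
+ <!-- Begin PGPData -->
+ <element name="PGPData" type="ds:PGPDataType" />
+ <complexType name="PGPDataType">
+ <choice>
+ <sequence>
+ <element name="PGPKeyID" type="base64Binary" />
+ <element minOccurs="0" name="PGPKeyPacket" type="base64Binary" />
+ <any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="lax" />
+ </sequence>
+ <sequence>
+ <element name="PGPKeyPacket" type="base64Binary" />
+ <any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="lax" />
+ </sequence>
+ </choice>
+ </complexType>
+ <!-- End PGPData -->
+ <!-- Begin SPKIData -->
+ <element name="SPKIData" type="ds:SPKIDataType" />
+ <complexType name="SPKIDataType">
+ <sequence maxOccurs="unbounded">
+ <element name="SPKISexp" type="base64Binary" />
+ <any minOccurs="0" namespace="##other" processContents="lax" />
+ </sequence>
+ </complexType>
+ <!-- End SPKIData -->
+ <!-- End KeyInfo -->
+ <!-- Start Object (Manifest, SignatureProperty) -->
+ <element name="Object" type="ds:ObjectType" />
+ <complexType mixed="true" name="ObjectType">
+ <sequence maxOccurs="unbounded" minOccurs="0">
+ <any namespace="##any" processContents="lax" />
+ </sequence>
+ <attribute name="Id" type="ID" use="optional" />
+ <attribute name="MimeType" type="string" use="optional" />
+ <attribute name="Encoding" type="anyURI" use="optional" />
+ <!-- add a grep facet -->
+ </complexType>
+ <element name="Manifest" type="ds:ManifestType" />
+ <complexType name="ManifestType">
+ <sequence>
+ <element maxOccurs="unbounded" ref="ds:Reference" />
+ </sequence>
+ <attribute name="Id" type="ID" use="optional" />
+ </complexType>
+ <element name="SignatureProperties" type="ds:SignaturePropertiesType" />
+ <complexType name="SignaturePropertiesType">
+ <sequence>
+ <element maxOccurs="unbounded" ref="ds:SignatureProperty" />
+ </sequence>
+ <attribute name="Id" type="ID" use="optional" />
+ </complexType>
+ <element name="SignatureProperty" type="ds:SignaturePropertyType" />
+ <complexType mixed="true" name="SignaturePropertyType">
+ <choice maxOccurs="unbounded">
+ <any namespace="##other" processContents="lax" />
+ <!-- (1,1) elements from (1,unbounded) namespaces -->
+ </choice>
+ <attribute name="Target" type="anyURI" use="required" />
+ <attribute name="Id" type="ID" use="optional" />
+ </complexType>
+ <!-- End Object (Manifest, SignatureProperty) -->
+ <!-- Start Algorithm Parameters -->
+ <simpleType name="HMACOutputLengthType">
+ <restriction base="integer" />
+ </simpleType>
+ <!-- Start KeyValue Element-types -->
+ <element name="DSAKeyValue" type="ds:DSAKeyValueType" />
+ <complexType name="DSAKeyValueType">
+ <sequence>
+ <sequence minOccurs="0">
+ <element name="P" type="ds:CryptoBinary" />
+ <element name="Q" type="ds:CryptoBinary" />
+ </sequence>
+ <element minOccurs="0" name="G" type="ds:CryptoBinary" />
+ <element name="Y" type="ds:CryptoBinary" />
+ <element minOccurs="0" name="J" type="ds:CryptoBinary" />
+ <sequence minOccurs="0">
+ <element name="Seed" type="ds:CryptoBinary" />
+ <element name="PgenCounter" type="ds:CryptoBinary" />
+ </sequence>
+ </sequence>
+ </complexType>
+ <element name="RSAKeyValue" type="ds:RSAKeyValueType" />
+ <complexType name="RSAKeyValueType">
+ <sequence>
+ <element name="Modulus" type="ds:CryptoBinary" />
+ <element name="Exponent" type="ds:CryptoBinary" />
+ </sequence>
+ </complexType>
+ <!-- End KeyValue Element-types -->
+ <!-- End Signature -->
+ </schema>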
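--- /dev/null
+++ b/data/spec/fixtures/signed-with-xsd-error.xml
@@ -0,0 +1,24 @@
+ <?xml version="1.0" encoding="UTF-8"?>
+ <foo:Foo xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" ID="foo">
+ <ds:Signature>
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+ <ds:Reference URI="#foo">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces PrefixList="foo"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+ <ds:DigestValue>Uxo8ZyDAavNIsXjJZAp1K8T30aXSXrXMUYof7ZHVwQk=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>NggRouxW4kOlLalQuu32YB3RMm92qXbLjZlRpyZiCjKl/WGVfkFbzZwH6frn
+ bSnQWA2Nmof5Rb28D5hFRZP8kd2Bs5AzjuiHP0XeCOX1WRo8YQDMuhns8Nn8
+ 7ouSojTb206NG9c0yHdRlmCQSQlV/rCLSBOj1BTT1oEQjBlxJM0=</ds:SignatureValue>
+ <foo:Bar>bar</foo:Bar>
+ </ds:Signature>
+ <foo:Bar>bar</foo:Bar>
+ </foo:Foo>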
@@ -18,7 +18,6 @@
18
18
  </ds:Reference>
19
19
  </ds:SignedInfo>
20
20
  <ds:SignatureValue></ds:SignatureValue>
21
- <ds:KeyInfo/>
22
21
  </ds:Signature>
23
22
  <samlp:Status>
24
23
  <samlp:StatusCode/>
@@ -30,4 +29,4 @@
30
29
  </samlp:Response>
31
30
  </samlp:ArtifactResponse>
32
31
  </soapenv:Body>
33
- </soapenv:Envelope>
32
+ </soapenv:Envelope>
@@ -18,15 +18,6 @@ describe Xmldsig do
18
18
  it 'should have at least 1 signature element' do
19
19
  Xmldsig::SignedDocument.new(signed_document).signatures.count.should >= 1
20
20
  end
21
-
22
- # TODO: remove this verification step when library matures
23
- # it 'matches the result from xmlsec1' do
24
- # result = `xmlsec1 --sign --id-attr:ID http://example.com/foo#:Foo --privkey-pem spec/fixtures/key.pem #{document}`
25
- # result.gsub!("\n", '')
26
- # signed_document.gsub!("\n", '')
27
- # puts result
28
- # result.should == signed_document
29
- # end
30
21
  end
31
22
  end
32
23
  end
@@ -54,6 +45,16 @@ describe Xmldsig do
54
45
  end
55
46
  end
56
47
  end
48
+
49
+ context "with invalid xsd signature elemements" do
50
+ let(:signed_xml) { File.read('spec/fixtures/signed-with-xsd-error.xml') }
51
+ let(:signed_document) { Xmldsig::SignedDocument.new(signed_xml) }
52
+ let(:certificate) { OpenSSL::X509::Certificate.new(File.read('spec/fixtures/certificate.cer')) }
53
+
54
+ it "raises schema error" do
55
+ expect{ signed_document.validate(certificate) }.to raise_error(Xmldsig::SchemaError)
56
+ end
57
+ end
57
58
  end
58
59
 
59
60
  describe "Allows specifying a custom id attribute" do
@@ -69,15 +70,6 @@ describe Xmldsig do
69
70
  it 'should have a signature element' do
70
71
  Xmldsig::SignedDocument.new(signed_document, :id_attr => 'MyID').signatures.count.should == 1
71
72
  end
72
-
73
- # TODO: remove this verification step when library matures
74
- # it 'matches the result from xmlsec1' do
75
- # document = "spec/fixtures/unsigned_custom_attribute_id.xml"
76
- # result = `xmlsec1 --sign --privkey-pem spec/fixtures/key.pem --id-attr:MyID Foo #{document}`
77
- # result.gsub!("\n", '')
78
- # signed_document.gsub!("\n", '')
79
- # result.should == signed_document
80
- # end
81
73
  end
82
74
 
83
75
  context "a signed document" do
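Review bot: The new example in the hunk at old line 54 only asserts the exception class, so it would also pass if the fixture failed schema validation for some reason other than the one it was written for; pairing the class with a message matcher, e.g. `expect { signed_document.validate(certificate) }.to raise_error(Xmldsig::SchemaError, /Bar/)` if the libxml message names the offending element (the stray `foo:Bar` child of `ds:Signature` in the new fixture looks like the intended violation — worth confirming against the actual message), would pin the cause. The context description has a typo and inconsistent casing: `context "with invalid XSD signature elements" do`. Style-wise the example uses `expect{` without a space and the `expect` syntax while the rest of this file visibly uses `.should` (e.g. the `signatures.count.should` lines in the earlier hunks); pick one form for the file. The enclosing `describe` blocks start and end outside the hunk.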
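--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: xmldsig
  version: !ruby/object:Gem::Version
- version: 0.2.10
+ version: 0.3.0
  platform: ruby
  authors:
  - benoist
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2015-10-30 00:00:00.000000000 Z
+ date: 2015-11-09 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: nokogiri
@@ -50,10 +50,12 @@ files:
  - lib/xmldsig/transforms/enveloped_signature.rb
  - lib/xmldsig/transforms/transform.rb
  - lib/xmldsig/version.rb
+ - lib/xmldsig/xmldsig-core-schema.xsd
  - signing_service.rb
  - spec/fixtures/certificate.cer
  - spec/fixtures/certificate2.cer
  - spec/fixtures/key.pem
+ - spec/fixtures/signed-with-xsd-error.xml
  - spec/fixtures/signed.xml
  - spec/fixtures/signed/ideal.cert
  - spec/fixtures/signed/ideal.txt
@@ -112,6 +114,7 @@ test_files:
  - spec/fixtures/certificate.cer
  - spec/fixtures/certificate2.cer
  - spec/fixtures/key.pem
+ - spec/fixtures/signed-with-xsd-error.xml
  - spec/fixtures/signed.xml
  - spec/fixtures/signed/ideal.cert
  - spec/fixtures/signed/ideal.txt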