xmldsig 0.2.1 → 0.2.2

data/CHANGELOG.md

@@ -0,0 +1,4 @@
+# Changelog
+
+v0.2.2 3-8-2013
+- added default canonicalization

data/lib/xmldsig/canonicalizer.rb

@@ -2,7 +2,7 @@ module Xmldsig
   class Canonicalizer
     attr_accessor :node, :method, :inclusive_namespaces
 
-    def initialize(node, method, inclusive_namespaces = [])
+    def initialize(node, method = nil, inclusive_namespaces = [])
       @node = node
       @method = method
       @inclusive_namespaces = inclusive_namespaces
@@ -22,6 +22,8 @@ module Xmldsig
           Nokogiri::XML::XML_C14N_1_0
         when "http://www.w3.org/2006/12/xml-c14n11"
           Nokogiri::XML::XML_C14N_1_1
+        else
+          Nokogiri::XML::XML_C14N_1_0
       end
     end
   end

data/lib/xmldsig/reference.rb

@@ -2,7 +2,8 @@ module Xmldsig
   class Reference
     attr_accessor :reference, :errors
 
-    class ReferencedNodeNotFound < Exception; end
+    class ReferencedNodeNotFound < Exception;
+    end
 
     def initialize(reference)
       @reference = reference
@@ -24,8 +25,8 @@ module Xmldsig
           ref
         else
           raise(
-            ReferencedNodeNotFound,
-            "Could not find the referenced node #{id}'"
+              ReferencedNodeNotFound,
+              "Could not find the referenced node #{id}'"
           )
         end
       else
@@ -42,8 +43,13 @@ module Xmldsig
     end
 
     def calculate_digest_value
-      node = transforms.apply(referenced_node)
-      digest_method.digest node
+      transformed = transforms.apply(referenced_node)
+      case transformed
+        when String
+          digest_method.digest transformed
+        when Nokogiri::XML::Node
+          digest_method.digest Canonicalizer.new(transformed).canonicalize
+      end
     end
 
     def digest_method
@@ -58,7 +64,7 @@ module Xmldsig
 
     def digest_value=(digest_value)
       reference.at_xpath("descendant::ds:DigestValue", NAMESPACES).content =
-        Base64.encode64(digest_value).chomp
+          Base64.encode64(digest_value).chomp
     end
 
     def transforms

data/lib/xmldsig/version.rb

@@ -1,3 +1,3 @@
 module Xmldsig
-  VERSION = '0.2.1'
+  VERSION = '0.2.2'
 end

data/signing_service.rb

@@ -0,0 +1,133 @@
+require 'base64'
+
+class SigningService
+
+  class << self
+    def create_redirect_params(xml, relay_state = "")
+      relay_state = relay_state ? "&RelayState=#{CGI.escape(relay_state)}" : ""
+
+      encoded_xml     = Saml::Encoding.to_http_redirect_binding_param(xml)
+      response_params = "SAMLResponse=#{encoded_xml}#{relay_state}&SigAlg=#{CGI.escape('http://www.w3.org/2000/09/xmldsig#rsa-sha1')}"
+      signature       = CGI.escape(sign_params(:params => response_params, :private_key => Saml::Config.private_key))
+
+      "#{response_params}&Signature=#{signature}"
+    end
+
+    def parse_signature_params(query)
+      params = {}
+      query.split(/[&;]/).each do |pairs|
+        key, value = pairs.split('=',2)
+        params[key] = value
+      end
+
+      relay_state       = params["RelayState"] ? "&RelayState=#{params['RelayState']}" : ""
+      "SAMLRequest=#{params['SAMLRequest']}#{relay_state}&SigAlg=#{params['SigAlg']}"
+    end
+
+    def sign_params(options={})
+      key = OpenSSL::PKey::RSA.new options[:private_key]
+      Base64.encode64(key.sign(OpenSSL::Digest::SHA1.new, options[:params])).gsub("\n", '')
+    end
+
+    def verify_params(options={})
+      cert = OpenSSL::X509::Certificate.new(options[:cert_pem])
+      key  = OpenSSL::PKey::RSA.new cert.public_key
+      key.verify(OpenSSL::Digest::SHA1.new, Base64.decode64(options[:signature]), parse_signature_params(options[:query_string]))
+    end
+
+    def sign!(xml, options={})
+      raise "Missing :id_attr option" if options[:id_attr].nil?
+      in_tmp_dir do
+        options[:private_key_path] = create_tmp_file(options[:private_key])
+        xml_file_path              = create_tmp_file xml
+        command                    = sign_command(xml_file_path, options)
+        result, exitstatus         = run command
+        if exitstatus == 0
+          result
+        else
+          run sign_command(xml_file_path, options.merge(:debug => true))
+          raise "unable to sign xml: #{command}\ngot error #{exitstatus}:\n#{result}"
+        end
+      end
+    end
+
+    # You can add --pubkey rsapub.pem or --trusted rootcert.pem to check that signature
+    # is actually valid. See http://www.aleksey.com/pipermail/xmlsec/2003/001120.html
+    def verify_signature!(xml, options={})
+      in_tmp_dir do
+        if options[:id_attr].blank?
+          raise "Missing :id_attr option"
+        end
+        if options[:cert_pem].blank?
+          raise "Missing :cert_pem option"
+        else
+          options[:cert_path] = create_tmp_file(options[:cert_pem])
+        end
+        command            = verify_command(create_tmp_file(xml), options)
+        result, exitstatus = run command
+        if (exitstatus) != 0
+          raise "unable to validate xml signature: #{command}\ngot error #{exitstatus}:\n#{result}"
+        end
+        result
+      end
+    end
+  end
+
+  def self.logger
+    @logger ||= Logger.new('test.log')
+  end
+
+  private #------------------------------------------------------------------------------
+
+  class << self
+    def in_tmp_dir
+      Dir.mktmpdir do |dir|
+        Dir.chdir(dir) do
+          yield
+        end
+      end
+    end
+
+    def create_tmp_file contents
+      file_path = "signing_tmp_#{Time.now.to_f}_#{::SecureRandom.hex}"
+      File.open(file_path, 'w+') do |f|
+        f.puts contents.to_s.strip
+      end
+      file_path
+    end
+
+    def run command
+      result     = `#{command}`
+      exitstatus = $?.exitstatus
+      if exitstatus != 0
+        logger.error "Got exitstatus '#{exitstatus}' when running #{command}:\n#{result}"
+      end
+      [result, exitstatus]
+    end
+
+    def sign_command(xml_file_path, options)
+      command = xml_sec_command
+      command << " --sign "
+      command << " --print-debug " if options[:debug]
+      command << " --id-attr:#{options[:id_attr]} " if options[:id_attr]
+      command << " --enabled-reference-uris empty,same-doc,local "
+      command << " --privkey-pem #{options[:private_key_path]} " if options[:private_key_path]
+      command << " #{xml_file_path}"
+      command
+    end
+
+    def verify_command(xml_file_path, options)
+      command = xml_sec_command
+      command << " --verify "
+      command << " --print-debug " if options[:debug]
+      command << " --id-attr:#{options[:id_attr]} " if options[:id_attr]
+      command << " --enabled-reference-uris empty,same-doc,local "
+      command << " --pubkey-cert-pem #{options[:cert_path]}" if options[:cert_path]
+      command << " #{xml_file_path} 2>&1"
+    end
+
+    def xml_sec_command
+      "xmlsec1"
+    end
+  end
+end

data/spec/fixtures/signed/ideal.cert

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm8CBgE4cUAd7DANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMCREUxDzANBgNVBAgT
+Bkhlc3NlbjEaMBgGA1UEBxMRRnJhbmtmdXJ0IGFtIE1haW4xDTALBgNVBAoTBFJBQk8xHTAbBgNV
+BAsTFE1lcmNoYW50IFhNTCBTaWduaW5nMRwwGgYDVQQDExNBdG9zIFdvcmxkbGluZSBHbWJIMB4X
+DTEyMDYzMDIyMDAwMFoXDTE3MDcwMTEwMDAwMFowgYYxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZI
+ZXNzZW4xGjAYBgNVBAcTEUZyYW5rZnVydCBhbSBNYWluMQ0wCwYDVQQKEwRSQUJPMR0wGwYDVQQL
+ExRNZXJjaGFudCBYTUwgU2lnbmluZzEcMBoGA1UEAxMTQXRvcyBXb3JsZGxpbmUgR21iSDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+hIul8xb811QmqLg9mzkoHh+0BdnQJZCqyHyFM
+eY7tkFOW8vwi13OxSMGLFzNnehjitMievsx2s5yQW/3NrjG3xLw/18PJrSIgulngs6Cjw9mmIRSn
+FZp3ViZR5aEmjP3aHGxIT7MTqt/AzU6TVaOYur55WmiOFJSA15AN+Onf3U+H06y/kbZlj9+QwKxe
+6jEZnaMlfSyhct5elswqEKjencUUU6qdRmsH8nSXmyrFJstXKlZsygDBJQSWxHqNE4r6lnYmpflC
+76KMNcW1xsp58Qa8axlpZ3UjL+nVtBKw4t+R2ebQcz12N+vv/8TBJd8ckZ+YwW4Cm2fGGcc2CcEC
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAaLXoT+EezVl4YFcFTWI58Zg7C7WujRn+pTSFGN8MLFtx
+MKfujLAMRh3YPVzXr2yE1kdMiMbq7IKtsKpb3PPgD3rb6YrP7zcwzDRxkXs802BgVxCPmdYrsa1i
+PdJReq2VVTKoBHXSiKWowwBQFPOOc1XjFHcJ3Nq5WgssGEjk+puRW+i8GLaIv1KdwVlWLyHNArTs
+W5JCcdtBhnMDz/g3/fRMu4EAnVFVmM75KNztVvgqkt+mZVuXfHfTCSv2RVFbrJvm/xrCmGk1VxDE
+t4zSMdFEi98xh8DOC1oIhMf6JDImL1JyHqTljOIjBCo2uE5TFqQ/QZiOk0IC8Rb9y3lb2g==
+-----END CERTIFICATE-----

data/spec/fixtures/signed/ideal.txt

@@ -0,0 +1,41 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48RGlyZWN0
+b3J5UmVzIHhtbG5zPSJodHRwOi8vd3d3LmlkZWFsZGVzay5jb20vaWRlYWwv
+bWVzc2FnZXMvbWVyLWFjcS8zLjMuMSIgeG1sbnM6bnMyPSJodHRwOi8vd3d3
+LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIiB2ZXJzaW9uPSIzLjMuMSI+CiAg
+ICA8Y3JlYXRlRGF0ZVRpbWVzdGFtcD4yMDEzLTA3LTExVDEwOjA2OjU5Ljg3
+Nlo8L2NyZWF0ZURhdGVUaW1lc3RhbXA+CiAgICA8QWNxdWlyZXI+CiAgICAg
+ICAgPGFjcXVpcmVySUQ+MDAyMDwvYWNxdWlyZXJJRD4KICAgIDwvQWNxdWly
+ZXI+CiAgICA8RGlyZWN0b3J5PgogICAgICAgIDxkaXJlY3RvcnlEYXRlVGlt
+ZXN0YW1wPjIwMTMtMDctMTFUMTA6MDY6NTkuODc2WjwvZGlyZWN0b3J5RGF0
+ZVRpbWVzdGFtcD4KICAgICAgICA8Q291bnRyeT4KICAgICAgICAgICAgPGNv
+dW50cnlOYW1lcz5EZXV0c2NobGFuZDwvY291bnRyeU5hbWVzPgogICAgICAg
+ICAgICA8SXNzdWVyPgogICAgICAgICAgICAgICAgPGlzc3VlcklEPklOR0JO
+TDJBPC9pc3N1ZXJJRD4KICAgICAgICAgICAgICAgIDxpc3N1ZXJOYW1lPklz
+c3VlciBTaW11bGF0aW9uIFYzIC0gSU5HPC9pc3N1ZXJOYW1lPgogICAgICAg
+ICAgICA8L0lzc3Vlcj4KICAgICAgICAgICAgPElzc3Vlcj4KICAgICAgICAg
+ICAgICAgIDxpc3N1ZXJJRD5SQUJPTkwyVTwvaXNzdWVySUQ+CiAgICAgICAg
+ICAgICAgICA8aXNzdWVyTmFtZT5Jc3N1ZXIgU2ltdWxhdGlvbiBWMyAtIFJB
+Qk88L2lzc3Vlck5hbWU+CiAgICAgICAgICAgIDwvSXNzdWVyPgogICAgICAg
+IDwvQ291bnRyeT4KICAgIDwvRGlyZWN0b3J5Pgo8U2lnbmF0dXJlIHhtbG5z
+PSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48U2lnbmVk
+SW5mbz48Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6
+Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxTaWduYXR1
+cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0
+L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2Ii8+PFJlZmVyZW5jZSBVUkk9IiI+
+PFRyYW5zZm9ybXM+PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cu
+dzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+
+PC9UcmFuc2Zvcm1zPjxEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8v
+d3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48RGlnZXN0VmFs
+dWU+a2NnajNnSWppMFk1OEJ4MlhTTUFNZytUNmhqa21HbWhTNWFRc21IUW4r
+MD08L0RpZ2VzdFZhbHVlPjwvUmVmZXJlbmNlPjwvU2lnbmVkSW5mbz48U2ln
+bmF0dXJlVmFsdWU+bHNXOUo2bXVPWWpFMVJpMGgwZHNFYVRqTU96MEs0RnFv
+bnlOamNIbkFONTE2Um9HOTZDcGxvQWJRdHBhUlAva0trajBlRUh4UWVXeQoy
+WFZHcHliYjRTUjNqdU96ZlM3b21rcHhoeXZqZkJVSStjNUZrUTBma1dmOHFB
+YVRxeUxoSXhhVGtGZHpNZ0xvKy9CU3QvNExuenFZClVmcDRLR1hlQmpDZHRU
+Mmg0R2F3eFo4c0Y1cUlXQzg5SUl5UkNwMXhuVmUzQlVlTkc3RmNSN3dlV1dY
+MGhIZDZhaHF6aUxTMnFWYW8KRUZZdmRaK003ajVWZ0hndUt2aWtlK01tKzlW
+Mmo0UlVuMVJobWg5R2ZsR1VzK2c4SWtWRmtibkdQQ3JJVm5HOElUOWYrOSsr
+cFQzegpPMGJ5NzZKWXVRRDdnWFFrMnZ3dFBkVjFMTHBRMHdoMjJ2UUtrUT09
+PC9TaWduYXR1cmVWYWx1ZT48S2V5SW5mbz48S2V5TmFtZT5GQzBBMTdBN0FC
+RDcyMzY5NzI2RUE0RDREQkVGOTgzODEyOEE3Qzc4PC9LZXlOYW1lPjwvS2V5
+SW5mbz48L1NpZ25hdHVyZT48L0RpcmVjdG9yeVJlcz4=

data/spec/fixtures/unsigned/without_canonicalization.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/lib/xmldsig_spec.rb

@@ -9,16 +9,37 @@ describe Xmldsig do
       describe "#{document}" do
         let(:unsigned_xml) { File.read(document) }
         let(:unsigned_document) { Xmldsig::SignedDocument.new(unsigned_xml) }
+        let(:signed_document) { unsigned_document.sign(private_key) }
 
         it "should be signable an validateable" do
-          signed_document = unsigned_document.sign(private_key)
           Xmldsig::SignedDocument.new(signed_document).validate(certificate).should be_true
         end
-        
+
         it 'should have a signature element' do
-          signed_document = unsigned_document.sign(private_key)
           Xmldsig::SignedDocument.new(signed_document).signatures.count.should == 1
         end
+
+        # TODO: remove this verification step when library matures
+        #it 'matches the result from xmlsec1' do
+        #  result = `xmlsec1 --sign --id-attr:ID http://example.com/foo#:Foo --privkey-pem spec/fixtures/key.pem #{document}`
+        #  result.gsub!("\n", '')
+        #  signed_document.gsub!("\n", '')
+        #  result.should == signed_document
+        #end
+      end
+    end
+  end
+
+  describe "Verify signed documents" do
+    Dir["spec/fixtures/signed/*.txt"].each do |document|
+      describe "#{document}" do
+        let(:signed_xml) { Base64.decode64(File.read(document)) }
+        let(:signed_document) { Xmldsig::SignedDocument.new(signed_xml) }
+        let(:certificate) { OpenSSL::X509::Certificate.new(File.read(document.gsub('.txt', '.cert'))) }
+
+        it "should be validateable" do
+          signed_document.validate(certificate).should be_true
+        end
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: xmldsig
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-10 00:00:00.000000000 Z
+date: 2013-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -37,6 +37,7 @@ files:
 - .gitignore
 - .rspec
 - .travis.yaml
+- CHANGELOG.md
 - Gemfile
 - Guardfile
 - LICENSE
@@ -52,16 +53,20 @@ files:
 - lib/xmldsig/transforms/enveloped_signature.rb
 - lib/xmldsig/transforms/transform.rb
 - lib/xmldsig/version.rb
+- signing_service.rb
 - spec/fixtures/certificate.cer
 - spec/fixtures/certificate2.cer
 - spec/fixtures/key.pem
 - spec/fixtures/signed.xml
+- spec/fixtures/signed/ideal.cert
+- spec/fixtures/signed/ideal.txt
 - spec/fixtures/unsigned.xml
 - spec/fixtures/unsigned/canonicalizer_1_0.xml
 - spec/fixtures/unsigned/canonicalizer_1_1.xml
 - spec/fixtures/unsigned/canonicalizer_exc.xml
 - spec/fixtures/unsigned/digest_sha1.xml
 - spec/fixtures/unsigned/with_soap_envelope.xml
+- spec/fixtures/unsigned/without_canonicalization.xml
 - spec/fixtures/unsigned/without_namespace_prefix.xml
 - spec/fixtures/unsigned/without_reference_uri.xml
 - spec/fixtures/unsigned_multiple_references.xml
@@ -103,12 +108,15 @@ test_files:
 - spec/fixtures/certificate2.cer
 - spec/fixtures/key.pem
 - spec/fixtures/signed.xml
+- spec/fixtures/signed/ideal.cert
+- spec/fixtures/signed/ideal.txt
 - spec/fixtures/unsigned.xml
 - spec/fixtures/unsigned/canonicalizer_1_0.xml
 - spec/fixtures/unsigned/canonicalizer_1_1.xml
 - spec/fixtures/unsigned/canonicalizer_exc.xml
 - spec/fixtures/unsigned/digest_sha1.xml
 - spec/fixtures/unsigned/with_soap_envelope.xml
+- spec/fixtures/unsigned/without_canonicalization.xml
 - spec/fixtures/unsigned/without_namespace_prefix.xml
 - spec/fixtures/unsigned/without_reference_uri.xml
 - spec/fixtures/unsigned_multiple_references.xml