xmldsig 0.2.7 → 0.2.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d8048f4065afca9b20df461f7731e4e40616efd1
-  data.tar.gz: 57000ef34e2df31dbe91635b81fe5456928b4095
+  metadata.gz: 0cc1b756bb07e55a09690b94d94fc3994032311b
+  data.tar.gz: 3ad4f0aa9cc2ce9abc66857bdf31c530656f207c
 SHA512:
-  metadata.gz: 62153a54678fbfe19b71b05211bc8bcb488ce382934868c9c08000fe49793e87871c18cf49f5b5dee5c85bc87c4f4c350fed0dcb5030ed960b0573f28f7262e2
-  data.tar.gz: 9655ca3667ca5011b492a2b858c7c7f9ae3254b433b498e38cbaccca66fa46995c0a1e2844de7c0481b2c7c2e00c2cf7969e28cf35924d19b208ffaa2326ee58
+  metadata.gz: 3639d76dddac3500ada6699b86e4eb23a4a9bc7f701b1ed94eb80e841b624d71a8c4a924783c9711f85af47e8bc81878524a047f6942850c6fbd463bfc5e405a
+  data.tar.gz: 497cb5e9810215ad95f49c0e0ac0d24c91144993c99b050d933faec696a5af0a221149fd8262234a4ed31eb1cda3004ee7f6b5112fb5544f4dd9339abf4e37fb

data/README.md

@@ -65,6 +65,10 @@ signed_document = Xmldsig::SignedDocument.new(signed_xml)
 signed_document.validate do |signature_value, data|
   certificate.public_key.verify(OpenSSL::Digest::SHA256.new, signature_value, data)
 end
+
+# Custom ID attribute
+signed_document = Xmldsig::SignedDocument.new(signed_xml, id_attr: "MyID")
+signed_document.validate(certificate)
 ```
 
 ## Known issues

data/lib/xmldsig/signed_document.rb

@@ -16,7 +16,7 @@ module Xmldsig
     end
 
     def sign(private_key = nil, instruct = true, &block)
-      signatures.each { |signature| signature.sign(private_key, &block) }
+      signatures.reverse.each { |signature| signature.sign(private_key, &block) }
       instruct ? @document.to_s : @document.root.to_s
     end
 
@@ -25,7 +25,9 @@ module Xmldsig
     end
 
     def signatures
-      document.xpath("//ds:Signature", NAMESPACES).reverse.collect { |node| Signature.new(node, @id_attr) } || []
+      document.xpath("//ds:Signature", NAMESPACES).
+          sort { |left, right| left.ancestors.size <=> right.ancestors.size }.
+          collect { |node| Signature.new(node, @id_attr) } || []
     end
   end
 end

data/lib/xmldsig/transforms/enveloped_signature.rb

@@ -2,7 +2,10 @@ module Xmldsig
   class Transforms < Array
     class EnvelopedSignature < Transform
       def transform
-        node.xpath("descendant::ds:Signature", Xmldsig::NAMESPACES).first.remove
+        signatures = node.xpath("descendant::ds:Signature", Xmldsig::NAMESPACES).
+            sort { |left, right| left.ancestors.size <=> right.ancestors.size }
+
+        signatures.first.remove
         node
       end
     end

data/lib/xmldsig/version.rb

@@ -1,3 +1,3 @@
 module Xmldsig
-  VERSION = '0.2.7'
+  VERSION = '0.2.8'
 end

data/spec/fixtures/signed/shib.cert

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRDCCAiygAwIBAgIVAOBBjAUVutk42CWL0RcirPc0cv9/MA0GCSqGSIb3DQEB
+BQUAMCExHzAdBgNVBAMTFnNoaWJib2xldGgudmFncmFudC5kZXYwHhcNMTUwNDIw
+MDcyOTQ1WhcNMzUwNDIwMDcyOTQ1WjAhMR8wHQYDVQQDExZzaGliYm9sZXRoLnZh
+Z3JhbnQuZGV2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmyH0D44r
+QzlgYzHr7RvfhYwcPhYS+GaFGpBj2AZ5152NyTLn7L4UH/ljWvirJ16K5Qhl4S0v
+EdCnrtPB6HUfzw9h8iZABfvQ4O1VEkKIeJGskqKleItXdlWYR45d9ATGqFbgwIpU
+cUYkpnepi8pJd1etPxEVoDT6kFuabrQBXorJ/Q59+eHfFH8oYG8mEVS0bWwyxFu7
+Rz8GBRcmKmzVeObnGQY5izY69/drLK/NbEX1MZRVOpT2L6LbmLXEZZQ7jd/L2mfE
+jzDBxfQaTs8Fgnl6vqhbMe1l3ci5SyJObZ3UwXkFy4LDnezs7ghENoSzP6Ah/Sq5
+8kwvWwJ5JTE/QwIDAQABo3MwcTBQBgNVHREESTBHghZzaGliYm9sZXRoLnZhZ3Jh
+bnQuZGV2hi1odHRwczovL3NoaWJib2xldGgudmFncmFudC5kZXYvaWRwL3NoaWJi
+b2xldGgwHQYDVR0OBBYEFHSLABA1TYmg3IH2qUa/2E3yFh4XMA0GCSqGSIb3DQEB
+BQUAA4IBAQCMrVvvrEcLtlKZXAV03waZjopDeiq5ByVqLjbyHnmuPixFzvxGDfvR
+H3rRITBTENNHoB6xDnYrw48F+RKtz58b01/SyMvVSQ6UAEtwq1aCxJdWdbfVeBEg
+bKcPAERQuOZdm13RKod2iAu+jlfLIqwVlSgo9YPqw7cfZzXB6ZrKFtjA8SHEmv26
+Y67EXAUkXd8nXOwXV2MJehfhBwUAwLxnC7RuVcdR2LRgf7oXbgwiyCJXdNP8S93s
+2tdLb7+K+Em8iaw4c3wfrBMUWs00P1iUs0KJaCTdG++LODBKt9wGUIB/AJiV+o4W
+qRh/jxiybmCVSlNUqoAP8t05jrtm6clF
+-----END CERTIFICATE-----

data/spec/fixtures/signed/shib.xml

@@ -0,0 +1,22 @@
+<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://lvh.me:3000/saml/consume" ID="_70566d518f1655ba37985b23f7169298" InResponseTo="_9a0411fe3d0cf28644525a3e39469a23368c082e" IssueInstant="2015-04-20T07:37:25.323Z" Version="2.0">
+  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://shibboleth.vagrant.dev/idp/shibboleth
+  </saml2:Issuer>
+  <saml2p:Status>
+    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </saml2p:Status>
+  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_f3be21a4420268b5a4d0f362b59079a4" IssueInstant="2015-04-20T07:37:25.323Z" Version="2.0"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://shibboleth.vagrant.dev/idp/shibboleth</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_f3be21a4420268b5a4d0f362b59079a4"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>HZfcJ8WkEGokMWQj00MKOUFSTu0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>eEL7t2VTTgSoUTzIpf+OYm3CrTJq6A+EEIRAyNLxVEJkjNRY6abKRBhPNharJGBbsbEh9yVW0sRuIU9HFaidzNaFok2oFoX7gm5nMhBL3n3bEmijWFastoc3PQOKYnATXziCfnyRq44rVaqrjKfYOdvifhZ8gjiBExEBHCoJkRp7jiMvbPqy31qAsNzL/IHZLDv5QILCi8iqjVdhNvdOh/2ajKYLrEiSUEb6Wv/8SxOWjMeSrkTLGJ7l0oWaJWeSCCwE3+2+ssBxWsHLOUTf7x9dRsR9RkliTA1zp22EpUpzTgBRnFrnxpLwCG5Iod0/pP+/klpoZ5pnS0U8c0fObg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDRDCCAiygAwIBAgIVAOBBjAUVutk42CWL0RcirPc0cv9/MA0GCSqGSIb3DQEBBQUAMCExHzAd
+BgNVBAMTFnNoaWJib2xldGgudmFncmFudC5kZXYwHhcNMTUwNDIwMDcyOTQ1WhcNMzUwNDIwMDcy
+OTQ1WjAhMR8wHQYDVQQDExZzaGliYm9sZXRoLnZhZ3JhbnQuZGV2MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAmyH0D44rQzlgYzHr7RvfhYwcPhYS+GaFGpBj2AZ5152NyTLn7L4UH/lj
+WvirJ16K5Qhl4S0vEdCnrtPB6HUfzw9h8iZABfvQ4O1VEkKIeJGskqKleItXdlWYR45d9ATGqFbg
+wIpUcUYkpnepi8pJd1etPxEVoDT6kFuabrQBXorJ/Q59+eHfFH8oYG8mEVS0bWwyxFu7Rz8GBRcm
+KmzVeObnGQY5izY69/drLK/NbEX1MZRVOpT2L6LbmLXEZZQ7jd/L2mfEjzDBxfQaTs8Fgnl6vqhb
+Me1l3ci5SyJObZ3UwXkFy4LDnezs7ghENoSzP6Ah/Sq58kwvWwJ5JTE/QwIDAQABo3MwcTBQBgNV
+HREESTBHghZzaGliYm9sZXRoLnZhZ3JhbnQuZGV2hi1odHRwczovL3NoaWJib2xldGgudmFncmFu
+dC5kZXYvaWRwL3NoaWJib2xldGgwHQYDVR0OBBYEFHSLABA1TYmg3IH2qUa/2E3yFh4XMA0GCSqG
+SIb3DQEBBQUAA4IBAQCMrVvvrEcLtlKZXAV03waZjopDeiq5ByVqLjbyHnmuPixFzvxGDfvRH3rR
+ITBTENNHoB6xDnYrw48F+RKtz58b01/SyMvVSQ6UAEtwq1aCxJdWdbfVeBEgbKcPAERQuOZdm13R
+Kod2iAu+jlfLIqwVlSgo9YPqw7cfZzXB6ZrKFtjA8SHEmv26Y67EXAUkXd8nXOwXV2MJehfhBwUA
+wLxnC7RuVcdR2LRgf7oXbgwiyCJXdNP8S93s2tdLb7+K+Em8iaw4c3wfrBMUWs00P1iUs0KJaCTd
+G++LODBKt9wGUIB/AJiV+o4WqRh/jxiybmCVSlNUqoAP8t05jrtm6clF</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://shibboleth.vagrant.dev/idp/shibboleth">shibadmin</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData Address="192.168.66.1" InResponseTo="_9a0411fe3d0cf28644525a3e39469a23368c082e" NotOnOrAfter="2015-04-20T07:42:25.323Z" Recipient="http://lvh.me:3000/saml/consume"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2015-04-20T07:37:25.323Z" NotOnOrAfter="2015-04-20T07:42:25.323Z"><saml2:AudienceRestriction><saml2:Audience>urn:testing:app</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2015-04-20T07:31:04.345Z" SessionIndex="_a2388aad0bff623245c6ae72576004e6"><saml2:SubjectLocality Address="192.168.66.1"/><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>
+</saml2p:Response>

data/spec/fixtures/unsigned/unsigned_nested_signature_at_bottom.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:baz="http://example.com/baz#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <baz:Baz ID="baz">
+    <ds:Signature>
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+        <ds:Reference URI="#baz">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+              <ec:InclusiveNamespaces PrefixList="foo baz"/>
+            </ds:Transform>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+          <ds:DigestValue></ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue></ds:SignatureValue>
+    </ds:Signature>
+  </baz:Baz>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces PrefixList="foo baz"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/fixtures/unsigned/unsigned_nested_signature_at_top.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:baz="http://example.com/baz#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#foo">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces PrefixList="foo baz"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+  <baz:Baz ID="baz">
+    <ds:Signature>
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+        <ds:Reference URI="#baz">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+              <ec:InclusiveNamespaces PrefixList="foo baz"/>
+            </ds:Transform>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+          <ds:DigestValue></ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue></ds:SignatureValue>
+    </ds:Signature>
+  </baz:Baz>
+</foo:Foo>

data/spec/lib/xmldsig/signed_document_spec.rb

@@ -42,8 +42,8 @@ describe Xmldsig::SignedDocument do
       signed_document.signatures.should be_all { |signature| signature.is_a?(Xmldsig::Signature) }
     end
 
-    it "returns the nested signatures first" do
-      unsigned_document.signatures.first.references.first.reference_uri.should == '#baz'
+    it "returns the outer signatures first" do
+      unsigned_document.signatures.first.references.first.reference_uri.should == '#foo'
     end
   end
 

data/spec/lib/xmldsig/transforms/enveloped_signature_spec.rb

@@ -4,8 +4,8 @@ describe Xmldsig::Transforms::EnvelopedSignature do
   let(:unsigned_xml) { File.read('spec/fixtures/unsigned_nested_signature.xml') }
   let(:unsigned_document) { Xmldsig::SignedDocument.new(unsigned_xml) }
 
-  it 'only removes the first signature element' do
-    node_with_nested_signature = unsigned_document.signatures.last.references.first.referenced_node
+  it 'only removes the outer most signature element' do
+    node_with_nested_signature = unsigned_document.signatures.first.references.first.referenced_node
 
     described_class.new(node_with_nested_signature, nil).transform
 

data/spec/lib/xmldsig_spec.rb

@@ -15,17 +15,18 @@ describe Xmldsig do
           Xmldsig::SignedDocument.new(signed_document).validate(certificate).should be == true
         end
 
-        it 'should have a signature element' do
-          Xmldsig::SignedDocument.new(signed_document).signatures.count.should == 1
+        it 'should have at least 1 signature element' do
+          Xmldsig::SignedDocument.new(signed_document).signatures.count.should >= 1
         end
 
         # TODO: remove this verification step when library matures
-        #it 'matches the result from xmlsec1' do
+        # it 'matches the result from xmlsec1' do
         #  result = `xmlsec1 --sign --id-attr:ID http://example.com/foo#:Foo --privkey-pem spec/fixtures/key.pem #{document}`
         #  result.gsub!("\n", '')
         #  signed_document.gsub!("\n", '')
+        #  puts result
         #  result.should == signed_document
-        #end
+        # end
       end
     end
   end
@@ -42,6 +43,17 @@ describe Xmldsig do
         end
       end
     end
+    Dir["spec/fixtures/signed/*.xml"].each do |document|
+      describe "#{document}" do
+        let(:signed_xml) { File.read(document) }
+        let(:signed_document) { Xmldsig::SignedDocument.new(signed_xml) }
+        let(:certificate) { OpenSSL::X509::Certificate.new(File.read(document.gsub('.xml', '.cert'))) }
+
+        it "should be validateable" do
+          expect(signed_document.validate(certificate)).to be == true
+        end
+      end
+    end
   end
 
   describe "Allows specifying a custom id attribute" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: xmldsig
 version: !ruby/object:Gem::Version
-  version: 0.2.7
+  version: 0.2.8
 platform: ruby
 authors:
 - benoist
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-03-02 00:00:00.000000000 Z
+date: 2015-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -57,12 +57,16 @@ files:
 - spec/fixtures/signed.xml
 - spec/fixtures/signed/ideal.cert
 - spec/fixtures/signed/ideal.txt
+- spec/fixtures/signed/shib.cert
+- spec/fixtures/signed/shib.xml
 - spec/fixtures/signed_custom_attribute_id.xml
 - spec/fixtures/unsigned.xml
 - spec/fixtures/unsigned/canonicalizer_1_0.xml
 - spec/fixtures/unsigned/canonicalizer_1_1.xml
 - spec/fixtures/unsigned/canonicalizer_exc.xml
 - spec/fixtures/unsigned/digest_sha1.xml
+- spec/fixtures/unsigned/unsigned_nested_signature_at_bottom.xml
+- spec/fixtures/unsigned/unsigned_nested_signature_at_top.xml
 - spec/fixtures/unsigned/with_soap_envelope.xml
 - spec/fixtures/unsigned/without_canonicalization.xml
 - spec/fixtures/unsigned/without_namespace_prefix.xml
@@ -98,7 +102,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.4.6
 signing_key: 
 specification_version: 4
 summary: This gem is a (partial) implementation of the XMLDsig specification (http://www.w3.org/TR/xmldsig-core)
@@ -109,12 +113,16 @@ test_files:
 - spec/fixtures/signed.xml
 - spec/fixtures/signed/ideal.cert
 - spec/fixtures/signed/ideal.txt
+- spec/fixtures/signed/shib.cert
+- spec/fixtures/signed/shib.xml
 - spec/fixtures/signed_custom_attribute_id.xml
 - spec/fixtures/unsigned.xml
 - spec/fixtures/unsigned/canonicalizer_1_0.xml
 - spec/fixtures/unsigned/canonicalizer_1_1.xml
 - spec/fixtures/unsigned/canonicalizer_exc.xml
 - spec/fixtures/unsigned/digest_sha1.xml
+- spec/fixtures/unsigned/unsigned_nested_signature_at_bottom.xml
+- spec/fixtures/unsigned/unsigned_nested_signature_at_top.xml
 - spec/fixtures/unsigned/with_soap_envelope.xml
 - spec/fixtures/unsigned/without_canonicalization.xml
 - spec/fixtures/unsigned/without_namespace_prefix.xml