xmldsig 0.2.10 → 0.3.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 227a4b8476b3589a1daedcb5fcf290f0aecf8188
4
- data.tar.gz: 3617f08f692df2042ae4b29e630d481162add76b
3
+ metadata.gz: c660b351f5875742f3eadd11bee9e6db8cb52c5e
4
+ data.tar.gz: 9ca1137b37ea2fd0571caf180818f690a387847d
5
5
  SHA512:
6
- metadata.gz: 948280bdfbd54908b3c5955b2c164512983b24b4c7852436e36ec76b861bd603ad3f72b591e9a5c8471a6ca1231de57aa83631cf5ce6acc1f433101a7a6d0a49
7
- data.tar.gz: 28edb78b29c0792616bd82e351edf30156726469db9413a93b701f1007da1b0b26b0a3c32e203e2ad42f4e229ada259a901731fb1a2ba817cf868330ae6830a5
6
+ metadata.gz: bbe25b7ed1e30ff825dac52c101b74dbb3337112c54d539b869460c7833e8a2d19d67801abed19d118f044cfeb9d7689295f74d0496c3a8695f1420e83216ab7
7
+ data.tar.gz: be13b6062f6d168b5605e3d4048c8b7eb0d5f111d919a9781e95b92abb545eb8d11f3f0ce3ae909ee709ce5cde433532324d27531f0e5eefb41fb133d8af877c
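--- a/data/lib/xmldsig.rb
+++ b/data/lib/xmldsig.rb
@@ -17,4 +17,12 @@ module Xmldsig
  "ec" => "http://www.w3.org/2001/10/xml-exc-c14n#",
  "wsu" => "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  }
+
+ class Error < StandardError
+ end
+
+ class SchemaError < Error
+ end
+
+ XSD_FILE = File.read(File.expand_path('../xmldsig/xmldsig-core-schema.xsd', __FILE__))
  end
@@ -33,6 +33,7 @@ module Xmldsig
  def valid?(certificate = nil, &block)
  @errors = []
  references.each { |r| r.errors = [] }
+ validate_schema
  validate_digest_values
  validate_signature_value(certificate, &block)
  errors.empty?
@@ -75,6 +76,12 @@ module Xmldsig
  Base64.encode64(signature_value).chomp
  end
 
+ def validate_schema
+ doc = Nokogiri::XML::Document.parse(signature.canonicalize)
+ errors = Nokogiri::XML::Schema.new(Xmldsig::XSD_FILE).validate(doc)
+ raise Xmldsig::SchemaError.new(errors.first.message) if errors.any?
+ end
+
  def validate_digest_values
  references.each(&:validate_digest_value)
  end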
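Review bot: `valid?` now raises `Xmldsig::SchemaError` (through the `validate_schema` call added at the top of the second hunk) instead of returning false, so any caller that branches on its boolean result gets an exception for a Signature element that fails the schema; if that is the intended contract, document it above `valid?` with `# @raise [Xmldsig::SchemaError] if the Signature element does not validate against the bundled XML-DSig core schema`, otherwise rescue it inside `valid?` and append the message to `@errors` so it surfaces like the digest and signature failures. In the third hunk, `Nokogiri::XML::Schema.new(Xmldsig::XSD_FILE)` re-parses the schema on every validation call even though the text is already read once at load time; parsing it once into a module-level constant next to `XSD_FILE` avoids that cost. The local `errors` in `validate_schema` shadows the `errors` reader that `valid?` consults on its last line (presumably an accessor for `@errors`), and only the first message is reported: `schema_errors = Nokogiri::XML::Schema.new(Xmldsig::XSD_FILE).validate(doc)` and `raise Xmldsig::SchemaError, schema_errors.map(&:message).join('; ') if schema_errors.any?` would be clearer and more informative. Worth a one-line comment that the check covers only the canonicalized Signature element, not the enclosing document.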
@@ -1,3 +1,3 @@
1
1
  module Xmldsig
2
- VERSION = '0.2.10'
2
+ VERSION = '0.3.0'
3
3
  end
@@ -0,0 +1,262 @@
1
+ <?xml version="1.0" encoding="utf-8"?>
2
+ <!--
3
+ <!DOCTYPE schema
4
+ PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
5
+ [
6
+ <!ATTLIST schema
7
+ xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
8
+ <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
9
+ <!ENTITY % p ''>
10
+ <!ENTITY % s ''>
11
+ ]>
12
+ -->
13
+ <!-- Schema for XML Signatures
14
+ http://www.w3.org/2000/09/xmldsig#
15
+ $Revision: 4 $ on $Date: 2004-12-16 12:08:17 -0500 (Thu, 16 Dec 2004) $ by $Author: marcgratacos $
16
+ Copyright 2001 The Internet Society and W3C (Massachusetts Institute
17
+ of Technology, Institut National de Recherche en Informatique et en
18
+ Automatique, Keio University). All Rights Reserved.
19
+ http://www.w3.org/Consortium/Legal/
20
+ This document is governed by the W3C Software License [1] as described
21
+ in the FAQ [2].
22
+ [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
23
+ [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
24
+ -->
25
+ <schema elementFormDefault="qualified" targetNamespace="http://www.w3.org/2000/09/xmldsig#" version="0.1" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
26
+ <!-- Basic Types Defined for Signatures -->
27
+ <simpleType name="CryptoBinary">
28
+ <restriction base="base64Binary" />
29
+ </simpleType>
30
+ <!-- Start Signature -->
31
+ <element name="Signature" type="ds:SignatureType" />
32
+ <complexType name="SignatureType">
33
+ <sequence>
34
+ <element ref="ds:SignedInfo" />
35
+ <element ref="ds:SignatureValue" />
36
+ <element minOccurs="0" ref="ds:KeyInfo" />
37
+ <element maxOccurs="unbounded" minOccurs="0" ref="ds:Object" />
38
+ </sequence>
39
+ <attribute name="Id" type="ID" use="optional" />
40
+ </complexType>
41
+ <element name="SignatureValue" type="ds:SignatureValueType" />
42
+ <complexType name="SignatureValueType">
43
+ <simpleContent>
44
+ <extension base="base64Binary">
45
+ <attribute name="Id" type="ID" use="optional" />
46
+ </extension>
47
+ </simpleContent>
48
+ </complexType>
49
+ <!-- Start SignedInfo -->
50
+ <element name="SignedInfo" type="ds:SignedInfoType" />
51
+ <complexType name="SignedInfoType">
52
+ <sequence>
53
+ <element ref="ds:CanonicalizationMethod" />
54
+ <element ref="ds:SignatureMethod" />
55
+ <element maxOccurs="unbounded" ref="ds:Reference" />
56
+ </sequence>
57
+ <attribute name="Id" type="ID" use="optional" />
58
+ </complexType>
59
+ <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType" />
60
+ <complexType mixed="true" name="CanonicalizationMethodType">
61
+ <sequence>
62
+ <any maxOccurs="unbounded" minOccurs="0" namespace="##any" />
63
+ <!-- (0,unbounded) elements from (1,1) namespace -->
64
+ </sequence>
65
+ <attribute name="Algorithm" type="anyURI" use="required" />
66
+ </complexType>
67
+ <element name="SignatureMethod" type="ds:SignatureMethodType" />
68
+ <complexType mixed="true" name="SignatureMethodType">
69
+ <sequence>
70
+ <element minOccurs="0" name="HMACOutputLength" type="ds:HMACOutputLengthType" />
71
+ <any maxOccurs="unbounded" minOccurs="0" namespace="##other" />
72
+ <!-- (0,unbounded) elements from (1,1) external namespace -->
73
+ </sequence>
74
+ <attribute name="Algorithm" type="anyURI" use="required" />
75
+ </complexType>
76
+ <!-- Start Reference -->
77
+ <element name="Reference" type="ds:ReferenceType" />
78
+ <complexType name="ReferenceType">
79
+ <sequence>
80
+ <element minOccurs="0" ref="ds:Transforms" />
81
+ <element ref="ds:DigestMethod" />
82
+ <element ref="ds:DigestValue" />
83
+ </sequence>
84
+ <attribute name="Id" type="ID" use="optional" />
85
+ <attribute name="URI" type="anyURI" use="optional" />
86
+ <attribute name="Type" type="anyURI" use="optional" />
87
+ </complexType>
88
+ <element name="Transforms" type="ds:TransformsType" />
89
+ <complexType name="TransformsType">
90
+ <sequence>
91
+ <element maxOccurs="unbounded" ref="ds:Transform" />
92
+ </sequence>
93
+ </complexType>
94
+ <element name="Transform" type="ds:TransformType" />
95
+ <complexType mixed="true" name="TransformType">
96
+ <choice maxOccurs="unbounded" minOccurs="0">
97
+ <any namespace="##other" processContents="lax" />
98
+ <!-- (1,1) elements from (0,unbounded) namespaces -->
99
+ <element name="XPath" type="string" />
100
+ </choice>
101
+ <attribute name="Algorithm" type="anyURI" use="required" />
102
+ </complexType>
103
+ <!-- End Reference -->
104
+ <element name="DigestMethod" type="ds:DigestMethodType" />
105
+ <complexType mixed="true" name="DigestMethodType">
106
+ <sequence>
107
+ <any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="lax" />
108
+ </sequence>
109
+ <attribute name="Algorithm" type="anyURI" use="required" />
110
+ </complexType>
111
+ <element name="DigestValue" type="ds:DigestValueType" />
112
+ <simpleType name="DigestValueType">
113
+ <restriction base="base64Binary" />
114
+ </simpleType>
115
+ <!-- End SignedInfo -->
116
+ <!-- Start KeyInfo -->
117
+ <element name="KeyInfo" type="ds:KeyInfoType" />
118
+ <complexType mixed="true" name="KeyInfoType">
119
+ <choice maxOccurs="unbounded">
120
+ <element ref="ds:KeyName" />
121
+ <element ref="ds:KeyValue" />
122
+ <element ref="ds:RetrievalMethod" />
123
+ <element ref="ds:X509Data" />
124
+ <element ref="ds:PGPData" />
125
+ <element ref="ds:SPKIData" />
126
+ <element ref="ds:MgmtData" />
127
+ <any namespace="##other" processContents="lax" />
128
+ <!-- (1,1) elements from (0,unbounded) namespaces -->
129
+ </choice>
130
+ <attribute name="Id" type="ID" use="optional" />
131
+ </complexType>
132
+ <element name="KeyName" type="string" />
133
+ <element name="MgmtData" type="string" />
134
+ <element name="KeyValue" type="ds:KeyValueType" />
135
+ <complexType mixed="true" name="KeyValueType">
136
+ <choice>
137
+ <element ref="ds:DSAKeyValue" />
138
+ <element ref="ds:RSAKeyValue" />
139
+ <any namespace="##other" processContents="lax" />
140
+ </choice>
141
+ </complexType>
142
+ <element name="RetrievalMethod" type="ds:RetrievalMethodType" />
143
+ <complexType name="RetrievalMethodType">
144
+ <sequence>
145
+ <element minOccurs="0" ref="ds:Transforms" />
146
+ </sequence>
147
+ <attribute name="URI" type="anyURI" />
148
+ <attribute name="Type" type="anyURI" use="optional" />
149
+ </complexType>
150
+ <!-- Start X509Data -->
151
+ <element name="X509Data" type="ds:X509DataType" />
152
+ <complexType name="X509DataType">
153
+ <sequence maxOccurs="unbounded">
154
+ <choice>
155
+ <element name="X509IssuerSerial" type="ds:X509IssuerSerialType" />
156
+ <element name="X509SKI" type="base64Binary" />
157
+ <element name="X509SubjectName" type="string" />
158
+ <element name="X509Certificate" type="base64Binary" />
159
+ <element name="X509CRL" type="base64Binary" />
160
+ <any namespace="##other" processContents="lax" />
161
+ </choice>
162
+ </sequence>
163
+ </complexType>
164
+ <complexType name="X509IssuerSerialType">
165
+ <sequence>
166
+ <element name="X509IssuerName" type="string" />
167
+ <element name="X509SerialNumber" type="integer" />
168
+ </sequence>
169
+ </complexType>
170
+ <!-- End X509Data -->
171
+ <!-- Begin PGPData -->
172
+ <element name="PGPData" type="ds:PGPDataType" />
173
+ <complexType name="PGPDataType">
174
+ <choice>
175
+ <sequence>
176
+ <element name="PGPKeyID" type="base64Binary" />
177
+ <element minOccurs="0" name="PGPKeyPacket" type="base64Binary" />
178
+ <any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="lax" />
179
+ </sequence>
180
+ <sequence>
181
+ <element name="PGPKeyPacket" type="base64Binary" />
182
+ <any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="lax" />
183
+ </sequence>
184
+ </choice>
185
+ </complexType>
186
+ <!-- End PGPData -->
187
+ <!-- Begin SPKIData -->
188
+ <element name="SPKIData" type="ds:SPKIDataType" />
189
+ <complexType name="SPKIDataType">
190
+ <sequence maxOccurs="unbounded">
191
+ <element name="SPKISexp" type="base64Binary" />
192
+ <any minOccurs="0" namespace="##other" processContents="lax" />
193
+ </sequence>
194
+ </complexType>
195
+ <!-- End SPKIData -->
196
+ <!-- End KeyInfo -->
197
+ <!-- Start Object (Manifest, SignatureProperty) -->
198
+ <element name="Object" type="ds:ObjectType" />
199
+ <complexType mixed="true" name="ObjectType">
200
+ <sequence maxOccurs="unbounded" minOccurs="0">
201
+ <any namespace="##any" processContents="lax" />
202
+ </sequence>
203
+ <attribute name="Id" type="ID" use="optional" />
204
+ <attribute name="MimeType" type="string" use="optional" />
205
+ <attribute name="Encoding" type="anyURI" use="optional" />
206
+ <!-- add a grep facet -->
207
+ </complexType>
208
+ <element name="Manifest" type="ds:ManifestType" />
209
+ <complexType name="ManifestType">
210
+ <sequence>
211
+ <element maxOccurs="unbounded" ref="ds:Reference" />
212
+ </sequence>
213
+ <attribute name="Id" type="ID" use="optional" />
214
+ </complexType>
215
+ <element name="SignatureProperties" type="ds:SignaturePropertiesType" />
216
+ <complexType name="SignaturePropertiesType">
217
+ <sequence>
218
+ <element maxOccurs="unbounded" ref="ds:SignatureProperty" />
219
+ </sequence>
220
+ <attribute name="Id" type="ID" use="optional" />
221
+ </complexType>
222
+ <element name="SignatureProperty" type="ds:SignaturePropertyType" />
223
+ <complexType mixed="true" name="SignaturePropertyType">
224
+ <choice maxOccurs="unbounded">
225
+ <any namespace="##other" processContents="lax" />
226
+ <!-- (1,1) elements from (1,unbounded) namespaces -->
227
+ </choice>
228
+ <attribute name="Target" type="anyURI" use="required" />
229
+ <attribute name="Id" type="ID" use="optional" />
230
+ </complexType>
231
+ <!-- End Object (Manifest, SignatureProperty) -->
232
+ <!-- Start Algorithm Parameters -->
233
+ <simpleType name="HMACOutputLengthType">
234
+ <restriction base="integer" />
235
+ </simpleType>
236
+ <!-- Start KeyValue Element-types -->
237
+ <element name="DSAKeyValue" type="ds:DSAKeyValueType" />
238
+ <complexType name="DSAKeyValueType">
239
+ <sequence>
240
+ <sequence minOccurs="0">
241
+ <element name="P" type="ds:CryptoBinary" />
242
+ <element name="Q" type="ds:CryptoBinary" />
243
+ </sequence>
244
+ <element minOccurs="0" name="G" type="ds:CryptoBinary" />
245
+ <element name="Y" type="ds:CryptoBinary" />
246
+ <element minOccurs="0" name="J" type="ds:CryptoBinary" />
247
+ <sequence minOccurs="0">
248
+ <element name="Seed" type="ds:CryptoBinary" />
249
+ <element name="PgenCounter" type="ds:CryptoBinary" />
250
+ </sequence>
251
+ </sequence>
252
+ </complexType>
253
+ <element name="RSAKeyValue" type="ds:RSAKeyValueType" />
254
+ <complexType name="RSAKeyValueType">
255
+ <sequence>
256
+ <element name="Modulus" type="ds:CryptoBinary" />
257
+ <element name="Exponent" type="ds:CryptoBinary" />
258
+ </sequence>
259
+ </complexType>
260
+ <!-- End KeyValue Element-types -->
261
+ <!-- End Signature -->
262
+ </schema>
@@ -0,0 +1,24 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+ <foo:Foo xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" ID="foo">
3
+ <ds:Signature>
4
+ <ds:SignedInfo>
5
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
6
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
7
+ <ds:Reference URI="#foo">
8
+ <ds:Transforms>
9
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
10
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
11
+ <ec:InclusiveNamespaces PrefixList="foo"/>
12
+ </ds:Transform>
13
+ </ds:Transforms>
14
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
15
+ <ds:DigestValue>Uxo8ZyDAavNIsXjJZAp1K8T30aXSXrXMUYof7ZHVwQk=</ds:DigestValue>
16
+ </ds:Reference>
17
+ </ds:SignedInfo>
18
+ <ds:SignatureValue>NggRouxW4kOlLalQuu32YB3RMm92qXbLjZlRpyZiCjKl/WGVfkFbzZwH6frn
19
+ bSnQWA2Nmof5Rb28D5hFRZP8kd2Bs5AzjuiHP0XeCOX1WRo8YQDMuhns8Nn8
20
+ 7ouSojTb206NG9c0yHdRlmCQSQlV/rCLSBOj1BTT1oEQjBlxJM0=</ds:SignatureValue>
21
+ <foo:Bar>bar</foo:Bar>
22
+ </ds:Signature>
23
+ <foo:Bar>bar</foo:Bar>
24
+ </foo:Foo>
@@ -18,7 +18,6 @@
18
18
  </ds:Reference>
19
19
  </ds:SignedInfo>
20
20
  <ds:SignatureValue></ds:SignatureValue>
21
- <ds:KeyInfo/>
22
21
  </ds:Signature>
23
22
  <samlp:Status>
24
23
  <samlp:StatusCode/>
@@ -30,4 +29,4 @@
30
29
  </samlp:Response>
31
30
  </samlp:ArtifactResponse>
32
31
  </soapenv:Body>
33
- </soapenv:Envelope>
32
+ </soapenv:Envelope>
@@ -18,15 +18,6 @@ describe Xmldsig do
18
18
  it 'should have at least 1 signature element' do
19
19
  Xmldsig::SignedDocument.new(signed_document).signatures.count.should >= 1
20
20
  end
21
-
22
- # TODO: remove this verification step when library matures
23
- # it 'matches the result from xmlsec1' do
24
- # result = `xmlsec1 --sign --id-attr:ID http://example.com/foo#:Foo --privkey-pem spec/fixtures/key.pem #{document}`
25
- # result.gsub!("\n", '')
26
- # signed_document.gsub!("\n", '')
27
- # puts result
28
- # result.should == signed_document
29
- # end
30
21
  end
31
22
  end
32
23
  end
@@ -54,6 +45,16 @@ describe Xmldsig do
54
45
  end
55
46
  end
56
47
  end
48
+
49
+ context "with invalid xsd signature elemements" do
50
+ let(:signed_xml) { File.read('spec/fixtures/signed-with-xsd-error.xml') }
51
+ let(:signed_document) { Xmldsig::SignedDocument.new(signed_xml) }
52
+ let(:certificate) { OpenSSL::X509::Certificate.new(File.read('spec/fixtures/certificate.cer')) }
53
+
54
+ it "raises schema error" do
55
+ expect{ signed_document.validate(certificate) }.to raise_error(Xmldsig::SchemaError)
56
+ end
57
+ end
57
58
  end
58
59
 
59
60
  describe "Allows specifying a custom id attribute" do
@@ -69,15 +70,6 @@ describe Xmldsig do
69
70
  it 'should have a signature element' do
70
71
  Xmldsig::SignedDocument.new(signed_document, :id_attr => 'MyID').signatures.count.should == 1
71
72
  end
72
-
73
- # TODO: remove this verification step when library matures
74
- # it 'matches the result from xmlsec1' do
75
- # document = "spec/fixtures/unsigned_custom_attribute_id.xml"
76
- # result = `xmlsec1 --sign --privkey-pem spec/fixtures/key.pem --id-attr:MyID Foo #{document}`
77
- # result.gsub!("\n", '')
78
- # signed_document.gsub!("\n", '')
79
- # result.should == signed_document
80
- # end
81
73
  end
82
74
 
83
75
  context "a signed document" do
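Review bot: The new context in the second spec hunk exercises `signed_document.validate(certificate)`, but the library hunks on this page only add the schema check to `valid?`; if `validate` is a separate entry point that does not route through `valid?`, the raise path in `valid?` itself stays untested, so an additional `expect { signed_document.valid?(certificate) }.to raise_error(Xmldsig::SchemaError)` (or an assertion of whatever boolean/errors behaviour is intended there) would cover it. The context description has a typo and should read `"with invalid xsd signature elements"`. RSpec style also puts a space before the block brace: `expect { signed_document.validate(certificate) }`. The enclosing `describe` starts outside the hunk.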
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: xmldsig
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.10
4
+ version: 0.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - benoist
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-10-30 00:00:00.000000000 Z
11
+ date: 2015-11-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: nokogiri
@@ -50,10 +50,12 @@ files:
50
50
  - lib/xmldsig/transforms/enveloped_signature.rb
51
51
  - lib/xmldsig/transforms/transform.rb
52
52
  - lib/xmldsig/version.rb
53
+ - lib/xmldsig/xmldsig-core-schema.xsd
53
54
  - signing_service.rb
54
55
  - spec/fixtures/certificate.cer
55
56
  - spec/fixtures/certificate2.cer
56
57
  - spec/fixtures/key.pem
58
+ - spec/fixtures/signed-with-xsd-error.xml
57
59
  - spec/fixtures/signed.xml
58
60
  - spec/fixtures/signed/ideal.cert
59
61
  - spec/fixtures/signed/ideal.txt
@@ -112,6 +114,7 @@ test_files:
112
114
  - spec/fixtures/certificate.cer
113
115
  - spec/fixtures/certificate2.cer
114
116
  - spec/fixtures/key.pem
117
+ - spec/fixtures/signed-with-xsd-error.xml
115
118
  - spec/fixtures/signed.xml
116
119
  - spec/fixtures/signed/ideal.cert
117
120
  - spec/fixtures/signed/ideal.txt