xmldsig 0.6.5 → 0.6.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a9796692edf2edbf8dc5b0b3e034e72c110b9632
-  data.tar.gz: 987fa5579e92b79490237b25eb01bdea3fb9e7db
+  metadata.gz: df1410861d55968a7bca96a9c3ea4a3610938f91
+  data.tar.gz: 839b63410739fca62890f35bb03890523c192bf1
 SHA512:
-  metadata.gz: 36cc6186cf9d51dbd483c2d64d31bd81f3c7411e53fa43be74463ca7613dd107efc679893fa9510f985230ad40289bc0fb50b73ae83d389d13e5e40482452f1e
-  data.tar.gz: aafbdeb71da7b102eb054f6ae9db0e590ddda376cca8a85056279511d03b85a4b426a83fd1511c2cc6451a68b5d817c2665a9c89cd7c972edf1800009327dc6f
+  metadata.gz: f57cc44c4425d043a97d55af347f8bc9e4c89ae8352b5ff5c74b1fc44c6031ec6277775ea3eb097956d7e042c872c8ecb91b69c94d046e8c952174cd1f4dba59
+  data.tar.gz: a001df00e557acf52e267b4a267aa8e0ed69af44ee21a62b5e84310427024b8755efe240c90c9c15f28731ac1166a39e13b5ed28484d21938da839f737c84d2e

data/CHANGELOG.md

@@ -1,4 +1,8 @@
 # Changelog
+v0.6.6
+- Add support for cid references to external documents. (iterateNZ)
+- Add support for http://www.w3.org/TR/1999/REC-xpath-19991116 transforms (iterateNZ)
+
 v0.6.5
 - Added inclusive namespace prefix list for canonicalization method (jmhooper)
 

data/README.md

@@ -24,6 +24,9 @@ unsigned_xml = <<-XML
 <?xml version="1.0" encoding="UTF-8"?>
 <foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
   <foo:Bar>bar</foo:Bar>
+  <foo:Baz>
+    <foo:Qux>quuz</foo:Qux>
+  </foo:Baz>
   <ds:Signature>
     <ds:SignedInfo>
       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
@@ -31,6 +34,9 @@ unsigned_xml = <<-XML
       <ds:Reference URI="#foo">
         <ds:Transforms>
           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
+            <ds:XPath>not(ancestor-or-self::foo:Baz)</ds:XPath>
+          </ds:Transform>
           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
             <ec:InclusiveNamespaces PrefixList="foo"/>
           </ds:Transform>

data/lib/xmldsig.rb

@@ -25,6 +25,7 @@ require "xmldsig/signed_document"
 require "xmldsig/transforms/transform"
 require "xmldsig/transforms/canonicalize"
 require "xmldsig/transforms/enveloped_signature"
+require "xmldsig/transforms/xpath"
 require "xmldsig/transforms"
 require "xmldsig/reference"
 require "xmldsig/signature"

data/lib/xmldsig/reference.rb

@@ -5,10 +5,11 @@ module Xmldsig
     class ReferencedNodeNotFound < Exception;
     end
 
-    def initialize(reference, id_attr = nil)
+    def initialize(reference, id_attr = nil, referenced_documents = {})
       @reference = reference
       @errors    = []
       @id_attr = id_attr
+      @referenced_documents = referenced_documents
     end
 
     def document
@@ -21,16 +22,28 @@ module Xmldsig
 
     def referenced_node
       if reference_uri && reference_uri != ""
-        id = reference_uri[1..-1]
-        referenced_node_xpath = @id_attr ? "//*[@#{@id_attr}=$uri]" : "//*[@ID=$uri or @wsu:Id=$uri]"
-        variable_bindings = { 'uri' => id }
-        if ref = document.dup.at_xpath(referenced_node_xpath, NAMESPACES, variable_bindings)
-          ref
+        if @id_attr.nil? && reference_uri.start_with?("cid:")
+          content_id = reference_uri[4..-1]
+          if @referenced_documents.has_key?(content_id)
+            @referenced_documents[content_id].dup
+          else
+            raise(
+                ReferencedNodeNotFound,
+                "Could not find referenced document with ContentId #{content_id}"
+            )
+          end
         else
-          raise(
-              ReferencedNodeNotFound,
-              "Could not find the referenced node #{id}'"
-          )
+          id = reference_uri[1..-1]
+          referenced_node_xpath = @id_attr ? "//*[@#{@id_attr}=$uri]" : "//*[@ID=$uri or @wsu:Id=$uri]"
+          variable_bindings = { 'uri' => id }
+          if ref = document.dup.at_xpath(referenced_node_xpath, NAMESPACES, variable_bindings)
+            ref
+          else
+            raise(
+                ReferencedNodeNotFound,
+                "Could not find the referenced node #{id}'"
+            )
+          end
         end
       else
         document.dup.root

data/lib/xmldsig/signature.rb

@@ -2,14 +2,15 @@ module Xmldsig
   class Signature
     attr_accessor :signature
 
-    def initialize(signature, id_attr = nil)
+    def initialize(signature, id_attr = nil, referenced_documents = {})
       @signature = signature
       @id_attr = id_attr
+      @referenced_documents = referenced_documents
     end
 
     def references
       @references ||= signature.xpath("descendant::ds:Reference", NAMESPACES).map do |node|
-        Reference.new(node, @id_attr)
+        Reference.new(node, @id_attr, @referenced_documents)
       end
     end
 

data/lib/xmldsig/signed_document.rb

@@ -1,6 +1,6 @@
 module Xmldsig
   class SignedDocument
-    attr_accessor :document, :id_attr, :force
+    attr_accessor :document, :id_attr, :force, :referenced_documents
 
     def initialize(document, options = {})
       @document = if document.kind_of?(Nokogiri::XML::Document)
@@ -10,6 +10,7 @@ module Xmldsig
       end
       @id_attr  = options[:id_attr] if options[:id_attr]
       @force    = options[:force]
+      @referenced_documents = options.fetch(:referenced_documents, {})
     end
 
     def validate(certificate = nil, schema = nil, &block)
@@ -35,7 +36,7 @@ module Xmldsig
     def signatures
       document.xpath("//ds:Signature", NAMESPACES).
           sort { |left, right| left.ancestors.size <=> right.ancestors.size }.
-          collect { |node| Signature.new(node, @id_attr) } || []
+          collect { |node| Signature.new(node, @id_attr, referenced_documents) } || []
     end
   end
 end

data/lib/xmldsig/transforms.rb

@@ -21,6 +21,8 @@ module Xmldsig
           Transforms::Canonicalize.new(node, transform_node)
         when "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
           Transforms::Canonicalize.new(node, transform_node, true)
+        when "http://www.w3.org/TR/1999/REC-xpath-19991116"
+          Transforms::XPath.new(node, transform_node)
       end
     end
 

data/lib/xmldsig/transforms/xpath.rb

@@ -0,0 +1,22 @@
+module Xmldsig
+  class Transforms < Array
+    class XPath < Transform
+      attr_reader :xpath_query
+
+      REC_XPATH_1991116_QUERY = "(//. | //@* | //namespace::*)"
+
+      def initialize(node, transform_node)
+        @xpath_query = transform_node.at_xpath("ds:XPath", NAMESPACES).text
+        super(node, transform_node)
+      end
+
+      def transform
+        node.xpath(REC_XPATH_1991116_QUERY)
+          .reject { |n| !n.respond_to?(:xpath) }
+          .reject { |n| n.xpath(@xpath_query, node.namespaces) }
+          .each(&:remove)
+        node
+      end
+    end
+  end
+end

data/lib/xmldsig/version.rb

@@ -1,3 +1,3 @@
 module Xmldsig
-  VERSION = '0.6.5'
+  VERSION = '0.6.6'
 end

data/spec/fixtures/signed_with_cid_reference.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" ID="foo">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="cid:fooDocument">
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue>tdQEXD9Gb6kf4sxqvnkjKhpXzfEE96JucW4KHieJ33g=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>JI5XLfznf8BsNA5vtm0kPG5kni983qrJV1EFx4oZnb6tPvARvPbtR1oEaxnB5ROQJ6xzBuuxDsUFT1BNNUR8vL1S2qPk80USXwNhl0Cfa4mDULNw1rRhN6q82VEvAC/Hb32mvgKDLlJZymdafZhUUeEmaQj+YHsTU54kPCY5w+E=</ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/fixtures/unsigned/with_xpath_algorithm.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+  <soapenv:Body>
+    <samlp:ArtifactResponse xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" ID="_91e79cb2e8cded9a7fd4d68dc480b49d2d1adf88" Version="2.0" IssueInstant="2013-01-17T09:02:44Z">
+      <ds:Signature>
+        <ds:SignedInfo>
+          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+          <ds:Reference>
+            <ds:Transforms>
+              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+              <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
+                <ds:XPath>not(ancestor-or-self::samlp:Status)</ds:XPath>
+              </ds:Transform>
+              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+                <ec:InclusiveNamespaces PrefixList="ds saml samlp xs"/>
+              </ds:Transform>
+            </ds:Transforms>
+            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+            <ds:DigestValue></ds:DigestValue>
+          </ds:Reference>
+        </ds:SignedInfo>
+        <ds:SignatureValue></ds:SignatureValue>
+      </ds:Signature>
+      <samlp:Status>
+        <samlp:StatusCode/>
+      </samlp:Status>
+      <samlp:Response ID="_5a88b4aeb1d290c86073874278e5ef302da66739" Version="2.0" IssueInstant="2013-01-17T09:02:44Z">
+        <samlp:Status>
+          <samlp:StatusCode/>
+        </samlp:Status>
+      </samlp:Response>
+    </samlp:ArtifactResponse>
+  </soapenv:Body>
+</soapenv:Envelope>

data/spec/fixtures/unsigned_with_cid_reference.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<foo:Foo xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" ID="foo">
+  <foo:Bar>bar</foo:Bar>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="cid:fooDocument">
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue></ds:SignatureValue>
+  </ds:Signature>
+</foo:Foo>

data/spec/lib/xmldsig/reference_spec.rb

@@ -78,6 +78,30 @@ describe Xmldsig::Reference do
       expect { malicious_reference.referenced_node }.
         to raise_error(Xmldsig::Reference::ReferencedNodeNotFound)
     end
+
+    context "when the referenced node is prefixed with 'cid:'" do
+      let(:document) { Nokogiri::XML::Document.parse File.read("spec/fixtures/unsigned_with_cid_reference.xml") }
+      let(:foo_document) { "<test><ing>present</ing></test>" }
+      let(:referenced_documents) { { "fooDocument" => foo_document } }
+      let(:reference) { Xmldsig::Reference.new(document.at_xpath('//ds:Reference', Xmldsig::NAMESPACES), nil, referenced_documents) }
+
+      it "has the correct reference_uri" do
+        expect(reference.reference_uri).to eq "cid:fooDocument"
+      end
+
+      it "returns the document referenced by the content id" do
+        expect(reference.referenced_node).to eq foo_document
+      end
+
+      context "when the document has no referenced_documents matching the referenced name" do
+        let(:referenced_documents) { Hash.new }
+
+        it "raises ReferencedNodeNotFound" do
+          expect { reference.referenced_node }.
+            to raise_error(Xmldsig::Reference::ReferencedNodeNotFound)
+        end
+      end
+    end
   end
 
   describe "#reference_uri" do

data/spec/lib/xmldsig/transforms/xpath_spec.rb

@@ -0,0 +1,18 @@
+require 'spec_helper'
+
+describe Xmldsig::Transforms::XPath do
+  let(:expected_xpath_query) { "not(ancestor-or-self::samlp:Status)" }
+  let(:unsigned_xml) { File.read('spec/fixtures/unsigned/with_xpath_algorithm.xml') }
+  let(:unsigned_document) { Xmldsig::SignedDocument.new(unsigned_xml) }
+  let(:transform_node) { unsigned_document.signatures.first.references.first.transforms[1] }
+  subject(:xpath_transform) { described_class.new(unsigned_document.document, transform_node) }
+
+  it 'reads the xpath' do
+    expect(xpath_transform.xpath_query).to eq expected_xpath_query
+  end
+
+  it 'filters out the nodes matching the xpath expression' do
+    transformed_node = xpath_transform.transform
+    expect(transform_node.children).to all(satisfy { |n| n.xpath(expected_xpath_query, unsigned_document.document.namespaces) })
+  end
+end

data/spec/lib/xmldsig_spec.rb

@@ -81,4 +81,31 @@ describe Xmldsig do
       end
     end
   end
+
+  describe "Allows passing referenced documents" do
+    let(:referenced_documents) { { 'fooDocument' => 'ABC' } }
+
+    describe "an unsigned document" do
+      let(:unsigned_xml) { File.read("spec/fixtures/unsigned_with_cid_reference.xml") }
+      let(:unsigned_document) { Xmldsig::SignedDocument.new(unsigned_xml, referenced_documents: referenced_documents) }
+      let(:signed_document) { unsigned_document.sign(private_key) }
+
+      it "should be signable an validateable" do
+        expect(Xmldsig::SignedDocument.new(signed_document, referenced_documents: referenced_documents).validate(certificate)).to eq(true)
+      end
+
+      it 'should have at least 1 signature element' do
+        expect(Xmldsig::SignedDocument.new(signed_document).signatures.count).to be >= 1
+      end
+    end
+
+    context "a signed document" do
+      let(:signed_xml) { File.read("spec/fixtures/signed_with_cid_reference.xml") }
+      let(:signed_document) { Xmldsig::SignedDocument.new(signed_xml, referenced_documents: referenced_documents) }
+
+      it "should be validateable" do
+        expect(signed_document.validate(certificate)).to eq(true)
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: xmldsig
 version: !ruby/object:Gem::Version
-  version: 0.6.5
+  version: 0.6.6
 platform: ruby
 authors:
 - benoist
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-30 00:00:00.000000000 Z
+date: 2018-03-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -55,6 +55,7 @@ files:
 - lib/xmldsig/transforms/canonicalize.rb
 - lib/xmldsig/transforms/enveloped_signature.rb
 - lib/xmldsig/transforms/transform.rb
+- lib/xmldsig/transforms/xpath.rb
 - lib/xmldsig/version.rb
 - lib/xmldsig/xmldsig-core-schema-x509-serial-fix.xsd
 - lib/xmldsig/xmldsig-core-schema.xsd
@@ -70,6 +71,7 @@ files:
 - spec/fixtures/signed/shib.xml
 - spec/fixtures/signed_custom_attribute_id.xml
 - spec/fixtures/signed_signature_namespace.xml
+- spec/fixtures/signed_with_cid_reference.xml
 - spec/fixtures/signed_xml-exc-c14n#with_comments.xml
 - spec/fixtures/unsigned-invalid.xml
 - spec/fixtures/unsigned-malicious.xml
@@ -87,6 +89,7 @@ files:
 - spec/fixtures/unsigned/unsigned_nested_signature_at_bottom.xml
 - spec/fixtures/unsigned/unsigned_nested_signature_at_top.xml
 - spec/fixtures/unsigned/with_soap_envelope.xml
+- spec/fixtures/unsigned/with_xpath_algorithm.xml
 - spec/fixtures/unsigned/without_canonicalization.xml
 - spec/fixtures/unsigned/without_namespace_prefix.xml
 - spec/fixtures/unsigned/without_reference_uri.xml
@@ -95,11 +98,13 @@ files:
 - spec/fixtures/unsigned_nested_signature.xml
 - spec/fixtures/unsigned_nested_signed_signature.xml
 - spec/fixtures/unsigned_signature_namespace.xml
+- spec/fixtures/unsigned_with_cid_reference.xml
 - spec/lib/xmldsig/reference_spec.rb
 - spec/lib/xmldsig/signature_spec.rb
 - spec/lib/xmldsig/signed_document_spec.rb
 - spec/lib/xmldsig/transforms/enveloped_signature_spec.rb
 - spec/lib/xmldsig/transforms/transform_spec.rb
+- spec/lib/xmldsig/transforms/xpath_spec.rb
 - spec/lib/xmldsig_spec.rb
 - spec/spec_helper.rb
 - xmldsig.gemspec
@@ -139,6 +144,7 @@ test_files:
 - spec/fixtures/signed/shib.xml
 - spec/fixtures/signed_custom_attribute_id.xml
 - spec/fixtures/signed_signature_namespace.xml
+- spec/fixtures/signed_with_cid_reference.xml
 - spec/fixtures/signed_xml-exc-c14n#with_comments.xml
 - spec/fixtures/unsigned-invalid.xml
 - spec/fixtures/unsigned-malicious.xml
@@ -156,6 +162,7 @@ test_files:
 - spec/fixtures/unsigned/unsigned_nested_signature_at_bottom.xml
 - spec/fixtures/unsigned/unsigned_nested_signature_at_top.xml
 - spec/fixtures/unsigned/with_soap_envelope.xml
+- spec/fixtures/unsigned/with_xpath_algorithm.xml
 - spec/fixtures/unsigned/without_canonicalization.xml
 - spec/fixtures/unsigned/without_namespace_prefix.xml
 - spec/fixtures/unsigned/without_reference_uri.xml
@@ -164,10 +171,12 @@ test_files:
 - spec/fixtures/unsigned_nested_signature.xml
 - spec/fixtures/unsigned_nested_signed_signature.xml
 - spec/fixtures/unsigned_signature_namespace.xml
+- spec/fixtures/unsigned_with_cid_reference.xml
 - spec/lib/xmldsig/reference_spec.rb
 - spec/lib/xmldsig/signature_spec.rb
 - spec/lib/xmldsig/signed_document_spec.rb
 - spec/lib/xmldsig/transforms/enveloped_signature_spec.rb
 - spec/lib/xmldsig/transforms/transform_spec.rb
+- spec/lib/xmldsig/transforms/xpath_spec.rb
 - spec/lib/xmldsig_spec.rb
 - spec/spec_helper.rb