Module: XMLSecurity

Defined in:
lib/xml_security.rb,
lib/xml_security/c/libc.rb,
lib/xml_security/c/lib_xml.rb,
lib/xml_security/c/xml_sec.rb

Defined Under Namespace

Modules: C

Constant Summary

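# XML namespace URIs for XML Encryption ("xenc") and XML Signature ("ds").
# Frozen so a caller cannot mutate the shared prefix table at runtime.
NAMESPACES = {
  "xenc" => "http://www.w3.org/2001/04/xmlenc#",
  "ds" => "http://www.w3.org/2000/09/xmldsig#"
}.freeze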

Class Method Summary

Class Method Details

._dump_doc(doc) ⇒ Object



# File 'lib/xml_security.rb', line 224

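def self._dump_doc(doc)
  # Serialise `doc` via xmlDocDumpFormatMemory(doc, xmlChar **mem, int *size, int format)
  # and return the XML text as a Ruby String, or nil when libxml hands back no buffer.
  #
  # The buffer libxml allocates is released with xmlFree in `ensure`; `doc` itself is
  # still owned by the caller. The returned string carries whatever encoding
  # FFI's read_string gives (no encoding is forced), as before.
  bufptr = FFI::MemoryPointer.new(:pointer, 1)
  # The C signature takes int*; the original allocated a pointer-sized slot here.
  sizeptr = FFI::MemoryPointer.new(:int, 1)
  C::LibXML.xmlDocDumpFormatMemory(doc, bufptr, sizeptr, 1)
  strptr = bufptr.read_pointer
  return nil if strptr.null?

  # Read exactly the length libxml reported instead of scanning for a NUL.
  strptr.read_string(sizeptr.read_int)
ensure
  bufptr.free if defined?(bufptr) && bufptr
  sizeptr.free if defined?(sizeptr) && sizeptr
  C::LibXML.xmlFree(strptr) if defined?(strptr) && strptr && !strptr.null?
end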

._fingerprint_matches?(expected_fingerprint, cert) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/xml_security.rb', line 218

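def self._fingerprint_matches?(expected_fingerprint, cert)
  # Compare the DER-encoded `cert` against a hex fingerprint.
  #
  # The digest algorithm is chosen from the fingerprint's hex length, so SHA-256
  # (64 hex chars) and SHA-512 (128 hex chars) fingerprints are accepted alongside
  # the SHA-1 form (40 hex chars) the original only supported. Colons, whitespace
  # and letter case in `expected_fingerprint` are ignored.
  #
  # Returns true when the digest of `cert` equals the normalised fingerprint.
  # (The certificate is public, so a constant-time compare buys nothing here.)
  normalized = expected_fingerprint.gsub(/[\s:]/, "").downcase
  digest_class = case normalized.length
                 when 64 then Digest::SHA256
                 when 128 then Digest::SHA512
                 else Digest::SHA1
                 end
  digest_class.hexdigest(cert) == normalized
end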

._init_keys_manager ⇒ Object



# File 'lib/xml_security.rb', line 207

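def self._init_keys_manager
  # Create an xmlsec keys manager and initialise it with the default OpenSSL store.
  #
  # The returned manager is owned by the caller, who must release it with
  # xmlSecKeysMngrDestroy. Raises RuntimeError if creation or initialisation
  # fails; on an initialisation failure the manager is destroyed here so it does
  # not leak (the original raised without freeing it).
  keys_manager = C::XMLSec.xmlSecKeysMngrCreate
  raise "failed to create keys manager" if keys_manager.null?

  if C::XMLSec.xmlSecOpenSSLAppDefaultKeysMngrInit(keys_manager) < 0
    C::XMLSec.xmlSecKeysMngrDestroy(keys_manager)
    raise "failed to init and load default openssl keys into keys manager"
  end

  keys_manager
end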

.decrypt(encrypted_xml, private_key) ⇒ Object



# File 'lib/xml_security.rb', line 172

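def self.decrypt(encrypted_xml, private_key)
  # Decrypt the first xenc:EncryptedData element in `encrypted_xml` with the PEM
  # private key found at the path `private_key`, and return the resulting XML
  # document as a String.
  #
  # Raises RuntimeError when the key cannot be loaded, the document does not
  # parse, no EncryptedData node exists, or xmlsec reports a decryption failure.
  # The parsed document and the keys manager (which owns the adopted key) are
  # released in `ensure` on every path; the original freed neither.
  # NOTE(review): the encryption context is still not destroyed because no
  # xmlSecEncCtxDestroy binding is visible in C::XMLSec — add one and free it
  # before the keys manager it references.
  init

  keys_manager = _init_keys_manager

  key = C::XMLSec.xmlSecOpenSSLAppKeyLoad(private_key, :xmlSecKeyDataFormatPem, nil, nil, nil)
  raise "failed to load private pem key from #{private_key}" if key.null?

  # On success the keys manager owns `key` and frees it with the manager.
  # NOTE(review): on failure xmlsec appears to leave ownership with the caller,
  # so `key` leaks on that path — confirm against the bound xmlsec version
  # before adding an xmlSecKeyDestroy here.
  key_add_result = C::XMLSec.xmlSecOpenSSLAppDefaultKeysMngrAdoptKey(keys_manager, key)
  raise "failed to add key to keys manager" if key_add_result < 0

  # bytesize, not size: libxml wants the buffer length in bytes, and String#size
  # counts characters, which truncates any non-ASCII document.
  doc = C::LibXML.xmlParseMemory(encrypted_xml, encrypted_xml.bytesize)
  raise "could not parse XML document" if doc.null?

  doc_root = C::LibXML.xmlDocGetRootElement(doc)
  raise "could not get root element" if doc_root.null?

  start_node = C::XMLSec.xmlSecFindNode(doc_root, C::XMLSec.xmlSecNodeEncryptedData, C::XMLSec.xmlSecEncNs)
  raise "start node not found" if start_node.null?

  encryption_context = C::XMLSec.xmlSecEncCtxCreate(keys_manager)
  raise "failed to create encryption context" if encryption_context.null?

  encryption_result = C::XMLSec.xmlSecEncCtxDecrypt(encryption_context, start_node)
  raise "decryption failed" if encryption_result < 0

  # Dump while `doc` is still alive; it is freed in `ensure` afterwards.
  _dump_doc(doc)
ensure
  C::LibXML.xmlFreeDoc(doc) if defined?(doc) && doc && !doc.null?
  C::XMLSec.xmlSecKeysMngrDestroy(keys_manager) if defined?(keys_manager) && keys_manager && !keys_manager.null?
end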

.init ⇒ Object



# File 'lib/xml_security.rb', line 42

def self.init
  # Bring up libxml2 and then xmlsec once per process. Later calls are no-ops
  # until `shutdown` clears the flag. The guard is a plain instance variable, so
  # nothing here is synchronised across threads.
  return if initialized?

  C::LibXML.init
  C::XMLSec.init
  @initialized = true
end

.initialized? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/xml_security.rb', line 58

def self.initialized?
  # true once `init` has run and `shutdown` has not since reset the flag;
  # always a strict boolean, never nil.
  @initialized ? true : false
end

.mute(&block) ⇒ Object



# File 'lib/xml_security.rb', line 201

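def self.mute(&block)
  # Run `block` with xmlsec's default error-callback output switched off.
  #
  # Output is switched back on in `ensure`, so an exception raised inside the
  # block can no longer leave xmlsec permanently silent (the original only
  # re-enabled output on the happy path). Returns the block's value.
  C::XMLSec.xmlSecErrorsDefaultCallbackEnableOutput(false)
  block.call
ensure
  C::XMLSec.xmlSecErrorsDefaultCallbackEnableOutput(true)
end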

.shutdown ⇒ Object



# File 'lib/xml_security.rb', line 50

def self.shutdown
  # Tear down xmlsec and then libxml2 (reverse of `init`) and clear the flag so a
  # later `init` starts over. A no-op when nothing was initialised.
  return unless initialized?

  C::XMLSec.shutdown
  C::LibXML.shutdown
  @initialized = false
end

.sign(xml_document, private_key) ⇒ Object



# File 'lib/xml_security.rb', line 62

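def self.sign(xml_document, private_key)
  # Append an enveloped XML-DSig (exclusive C14N, RSA-SHA1 signature, SHA-1
  # reference digest over the whole document) to the root element of
  # `xml_document`, signing with the PEM private key at path `private_key`, and
  # return the signed document as a String.
  #
  # The <ds:KeyName> written into the output is File.basename(private_key), i.e.
  # the key file's name ends up in the signed document — keep that name bland.
  # NOTE(review): RSA-SHA1/SHA-1 are kept for compatibility with existing
  # verifiers; both are deprecated and a SHA-256 variant should be offered.
  #
  # Raises RuntimeError when parsing, template construction, key loading or the
  # signing call fails. The document and signature context are released in
  # `ensure` on every path.
  init

  # bytesize, not size: libxml wants the buffer length in bytes, and String#size
  # counts characters, which truncates any non-ASCII document.
  doc = C::LibXML.xmlParseMemory(xml_document, xml_document.bytesize)
  raise "could not parse XML document" if doc.null?

  canonicalization_method_id = C::XMLSec.xmlSecTransformExclC14NGetKlass
  sign_method_id = C::XMLSec.xmlSecOpenSSLTransformRsaSha1GetKlass

  sign_node = C::XMLSec.xmlSecTmplSignatureCreate(doc, canonicalization_method_id, sign_method_id, nil)
  raise "failed to create signature template" if sign_node.null?
  C::LibXML.xmlAddChild(C::LibXML.xmlDocGetRootElement(doc), sign_node)

  # nil URI => the reference covers the whole document; the enveloped transform
  # keeps the Signature element itself out of the digest.
  ref_node = C::XMLSec.xmlSecTmplSignatureAddReference(sign_node, C::XMLSec.xmlSecOpenSSLTransformSha1GetKlass, nil, nil, nil)
  raise "failed to add a reference" if ref_node.null?

  envelope_result = C::XMLSec.xmlSecTmplReferenceAddTransform(ref_node, C::XMLSec.xmlSecTransformEnvelopedGetKlass)
  raise "failed to add envelope transform to reference" if envelope_result.null?

  key_info_node = C::XMLSec.xmlSecTmplSignatureEnsureKeyInfo(sign_node, nil)
  raise "failed to add key info" if key_info_node.null?

  digital_signature_context = C::XMLSec.xmlSecDSigCtxCreate(nil)
  raise "failed to create signature context" if digital_signature_context.null?

  # NOTE(review): signKey is not destroyed separately — the assumption (as in the
  # original) is that xmlSecDSigCtxDestroy frees it; confirm for the bound version.
  digital_signature_context[:signKey] = C::XMLSec.xmlSecOpenSSLAppKeyLoad(private_key, :xmlSecKeyDataFormatPem, nil, nil, nil)
  raise "failed to load private pem key from #{private_key}" if digital_signature_context[:signKey].null?

  if C::XMLSec.xmlSecKeySetName(digital_signature_context[:signKey], File.basename(private_key)) < 0
    raise "failed to set key name for key of #{private_key}"
  end

  if C::XMLSec.xmlSecTmplKeyInfoAddKeyName(key_info_node, nil).null?
    raise "failed to add key info"
  end

  if C::XMLSec.xmlSecDSigCtxSign(digital_signature_context, sign_node) < 0
    raise "signature failed!"
  end

  # Dump while `doc` is still alive; it is freed in `ensure` afterwards.
  _dump_doc(doc)
ensure
  # Context first, then the document it signed. The nil guards matter: if `init`
  # raised, `doc` was never assigned and the original's bare `doc.null?` would
  # itself raise NoMethodError from inside `ensure`.
  C::XMLSec.xmlSecDSigCtxDestroy(digital_signature_context) if defined?(digital_signature_context) && digital_signature_context && !digital_signature_context.null?
  C::LibXML.xmlFreeDoc(doc) if defined?(doc) && doc && !doc.null?
end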

.verify_signature(signed_xml_document, options = {}) ⇒ Object



# File 'lib/xml_security.rb', line 109

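def self.verify_signature(signed_xml_document, options={})
  # Verify the first ds:Signature under the document root and return true when
  # xmlsec reports xmlSecDSigStatusSucceeded, false otherwise.
  #
  # options:
  #   :cert_fingerprint - hex fingerprint the embedded X509Certificate must match
  #                       (see _fingerprint_matches?); a mismatch returns false.
  #   :as_of            - Time.parse-able string used as the certificate
  #                       verification time instead of "now".
  #
  # SECURITY: the signing certificate is read from the document's own
  # <ds:X509Certificate> and loaded into the keys manager as TRUSTED. Without
  # :cert_fingerprint, any document carrying a self-signed certificate that
  # matches its own signature verifies successfully, so callers validating
  # untrusted input must pass :cert_fingerprint (or pin the certificate by other
  # means). A true result only says that the element(s) referenced by that
  # Signature were signed with that certificate; the caller must still check that
  # the element it acts on is the signed one (XML signature wrapping) — this
  # method does not. It also only looks at the first Signature node found.
  # NOTE(review): the document is parsed with libxml2 defaults; confirm entity
  # expansion / DTD loading is disabled for untrusted input.
  #
  # Raises RuntimeError when the document does not parse, no Signature or
  # X509Certificate node is present, the certificate cannot be loaded, or xmlsec
  # fails during verification.
  init

  # bytesize, not size: libxml wants the buffer length in bytes, and String#size
  # counts characters, which truncates any non-ASCII document.
  doc = C::LibXML.xmlParseMemory(signed_xml_document, signed_xml_document.bytesize)
  raise "could not parse XML document" if doc.null?

  doc_root = C::LibXML.xmlDocGetRootElement(doc)
  raise "could not get doc root" if doc_root.null?

  # Register the "ID" attribute as an xml:id so Reference URI="#..." resolves.
  # `id_name` is kept in a local so the GC cannot reclaim the C string while
  # xmlSecAddIDs still reads it through `idary` (the original dropped it
  # immediately after writing its address).
  id_name = FFI::MemoryPointer.from_string("ID")
  idary = FFI::MemoryPointer.new(:pointer, 2)
  idary[0].put_pointer(0, id_name)
  idary[1].put_pointer(0, nil)
  C::XMLSec.xmlSecAddIDs(doc, doc_root, idary)

  keys_manager = _init_keys_manager

  digital_signature_context = C::XMLSec.xmlSecDSigCtxCreate(keys_manager)
  raise "failed to create signature context" if digital_signature_context.null?

  signature_node = C::XMLSec.xmlSecFindNode(doc_root, C::XMLSec.xmlSecNodeSignature, C::XMLSec.xmlSecDSigNs)
  raise "signature node not found" if signature_node.null?

  certificate_node = C::XMLSec.xmlSecFindNode(signature_node, C::XMLSec.xmlSecNodeX509Certificate, C::XMLSec.xmlSecDSigNs)
  raise "certificate node not found" if certificate_node.null?

  cert64ptr = C::LibXML.xmlNodeGetContent(certificate_node)
  raise "error while reading certificate node" if cert64ptr.null?
  begin
    cert64 = cert64ptr.read_string
  ensure
    C::LibXML.xmlFree(cert64ptr)
  end

  cert = Base64.decode64(cert64)

  if options.has_key? :cert_fingerprint
    return false unless _fingerprint_matches?(options[:cert_fingerprint], cert)
  end

  if options.has_key? :as_of
    digital_signature_context[:keyInfoReadCtx][:certsVerificationTime] = Time.parse(options[:as_of]).to_i
  end

  key_add_result = C::XMLSec.xmlSecOpenSSLAppKeysMngrCertLoadMemory(keys_manager, cert, cert.bytesize, :xmlSecKeyDataFormatCertDer, C::XMLSec.xmlSecKeyDataTypeTrusted)
  raise "failed to add key to keys manager" if key_add_result < 0

  if C::XMLSec.xmlSecDSigCtxVerify(digital_signature_context, signature_node) < 0
    raise "error during signature verification"
  end

  digital_signature_context[:status] == :xmlSecDSigStatusSucceeded
ensure
  # Release in dependency order: the context, the document it walked, then the
  # keys manager the context was created with. The unused xmlSecKeyCreate /
  # xmlSecKeyInfoCtxCreate pairs of the original are gone, so there is nothing
  # else to free.
  C::XMLSec.xmlSecDSigCtxDestroy(digital_signature_context) if defined?(digital_signature_context) && digital_signature_context && !digital_signature_context.null?
  C::LibXML.xmlFreeDoc(doc) if defined?(doc) && doc && !doc.null?
  C::XMLSec.xmlSecKeysMngrDestroy(keys_manager) if defined?(keys_manager) && keys_manager && !keys_manager.null?
end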