Merge 6e9b346 into 1e0caf9

openlogic · Oct 10, 2016 · a39de55 · a39de55
2 parents 1e0caf9 + 6e9b346
commit a39de55
Show file tree

Hide file tree

Showing 3 changed files with 126 additions and 7 deletions.
diff --git a/lib/signed_xml/digest_method_resolution.rb b/lib/signed_xml/digest_method_resolution.rb
@@ -4,12 +4,60 @@ module SignedXml
   module DigestMethodResolution
     include OpenSSL
 
+    # The XML Signature Syntax and Processing (Second Edition) specification defines IDs for algorithms which must be
+    # supported by implementations. It also defines IDs for some algorithms which it recommends be supported. See
+    # https://www.w3.org/TR/xmldsig-core/#sec-AlgID.
+    #
+    # The XML Encryption Syntax and Processing Version 1.1 specification defines IDs for its own set of required and
+    # recommended algorithms, and some of these have been seen in signed XML docs in the wild. See
+    # https://www.w3.org/TR/xmlenc-core1/#sec-AlgID
+    #
+    # RFC 6931 defines IDs for yet more algorithms which have also been encountered in the wild. See
+    # https://tools.ietf.org/html/rfc6931.
+    #
+    # Note that some of these are encryption algorithms, of which the digest or hashing algorithm is only one component.
+    # Nevertheless, it is the only component this method aims to identify.
+
+    SHA1_IDS = %w(
+      http://www.w3.org/2000/09/xmldsig#sha1
+      http://www.w3.org/2000/09/xmldsig#dsa-sha1
+      http://www.w3.org/2000/09/xmldsig#rsa-sha1
+    )
+
+    SHA224_IDS = %w(
+      http://www.w3.org/2001/04/xmldsig-more#sha224
+    )
+
+    SHA256_IDS = %w(
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+      http://www.w3.org/2001/04/xmlenc#sha256
+    )
+
+    SHA384_IDS = %w(
+      http://www.w3.org/2001/04/xmldsig-more#sha384
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
+      http://www.w3.org/2001/04/xmlenc#sha384
+    )
+
+    SHA512_IDS = %w(
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
+      http://www.w3.org/2001/04/xmlenc#sha512
+    )
+
     def new_digester_for_id(id)
       case id
-      when "http://www.w3.org/2000/09/xmldsig#sha1","http://www.w3.org/2000/09/xmldsig#rsa-sha1"
-        Digest::SHA1.new
-      else
-        raise ArgumentError, "unknown digest method #{id}"
+        when *SHA1_IDS
+          Digest::SHA1.new
+        when *SHA224_IDS
+          Digest::SHA224.new
+        when *SHA256_IDS
+          Digest::SHA256.new
+        when *SHA384_IDS
+          Digest::SHA384.new
+        when *SHA512_IDS
+          Digest::SHA512.new
+        else
+          raise ArgumentError, "unknown digest method #{id}"
       end
     end
   end

diff --git a/lib/signed_xml/digest_transform.rb b/lib/signed_xml/digest_transform.rb
@@ -4,14 +4,14 @@ module SignedXml
   class DigestTransform
     include DigestMethodResolution
 
-    attr_reader :digest
+    attr_reader :digester
 
     def initialize(method_id)
-      @digest = new_digester_for_id(method_id)
+      @digester = new_digester_for_id(method_id)
     end
 
     def apply(input)
-      digest.digest(input)
+      digester.digest(input)
     end
   end
 end
diff --git a/spec/digest_method_resolution_spec.rb b/spec/digest_method_resolution_spec.rb
@@ -0,0 +1,71 @@
+require 'spec_helper'
+
+describe SignedXml::DigestMethodResolution do
+  include SignedXml::DigestMethodResolution
+
+  let(:sha1_ids) do
+    %w(
+      http://www.w3.org/2000/09/xmldsig#sha1
+      http://www.w3.org/2000/09/xmldsig#dsa-sha1
+      http://www.w3.org/2000/09/xmldsig#rsa-sha1
+    )
+  end
+
+  let(:sha224_ids) do
+    %w(
+      http://www.w3.org/2001/04/xmldsig-more#sha224
+    )
+  end
+
+  let(:sha256_ids) do
+    %w(
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+      http://www.w3.org/2001/04/xmlenc#sha256
+    )
+  end
+
+  let(:sha384_ids) do
+    %w(
+      http://www.w3.org/2001/04/xmldsig-more#sha384
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
+      http://www.w3.org/2001/04/xmlenc#sha384
+    )
+  end
+
+  let(:sha512_ids) do
+    %w(
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
+      http://www.w3.org/2001/04/xmlenc#sha512
+    )
+  end
+
+  it 'works for known SHA-1 IDs' do
+    sha1_ids.each do |id|
+      expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA1
+    end
+  end
+
+  it 'works for known SHA-224 IDs' do
+    sha224_ids.each do |id|
+      expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA224
+    end
+  end
+
+  it 'works for known SHA-256 IDs' do
+    sha256_ids.each do |id|
+      expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA256
+    end
+  end
+
+  it 'works for known SHA-384 IDs' do
+    sha384_ids.each do |id|
+      expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA384
+    end
+  end
+
+  it 'works for known SHA-512 IDs' do
+    sha512_ids.each do |id|
+      expect(new_digester_for_id(id).class).to eq OpenSSL::Digest::SHA512
+    end
+  end
+end