I'm working on a SAML gateway using Ruby/Rails and I'm attempting to write some code that validates the XML digital signature of the incoming SAML response against the X.509 cert of the originating service.

My problem: the signature depends on a canonicalized version of the XML that is hashed and then signed, and I'm having trouble finding a Ruby lib/gem that will canonicalize XML per the spec. I found a super old gem on RubyForge that is a mess, but I'd be more interested if something like Nokogiri supported this kind of functionality (from the Nokogiri docs, it doesn't).

I've googled extensively but thought I'd ask around here to see if anyone has any good insights before I go and try to write my own version or rework the existing c14n-r library.

A: 

I have a Ruby/Rails Service Provider and a .NET (ComponentSoft) IdP.

This worked for me (I had no issues with the canonicalized version of the XML):

require 'rexml/document'
require 'openssl'
require 'base64'

# response_document is the parsed response (REXML::Document). REXML matches prefixes as
# written, so use "ds:Signature" etc. if the IdP prefixes the dsig elements.
received_certificate = REXML::XPath.first(response_document, "//samlp:Response//Signature//KeyInfo//X509Data//X509Certificate").text

# True only if the IdP cert on disk verifies with the public key of the cert sent in
# the response (i.e. the same self-signed cert). Does not check <SignatureValue>.
def self.verify_signature(received_certificate, idp_certificate_path)
  certificate = OpenSSL::X509::Certificate.new(File.read(idp_certificate_path))
  cert_decoded = Base64.decode64(received_certificate)
  cert = OpenSSL::X509::Certificate.new(cert_decoded)
  certificate.verify(cert.public_key)
end
Mada
I guess this was not your problem...
Mada
True-- I need to validate the signed <SignatureValue> content against the digested <SignedInfo> contents using the X509 cert. The above code will validate that the X509 cert matches what it says it does, but unless you verify the <SignatureValue> then you don't know if the message originated from that cert.
whazzmaster
I found a few links that might help:
http://github.com/onelogin/ruby-saml/blob/master/lib/xml_sec.rb
http://rubygems.org/gems/XMLCanonicalizer
http://rubygems.org/gems/saml2ruby
Mada
A: 

After looking around some more I've found that nokogiri has put c14n support on the todo list for the next release. Don't know more than that-- but it appears that no widely used XML library supports c14n as of June 2010. I'll close this out since nothing really popped up.

whazzmaster