How to do xml signing in ruby

I need to sign XML using Ruby. Does anyone know a method or lib for that?

My xml skeleton is:

<?xml version="1.0" encoding="ISO-8859-1"?>
<Message>
    <MessageId> 
        <ServiceId>service</ServiceId> 
        <Version>1.0</Version> 
        <MsgDesc>Service Description</MsgDesc> 
        <Code>4</Code> 
        <FromAddress>from</FromAddress> 
        <ToAddress>to</ToAddress> 
        <Date>2012-10-29</Date> 
    </MessageId> 
    <MessageBody/> 

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>??????</DigestValue>
    </Reference>
  </SignedInfo>

  <SignatureValue>????????????</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>????????</X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>
</Message>

I tried this code for DigestValue and tested it by comparing it with my Java example, but the DigestValue does not match the response of my Java example:

require 'base64'
require 'openssl'

to_sign_xml = File.read 'service.xml'
digest = OpenSSL::Digest::SHA1.digest(to_sign_xml)

digest = Base64.encode64(digest.to_s).gsub(/\n/, '')
raise digest.inspect

My file service.xml contains this:

<Message>
    <MessageId> 
        <ServiceId>service</ServiceId> 
        <Version>1.0</Version> 
        <MsgDesc>Service Description</MsgDesc> 
        <Code>4</Code> 
        <FromAddress>from</FromAddress> 
        <ToAddress>to</ToAddress> 
        <Date>2012-10-29</Date> 
    </MessageId> 
    <MessageBody/>
</Message>
asked Oct 29 '12 17:10 by giordanofalves


3 Answers

If you're still interested I made this gem a week ago. It's still in development but the basic stuff is implemented. This gem is tested against signatures created with the xmlsec library. http://www.aleksey.com/xmlsec/

I'm actively working with this gem at the moment, so bugs should be fixed relatively quickly.

https://rubygems.org/gems/xmldsig

answered Nov 01 '22 10:11 by benoist


Unfortunately, XML signature creation and verification is very complicated. Details may be found in the spec. I started implementing it to propose as an addition to stdlib some time ago, but then stopped because another project became more important and Nokogiri started to offer the Canonicalization features that I needed and had unfortunately already implemented using libxml directly. You might want to have a look there to see what's needed, and then port the ideas to plain Nokogiri code.

Using those, it should be possible to completely implement XML-DSIG in Ruby. But be prepared, it's not an easy thing to do, lots and lots of small details that have great potential to drive you nuts...

You might be better off by switching to JRuby, and by integrating the default implementation of XML-DSIG that ships with the Java standard libraries.

answered Nov 01 '22 12:11 by emboss


Here is a usable gem for signing/digesting; however, I still have some problems with canonicalization, and that's probably why I don't get the proper digests: https://github.com/ebeigarts/signer

answered Nov 01 '22 11:11 by seriakillaz
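The digest mismatch in the question and the canonicalization problem in the last answer come down to which octets are hashed. This added example (not code from any poster or from the gems mentioned) shows that for a `Reference URI=""` with the enveloped-signature transform. The helper names and the sample document are constructed for illustration, and `c14n_subset` is an assumption that covers only elements and text, so anything with attributes or namespaces, such as `SignedInfo`, needs a library's exclusive C14N instead.

```ruby
require 'openssl'
require 'rexml/document'

DSIG_NS = 'http://www.w3.org/2000/09/xmldsig#'

# Constructed sample: a cut-down version of the question's message with an
# unfilled enveloped Signature element.
SIGNED = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <Message>
    <Code>4</Code>
    <MessageBody/>
  <Signature xmlns="#{DSIG_NS}"><SignedInfo/></Signature>
  </Message>
XML

# Canonical serialization for the restricted case used here: elements and
# text only. Attributes and namespaces need a real C14N implementation.
def c14n_subset(node)
  case node
  when REXML::Element
    raise ArgumentError, 'attributes/namespaces not supported' unless node.attributes.empty?
    "<#{node.name}>#{node.children.map { |c| c14n_subset(c) }.join}</#{node.name}>"
  when REXML::Text
    node.value.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub("\r", '&#xD;')
  else
    raise ArgumentError, "unsupported node: #{node.class}"
  end
end

# Octets covered by the Reference URI="" digest: the document element with
# the enveloped Signature removed (surrounding whitespace stays), canonicalized.
def reference_octets(xml)
  root = REXML::Document.new(xml).root
  root.elements.to_a.select { |e| e.name == 'Signature' && e.namespace == DSIG_NS }.each(&:remove)
  c14n_subset(root)
end

# Base64 of the SHA-1 digest, without line breaks, as DigestValue expects.
def digest_value(octets)
  [OpenSSL::Digest::SHA1.digest(octets)].pack('m0')
end

if $PROGRAM_NAME == __FILE__
  puts 'raw file digest:  ' + digest_value(SIGNED)
  puts 'reference digest: ' + digest_value(reference_octets(SIGNED))
end
```

The two printed digests differ because the canonical form drops the XML declaration, removes the Signature element and expands `<MessageBody/>` to a start/end tag pair; a verifier hashes the canonical form, never the raw file.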