Canonicalizing XML in Ruby

Posted 2024-09-05 09:49:45, 570 characters, 5 views, 0 comments

I'm working on a SAML gateway using Ruby/Rails and I'm attempting to write some code that validates the xml digital signature of the incoming SAML response against the x509 cert of the originating service.

My problem: the signature depends on a canonicalized version of the XML that is hashed and then signed and I'm having trouble finding a ruby lib/gem that will canonicalize XML per the spec. I found a super old gem on rubyforge that is a mess but I'd be more interested if something like nokogiri supported this kind of functionality (from the nokogiri docs, it doesn't).

I've googled extensively but thought I'd ask around here to see if anyone has any good insights before I go and try to write my own version or rework the existing c14n-r library.
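The canonical form that actually gets hashed is easier to reason about once the rules are seen applied. The block below is an added example, not code from this thread: a minimal inclusive Canonical XML 1.0 serializer built on Ruby's stdlib REXML, run over a constructed SAML-style response. MiniC14n, the sample document and its values are assumptions, and the serializer deliberately leaves out comments, PIs, CDATA and DTDs.

```ruby
require 'rexml/document'
require 'digest'
# Minimal inclusive Canonical XML 1.0 serializer on the stdlib REXML parser (comments, PIs, CDATA and DTDs
# assumed absent). Rules applied: no XML declaration, " as attribute delimiter, empty elements expanded,
# namespace declarations first (sorted by prefix, superfluous ones dropped), attributes sorted by
# (namespace URI, local name), whitespace inside tags removed, whitespace in text kept, values re-escaped.
module MiniC14n
  TEXT_ESC = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', "\r" => '&#xD;' }.freeze
  ATTR_ESC = { '&' => '&amp;', '<' => '&lt;', '"' => '&quot;', "\t" => '&#x9;', "\n" => '&#xA;', "\r" => '&#xD;' }.freeze
  def self.canonicalize(xml)
    serialize(REXML::Document.new(xml).root, { '' => '' }) # the empty default namespace is always in scope at the root
  end
  def self.serialize(elem, inherited)
    attrs = []
    elem.attributes.each_attribute { |a| attrs << a }
    ns_decls, real = attrs.partition { |a| a.expanded_name == 'xmlns' || a.expanded_name.start_with?('xmlns:') }
    scope = inherited.dup
    out = +"<#{elem.expanded_name}"
    ns_decls.map { |a| [a.expanded_name.sub(/\Axmlns:?/, ''), a.value] }.sort.each do |prefix, uri|
      next if scope[prefix] == uri # nearest ancestor already declares this prefix with the same value
      scope[prefix] = uri
      out << " xmlns#{prefix.empty? ? '' : ":#{prefix}"}=\"#{esc(uri, ATTR_ESC)}\""
    end
    real.sort_by { |a| attr_key(a, scope) }.each { |a| out << " #{a.expanded_name}=\"#{esc(a.value, ATTR_ESC)}\"" }
    out << '>'
    elem.children.each { |c| out << (c.is_a?(REXML::Element) ? serialize(c, scope) : esc(c.value, TEXT_ESC)) }
    out << "</#{elem.expanded_name}>"
  end
  def self.attr_key(a, scope) # unprefixed attributes carry no namespace, so they sort first
    pfx, local = a.expanded_name.include?(':') ? a.expanded_name.split(':', 2) : ['', a.expanded_name]
    [pfx.empty? ? '' : scope[pfx].to_s, local]
  end
  def self.esc(str, table)
    str.gsub(Regexp.union(table.keys), table)
  end
  # Base64 of SHA-256 over the canonical form: what a <ds:DigestValue> holds for a sha256 DigestMethod
  def self.digest_value(xml)
    [Digest::SHA256.digest(canonicalize(xml))].pack('m0')
  end
end

SAMPLE = <<~XML # constructed sample: sloppy serialization (quote style, spacing, attribute order, redundant xmlns)
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' Version="2.0"   ID="_r1" IssueInstant='2010-06-01T00:00:00Z'>
  <saml:Assertion xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
    <saml:NameID>user&amp;co &lt;x&gt;</saml:NameID>
    <saml:Conditions NotOnOrAfter="2010-06-01T00:05:00Z" NotBefore="2010-06-01T00:00:00Z"/>
  </saml:Assertion>
</samlp:Response>
XML
puts MiniC14n.canonicalize(SAMPLE)
```

Two differently serialized copies of the same document produce the same digest_value, which is exactly why the signature has to be checked over the canonical form; a gateway should still rely on a complete implementation (xmlsec or a library built on it) rather than a subset like this.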

Comments (6)

冰火雁神 2024-09-12 09:49:45

Give these two gems a shot:

http://rubygems.org/gems/coupa-libxml-ruby

http://rubygems.org/gems/xmlsec-ruby

I wrote them for a SAML project. The first patches libxml-ruby to add a binding for the canonicalize function in the base C library.

The latter is a ruby binding for xmlsec. Right now all that works is signature verification, which was all I needed for the project, but it sounds like it'd fit your needs too.

I'd recommend going with xmlsec because trying to write your own XML signature verification code is an exercise in futility. Just wait til you have to deal with multiple enveloped signatures, embedded certificates, gah. Let xmlsec handle that crap.

下雨或天晴 2024-09-12 09:49:45

After looking around some more I've found that nokogiri has put c14n support on the todo list for the next release. Don't know more than that, but it appears that no widely used XML library supports c14n as of June 2010. I'll close this out since nothing really popped up.

ぶ宁プ宁ぶ 2024-09-12 09:49:45

Had problems with xmlcanonicalizer.

xmlstarlet worked for me:

`echo "#{xml_str}" | xmlstarlet c14n`

浅黛梨妆こ 2024-09-12 09:49:45

I have a ruby/rails Service Provider and a .NET (ComponentSoft) IDP

this worked for me (I had no issues with the canonicalized version of the XML):

```ruby
require 'base64'
require 'openssl'
require 'rexml/document'
include REXML

# The base64 DER certificate the IdP embedded in the Response's KeyInfo
received_certificate = XPath.first(response_document,"//samlp:Response//Signature//KeyInfo//X509Data//X509Certificate").text

def self.verify_signature(received_certificate, idp_certificate_path)
  certificate = OpenSSL::X509::Certificate.new(File.read(idp_certificate_path)) # IdP cert on disk (PEM)
  cert_decoded = Base64.decode64(received_certificate)
  cert = OpenSSL::X509::Certificate.new(cert_decoded) # cert carried in the response (DER)
  # True when the stored IdP cert's own signature verifies under the embedded cert's public key
  # (i.e. a self-signed IdP cert); the XML signature over the Response itself is not checked here.
  certificate.verify(cert.public_key)
end
```

仙女 2024-09-12 09:49:45

The xmlcanonicalizer gem seems to be the most up-to-date ruby canonicaliser available:

https://github.com/andrewferk/xmlcanonicalizer

It does have a bug however, that makes it useless at canonicalising some XML trees. Some kind person has submitted a patch but it hasn't been applied yet:

https://github.com/andrewferk/xmlcanonicalizer/pull/1

This patched gem plus ruby-saml does the trick (plus more, if you're trying to implement SAML SSO):

https://github.com/onelogin/ruby-saml

Hope that helps someone save the 3 days I wasted trying to get things to work! :)

余罪 2024-09-12 09:49:45

Probably a little late and not really ideal, but this fork uses XMLStarlet via command line for canonicalization.
