Module: WSDL::Security::AlgorithmMapper

Defined in:
lib/wsdl/security/algorithm_mapper.rb

Overview

Maps XML Digital Signature algorithm URIs to internal symbols.

This module centralizes the logic for converting algorithm URIs found in XML signatures to the symbols used by Canonicalizer, Digester, and other internal classes.

Security: digest_algorithm and signature_digest raise UnsupportedAlgorithmError for unknown or missing algorithms, and c14n_algorithm raises it for unknown ones. An unrecognised URI is never silently replaced by a fallback algorithm, since that could mask an algorithm confusion attack; the one default in the module is in c14n_algorithm, where a missing URI is treated as Exclusive C14N 1.0. Two caveats for callers: the mapping tables are unanchored regular expressions, so a URI is accepted when it contains a known pattern (for example sha256) rather than only when it equals a registered URI, and the signature mapping returns the digest alone, dropping the RSA/ECDSA/DSA key family named in the URI. A verifier that needs an exact-URI allow-list or a key-type check must add it on top of this module.

Examples:

Map a digest algorithm

AlgorithmMapper.digest_algorithm('http://www.w3.org/2001/04/xmlenc#sha256')
# => :sha256

Handle unknown algorithm

AlgorithmMapper.digest_algorithm('http://attacker.com/fake')
# => raises UnsupportedAlgorithmError

Constant Summary

C14N_MAPPINGS =

Canonicalization algorithm URI patterns to symbols. Order matters: more specific patterns (with comments) must come first.

[
  # Exclusive C14N 1.0
  [/xml-exc-c14n#WithComments/i, :exclusive_1_0_with_comments],
  [/xml-exc-c14n/i, :exclusive_1_0],
  # Canonical XML 1.1
  [/xml-c14n11#WithComments/i, :inclusive_1_1_with_comments],
  [/xml-c14n11/i, :inclusive_1_1],
  # Canonical XML 1.0
  [/REC-xml-c14n-20010315#WithComments/i, :inclusive_1_0_with_comments],
  [/REC-xml-c14n-20010315/i, :inclusive_1_0]
].freeze
DIGEST_MAPPINGS =

Digest algorithm URI patterns to symbols. Order matters: longer matches (sha512) must come before shorter (sha1).

[
  [/sha512/i, :sha512],
  [/sha384/i, :sha384],
  [/sha256/i, :sha256],
  [/sha224/i, :sha224],
  [/sha1/i, :sha1]
].freeze
SIGNATURE_DIGEST_MAPPINGS =

Signature algorithm URI patterns to OpenSSL digest names. Supports RSA, ECDSA, and DSA algorithms. Order matters: the ECDSA entries must precede the DSA entries, because dsa-sha256 is a substring of ecdsa-sha256, and within a family longer digest names come before shorter ones. Only the digest name is returned; the key family is not part of the result.

[
  # RSA algorithms
  [/rsa-sha512/i, 'SHA512'],
  [/rsa-sha384/i, 'SHA384'],
  [/rsa-sha256/i, 'SHA256'],
  [/rsa-sha224/i, 'SHA224'],
  [/rsa-sha1/i, 'SHA1'],
  # ECDSA algorithms
  [/ecdsa-sha512/i, 'SHA512'],
  [/ecdsa-sha384/i, 'SHA384'],
  [/ecdsa-sha256/i, 'SHA256'],
  [/ecdsa-sha224/i, 'SHA224'],
  [/ecdsa-sha1/i, 'SHA1'],
  # DSA algorithms (legacy)
  [/dsa-sha256/i, 'SHA256'],
  [/dsa-sha1/i, 'SHA1']
].freeze


Class Method Details

.c14n_algorithm(uri) ⇒ Symbol

Maps a canonicalization algorithm URI to an internal symbol.

For canonicalization, a nil or empty URI defaults to Exclusive C14N 1.0, the canonicalization method the WS-I Basic Security Profile requires for WS-Security signatures. This is the only place in the module that substitutes a default; a caller that wants to reject a signature whose CanonicalizationMethod is absent must check for a missing URI before calling this method. A non-empty URI that matches none of the C14N_MAPPINGS patterns still raises.

Examples:

AlgorithmMapper.c14n_algorithm('http://www.w3.org/2001/10/xml-exc-c14n#')
# => :exclusive_1_0

Parameters:

  • uri (String, nil)

    the algorithm URI

Returns:

  • (Symbol)

    the canonicalization algorithm symbol

Raises:

  • (UnsupportedAlgorithmError)

    if the URI is non-empty but not a recognised canonicalization algorithm

# File 'lib/wsdl/security/algorithm_mapper.rb', line 86

def c14n_algorithm(uri)
  # Default to Exclusive C14N when not specified (safe default)
  return :exclusive_1_0 if uri.nil? || uri.empty?

  find_algorithm(uri, C14N_MAPPINGS) ||
    raise_unsupported(:canonicalization, uri)
end

.digest_algorithm(uri) ⇒ Symbol

Maps a digest algorithm URI to an internal symbol.

Examples:

AlgorithmMapper.digest_algorithm('http://www.w3.org/2001/04/xmlenc#sha256')
# => :sha256

Parameters:

  • uri (String, nil)

    the algorithm URI

Returns:

  • (Symbol)

    the digest algorithm symbol

Raises:

  • (UnsupportedAlgorithmError)

    if the URI is nil or empty, or is not a recognised digest algorithm

# File 'lib/wsdl/security/algorithm_mapper.rb', line 104

def digest_algorithm(uri)
  raise_missing(:digest) if uri.nil? || uri.empty?

  find_algorithm(uri, DIGEST_MAPPINGS) ||
    raise_unsupported(:digest, uri)
end

.signature_digest(uri) ⇒ String

Maps a signature algorithm URI to an OpenSSL digest name. Only the digest part of the URI is returned: rsa-sha256, ecdsa-sha256 and dsa-sha256 all map to 'SHA256'. The key family named in the URI is not preserved, so a verifier must separately check that the key it verifies with is of the type the URI names (for example, reject an RSA key presented together with an ecdsa-* URI).

Examples:

AlgorithmMapper.signature_digest('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256')
# => 'SHA256'

Parameters:

  • uri (String, nil)

    the algorithm URI

Returns:

  • (String)

    the OpenSSL digest name (e.g., 'SHA256')

Raises:

  • (UnsupportedAlgorithmError)

    if the URI is nil or empty, or is not a recognised signature algorithm

# File 'lib/wsdl/security/algorithm_mapper.rb', line 121

def signature_digest(uri)
  raise_missing(:signature) if uri.nil? || uri.empty?

  find_algorithm(uri, SIGNATURE_DIGEST_MAPPINGS) ||
    raise_unsupported(:signature, uri)
end
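The following is an added example and not code from the WSDL::Security gem. It shows the two checks a verifier has to add on top of signature_digest: an exact-URI allow-list, because the SIGNATURE_DIGEST_MAPPINGS regexes are unanchored substrings, and a key-family check, because the mapper returns only the digest and so cannot tell rsa-sha256 from ecdsa-sha256. The SIGNATURE_DIGEST_MAPPINGS table is copied from this page; find_algorithm is an assumption about the module's private helper (a first-match scan over the patterns); UnsupportedAlgorithmError is defined locally as a stand-in; STRICT_SIGNATURE_URIS, KEY_CLASS_FOR and verify_signature are illustrative names introduced here, and the allow-list is a constructed subset of the registered xmldsig / xmldsig-more URIs.

```ruby
# Added example (not part of WSDL::Security): a verifier that consumes
# AlgorithmMapper-style output safely. See the lead-in for what is assumed.
require 'openssl'

# Copied from the page's SIGNATURE_DIGEST_MAPPINGS (ECDSA before DSA matters:
# /dsa-sha256/ also matches "ecdsa-sha256").
SIGNATURE_DIGEST_MAPPINGS = [
  [/rsa-sha512/i, 'SHA512'], [/rsa-sha384/i, 'SHA384'],
  [/rsa-sha256/i, 'SHA256'], [/rsa-sha224/i, 'SHA224'], [/rsa-sha1/i, 'SHA1'],
  [/ecdsa-sha512/i, 'SHA512'], [/ecdsa-sha384/i, 'SHA384'],
  [/ecdsa-sha256/i, 'SHA256'], [/ecdsa-sha224/i, 'SHA224'], [/ecdsa-sha1/i, 'SHA1'],
  [/dsa-sha256/i, 'SHA256'], [/dsa-sha1/i, 'SHA1']
].freeze

# Stand-in for the gem's error class.
class UnsupportedAlgorithmError < StandardError; end

# ASSUMPTION about the module's private helper: first matching pattern wins.
# Patterns are unanchored, so any URI containing "rsa-sha256" is accepted.
def find_algorithm(uri, mappings)
  hit = mappings.find { |pattern, _| uri.match?(pattern) }
  hit && hit[1]
end

# Same shape as the page's signature_digest, with the raise helpers inlined.
def signature_digest(uri)
  raise UnsupportedAlgorithmError, 'missing signature algorithm' if uri.nil? || uri.empty?

  find_algorithm(uri, SIGNATURE_DIGEST_MAPPINGS) ||
    raise(UnsupportedAlgorithmError, "unsupported signature algorithm: #{uri}")
end

# Illustrative allow-list (constructed): exact registered URIs bound to the key
# family they name. Exact string match, not substring. DSA is left out as legacy.
STRICT_SIGNATURE_URIS = {
  'http://www.w3.org/2000/09/xmldsig#rsa-sha1'          => :rsa,
  'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'   => :rsa,
  'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'   => :rsa,
  'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'   => :rsa,
  'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256' => :ec,
  'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384' => :ec,
  'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512' => :ec
}.freeze

# Key family named in the URI -> the OpenSSL key class we are willing to use.
KEY_CLASS_FOR = { rsa: OpenSSL::PKey::RSA, ec: OpenSSL::PKey::EC }.freeze

# Verify `signature` over `data` for SignatureMethod `uri` using `key`.
# Returns OpenSSL's true/false; raises UnsupportedAlgorithmError when the URI is
# not allow-listed or the key is not of the family the URI names.
def verify_signature(uri, key, data, signature)
  family = STRICT_SIGNATURE_URIS.fetch(uri) do
    raise UnsupportedAlgorithmError, "signature algorithm not allow-listed: #{uri}"
  end
  digest = signature_digest(uri) # e.g. 'SHA256'; key family is gone at this point
  unless key.is_a?(KEY_CLASS_FOR.fetch(family))
    raise UnsupportedAlgorithmError,
          "key is #{key.class}, but #{uri} requires #{KEY_CLASS_FOR[family]}"
  end
  key.verify(OpenSSL::Digest.new(digest), signature, data)
end

if __FILE__ == $PROGRAM_NAME
  rsa  = OpenSSL::PKey::RSA.new(2048)
  data = '<soap:Body>constructed sample</soap:Body>' # constructed input
  sig  = rsa.sign(OpenSSL::Digest.new('SHA256'), data)
  puts verify_signature('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', rsa, data, sig)
  # The bare mapper accepts any URI that merely contains the substring ...
  puts signature_digest('http://attacker.example/#rsa-sha256')
  # ... the allow-listed verifier does not.
  begin
    verify_signature('http://attacker.example/#rsa-sha256', rsa, data, sig)
  rescue UnsupportedAlgorithmError => e
    puts "rejected: #{e.message}"
  end
end
```

The allow-list is consulted before the mapper so that the substring match never decides acceptance on its own, and the key-class check is done before calling OpenSSL so that a key of the wrong family is rejected as a protocol error rather than relying on the verification simply failing. In a real WS-Security verifier the key comes from the KeyInfo or a trust store, and the same family check should also cover which curves or RSA sizes are acceptable.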

.supported?(uri, type:) ⇒ Boolean

Checks if an algorithm URI is supported without raising.

Examples:

AlgorithmMapper.supported?('http://www.w3.org/2001/04/xmlenc#sha256', type: :digest)
# => true

AlgorithmMapper.supported?('http://unknown/alg', type: :digest)
# => false

Parameters:

  • uri (String)

    the algorithm URI

  • type (Symbol)

    the algorithm type (:digest, :signature, :canonicalization)

Returns:

  • (Boolean)

    true if the algorithm is supported



# File 'lib/wsdl/security/algorithm_mapper.rb', line 141

def supported?(uri, type:)
  return false if uri.nil? || uri.empty?

  mappings = case type
  when :digest then DIGEST_MAPPINGS
  when :signature then SIGNATURE_DIGEST_MAPPINGS
  when :canonicalization then C14N_MAPPINGS
  else return false
  end

  !find_algorithm(uri, mappings).nil?
end