Class: WSDL::Security::Verifier::CertificateResolver

Inherits: Base < Object

Defined in: lib/wsdl/security/verifier/certificate_resolver.rb

Overview

Resolves and normalizes X.509 certificates for signature verification.

This class handles certificate extraction from SOAP messages and normalization of certificate formats. It supports:

  • Extracting certificates from BinarySecurityToken elements
  • Resolving certificates from KeyInfo/SecurityTokenReference (IssuerSerial and SubjectKeyIdentifier)
  • Using externally provided certificates
  • Normalizing PEM strings to OpenSSL::X509::Certificate objects

Examples:

Extracting certificate from document

resolver = CertificateResolver.new(document, security_node)
if resolver.resolve
  cert = resolver.certificate
else
  puts resolver.errors
end

Using a provided certificate

resolver = CertificateResolver.new(document, security_node, provided: pem_string)
resolver.resolve
cert = resolver.certificate

Constant Summary

MAX_ENCODED_TOKEN_SIZE =

Maximum size in bytes for Base64-encoded BinarySecurityToken content. X.509 certificates are typically 1-4 KB; 100 KB is extremely generous.

100_000
VALID_ID_PATTERN =

Pattern for valid XML element IDs (NCName production).

This is used before interpolating IDs into XPath expressions to prevent XPath injection.

/\A[a-zA-Z_][a-zA-Z0-9_.-]*\z/
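The two constants above are defensive bounds, and the overview lists the normalization the class performs. The following is an added example, not code from the wsdl gem, showing those checks as stand-alone Ruby functions: the NCName check applied before a reference ID is interpolated into an XPath, the size cap applied to Base64 BinarySecurityToken content before it is decoded, and normalization of a certificate object, PEM string or DER string into an OpenSSL::X509::Certificate. The function names, the wsu:Id XPath form and the self-signed test certificate are assumptions made for the example.

```ruby
require 'openssl'

# Added example, not the gem's code. Same values as the class constants.
MAX_ENCODED_TOKEN_SIZE = 100_000
VALID_ID_PATTERN = /\A[a-zA-Z_][a-zA-Z0-9_.-]*\z/

# Build an XPath for a SecurityTokenReference URI ("#id") only after the ID
# passes the NCName pattern. Quotes, brackets or predicates in an
# attacker-controlled URI therefore never reach the XPath engine; the
# function returns nil for any ID that is not a plain NCName.
def xpath_for_reference(uri)
  id = uri.to_s.sub(/\A#/, '')
  return nil unless id.match?(VALID_ID_PATTERN)

  "//*[@wsu:Id='#{id}']" # assumed attribute form for the example
end

# Decode a BinarySecurityToken body. The size is checked on the encoded
# text before any decoding so oversized input costs no allocation; the
# lenient "m" unpack ignores the line breaks XML pretty-printing inserts.
def certificate_from_token(encoded)
  if encoded.bytesize > MAX_ENCODED_TOKEN_SIZE
    raise ArgumentError, 'BinarySecurityToken exceeds MAX_ENCODED_TOKEN_SIZE'
  end

  der = encoded.unpack1('m')
  OpenSSL::X509::Certificate.new(der)
end

# Normalize whatever a caller passed as `provided:` (certificate object,
# PEM string or DER string) into an OpenSSL::X509::Certificate.
def normalize_certificate(provided)
  case provided
  when OpenSSL::X509::Certificate then provided
  when String then OpenSSL::X509::Certificate.new(provided) # PEM or DER
  else raise ArgumentError, "unsupported certificate type: #{provided.class}"
  end
end

# Mirrors the resolve flow: a provided certificate wins, otherwise the
# certificate comes from the token in the document; nil means "not found".
def resolve_certificate(provided: nil, token: nil)
  return normalize_certificate(provided) if provided
  return certificate_from_token(token) if token

  nil
end

# Constructed self-signed certificate so the example runs offline.
def build_test_certificate
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=example-signer')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  cert = build_test_certificate
  token = [cert.to_der].pack('m') # multi-line Base64, as it appears in XML
  puts xpath_for_reference('#X509Token-1')
  puts xpath_for_reference("#a'] | //*[@x='").inspect # nil: rejected ID
  puts resolve_certificate(token: token).subject
end
```

Rejecting the ID up front, rather than escaping it, is the simpler invariant to audit: any URI that is not a single NCName is treated as "no reference" and the resolver reports a failure instead of running a query built from untrusted text.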

Constants inherited from Base

Base::SOAPNS, Base::SOAP_NAMESPACES, Base::SecurityNS, Base::SignatureNS

Instance Attribute Summary

Attributes inherited from Base

#errors

Instance Method Summary

Constructor Details

#initialize(document, security_node, signature_node: nil, provided: nil, trust_store: nil) ⇒ CertificateResolver

Creates a new certificate resolver.

Parameters:

  • document (Nokogiri::XML::Document)

    the SOAP document

  • security_node (Nokogiri::XML::Element, nil)

    the wsse:Security element

  • signature_node (Nokogiri::XML::Element, nil) (defaults to: nil)

    the ds:Signature element

  • provided (OpenSSL::X509::Certificate, String, nil) (defaults to: nil)

    optional certificate to use instead of extracting from the document

  • trust_store (OpenSSL::X509::Store, Symbol, String, Array, nil) (defaults to: nil)

    trust material used to resolve external certificate references

# File 'lib/wsdl/security/verifier/certificate_resolver.rb', line 59

def initialize(document, security_node, signature_node: nil, provided: nil, trust_store: nil)
  super()
  @document = document
  @security_node = security_node
  @signature_node = signature_node
  @provided = provided
  @trust_store = trust_store
  @certificate = nil
end

Instance Attribute Details

#certificate ⇒ OpenSSL::X509::Certificate? (readonly)

Returns the resolved certificate.

Returns:

  • (OpenSSL::X509::Certificate, nil)

    the resolved certificate

# File 'lib/wsdl/security/verifier/certificate_resolver.rb', line 48

def certificate
  @certificate
end

Instance Method Details

#resolve ⇒ Boolean

Resolves the certificate for verification.

If a certificate was provided at initialization, it is normalized and used. Otherwise, the certificate is resolved from the signature's SecurityTokenReference.

Returns:

  • (Boolean)

    true if a certificate was successfully resolved

# File 'lib/wsdl/security/verifier/certificate_resolver.rb', line 76

def resolve
  @certificate = if @provided
    normalize_provided_certificate
  else
    extract_from_document
  end

  return true if @certificate

  add_failure('No certificate found for verification')
end

#valid? ⇒ Boolean

Alias for consistency with other validators.

Returns:

  • (Boolean)

    true if certificate was resolved

# File 'lib/wsdl/security/verifier/certificate_resolver.rb', line 91

def valid?
  resolve
end