Class: WSDL::Security::Verifier::ReferenceValidator

Inherits:

Base

• Object
• Base
• WSDL::Security::Verifier::ReferenceValidator

Defined in:

lib/wsdl/security/verifier/reference_validator.rb

Overview

Validates ds:Reference elements by verifying digests of signed content.

This validator performs per-reference validation including:

• Finding referenced elements by ID
• Validating element positions (XSW protection)
• Computing and comparing digests using timing-safe comparison

Examples:

Validating references

validator = ReferenceValidator.new(document, signed_info_node)
if validator.valid?
  puts "All #{validator.reference_count} references verified"
else
  puts validator.errors
end

See Also:

• https://www.w3.org/TR/xmldsig-core1/#sec-Reference

Constant Summary

C14N =

Local alias for canonicalization algorithm constants

Constants::Algorithms::Canonicalization

VALID_ID_PATTERN =

Pattern for valid XML element IDs (NCName production). This prevents XPath injection by rejecting IDs containing quotes, brackets, operators, or other characters that could alter XPath semantics.

See Also:

• https://www.w3.org/TR/xml-id/

/\A[a-zA-Z_][a-zA-Z0-9_.-]*\z/

Constants inherited from Base

Base::SOAPNS, Base::SOAP_NAMESPACES, Base::SecurityNS, Base::SignatureNS

Instance Attribute Summary

Attributes inherited from Base

#errors

Instance Method Summary

• #initialize(document, signed_info_node) ⇒ ReferenceValidator constructor

  Creates a new reference validator.

• #reference_count ⇒ Integer

  Returns the number of references being validated.

• #referenced_ids ⇒ Array<String>

  Returns the IDs of all referenced elements.

• #valid? ⇒ Boolean

  Validates all references in the SignedInfo element.

Constructor Details

#initialize(document, signed_info_node) ⇒ ReferenceValidator

Creates a new reference validator.

Parameters:

• document (Nokogiri::XML::Document) —

  the SOAP document

• signed_info_node (Nokogiri::XML::Element) —

  the ds:SignedInfo element

# File 'lib/wsdl/security/verifier/reference_validator.rb', line 44

def initialize(document, signed_info_node)
  super()
  @document = document
  @signed_info_node = signed_info_node
end

Instance Method Details

#reference_count ⇒ Integer

Returns the number of references being validated.

Returns:

• (Integer) —

  the reference count

# File 'lib/wsdl/security/verifier/reference_validator.rb', line 67

def reference_count
  references.size
end

#referenced_ids ⇒ Array<String>

Returns the IDs of all referenced elements.

Returns:

• (Array<String>) —

  element IDs (without # prefix)

# File 'lib/wsdl/security/verifier/reference_validator.rb', line 74

def referenced_ids
  references.filter_map { |ref| extract_reference_id(ref) }
end

#valid? ⇒ Boolean

Validates all references in the SignedInfo element.

In addition to digest integrity, this enforces WS-Security's "only what is signed is protected" guidance by requiring that the SOAP Body is explicitly referenced.

Returns:

• (Boolean) —

  true if all references are valid and SOAP Body is signed

# File 'lib/wsdl/security/verifier/reference_validator.rb', line 57

def valid?
  return add_failure('SignedInfo must contain at least one ds:Reference') if references.empty?
  return false unless references.all? { |ref| validate_single_reference(ref) }

  ensure_body_is_signed
end