def grab_suffix(record): suffix = '' if record[0] is None: # col ref suffix += get_column_letter(record[1]) if record[1] is None: # row ref suffix += str(record[0]) return suffix
def encode_interval(val): """ Encode a Interval into a XML-suitable string. Args: val (datetime.timedelta): the input. Returns: str: the result. """ return str(int(val.total_seconds()))
def encode_longinteger(val): """ Encode a LongInteger into a XML-suitable string. Args: val (ttv.LongInteger): the input. Returns: str: the result. """ return str(val)
def __str__(self): s = 'TTV(tag={}, typ={}, value='.format(self.tag, self.typ) if self.typ == enums.ItemType.Structure: s += '[' + ', '.join(str(elem) for elem in self.value) + ']' else: if self.typ == enums.ItemType.ByteString: s += json.encode_bytestring(self.value) else: s += repr(self.value) s += ')' return s
def _add_cert_to_store(store, cert): from OpenSSL.crypto import X509StoreContext, X509StoreContextError, Error as OpenSSLCryptoError # Added by Terry to capture cert expiry cert_expired = False try: X509StoreContext(store, cert).verify_certificate() except X509StoreContextError as e: # Terry: If certificate has expired, change cert_expired status to update functions outside if 'certificate has expired' in str(e): cert_expired = True else: raise InvalidCertificate(e) try: # This has already been changed store.add_cert(cert) return (cert, cert_expired) except OpenSSLCryptoError as e: if e.args == ([('x509 certificate routines', 'X509_STORE_add_cert', 'cert already in hash table')],): raise RedundantCert(e) raise
def test_xmldsig_interop(self): def resolver(uri): if uri == "document.xml": with open( os.path.join(interop_dir, "phaos-xmldsig-three", uri), "rb") as fh: return fh.read() elif uri == "http://www.ietf.org/rfc/rfc3161.txt": with open( os.path.join(os.path.dirname(__file__), "rfc3161.txt"), "rb") as fh: return fh.read() return None def get_x509_cert(signature_file): if "windows_store_signature" in signature_file: return open( os.path.join(interop_dir, "xml-crypto", "windows_store_certificate.pem")).read() elif "pyXMLSecurity" in signature_file: return open( os.path.join(interop_dir, "pyXMLSecurity", "test.pem")).read() else: return None def get_ca_pem_file(signature_file): if "signature-dsa" in signature_file: ca_pem_file = os.path.join(interop_dir, "phaos-xmldsig-three", "certs", "dsa-ca-cert.pem") elif "signature-rsa" in signature_file: ca_pem_file = os.path.join(interop_dir, "phaos-xmldsig-three", "certs", "rsa-ca-cert.pem") elif "aleksey-xmldsig-01-enveloped" in signature_file: ca_pem_file = os.path.join(interop_dir, "aleksey-xmldsig-01-enveloped", "cacert.pem") elif "aleksey" in signature_file: ca_pem_file = os.path.join(interop_dir, "aleksey-xmldsig-01", "cacert.pem") elif "wsfederation_metadata" in signature_file: ca_pem_file = os.path.join(interop_dir, "xml-crypto", "wsfederation_metadata.pem") elif "signature_with_inclusivenamespaces" in signature_file: ca_pem_file = os.path.join( interop_dir, "xml-crypto", "signature_with_inclusivenamespaces.pem") else: return None return ca_pem_file.encode("utf-8") signature_files = glob(os.path.join(interop_dir, "*", "signature*.xml")) signature_files += glob(os.path.join(interop_dir, "aleksey*", "*.xml")) signature_files += glob( os.path.join(interop_dir, "xml-crypto", "*.xml")) signature_files += glob( os.path.join(interop_dir, "pyXMLSecurity", "*.xml")) for signature_file in signature_files: print("Verifying", signature_file) with open(signature_file, "rb") as fh: try: sig = fh.read() XMLVerifier().verify( sig, require_x509=False, hmac_key="test" if "phaos" in signature_file else "secret", validate_schema=True, uri_resolver=resolver, x509_cert=get_x509_cert(signature_file), ca_pem_file=get_ca_pem_file(signature_file)) decoded_sig = sig.decode("utf-8") if "HMACOutputLength" in decoded_sig or "bad" in signature_file or "expired" in signature_file: raise BaseException("Expected an exception to occur") except Exception as e: unsupported_cases = ("xpath-transform", "xslt-transform", "xpointer", "x509-data-issuer-serial", "x509-data-ski", "x509-data-subject-name", "x509data", "signature-x509-ski", "signature-x509-is") bad_interop_cases = ("signature-big", "enveloping-dsa-x509chain", "enveloping-sha512-hmac-sha512", "enveloping-sha512-rsa-sha512", "enveloping-rsa-x509chain", "enveloping-sha1-rsa-sha1", "enveloping-sha224-rsa-sha224", "enveloping-sha256-rsa-sha256", "enveloping-sha384-rsa-sha384") if signature_file.endswith( "expired-cert.xml") or signature_file.endswith( "wsfederation_metadata.xml"): # noqa with self.assertRaisesRegexp( InvalidCertificate, "certificate has expired"): raise elif signature_file.endswith( "invalid_enveloped_transform.xml"): self.assertIsInstance(e, InvalidSignature) # with self.assertRaisesRegexp(ValueError, "Can't remove the root signature node"): # raise elif "md5" in signature_file or "ripemd160" in signature_file: self.assertIsInstance(e, InvalidInput) # with self.assertRaisesRegexp(InvalidInput, "Algorithm .+ is not recognized"): # raise elif "HMACOutputLength" in sig.decode("utf-8"): self.assertIsInstance( e, (InvalidSignature, InvalidDigest)) elif signature_file.endswith( "signature-rsa-enveloped-bad-digest-val.xml"): # self.assertIsInstance(e, InvalidDigest) self.assertIsInstance(e, InvalidCertificate) elif signature_file.endswith( "signature-rsa-detached-xslt-transform-bad-retrieval-method.xml" ): self.assertIsInstance(e, InvalidInput) elif signature_file.endswith( "signature-rsa-enveloped-bad-sig.xml"): self.assertIsInstance(e, etree.DocumentInvalid) elif signature_file.endswith("signature-x509-crt.xml"): self.assertIsInstance(e, InvalidCertificate) elif signature_file.endswith("signature-keyname.xml"): self.assertIsInstance(e, InvalidInput) elif signature_file.endswith("signature-x509-sn.xml"): self.assertIsInstance(e, InvalidInput) elif signature_file.endswith("signature-x509-crt-crl.xml"): self.assertIsInstance(e, InvalidCertificate) elif signature_file.endswith( "signature-retrievalmethod-rawx509crt.xml"): self.assertIsInstance(e, InvalidInput) elif signature_file.endswith( "merlin-xmldsig-twenty-three/signature.xml"): self.assertIsInstance(e, InvalidInput) elif any(x in signature_file for x in unsupported_cases): print("Unsupported test case:", type(e), e) elif any(x in signature_file for x in bad_interop_cases ) or "Unable to resolve reference" in str(e): print("Bad interop test case:", type(e), e) elif "certificate has expired" in str(e) and ( "signature-dsa" in signature_file or "signature-rsa" in signature_file): # noqa print("IGNORED:", type(e), e) else: raise
def _generate_xades_ssp_elements(self, options_struct): """ Generates the sequence of SignedSignatureProperty elements for inclusion into the SignedProperty element. Deprecations as listed in ETSI EN 319 132-1 V1.1.1 (2016-04), Annex D :param options_struct: carries the runtime options of the current signing run. :type options_struct: A :py:class:`signxml.xades.SignerOptions` object :returns: A :py:class:`list` of effectively generated SignedSignatureProperty elements.` """ elements = [] # Item 1: SigningTime elements.append( XADES.SigningTime(datetime.now(self.xades_tz).isoformat())) # Item 2: SigningCertificate or SigningCertificateV2 """ The SigningCertificateV2 qualifying property shall be a signed qualifying property that qualifies the signature. The SigningCertificateV2 qualifying property shall contain one reference to the signing certificate. The SigningCertificateV2 qualifying property may contain references to some of or all the certificates within the signing certificate path, including one reference to the trust anchor when this is a certificate. """ cert_elements = [] for cert in options_struct.CertChain: if self.xades_legacy: serial_element = XADES.IssuerSerial( DS.X509IssuerName(cert.issuer.rfc4514_string()), DS.X509SerialNumber(str(cert.serial_number)), ) else: """ The content of IssuerSerialV2 element shall be the the base-64 encoding of one DER-encoded instance of type IssuerSerial type defined in IETF RFC 5035 [17]. """ raise NotImplementedError( "Please make a PR if you know how to obtain in python a " "'DER-encoded instance of type IssuerSerial type defined in " "IETF RFC 5035'") serial_element = XADES.IssuerSerialV2( # TODO implement, wtf? ) """ The element CertDigest shall contain the digest of the referenced certificate. CertDigest‘s children elements satisfy the following requirements: 1) ds:DigestMethod element shall identify the digest algorithm. And 2) ds:DigestValue element shall contain the base-64 encoded value of the digest computed on the DERencoded certificate. """ cert_digest = XADES.CertDigest( DS.DigestMethod( Algorithm=self.known_digest_tags[self.digest_alg]), DS.DigestValue( self._get_digest( cert.public_bytes(Encoding.DER), self._get_digest_method_by_tag(self.digest_alg)))) cert_elements.append(XADES.Cert(cert_digest, serial_element)) if self.xades_legacy: elements.append(XADES.SigningCertificate( *cert_elements)) # deprecated (legacy) else: elements.append(XADES.SigningCertificateV2(*cert_elements)) # Item 3: SignatureProductionPlace or SignatureProductionPlaceV2 """ The SignatureProductionPlaceV2 qualifying property shall be a signed qualifying property that qualifies the signer. The SignatureProductionPlaceV2 qualifying property shall specify an address associated with the signer at a particular geographical (e.g. city) location. """ pp_elements = [] PP = options_struct.ProductionPlace pa = pp_elements.append pa(XADES.City(PP.City)) if PP.City else None if not self.xades_legacy: pa(XADES.StreetAddress( PP.StreetAddress)) if PP.StreetAddress else None pa(XADES.StateOrProvince( PP.StateOrProvince)) if PP.StateOrProvince else None pa(XADES.PostalCode(PP.PostalCode)) if PP.PostalCode else None pa(XADES.CountryName(PP.CountryName)) if PP.CountryName else None """ Empty SignatureProductionPlaceV2 qualifying properties shall not be generated. """ pp_elements = self._clean_elements_from_black_list(pp_elements) if self.xades_legacy and pp_elements: elements.append(XADES.SignatureProductionPlace( *pp_elements)) # deprecated (legacy) elif pp_elements: elements.append(XADES.SignatureProductionPlaceV2(*pp_elements)) # Item 4: SignaturePolicyIdentifier """ The SignaturePolicyIdentifier qualifying property shall be a signed qualifying property qualifying the signature. The SignaturePolicyIdentifier qualifying property shall contain either an explicit identifier of a signature policy or an indication that there is an implied signature policy that the relying party should be aware of. ETSI TS 119 172-1 specifies a framework for signature policies. """ spid_elements = [] sp = options_struct.SignaturePolicy # digest method pdm = self.known_digest_tags.get(self.digest_alg) # digest value pv = resolve_uri(sp.Identifier) spid_elements.append( XADES.SigPolicyId(XADES.Identifier(sp.Identifier), XADES.Description(sp.Description))) spid_elements.append( XADES.SigPolicyHash( DS.DigestMethod(Algorithm=pdm), DS.DigestValue( self._get_digest( pv, self._get_digest_method_by_tag(self.digest_alg))))) spid = XADES.SignaturePolicyId(*spid_elements) spi_elements = [] spi_elements.append(spid) elements.append(XADES.SignaturePolicyIdentifier(*spi_elements)) # Item 5: SignerRole or SignerRoleV2 """ The SignerRoleV2 qualifying property shall be a signed qualifying property that qualifies the signer. The SignerRoleV2 qualifying property shall encapsulate signer attributes (e.g. role). This qualifying property may encapsulate the following types of attributes: • attributes claimed by the signer; • attributes certified in attribute certificates issued by an Attribute Authority; or/and • assertions signed by a third party. """ clr_elements = [] """ The ClaimedRoles element shall contain a non-empty sequence of roles claimed by the signer but which are not certified. """ for role in options_struct.ClaimedRoles: if not isinstance(role, str): """ Additional content types *may* be defined on a domain application basis and be part of this element. """ NotImplementedError( "Role types different than strings, although permitted by " "the schema, are not implemented. Use a placeholder and " "post process the resulting element tree, instead!") clr_elements.append(XADES.ClaimedRole(role)) ctr_elements = [] """ The CertifiedRolesV2 element shall contain a non-empty sequence of certified attributes, which shall be one of the following: • the base-64 encoding of DER-encoded X509 attribute certificates conformant to Recommendation ITU-T X.509 [4] issued to the signer, within the X509AttributeCertificate element; or • attribute certificates (issued, in consequence, by Attribute Authorities) in different syntax than the one specified in Recommendation ITU-T X.509 [4], within the OtherAttributeCertificate element. The definition of specific OtherAttributeCertificate is outside of the scope of the present document """ if options_struct.CertifiedRoles and self.xades_legacy: NotImplementedError( "Legay certified roles wired as objects encoded in " "EncapsulatedPKIDataType are not implemented.") for role in options_struct.CertifiedRoles: ctr_elements.append( XADES.CertifiedRolesV2( XADES.X509AttributeCertificate( self._get_cert_encoded(role.X509AttributeCertificate) ) if role.X509AttributeCertificate else XADES. OtherAttributeCertificate( self._get_cert_encoded(role.OtherAttributeCertificate) ))) """ The SignedAssertions element shall contain a non-empty sequence of assertions signed by a third party. The definition of specific content types for SignedAssertions is outside of the scope of the present document. """ sas_elements = options_struct.SignedAssertions if not all(['SignedAssertions' in e.tag for e in sas_elements]): raise InvalidInput( "Input for signed assertions shall be all elements of type " "'{https://uri.etsi.org/01903/v1.3.2#}SignedAssertions'") sr_elements = [] if clr_elements: sr_elements.append(XADES.ClaimedRoles(*clr_elements)) if ctr_elements and self.xades_legacy: raise # already cached above, never hit elif ctr_elements: sr_elements.append(XADES.CertifiedRolesV2(*ctr_elements)) if sas_elements and not self.xades_legacy: sr_elements.append(XADES.SignedAssertions(*sas_elements)) """ Empty SignerRoleV2 qualifying properties shall not be generated. """ if not sr_elements: pass else: sr_elements = self._clean_elements_from_black_list(sr_elements) if self.xades_legacy: elements.append( XADES.SignerRole(*sr_elements)) # deprecated (legacy) else: elements.append(XADES.SignerRoleV2(*sr_elements)) # any ##other return self._clean_elements_from_black_list(elements)
def __init__(self, tag, value, typ=None): self.tag = tag self.value = value if typ is None: if isinstance(value, types.LongInteger): self.typ = enums.ItemType.LongInteger elif isinstance(value, types.BigInteger): self.typ = enums.ItemType.BigInteger elif isinstance(value, _enums_types): self.typ = enums.ItemType.Enumeration elif isinstance(value, bool): self.typ = enums.ItemType.Boolean elif isinstance(value, str): self.typ = enums.ItemType.TextString elif isinstance(value, (bytes, bytearray)): self.typ = enums.ItemType.ByteString elif isinstance(value, datetime.datetime): self.typ = enums.ItemType.DateTime elif isinstance(value, datetime.timedelta): self.typ = enums.ItemType.Interval elif isinstance(value, list): self.typ = enums.ItemType.Structure elif isinstance(value, (types.Integer, ) + _integer_types): self.typ = enums.ItemType.Integer self.value = types.Integer(self.value) else: raise RuntimeError( 'Value {} does not correspond to a TTLV type'.format( repr(value))) else: self.typ = typ if self.typ == enums.ItemType.Integer: if not isinstance(self.value, (types.Integer, types.UnknownIntegerMask)): self.value = types.Integer(self.value) elif self.typ == enums.ItemType.LongInteger: self.value = types.LongInteger(self.value) elif self.typ == enums.ItemType.BigInteger: self.value = types.BigInteger(self.value) elif self.typ == enums.ItemType.Enumeration: if isinstance(self.value, _integer_types): self.value = types.UnknownEnumeration(self.value) elif self.typ == enums.ItemType.Boolean: self.value = bool(self.value) elif self.typ == enums.ItemType.TextString: self.value = str(self.value) elif self.typ == enums.ItemType.ByteString: self.value = bytes(self.value) elif self.typ == enums.ItemType.DateTime: if not isinstance(self.value, datetime.datetime): raise RuntimeError( 'Value must be instance of datetime.datetime') elif self.typ == enums.ItemType.Interval: if not isinstance(self.value, datetime.timedelta): raise RuntimeError( 'Value must be instance of datetime.timedelta') if isinstance(self.value, types.Integer): if not -(1 << 31) <= self.value <= (1 << 31) - 1: raise RuntimeError('Integer out of range') elif isinstance(self.value, types.LongInteger): if not -(1 << 63) <= self.value <= (1 << 63) - 1: raise RuntimeError('LongInteger out of range')
from __future__ import print_function, unicode_literals from eight import input, str from MSSP.exceptions import * from re import match from os.path import expanduser from datetime import datetime from openpyxl.utils import column_index_from_string, get_column_letter selectors = ('Monitoring', 'Assessment', 'ControlRules') defaultdir = expanduser('~') + '/Dropbox/' + str(datetime.today().year) + '/TNCWebTool/' def check_sel(sel): return sel in selectors subject_regex = '^([MAC]).*:([A-Z]*)([0-9]*)$' def convert_subject_to_reference(subject): """ :param subject: matches subject_regex :return: (sel, record) dictionary key """ g = match(subject_regex, subject) sel = [k for k in selectors if k[0] == g.groups()[0]] if len(sel) < 1:
def test_xmldsig_interop(self): interop_dir = os.path.join(os.path.dirname(__file__), "interop") def resolver(uri): if uri == "document.xml": with open(os.path.join(interop_dir, "phaos-xmldsig-three", uri), "rb") as fh: return fh.read() elif uri == "http://www.ietf.org/rfc/rfc3161.txt": with open(os.path.join(os.path.dirname(__file__), "rfc3161.txt"), "rb") as fh: return fh.read() return None #from ssl import DER_cert_to_PEM_cert #with open(os.path.join(os.path.dirname(__file__), "interop", "phaos-xmldsig-three", "certs", "dsa-ca-cert.der"), "rb") as fh: # ca_pem_file = DER_cert_to_PEM_cert(fh.read()) # with open(os.path.join(os.path.dirname(__file__), "interop", "phaos-xmldsig-three", "certs", "dsa-ca-cert.pem"), "wb") as fh2: # fh2.write(ca_pem_file) def get_x509_cert(signature_file): if "windows_store_signature" in signature_file: return open(os.path.join(interop_dir, "xml-crypto", "windows_store_certificate.pem")).read() elif "pyXMLSecurity" in signature_file: return open(os.path.join(interop_dir, "pyXMLSecurity", "test.pem")).read() else: return None def get_ca_pem_file(signature_file): if "signature-dsa" in signature_file: ca_pem_file = os.path.join(interop_dir, "phaos-xmldsig-three", "certs", "dsa-ca-cert.pem") elif "signature-rsa" in signature_file: ca_pem_file = os.path.join(interop_dir, "phaos-xmldsig-three", "certs", "rsa-ca-cert.pem") elif "aleksey-xmldsig-01-enveloped" in signature_file: ca_pem_file = os.path.join(interop_dir, "aleksey-xmldsig-01-enveloped", "cacert.pem") elif "aleksey" in signature_file: ca_pem_file = os.path.join(interop_dir, "aleksey-xmldsig-01", "cacert.pem") elif "wsfederation_metadata" in signature_file: ca_pem_file = os.path.join(interop_dir, "xml-crypto", "wsfederation_metadata.pem") elif "signature_with_inclusivenamespaces" in signature_file: ca_pem_file = os.path.join(interop_dir, "xml-crypto", "signature_with_inclusivenamespaces.pem") else: return None return ca_pem_file.encode("utf-8") signature_files = glob(os.path.join(interop_dir, "*", "signature*.xml")) signature_files += glob(os.path.join(interop_dir, "aleksey*", "*.xml")) signature_files += glob(os.path.join(interop_dir, "xml-crypto", "*.xml")) signature_files += glob(os.path.join(interop_dir, "pyXMLSecurity", "*.xml")) for signature_file in signature_files: print("Verifying", signature_file) with open(signature_file, "rb") as fh: try: sig = fh.read() XMLVerifier().verify(sig, require_x509=False, hmac_key="test" if "phaos" in signature_file else "secret", validate_schema=True, uri_resolver=resolver, x509_cert=get_x509_cert(signature_file), ca_pem_file=get_ca_pem_file(signature_file)) if "HMACOutputLength" in sig.decode("utf-8") or "bad" in signature_file or "expired" in signature_file: raise BaseException("Expected an exception to occur") except Exception as e: unsupported_cases = ("xpath-transform", "xslt-transform", "xpointer", "x509-data-issuer-serial", "x509-data-ski", "x509-data-subject-name", "x509data", "signature-x509-ski", "signature-x509-is") todo_cases = ("signature-big", "enveloping-dsa-x509chain", "enveloping-sha512-hmac-sha512", "enveloping-sha512-rsa-sha512") if signature_file.endswith("expired-cert.xml"): with self.assertRaisesRegexp(InvalidCertificate, "certificate has expired"): raise elif signature_file.endswith("invalid_enveloped_transform.xml"): self.assertIsInstance(e, InvalidSignature) #with self.assertRaisesRegexp(ValueError, "Can't remove the root signature node"): # raise elif "md5" in signature_file or "ripemd160" in signature_file: self.assertIsInstance(e, InvalidInput) #with self.assertRaisesRegexp(InvalidInput, "Algorithm .+ is not recognized"): # raise elif "HMACOutputLength" in sig.decode("utf-8"): self.assertIsInstance(e, (InvalidSignature, InvalidDigest)) elif signature_file.endswith("signature-rsa-enveloped-bad-digest-val.xml"): #self.assertIsInstance(e, InvalidDigest) self.assertIsInstance(e, InvalidCertificate) elif signature_file.endswith("signature-rsa-detached-xslt-transform-bad-retrieval-method.xml"): self.assertIsInstance(e, InvalidInput) elif signature_file.endswith("signature-rsa-enveloped-bad-sig.xml"): self.assertIsInstance(e, etree.DocumentInvalid) elif signature_file.endswith("signature-x509-crt.xml"): self.assertIsInstance(e, InvalidCertificate) elif signature_file.endswith("signature-keyname.xml"): self.assertIsInstance(e, InvalidInput) elif signature_file.endswith("signature-x509-sn.xml"): self.assertIsInstance(e, InvalidInput) elif signature_file.endswith("signature-x509-crt-crl.xml"): self.assertIsInstance(e, InvalidCertificate) elif signature_file.endswith("signature-retrievalmethod-rawx509crt.xml"): self.assertIsInstance(e, InvalidInput) elif any(x in signature_file for x in unsupported_cases) or "EntitiesForbidden" in str(e): print("Unsupported test case:", type(e), e) elif any(x in signature_file for x in todo_cases) or "Unable to resolve reference" in str(e): print("IGNORED test case:", type(e), e) elif "certificate has expired" in str(e) and ("signature-dsa" in signature_file or "signature-rsa" in signature_file): print("IGNORED:", type(e), e) else: raise