def genAuthnResponse(self, responsetoid, acs_url, issuer, name_id=""):
cert_pem = self.pemcert
key_pem = self.pemkey
format = {
"timenow":
datetime.datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"),
"generated_id":
"_92c76e8d097344229ba1b13200f15fe6",
"generated_assertion_id":
"_f2bee8431dda412c90ac584a5afa342d",
"expirytime":
(datetime.datetime.utcnow() +
datetime.timedelta(minutes=15)).strftime("%Y-%m-%dT%H:%M:%SZ"),
"acs_url":
acs_url,
"issuer":
issuer,
"responsetoid":
responsetoid,
"name_id":
name_id,
"sp_name":
acs_url.split(
'/')[2][4:], # tamad: derive qualified SP name from acs_url
"audience":
acs_url.split('/')[2][
4:] # tamad: derive audience name from acs_url
}
tree = etree.fromstring(self.__canonicalize(XML_TEMPLATE % format))
assertion_tree = tree.find("{%s}Assertion" % SAML_ASSERTION_NS)
signed_assertion_tree = XMLSigner(
signature_algorithm='rsa-sha1',
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/2001/10/xml-exc-c14n#').sign(
assertion_tree, key=key_pem, cert=cert_pem)
self.__reorder_signature(signed_assertion_tree)
# awkward replacement
tree.remove(assertion_tree)
tree.append(signed_assertion_tree)
# return etree.tostring(XMLSigner(signature_algorithm='rsa-sha1',digest_algorithm='sha1').sign(tree,key=pemkey,cert=pemcert));
treeRes = XMLSigner(
signature_algorithm='rsa-sha1',
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/2001/10/xml-exc-c14n#').sign(
tree, key=key_pem, cert=cert_pem)
self.__reorder_signature(treeRes)
#rVal = etree.tostring(treeRes);
return self.__canonicalize(etree.tostring(treeRes))
def test_reference_uris_and_custom_key_info(self):
with open(os.path.join(os.path.dirname(__file__), "example.pem"), "rb") as fh:
crt = fh.read()
with open(os.path.join(os.path.dirname(__file__), "example.key"), "rb") as fh:
key = fh.read()
# Both ID and Id formats. XPath 1 doesn't have case insensitive attribute search
for d in ['''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="responseId">
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="assertionId">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder" />
</saml:Assertion>
</samlp:Response>''',
'''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Id="responseId">
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" Id="assertionId">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder" />
</saml:Assertion>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" Id="assertion2">
</saml:Assertion>
</samlp:Response>''']:
data = etree.fromstring(d)
reference_uri = ["assertionId", "assertion2"] if "assertion2" in d else "assertionId"
signed_root = XMLSigner().sign(data, reference_uri=reference_uri, key=key, cert=crt)
signed_data_root = XMLVerifier().verify(etree.tostring(signed_root), x509_cert=crt, expect_references=True)[1]
ref = signed_root.xpath('/samlp:Response/saml:Assertion/ds:Signature/ds:SignedInfo/ds:Reference',
namespaces={"ds": "http://www.w3.org/2000/09/xmldsig#",
"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"})
self.assertEqual("assertionId", ref[0].attrib['URI'][1:])
self.assertEqual("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion", signed_data_root.tag)
# Also test with detached signing
for c14_transform_option in include_c14_transformation:
XMLSigner(method=methods.detached,
include_c14n_transform=c14_transform_option
).sign(data, reference_uri=reference_uri, key=key, cert=crt)
# Test setting custom key info
custom_key_info = etree.fromstring('''
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-639b8970-7644-4f9e-9bc4-9c2e367808fc-1"/>
</wsse:SecurityTokenReference>''')
XMLSigner().sign(data, reference_uri=reference_uri, key=key, cert=crt, key_info=custom_key_info)
def assina_xml(self, xml_element, reference):
cert, key = extract_cert_and_key_from_pfx(self.arquivo, self.senha)
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = XMLSigner(
method=signxml.methods.enveloped,
signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
)
ns = {}
ns[None] = signer.namespaces["ds"]
signer.namespaces = ns
ref_uri = ("#%s" % reference) if reference else None
signed_root = signer.sign(xml_element,
key=key.encode(),
cert=cert.encode(),
reference_uri=ref_uri)
if reference:
element_signed = signed_root.find(".//*[@Id='%s']" % reference)
signature = (signed_root.find(".//*[@URI='#%s']" %
reference).getparent().getparent())
if element_signed is not None and signature is not None:
parent = element_signed.getparent()
parent.append(signature)
return etree.tostring(signed_root, encoding=str)
def assinar(self, xml, retorna_string=False):
# busca tag que tem id(reference_uri), logo nao importa se tem namespace
reference = xml.find(".//*[@Id]").attrib['Id']
# retira acentos
xml_str = remover_acentos(
etree.tostring(xml, encoding="unicode", pretty_print=False))
xml = etree.fromstring(xml_str)
signer = XMLSigner(
method=signxml.methods.enveloped,
signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = {None: signer.namespaces['ds']}
signer.namespaces = ns
ref_uri = ('#%s' % reference) if reference else None
signed_root = signer.sign(xml,
key=self.key,
cert=self.cert,
reference_uri=ref_uri)
ns = {'ns': NAMESPACE_SIG}
# coloca o certificado na tag X509Data/X509Certificate
tagX509Data = signed_root.find('.//ns:X509Data', namespaces=ns)
etree.SubElement(tagX509Data, 'X509Certificate').text = self.cert
if retorna_string:
return etree.tostring(signed_root,
encoding="unicode",
pretty_print=False)
else:
return signed_root
def sign_http_post(xmlstr, key, cert, message=False, assertion=True):
logger.debug('http-post signing')
signer = XMLSigner(
signature_algorithm='rsa-sha256',
digest_algorithm='sha256',
c14n_algorithm='http://www.w3.org/2001/10/xml-exc-c14n#',
)
root = fromstring(xmlstr)
if assertion:
logger.debug('signing assertion')
assertions = root.findall('{%s}Assertion' % SAML)
for assertion in assertions:
issuer = assertion.find('{%s}Issuer' % SAML)
issuer.addnext(
fromstring(
'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder"></ds:Signature>'
))
root = signer.sign(root,
reference_uri=assertion.attrib['ID'],
key=key,
cert=cert)
if message:
issuer = root.find('{%s}Issuer' % SAML)
issuer.addnext(
fromstring(
'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder"></ds:Signature>'
))
root = signer.sign(root, key=key, cert=cert)
return tostring(root, pretty_print=False)
def assina_xml(self, xml_element, reference, key_name=None):
cert, key = extract_cert_and_key_from_pfx(self.arquivo, self.senha)
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = XMLSigner(
method=signxml.methods.enveloped,
signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = {}
ns[None] = signer.namespaces['ds']
signer.namespaces = ns
ref_uri = ('#%s' % reference) if reference else None
signed_root = signer.sign(xml_element,
key=key,
cert=cert,
reference_uri=ref_uri,
key_name=key_name)
if reference:
element_signed = signed_root.find(".//*[@Id='%s']" % reference)
signature = signed_root.find(
".//{http://www.w3.org/2000/09/xmldsig#}Signature")
if element_signed is not None and signature is not None:
parent = element_signed.getparent()
parent.append(signature)
return etree.tostring(signed_root)
def test_x509_certs(self):
from OpenSSL.crypto import load_certificate, FILETYPE_PEM, Error as OpenSSLCryptoError
tree = etree.parse(self.example_xml_files[0])
ca_pem_file = os.path.join(os.path.dirname(__file__), "example-ca.pem").encode("utf-8")
with open(os.path.join(os.path.dirname(__file__), "example.pem"), "rb") as fh:
crt = fh.read()
with open(os.path.join(os.path.dirname(__file__), "example.key"), "rb") as fh:
key = fh.read()
for hash_alg in "sha1", "sha256":
for method in methods.enveloped, methods.enveloping:
for c14_transform_option in include_c14_transformation:
print(hash_alg, method)
data = tree.getroot()
reset_tree(data, method)
signer = XMLSigner(method=method, signature_algorithm="rsa-" + hash_alg,
include_c14n_transform=c14_transform_option)
signed = signer.sign(data, key=key, cert=crt)
signed_data = etree.tostring(signed)
XMLVerifier().verify(signed_data, ca_pem_file=ca_pem_file)
XMLVerifier().verify(signed_data, x509_cert=crt)
XMLVerifier().verify(signed_data, x509_cert=load_certificate(FILETYPE_PEM, crt))
XMLVerifier().verify(signed_data, x509_cert=crt, cert_subject_name="*.example.com")
with self.assertRaises(OpenSSLCryptoError):
XMLVerifier().verify(signed_data, x509_cert=crt[::-1])
with self.assertRaises(InvalidSignature):
XMLVerifier().verify(signed_data, x509_cert=crt, cert_subject_name="test")
with self.assertRaisesRegexp(InvalidCertificate, "unable to get local issuer certificate"):
XMLVerifier().verify(signed_data)
def signXML(self, fiskXML, elementToSign):
"""
signs xml template acording to XML Signature Syntax and Processing
returns signed xml
fiskXMLTemplate - Element (from ElementTree) xml template to sign
elementToSign - string - name tag of element to sign inside xml template
"""
if (self.init_error):
raise FiskXMLEleSignerError(self.init_error)
root = fiskXML
#print(et.tostring(root))
RequestElement = None
for child in root.iter(elementToSign):
if (child.tag == elementToSign):
RequestElement = child
break
if (RequestElement == None):
raise FiskXMLEleSignerError("Coudl not find element to sign")
#dodavanje Signature taga
namespace = "{http://www.w3.org/2000/09/xmldsig#}"
Signature = et.SubElement(RequestElement, namespace + "Signature",
{'Id': 'placeholder'})
#signer = xmldsig(RequestElement, digest_algorithm="sha1")
signed_root = XMLSigner(
signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#").sign(
root,
key=self.key,
passphrase=self.password,
cert=self.certificate,
reference_uri="#" + RequestElement.get("Id"))
#signxml does not fill correctly certificate data so we need to do it manualy
sslcert = load_certificate(FILETYPE_PEM, self.certificate)
child = signed_root.find(".//" + namespace + "X509Data")
if (child != None):
isuerserial = et.SubElement(child, namespace + "X509IssuerSerial")
name = et.SubElement(isuerserial, namespace + "X509IssuerName")
issuer = sslcert.get_issuer()
# issuer.CN is not present in some certificates
name.text = ','.join(
filter(None, [
issuer.CN and "CN=" + issuer.CN, issuer.OU
and "OU=" + issuer.OU, issuer.O and "O=" + issuer.O,
issuer.C and "C=" + issuer.C
]))
serial = et.SubElement(isuerserial, namespace + "X509SerialNumber")
serial.text = '{:d}'.format(sslcert.get_serial_number())
return et.tostring(signed_root)
def sign_seed(self, message, privkey, cert):
doc = etree.fromstring(message)
signed_node = XMLSigner(method=methods.enveloped, digest_algorithm='sha1').sign(
doc, key=privkey.encode('ascii'), cert=cert)
msg = etree.tostring(
signed_node, pretty_print=True).decode().replace('ds:', '')
return msg
def sign(name):
try:
et = fromstring(XML_TEMPLATE.format(name))
signed = XMLSigner().sign(et, key=key, cert=cert)
return HTML_TEMPLATE.format(ET.tostring(signed))
except:
return
def assina_xml(self, xml_element, reference):
cert, key = extract_cert_and_key_from_pfx(self.arquivo, self.senha)
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = XMLSigner(
method=signxml.methods.enveloped, signature_algorithm=u"rsa-sha1",
digest_algorithm=u'sha1',
c14n_algorithm=u'http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = {}
ns[None] = signer.namespaces['ds']
signer.namespaces = ns
element_to_be_signed = xml_element.getchildren()[0].getchildren()[0]
signed_root = signer.sign(
element_to_be_signed, key=key.encode(), cert=cert.encode())
if reference:
element_signed = signed_root.find(".//*[@Id='%s']" % reference)
signature = signed_root.find(
".//{http://www.w3.org/2000/09/xmldsig#}Signature")
if element_signed is not None and signature is not None:
parent = xml_element.getchildren()[0]
parent.append(signature)
return etree.tostring(xml_element, encoding=str)
def assina_xml(self, xml_element):
cert, key = extract_cert_and_key_from_pfx(self.arquivo, self.senha)
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = XMLSigner(
method=methods.enveloped,
signature_algorithm=u"rsa-sha1",
digest_algorithm=u"sha1",
c14n_algorithm=u"http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
)
ns = {}
ns[None] = signer.namespaces["ds"]
signer.namespaces = ns
element_signed = xml_element.find(".//{http://nfse.goiania.go.gov.br/xsd/nfse_gyn_v02.xsd}Rps")
signed_root = signer.sign(
xml_element, key=key.encode(), cert=cert.encode()
)
signature = signed_root.find(
".//{http://www.w3.org/2000/09/xmldsig#}Signature"
)
if element_signed is not None and signature is not None:
parent = xml_element.getchildren()[0]
parent.append(signature)
return etree.tostring(xml_element, encoding=str)
def assinar_efdreinf(xml):
from lxml import etree
from emensageriapro.settings import FORCE_PRODUCAO_RESTRITA, BASE_DIR
from signxml import XMLSigner, methods
from emensageriapro.settings import CERT, CERT_HOST, CERT_PASS, CERT_PEM_FILE, KEY_PEM_FILE
CERT_HOST = BASE_DIR + '/' + CERT_HOST
CERT_PEM_FILE = CERT_PEM_FILE
KEY_PEM_FILE = KEY_PEM_FILE
# a = executar_sql("""
# SELECT efdreinf_certificado, efdreinf_senha
# FROM public.transmissores where id=%s;
# """ % transmissor_id, True)
if FORCE_PRODUCAO_RESTRITA:
xml = xml.replace('<tpAmb>1</tpAmb>','<tpAmb>2</tpAmb>')
identidade = get_identidade_evento(xml)
create_pem_files(CERT_HOST, CERT_PASS, CERT_PEM_FILE, KEY_PEM_FILE)
cert_str = ler_arquivo(CERT_PEM_FILE)
key_str = ler_arquivo(KEY_PEM_FILE)
root = etree.fromstring(xml)
signed_root = XMLSigner(
method=methods.enveloped,
signature_algorithm=u'rsa-sha256',
digest_algorithm=u'sha256',
c14n_algorithm=u'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'
).sign(root,
reference_uri='#' + identidade,
key=key_str,
cert=cert_str)
return etree.tostring(signed_root)
def signWithCert(self, stringXml, key, returnString=True):
xmlBuffer = etree.fromstring(stringXml)
tree = etree.fromstring(stringXml)
reference = tree.findall(".//*[@Id]")
cert = self.extractCertContent()
key = open(key, "rb").read()
signer = XMLSigner(
method=signxml.methods.enveloped, signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = {None: signer.namespaces['ds']}
signer.namespaces = ns
refUri = ('#%s' % reference) if reference else None
signedRoot = signer.sign(
xmlBuffer, key=key, cert=cert, reference_uri=refUri)
ns = {'ns': NAMESPACE_SIG}
# Insert the cert file buffered data (content) into specified tags X509Data/X509Certificate
tagX509Data = signedRoot.find('.//ns:X509Data', namespaces=ns)
etree.SubElement(tagX509Data, 'X509Certificate').text = cert
if returnString:
xmlEnvelope = etree.tostring(signedRoot, encoding="unicode", pretty_print=False)
return xmlEnvelope
else:
return signedRoot
def assinar_efdreinf(xml):
from lxml import etree
from emensageriapro.settings import FORCE_PRODUCAO_RESTRITA, BASE_DIR
from signxml import XMLSigner, methods
from emensageriapro.settings import CERT_HOST, CERT_PASS, CERT_PEM_FILE, KEY_PEM_FILE
cert_host = BASE_DIR + '/' + CERT_HOST
cert_pem_file = CERT_PEM_FILE
key_pem_file = KEY_PEM_FILE
if FORCE_PRODUCAO_RESTRITA:
xml = xml.replace('<tpAmb>1</tpAmb>','<tpAmb>2</tpAmb>')
identidade = get_identidade_evento(xml)
create_pem_files(cert_host, CERT_PASS, cert_pem_file, key_pem_file)
cert_str = ler_arquivo(cert_pem_file)
key_str = ler_arquivo(key_pem_file)
root = etree.fromstring(xml)
signed_root = XMLSigner(
method=methods.enveloped,
signature_algorithm=u'rsa-sha256',
digest_algorithm=u'sha256',
c14n_algorithm=u'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'
).sign(root,
reference_uri='#' + identidade,
key=key_str,
cert=cert_str)
return etree.tostring(signed_root)
def test_signxml_changing_signature_namespace_prefix(self):
data = etree.parse(self.example_xml_files[0]).getroot()
signer = XMLSigner()
signer.namespaces = dict(digi_sign=namespaces['ds'])
signed = signer.sign(data, key=self.keys["rsa"])
signed_data = etree.tostring(signed)
expected_match = ("<digi_sign:Signature xmlns:"
"digi_sign=\"%s\">") % namespaces['ds']
self.assertTrue(re.search(expected_match.encode('ascii'), signed_data))
def sign(self, data, reference_uri):
signer = XMLSigner(
method=methods.detached,
signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
)
return signer.sign(data=data, key=self.key, cert=self.cert, reference_uri="#{}".format(reference_uri))
def assinar_efdreinf(request, xml, transmissor_id):
from lxml import etree
from emensageriapro.settings import BASE_DIR
from signxml import XMLSigner, methods
from emensageriapro.mensageiro.functions.funcoes import get_identidade_evento, create_pem_files, ler_arquivo
if transmissor_id:
tra = TransmissorLoteEfdreinf.objects. \
get(id=transmissor_id)
if tra.transmissor:
if tra.transmissor.certificado:
cert_host = '%s/certificado/%s' % (
BASE_DIR, tra.transmissor.certificado.certificado)
cert_pass = tra.transmissor.certificado.senha
cert_pem_file = '/certificado/cert_%s.pem' % tra.transmissor.certificado.id
key_pem_file = '/certificado/key_%s.pem' % tra.transmissor.certificado.id
create_pem_files(cert_host, cert_pass, cert_pem_file,
key_pem_file)
cert_str = ler_arquivo(cert_pem_file)
key_str = ler_arquivo(key_pem_file)
root = etree.fromstring(xml)
identidade = get_identidade_evento(xml)
signed_root = XMLSigner(
method=methods.enveloped,
signature_algorithm=u'rsa-sha256',
digest_algorithm=u'sha256',
c14n_algorithm=
u'http://www.w3.org/TR/2001/REC-xml-c14n-20010315').sign(
root,
reference_uri='#' + identidade,
key=key_str,
cert=cert_str)
return etree.tostring(signed_root)
else:
messages.error(
request, '''O certificado não está configurado,
configure pelo menos um transmissor para o respectivo empregador!'''
)
else:
messages.error(request, '''O transmissor não está configurado!''')
return xml
def sign(self):
_logger.debug('Firma de XML : ')
cert = open(templateXML+ os.sep +'myr.cer').read()
privkey = open(templateXML+ os.sep +'myr.key').read()
root = etree.fromstring(self._xml.encode('ISO-8859-1'), parser=etree.XMLParser(encoding='ISO-8859-1'))
_logger.debug(root)
signed_root = XMLSigner(method=methods.enveloped, signature_algorithm='rsa-sha1', digest_algorithm='sha1', c14n_algorithm=u'http://www.w3.org/TR/2001/REC-xml-c14n-20010315').sign(root, key=privkey, cert=cert)
self._xml = etree.tostring(signed_root,encoding='ISO-8859-1')
assertion_data = XMLVerifier().verify(signed_root,x509_cert=cert).signed_xml
_logger.debug(assertion_data)
_logger.debug(self._xml)
def __init__(self, certificado, chave, namespace):
self.cert = certificado
self.key = chave
self.NAMESPACE = namespace
self._assinador = XMLSigner(
method=methods.detached,
signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
def sign(node, key_path, cert_path, get_object=False):
key = import_key(key_path)
cert = import_key(cert_path)
signer = XMLSigner(
method=methods.enveloped,
signature_algorithm='rsa-sha1',
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
signed_node = signer.sign(node, key=key, cert=cert)
if get_object is True:
return signed_node
return etree.tostring(signed_node)
def make_saml_response():
key = readfile("resources/privatekey.pem").encode('ascii')
cert = readfile("resources/idp.crt").encode('ascii')
saml_response_template = readfile("resources/saml-response-template.xml")
saml_response = saml_response_template \
.replace("issue-instant-field", format_time(datetime.utcnow())) \
.replace("session-not-on-or-after-field", format_time(datetime.utcnow() + timedelta(days=1))) \
.replace("not-on-or-after-field", format_time(datetime.utcnow() + timedelta(minutes=5))) \
.replace("auth-user-field", auth_user)
root = etree.fromstring(saml_response)
signed_root = XMLSigner().sign(root, key=key, cert=cert)
return base64.b64encode(etree.tostring(signed_root)).decode()
def sign_assertion(assertion, key, cert, reference_uri):
signer = XMLSigner(signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
signed_assertion_element = signer.sign(assertion,
key=key,
cert=cert,
reference_uri=reference_uri)
return signed_assertion_element
def sign(xml, cert_data):
signer = XMLSigner(
method=signxml.methods.enveloped,
signature_algorithm='rsa-sha256',
digest_algorithm='sha256',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315'
)
xml_root = None
if not isinstance(xml, etree._ElementTree):
xml = load_fromfile(xml)
xml_root = xml.getroot()
signed_root = signer.sign(xml_root, key=cert_data['key_str'], cert=cert_data['cert_str'])
return etree.ElementTree(signed_root)
def get_signed_value(self, str_xml):
cert = self.get_pem_certificate()
key = self.get_pem_private_key()
ET.register_namespace("ds", "http://www.w3.org/2000/09/xmldsig#")
xml2 = str_xml.encode('utf -8')
root = etree.fromstring(xml2)
signed_root = XMLSigner().sign(root, key=key, cert=cert)
data_serialized = lxml_ET.tostring(signed_root)
data_parsed = ET.fromstring(data_serialized)
tree = ET.ElementTree(data_parsed)
# tree.write("/Users/mac/Dropbox/new_signed_file4.xml")
tree.write("c:\\tmp\\new_signed_file4.xml")
def sign(element, reference_uri, certificate_data, key_data):
signer = XMLSigner(
signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
# Sign XML.
signed_element = signer.sign(element,
key=key_data,
cert=certificate_data,
reference_uri=reference_uri)
return signed_element
def sign_assertions(response_str):
""" Return signed response string """
response_element = etree.fromstring(response_str)
cert = read_bytes("keys/cert.pem")
key = read_bytes("keys/key.pem")
for e in response_element.findall(
'{urn:oasis:names:tc:SAML:2.0:assertion}Assertion'):
signer = XMLSigner(
c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#",
signature_algorithm='rsa-sha1',
digest_algorithm='sha1')
signed_e = signer.sign(e, key=key, cert=cert)
response_element.replace(e, signed_e)
return etree.tostring(response_element, pretty_print=True)
def createSigniature(student, key):
root = ElementTree.Element("Student")
username = ElementTree.SubElement(root, "Username")
username.text = student["username"]
fakulteti = ElementTree.SubElement(root, "Fakulteti")
fakulteti.text = student["fakulteti"]
nota = ElementTree.SubElement(root, "Nota")
nota.text = student["nota"]
viti = ElementTree.SubElement(root, "Viti")
viti.text = student["viti"]
signedXML = XMLSigner().sign(root, key=PRIVATEKEY)
xmlStr = tostring(signedXML)
message = {"cmd": "SIGNIATURE", "data": xmlStr.decode()}
message = json.dumps(message)
return MessageToSend(key, message)
def assina_xml(self, xml):
##Modificado para utilizar o signxml ao inves do libxml2 e xmlsec
from signxml import XMLSigner
from signxml import methods
xml = self._prepara_doc_xml(xml)
doc_xml = lxml.etree.fromstring(xml.encode('utf-8'))
#buscando chave de acesso no documento e retiranto TAG Signature
chave_de_acesso = self._ler_chave_acesso(doc_xml)
if chave_de_acesso is None:
raise ValueError(
'Nao foi possivel encontrar a Tag para a assinatura.')
#String para bytes para a leitura no signxml
chave = self.chave.encode('utf-8')
certificado = self.certificado.encode('utf-8')
signer = XMLSigner(
method=methods.enveloped,
signature_algorithm='rsa-sha1',
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
#Retirar os prefixos ds: da assinatura
ns = {}
ns[None] = signer.namespaces['ds']
signer.namespaces = ns
#Assina o documento
signed_doc = signer.sign(doc_xml,
key=chave,
cert=certificado,
reference_uri='#{0}'.format(chave_de_acesso))
#Selecionar apenas a tag Signature do documento.
signature_tag = None
for child in signed_doc:
if 'Signature' in child.tag:
signature_tag = child
if signature_tag is None:
raise ("Assinatura nao encontrada.")
signature_tag = lxml.etree.tostring(signature_tag).decode('utf-8')
signature_tag = self._finaliza_xml(signature_tag)
return signature_tag
def sign_seed(message, privkey, cert):
"""
@author: Daniel Blanco Martin (daniel[at]blancomartin.cl)
@version: 2016-06-01
"""
_logger.info('SIGNING WITH SIGN_SEED ##### ------ #####')
doc = etree.fromstring(message)
signed_node = XMLSigner(
method=methods.enveloped, signature_algorithm=u'rsa-sha1',
digest_algorithm=u'sha1').sign(
doc, key=privkey.encode('ascii'), passphrase=None, cert=cert,
key_name=None, key_info=None, id_attribute=None)
msg = etree.tostring(
signed_node, pretty_print=True).replace(b'ds:', b'')
_logger.info('message: {}'.format(msg))
return msg