def sign(self, doc, id, keyname):
   """sign element identified by *id* in *doc* (`lxml` etree) with the (first) key with *keyname*."""
   from dm.xmlsec.binding import dsig, DSigCtx, findNode, Error
   # will fail with ``IndexError`` when the id does not exist
   node = doc.xpath('//*[@ID="%s"]' % id)[0]
   node = findNode(node, dsig("Signature"))
   assert node is not None, "Missing signature element"
   sign_ctx = DSigCtx(None)
   sign_ctx.signKey = self.__keys_manager[keyname][0]
   try: sign_ctx.sign(node)
   except Error, e:
     raise SignError('signing failed', id, keyname, e)
Ejemplo n.º 2
0
    def sign_binary(self, data, algorithm, keyname):
        """sign *data* with *algorithm* and  the (first) key with *keyname*.

    *algorithm* is identified by its uri.
    """
        from dm.xmlsec.binding import DSigCtx, Error
        sign_ctx = DSigCtx()
        sign_ctx.signKey = self.__keys_manager[keyname][0]
        try:
            a = self.resolve_algorithm(algorithm)
            return sign_ctx.signBinary(data, a)
        except Error, e:
            raise SignError('signing failed', algorithm, e)
Ejemplo n.º 3
0
 def sign(self, doc, id, keyname):
     """sign element identified by *id* in *doc* (`lxml` etree) with the (first) key with *keyname*."""
     from dm.xmlsec.binding import dsig, DSigCtx, findNode, Error
     # will fail with ``IndexError`` when the id does not exist
     node = doc.xpath('//*[@ID="%s"]' % id)[0]
     node = findNode(node, dsig("Signature"))
     assert node is not None, "Missing signature element"
     sign_ctx = DSigCtx(None)
     sign_ctx.signKey = self.__keys_manager[keyname][0]
     try:
         sign_ctx.sign(node)
     except Error, e:
         raise SignError('signing failed', id, keyname, e)
  def sign_binary(self, data, algorithm, keyname):
    """sign *data* with *algorithm* and  the (first) key with *keyname*.

    *algorithm* is identified by its uri.
    """
    from dm.xmlsec.binding import DSigCtx, Error
    sign_ctx = DSigCtx()
    sign_ctx.signKey = self.__keys_manager[keyname][0]
    try:
      a = self.resolve_algorithm(algorithm)
      return sign_ctx.signBinary(data, a)
    except Error, e:
      raise SignError('signing failed', algorithm, e)
  def verify_binary(self, data, algorithm, signature, keyname):
    """verify *signature* for *data* with *algorithm* using a key associated with *keyname*.

    Raise ``VerifyError``, when the verification fails.

    *algorithm* is identified by its uri.
    """
    from dm.xmlsec.binding import DSigCtx, Error
    a = self.resolve_algorithm(algorithm) # may raise `Error`
    # now verify the signature: try each key in turn
    for key in self.__keys_manager.get(keyname, ()):
      verify_ctx = DSigCtx()
      verify_ctx.signKey = key
      try: verify_ctx.verifyBinary(data, a, signature)
      except VerificationError: pass
      else: return
    raise VerifyError('signature verification failed: %s' % keyname)
Ejemplo n.º 6
0
    def verify(self, doc, id, keyname):
        """verify the node identified by *id* in *doc* using a key associated with *keyname*.

    Raise ``VerifyError``, when the verification fails.

    We only allow a single reference. Its uri must either be empty or
    refer to the element we are verifying.
    In addition, we only allow the standard transforms.
    """
        from dm.xmlsec.binding import findNode, dsig, DSigCtx, \
             TransformExclC14N, TransformExclC14NWithComments, \
             TransformEnveloped, \
             VerificationError
        node = doc.xpath('//*[@ID="%s"]' % id)
        if len(node) != 1:
            raise VerifyError('id not unique or not found: %s %d' %
                              (id, len(nodes)))
        node = node[0]
        sig = findNode(node, dsig("Signature"))
        # verify the reference.
        refs = sig.xpath('ds:SignedInfo/ds:Reference', namespaces=dsigns)
        if len(refs) != 1:
            raise VerifyError('only a single reference is allowed: %d' %
                              len(refs))
        ref = refs[0]
        uris = ref.xpath('@URI')
        if not uris or uris[0] != '#' + id:
            raise VerifyError(
                'reference uri does not refer to signature parent', id)
        # now verify the signature: try each key in turn
        for key in self.__keys_manager.get(keyname, ()):
            verify_ctx = DSigCtx(None)
            for t in chain((TransformExclC14N, TransformExclC14NWithComments),
                           config.signature_transforms):
                verify_ctx.enableSignatureTransform(t)
            for t in chain((TransformExclC14N, TransformExclC14NWithComments,
                            TransformEnveloped), config.reference_transforms):
                verify_ctx.enableReferenceTransform(t)
            verify_ctx.signKey = key
            try:
                verify_ctx.verify(sig)
            except VerificationError:
                pass
            else:
                return
        raise VerifyError('signature verification failed: %s %s' %
                          (id, keyname))
Ejemplo n.º 7
0
    def verify_binary(self, data, algorithm, signature, keyname):
        """verify *signature* for *data* with *algorithm* using a key associated with *keyname*.

    Raise ``VerifyError``, when the verification fails.

    *algorithm* is identified by its uri.
    """
        from dm.xmlsec.binding import DSigCtx, Error
        a = self.resolve_algorithm(algorithm)  # may raise `Error`
        # now verify the signature: try each key in turn
        for key in self.__keys_manager.get(keyname, ()):
            verify_ctx = DSigCtx()
            verify_ctx.signKey = key
            try:
                verify_ctx.verifyBinary(data, a, signature)
            except VerificationError:
                pass
            else:
                return
        raise VerifyError('signature verification failed: %s' % keyname)
  def verify(self, doc, id, keyname):
    """verify the node identified by *id* in *doc* using a key associated with *keyname*.

    Raise ``VerifyError``, when the verification fails.

    We only allow a single reference. Its uri must either be empty or
    refer to the element we are verifying.
    In addition, we only allow the standard transforms.
    """
    from dm.xmlsec.binding import findNode, dsig, DSigCtx, \
         TransformExclC14N, TransformExclC14NWithComments, \
         TransformEnveloped, \
         VerificationError
    node = doc.xpath('//*[@ID="%s"]' % id)
    if len(node) != 1:
      raise VerifyError('id not unique or not found: %s %d' % (id, len(nodes)))
    node = node[0]
    sig = findNode(node, dsig("Signature"))
    # verify the reference.
    refs = sig.xpath('ds:SignedInfo/ds:Reference', namespaces=dsigns)
    if len(refs) != 1:
      raise VerifyError('only a single reference is allowed: %d' % len(refs))
    ref = refs[0]
    uris = ref.xpath('@URI')
    if not uris or uris[0] != '#' + id:
      raise VerifyError('reference uri does not refer to signature parent', id)
    # now verify the signature: try each key in turn
    for key in self.__keys_manager.get(keyname, ()):
      verify_ctx = DSigCtx(None)
      for t in chain((TransformExclC14N, TransformExclC14NWithComments), config.signature_transforms):
        verify_ctx.enableSignatureTransform(t)
      for t in chain((TransformExclC14N, TransformExclC14NWithComments, TransformEnveloped), config.reference_transforms):
        verify_ctx.enableReferenceTransform(t)
      verify_ctx.signKey = key
      try: verify_ctx.verify(sig)
      except VerificationError: pass
      else: return
    raise VerifyError('signature verification failed: %s %s' % (id, keyname))