def verify_xml(xml, key_file):
doc = libxml2.parseDoc(xml)
if doc is None or doc.getRootElement() is None:
cleanup(doc)
raise saml2.Error("Error: unable to parse file \"%s\"" % tmpl_file)
# Find start node
node = xmlsec.findNode(doc.getRootElement(),
xmlsec.NodeSignature, xmlsec.DSigNs)
# Create signature context, we don't need keys manager in this example
dsig_ctx = xmlsec.DSigCtx()
if dsig_ctx is None:
cleanup(doc)
raise saml2.Error("Error: failed to create signature context")
# Load public key, assuming that there is not password
if key_file.endswith(".der"):
key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatDer,
None, None, None)
else:
key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem,
None, None, None)
if key is None:
cleanup(doc, dsig_ctx)
raise saml2.Error("Error: failed to load public key from \"%s\"" % key_file)
dsig_ctx.signKey = key
# Set key name to the file name, this is just an example!
if key.setName(key_file) < 0:
cleanup(doc, dsig_ctx)
raise saml2.Error("Error: failed to set key name for key from \"%s\"" % key_file)
# Verify signature
if dsig_ctx.verify(node) < 0:
cleanup(doc, dsig_ctx)
raise saml2.Error("Error: signature verify")
# Print verification result to stdout
if dsig_ctx.status == xmlsec.DSigStatusSucceeded:
ret = 0
else:
ret = -1
# Success
cleanup(doc, dsig_ctx)
return ret
def _antes_de_assinar_ou_verificar(self, raiz):
# Converte etree para string
xml = etree.tostring(raiz, xml_declaration=True, encoding='utf-8')
# Ativa funções criptográficas
self._ativar_funcoes_criptograficas()
# Colocamos o texto no avaliador XML FIXME: descobrir forma de evitar o uso do libxml2 neste processo
doc_xml = libxml2.parseMemory(xml, len(xml))
# Cria o contexto para manipulação do XML via sintaxe XPATH
ctxt = doc_xml.xpathNewContext()
ctxt.xpathRegisterNs(u'sig', NAMESPACE_SIG)
# Separa o nó da assinatura
noh_assinatura = ctxt.xpathEval(u'//*/sig:Signature')[0]
# Buscamos a chave no arquivo do certificado
chave = xmlsec.cryptoAppKeyLoad(
filename=str(self.certificado.caminho_arquivo),
format=xmlsec.KeyDataFormatPkcs12,
pwd=str(self.senha),
pwdCallback=None,
pwdCallbackCtx=None,
)
# Cria a variável de chamada (callable) da função de assinatura
assinador = xmlsec.DSigCtx()
# Atribui a chave ao assinador
assinador.signKey = chave
return doc_xml, ctxt, noh_assinatura, assinador
def _antes_de_assinar_ou_verificar(self, raiz):
# Converte etree para string
xml = etree.tostring(raiz, xml_declaration=True, encoding='utf-8')
# Ativa funções criptográficas
self._ativar_funcoes_criptograficas()
# Colocamos o texto no avaliador XML FIXME: descobrir forma de evitar o uso do libxml2 neste processo
doc_xml = libxml2.parseMemory(xml, len(xml))
# Cria o contexto para manipulação do XML via sintaxe XPATH
ctxt = doc_xml.xpathNewContext()
ctxt.xpathRegisterNs(u'sig', NAMESPACE_SIG)
# Separa o nó da assinatura
noh_assinatura = ctxt.xpathEval(u'//*/sig:Signature')[0]
# Buscamos a chave no arquivo do certificado
chave = xmlsec.cryptoAppKeyLoad(
filename=str(self.certificado.caminho_arquivo),
format=xmlsec.KeyDataFormatPkcs12,
pwd=str(self.senha),
pwdCallback=None,
pwdCallbackCtx=None,
)
# Cria a variável de chamada (callable) da função de assinatura
assinador = xmlsec.DSigCtx()
# Atribui a chave ao assinador
assinador.signKey = chave
return doc_xml, ctxt, noh_assinatura, assinador
def _signXML(xml):
dsigctx = None
doc = None
try:
# initialization
libxml2.initParser()
libxml2.substituteEntitiesDefault(1)
if xmlsec.init() < 0:
raise SignatureError('xmlsec init failed')
if xmlsec.checkVersion() != 1:
raise SignatureError('incompatible xmlsec library version %s' %
str(xmlsec.checkVersion()))
if xmlsec.cryptoAppInit(None) < 0:
raise SignatureError('crypto initialization failed')
if xmlsec.cryptoInit() < 0:
raise SignatureError('xmlsec-crypto initialization failed')
# load the input
doc = libxml2.parseDoc(xml)
if not doc or not doc.getRootElement():
raise SignatureError('error parsing input xml')
node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature,
xmlsec.DSigNs)
if not node:
raise SignatureError("couldn't find root node")
dsigctx = xmlsec.DSigCtx()
key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem,
key_pwd, None, None)
if not key:
raise SignatureError('failed to load the private key %s' %
key_file)
dsigctx.signKey = key
if key.setName(key_file) < 0:
raise SignatureError('failed to set key name')
if xmlsec.cryptoAppKeyCertLoad(key, cert_file,
xmlsec.KeyDataFormatPem) < 0:
print "Error: failed to load pem certificate \"%s\"" % cert_file
return cleanup(doc, dsigctx)
# sign
if dsigctx.sign(node) < 0:
raise SignatureError('signing failed')
signed_xml = doc.serialize()
finally:
if dsigctx:
dsigctx.destroy()
if doc:
doc.freeDoc()
xmlsec.cryptoShutdown()
xmlsec.shutdown()
libxml2.cleanupParser()
return signed_xml
def get_xmlsec_keyfile(plugin):
signer_key = xmlsec.cryptoAppKeyLoad(plugin.keyfile,
xmlsec.KeyDataFormatPem, plugin.pwd, plugin.pwdCallback,
plugin.pwdCallbackCtx)
if signer_key is None:
raise RuntimeError('failed to load private pem key')
else:
return signer_key
def sign_xml(xml, key_file, cert_file=None):
# Load template
doc = libxml2.parseDoc(xml)
if doc is None or doc.getRootElement() is None:
cleanup(doc)
raise saml2.Error("Error: unable to parse string \"%s\"" % xml)
node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature,
xmlsec.DSigNs)
if node is None:
cleanup(doc)
raise saml2.Error("Error: start node not found.")
# Create signature context, we don't need keys manager in this example
dsig_ctx = xmlsec.DSigCtx()
if dsig_ctx is None:
cleanup(doc)
raise saml2.Error("Error: failed to create signature context")
# Load private key, assuming that there is not password
key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem,
None, None, None)
if key is None:
cleanup(doc, dsig_ctx)
raise saml2.Error(
"Error: failed to load private pem key from \"%s\"" % key_file)
dsig_ctx.signKey = key
if cert_file is not None:
if xmlsec.cryptoAppKeyCertLoad(
dsig_ctx.signKey, cert_file, xmlsec.KeyDataFormatPem) < 0:
cleanup(doc, dsig_ctx)
raise saml2.Error(
"Error: failed to load cert pem from \"%s\"" % cert_file)
else:
pass
# Set key name to the file name, this is just an example!
if key.setName(key_file) < 0:
cleanup(doc, dsig_ctx)
raise saml2.Error(
"Error: failed to set key name for key from \"%s\"" % key_file)
return cleanup(doc, dsig_ctx)
# Sign the template
if dsig_ctx.sign(node) < 0:
cleanup(doc, dsig_ctx)
raise saml2.Error("Error: signature failed")
# signed document to string
ret = doc.__str__()
# Success
cleanup(doc, dsig_ctx, 1)
return ret
def sending(self, context):
msgtype = "RacunZahtjev"
if "PoslovniProstorZahtjev" in context.envelope: msgtype = "PoslovniProstorZahtjev"
doc2 = libxml2.parseDoc(context.envelope)
zahtjev = doc2.xpathEval('//*[local-name()="%s"]' % msgtype)[0]
doc2.setRootElement(zahtjev)
x = doc2.getRootElement().newNs('http://www.apis-it.hr/fin/2012/types/f73', 'tns')
for i in doc2.xpathEval('//*'):
i.setNs(x)
libxml2.initParser()
libxml2.substituteEntitiesDefault(1)
xmlsec.init()
xmlsec.cryptoAppInit(None)
xmlsec.cryptoInit()
doc2.getRootElement().setProp('Id', msgtype)
xmlsec.addIDs(doc2, doc2.getRootElement(), ['Id'])
signNode = xmlsec.TmplSignature(doc2, xmlsec.transformExclC14NId(), xmlsec.transformRsaSha1Id(), None)
doc2.getRootElement().addChild(signNode)
refNode = signNode.addReference(xmlsec.transformSha1Id(), None, None, None)
refNode.setProp('URI', '#%s' % msgtype)
refNode.addTransform(xmlsec.transformEnvelopedId())
refNode.addTransform(xmlsec.transformExclC14NId())
dsig_ctx = xmlsec.DSigCtx()
key = xmlsec.cryptoAppKeyLoad(keyFile, xmlsec.KeyDataFormatPem, None, None, None)
dsig_ctx.signKey = key
xmlsec.cryptoAppKeyCertLoad(key, certFile, xmlsec.KeyDataFormatPem)
key.setName(keyFile)
keyInfoNode = signNode.ensureKeyInfo(None)
x509DataNode = keyInfoNode.addX509Data()
xmlsec.addChild(x509DataNode, "X509IssuerSerial")
xmlsec.addChild(x509DataNode, "X509Certificate")
dsig_ctx.sign(signNode)
if dsig_ctx is not None: dsig_ctx.destroy()
context.envelope = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>""" + doc2.serialize().replace('<?xml version="1.0" encoding="UTF-8"?>','') + """</soapenv:Body></soapenv:Envelope>""" # Ugly hack
# Shutdown xmlsec-crypto library, ako ne radi HTTPS onda ovo treba zakomentirati da ga ne ugasi prije reda
xmlsec.cryptoShutdown()
xmlsec.shutdown()
libxml2.cleanupParser()
return context
def sending(self, context):
msgtype = "RacunZahtjev"
if "PoslovniProstorZahtjev" in context.envelope: msgtype = "PoslovniProstorZahtjev"
doc2 = libxml2.parseDoc(context.envelope)
zahtjev = doc2.xpathEval('//*[local-name()="%s"]' % msgtype)[0]
doc2.setRootElement(zahtjev)
x = doc2.getRootElement().newNs('http://www.apis-it.hr/fin/2012/types/f73', 'tns')
for i in doc2.xpathEval('//*'):
i.setNs(x)
libxml2.initParser()
libxml2.substituteEntitiesDefault(1)
xmlsec.init()
xmlsec.cryptoAppInit(None)
xmlsec.cryptoInit()
doc2.getRootElement().setProp('Id', msgtype)
xmlsec.addIDs(doc2, doc2.getRootElement(), ['Id'])
signNode = xmlsec.TmplSignature(doc2, xmlsec.transformExclC14NId(), xmlsec.transformRsaSha1Id(), None)
doc2.getRootElement().addChild(signNode)
refNode = signNode.addReference(xmlsec.transformSha1Id(), None, None, None)
refNode.setProp('URI', '#%s' % msgtype)
refNode.addTransform(xmlsec.transformEnvelopedId())
refNode.addTransform(xmlsec.transformExclC14NId())
dsig_ctx = xmlsec.DSigCtx()
key = xmlsec.cryptoAppKeyLoad(keyFile, xmlsec.KeyDataFormatPem, None, None, None)
dsig_ctx.signKey = key
xmlsec.cryptoAppKeyCertLoad(key, certFile, xmlsec.KeyDataFormatPem)
key.setName(keyFile)
keyInfoNode = signNode.ensureKeyInfo(None)
x509DataNode = keyInfoNode.addX509Data()
xmlsec.addChild(x509DataNode, "X509IssuerSerial")
xmlsec.addChild(x509DataNode, "X509Certificate")
dsig_ctx.sign(signNode)
if dsig_ctx is not None: dsig_ctx.destroy()
context.envelope = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>""" + doc2.serialize().replace('<?xml version="1.0" encoding="UTF-8"?>','') + """</soapenv:Body></soapenv:Envelope>""" # Ugly hack
# Shutdown xmlsec-crypto library, ako ne radi HTTPS onda ovo treba zakomentirati da ga ne ugasi prije reda
xmlsec.cryptoShutdown()
xmlsec.shutdown()
libxml2.cleanupParser()
return context
def get_xmlsec_keyfile(plugin):
signer_key = xmlsec.cryptoAppKeyLoad(plugin.keyfile,
xmlsec.KeyDataFormatPem, plugin.pwd,
plugin.pwdCallback,
plugin.pwdCallbackCtx)
if signer_key is None:
raise RuntimeError('failed to load private pem key')
else:
return signer_key
def verify_file(self, xml_file, key_file):
assert(xml_file)
assert(key_file)
# Load XML file
if not self.check_filename(xml_file):
return -1
doc = libxml2.parseFile(xml_file)
if doc is None or doc.getRootElement() is None:
log.error(" unable to parse file \"%s\"" % tmpl_file)
return self.cleanup(doc)
# Find start node
node = xmlsec.findNode(doc.getRootElement(),
xmlsec.NodeSignature, xmlsec.DSigNs)
# Create signature context, we don't need keys manager in this example
dsig_ctx = xmlsec.DSigCtx()
if dsig_ctx is None:
log.error("Failed to create signature context")
return self.cleanup(doc)
# Load private key, assuming that there is not password
key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem,
None, None, None)
if key is None:
log.error("Failed to load private pem key from \"%s\"" % key_file)
return self.cleanup(doc, dsig_ctx)
dsig_ctx.signKey = key
# Set key name to the file name, this is just an example!
if not self.check_filename(key_file):
return self.cleanup(doc, dsig_ctx)
if key.setName(key_file) < 0:
log.error("Failed to set key name for key from \"%s\"" % key_file)
return self.cleanup(doc, dsig_ctx)
# Verify signature
if dsig_ctx.verify(node) < 0:
log.error("Signature verify failed")
return self.cleanup(doc, dsig_ctx)
# Print verification result to stdout
if dsig_ctx.status == xmlsec.DSigStatusSucceeded:
log.debug("Signature is OK")
else:
log.error("Signature is INVALID")
# Success
return self.cleanup(doc, dsig_ctx, 1)
def assina_xml(self, xml):
self._checar_certificado()
self._inicializar_cripto()
try:
doc_xml = libxml2.parseMemory(xml.encode('utf-8'),
len(xml.encode('utf-8')))
signNode = xmlsec.TmplSignature(doc_xml,
xmlsec.transformInclC14NId(),
xmlsec.transformRsaSha1Id(), None)
doc_xml.getRootElement().addChild(signNode)
refNode = signNode.addReference(
xmlsec.transformSha1Id(), None,
'#NFe43150602261542000143550010000000761792265342', None)
refNode.addTransform(xmlsec.transformEnvelopedId())
refNode.addTransform(xmlsec.transformInclC14NId())
keyInfoNode = signNode.ensureKeyInfo()
keyInfoNode.addX509Data()
dsig_ctx = xmlsec.DSigCtx()
chave = xmlsec.cryptoAppKeyLoad(filename=str(self.arquivo),
format=xmlsec.KeyDataFormatPkcs12,
pwd=str(self.senha),
pwdCallback=None,
pwdCallbackCtx=None)
dsig_ctx.signKey = chave
dsig_ctx.sign(signNode)
status = dsig_ctx.status
dsig_ctx.destroy()
if status != xmlsec.DSigStatusSucceeded:
raise RuntimeError(
'Erro ao realizar a assinatura do arquivo; status: "' +
str(status) + '"')
xpath = doc_xml.xpathNewContext()
xpath.xpathRegisterNs('sig', NAMESPACE_SIG)
certificados = xpath.xpathEval(
'//sig:X509Data/sig:X509Certificate')
for i in range(len(certificados) - 1):
certificados[i].unlinkNode()
certificados[i].freeNode()
xml = doc_xml.serialize()
return xml
finally:
doc_xml.freeDoc()
self._finalizar_cripto()
def assina_xml(self, xml, reference):
self._checar_certificado()
self._inicializar_cripto()
try:
doc_xml = libxml2.parseMemory(
xml, len(xml))
signNode = xmlsec.TmplSignature(doc_xml,
xmlsec.transformInclC14NId(),
xmlsec.transformRsaSha1Id(), None)
doc_xml.getRootElement().addChild(signNode)
refNode = signNode.addReference(xmlsec.transformSha1Id(),
None, reference, None)
refNode.addTransform(xmlsec.transformEnvelopedId())
refNode.addTransform(xmlsec.transformInclC14NId())
keyInfoNode = signNode.ensureKeyInfo()
keyInfoNode.addX509Data()
dsig_ctx = xmlsec.DSigCtx()
chave = xmlsec.cryptoAppKeyLoad(filename=str(self.arquivo),
format=xmlsec.KeyDataFormatPkcs12,
pwd=str(self.senha),
pwdCallback=None,
pwdCallbackCtx=None)
dsig_ctx.signKey = chave
dsig_ctx.sign(signNode)
status = dsig_ctx.status
dsig_ctx.destroy()
if status != xmlsec.DSigStatusSucceeded:
raise RuntimeError(
'Erro ao realizar a assinatura do arquivo; status: "' +
str(status) +
'"')
xpath = doc_xml.xpathNewContext()
xpath.xpathRegisterNs('sig', NAMESPACE_SIG)
certificados = xpath.xpathEval(
'//sig:X509Data/sig:X509Certificate')
for i in range(len(certificados) - 1):
certificados[i].unlinkNode()
certificados[i].freeNode()
xml = doc_xml.serialize()
return xml
finally:
doc_xml.freeDoc()
def load_key(self,
path,
password=None,
name=None,
cert_path=None,
key_format='pem',
cert_format='pem'):
"""Loads a key into the key store of the class.
path -- The path to a keyfile used to sign the XML.
password -- The key password, or None if no password is set.
name -- The name to be set for the key, or None if none should be set
cert_path -- The path to the certificate belonging to this key, or None
key_format -- The format of the key as string. Defaults to pem
cert_format-- The format of the certificate as string. Defaults to pem
"""
key_format = XMLDSIG._determine_key_format(key_format)
cert_format = XMLDSIG._determine_key_format(cert_format)
try:
# Load key
key = xmlsec.cryptoAppKeyLoad(path, key_format, password, None,
None)
if key is None:
raise XMLDSIGError('Failed loading private key %s' % path)
# Set key name
if name and key.setName(name) < 0:
raise XMLDSIGError('Failed setting key name of %s to %s' %
(path, name))
# Link certificate to key
if cert_path and xmlsec.cryptoAppKeyCertLoad(
key, cert_path, cert_format) < 0:
raise XMLDSIGError('Failed loading certificate %s' % cert_path)
# Load certificate into store
if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(self.key_manager,
key) < 0:
raise XMLDSIGError("Failed loading key %s into key manager." %
path)
except XMLDSIGError:
raise
except Exception as e:
raise XMLDSIGError('Something went wrong loading key %s: %s' %
(path, e))
def sign_file(tmpl_file, key_file):
assert(tmpl_file)
assert(key_file)
# Load template
doc = libxml2.parseFile(tmpl_file)
if doc is None or doc.getRootElement() is None:
print "Error: unable to parse file \"%s\"" % tmpl_file
return -1
# Find start node
node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature,
xmlsec.DSigNs)
if node is None:
print "Error: start node not found in \"%s\"" % tmpl_file
return cleanup(doc)
# Create signature context, we don't need keys manager in this example
dsig_ctx = xmlsec.DSigCtx()
if dsig_ctx is None:
print "Error: failed to create signature context"
return cleanup(doc)
# Load private key, assuming that there is not password
key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem,
None, None, None)
if key is None:
print "Error: failed to load private pem key from \"%s\"" % key_file
return cleanup(doc, dsig_ctx)
dsig_ctx.signKey = key
# Set key name to the file name, this is just an example!
if key.setName(key_file) < 0:
print "Error: failed to set key name for key from \"%s\"" % key_file
return cleanup(doc, dsig_ctx)
# Sign the template
if dsig_ctx.sign(node) < 0:
print "Error: signature failed"
return cleanup(doc, dsig_ctx)
# Print signed document to stdout
doc.dump("-")
# Success
return cleanup(doc, dsig_ctx, 1)
def sign_file(tmpl_file, key_file):
assert (tmpl_file)
assert (key_file)
# Load template
doc = libxml2.parseFile(tmpl_file)
if doc is None or doc.getRootElement() is None:
print "Error: unable to parse file \"%s\"" % tmpl_file
return -1
# Find start node
node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature,
xmlsec.DSigNs)
if node is None:
print "Error: start node not found in \"%s\"" % tmpl_file
return cleanup(doc)
# Create signature context, we don't need keys manager in this example
dsig_ctx = xmlsec.DSigCtx()
if dsig_ctx is None:
print "Error: failed to create signature context"
return cleanup(doc)
# Load private key, assuming that there is not password
key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, None,
None, None)
if key is None:
print "Error: failed to load private pem key from \"%s\"" % key_file
return cleanup(doc, dsig_ctx)
dsig_ctx.signKey = key
# Set key name to the file name, this is just an example!
if key.setName(key_file) < 0:
print "Error: failed to set key name for key from \"%s\"" % key_file
return cleanup(doc, dsig_ctx)
# Sign the template
if dsig_ctx.sign(node) < 0:
print "Error: signature failed"
return cleanup(doc, dsig_ctx)
# Print signed document to stdout
doc.dump("-")
# Success
return cleanup(doc, dsig_ctx, 1)
def load(self, key_file=None, cert_file=None, password='', key_name=None):
"""
load a private key and/or a public certificate for signature and verification
- key_file: str, filename of PEM file containing the private key.
(the file should NOT be password-protected)
- cert_file: str, filename of PEM file containing the X509 certificate.
(optional: can be None)
- password: str, password to open key file, or None if no password.
"""
#TODO: try except block to destroy key if error
if key_file is not None:
# Load private key, with optional password
#print 'PASSWORD: %s' % password
key = xmlsec.cryptoAppKeyLoad(filename=key_file,
format=xmlsec.KeyDataFormatPem,
pwd=password,
pwdCallback=None,
pwdCallbackCtx=None)
# API references:
# http://pyxmlsec.labs.libre-entreprise.org/docs/html/xmlsec-module.html#cryptoAppKeyLoad
# http://www.aleksey.com/xmlsec/api/xmlsec-app.html#XMLSECCRYPTOAPPKEYLOAD
# http://www.aleksey.com/xmlsec/api/xmlsec-keysdata.html#XMLSECKEYDATAFORMAT
if key is None:
raise RuntimeError, "Error: failed to load private PEM key from \"%s\"" % key_file
if key_name is not None:
# Set key name
if key.setName(key_name) < 0:
raise RuntimeError, "Error: failed to set key name to \"%s\"" % key_name
if cert_file is not None:
# Load certificate and add to the key
if xmlsec.cryptoAppKeyCertLoad(key, cert_file,
xmlsec.KeyDataFormatPem) < 0:
raise RuntimeError, "Error: failed to load PEM certificate \"%s\"" % cert_file
# load key into manager:
if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(self.keysmngr, key) < 0:
raise RuntimeError, "Error: failed to load key into keys manager"
elif cert_file is not None:
# case when we only want to load a cert without private key
if self.keysmngr.certLoad(cert_file, xmlsec.KeyDataFormatPem,
xmlsec.KeyDataTypeTrusted) < 0:
# is it better to keep the keys manager if an error occurs?
#self.keysmngr.destroy()
raise RuntimeError, "Error: failed to load PEM certificate from \"%s\"" % cert_file
def load_keys(files, files_size):
assert(files)
assert(files_size > 0)
# Create and initialize keys manager, we use a simple list based
# keys manager, implement your own KeysStore klass if you need
# something more sophisticated
mngr = xmlsec.KeysMngr()
if mngr is None:
print "Error: failed to create keys manager."
return None
if xmlsec.cryptoAppDefaultKeysMngrInit(mngr) < 0:
print "Error: failed to initialize keys manager."
mngr.destroy()
return None
for file in files:
# Load key
if not check_filename(file):
mngr.destroy()
return None
key = xmlsec.cryptoAppKeyLoad(file, xmlsec.KeyDataFormatPem,
None, None, None)
if key == None:
print "Error: failed to load pem key from " + file
mngr.destroy()
return None
# Set key name to the file name, this is just an example!
if key.setName(file) < 0:
print "Error: failed to set key name for key from " + file
key.destroy()
mngr.destroy()
return None
# Add key to keys manager, from now on keys manager is responsible
# for destroying key
if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0:
print "Error: failed to add key from \"%s\" to keys manager" % file
key.destroy()
mngr.destroy()
return None
return mngr
def load_keys(files, files_size):
assert (files)
assert (files_size > 0)
# Create and initialize keys manager, we use a simple list based
# keys manager, implement your own KeysStore klass if you need
# something more sophisticated
mngr = xmlsec.KeysMngr()
if mngr is None:
print "Error: failed to create keys manager."
return None
if xmlsec.cryptoAppDefaultKeysMngrInit(mngr) < 0:
print "Error: failed to initialize keys manager."
mngr.destroy()
return None
for file in files:
# Load key
if not check_filename(file):
mngr.destroy()
return None
key = xmlsec.cryptoAppKeyLoad(file, xmlsec.KeyDataFormatPem, None,
None, None)
if key == None:
print "Error: failed to load pem key from " + file
mngr.destroy()
return None
# Set key name to the file name, this is just an example!
if key.setName(file) < 0:
print "Error: failed to set key name for key from " + file
key.destroy()
mngr.destroy()
return None
# Add key to keys manager, from now on keys manager is responsible
# for destroying key
if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0:
print "Error: failed to add key from \"%s\" to keys manager" % file
key.destroy()
mngr.destroy()
return None
return mngr
def load_key(self, path, password=None, name=None,
cert_path=None, key_format='pem', cert_format='pem'):
"""Loads a key into the key store of the class.
path -- The path to a keyfile used to sign the XML.
password -- The key password, or None if no password is set.
name -- The name to be set for the key, or None if none should be set
cert_path -- The path to the certificate belonging to this key, or None
key_format -- The format of the key as string. Defaults to pem
cert_format-- The format of the certificate as string. Defaults to pem
"""
key_format = XMLDSIG._determine_key_format(key_format)
cert_format = XMLDSIG._determine_key_format(cert_format)
try:
# Load key
key = xmlsec.cryptoAppKeyLoad(path, key_format, password, None, None)
if key is None:
raise XMLDSIGError('Failed loading private key %s' % path)
# Set key name
if name and key.setName(name) < 0:
raise XMLDSIGError('Failed setting key name of %s to %s' % (path, name))
# Link certificate to key
if cert_path and xmlsec.cryptoAppKeyCertLoad(key, cert_path, cert_format) < 0:
raise XMLDSIGError('Failed loading certificate %s' % cert_path)
# Load certificate into store
if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(self.key_manager, key) < 0:
raise XMLDSIGError("Failed loading key %s into key manager." % path)
except XMLDSIGError:
raise
except Exception as e:
raise XMLDSIGError('Something went wrong loading key %s: %s' % (path, e))
def _verifyXML(self, xml):
import libxml2
import xmlsec
dsigctx = None
doc = None
try:
# initialization
libxml2.initParser()
libxml2.substituteEntitiesDefault(1)
if xmlsec.init() < 0:
raise SignatureError('xmlsec init failed')
if xmlsec.checkVersion() != 1:
raise SignatureError('incompatible xmlsec library version %s' %
str(xmlsec.checkVersion()))
if xmlsec.cryptoAppInit(None) < 0:
raise SignatureError('crypto initialization failed')
if xmlsec.cryptoInit() < 0:
raise SignatureError('xmlsec-crypto initialization failed')
# load the input
doc = libxml2.parseDoc(xml)
if not doc or not doc.getRootElement():
raise SignatureError('error parsing input xml')
node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature,
xmlsec.DSigNs)
if not node:
raise SignatureError("couldn't find root node")
dsigctx = xmlsec.DSigCtx()
key = xmlsec.cryptoAppKeyLoad(self.key_file, xmlsec.KeyDataFormatPem,
self.key_pwd, None, None)
if not key:
raise SignatureError('failed to load the private key %s' % self.key_file)
dsigctx.signKey = key
if key.setName(self.key_file) < 0:
raise SignatureError('failed to set key name')
if xmlsec.cryptoAppKeyCertLoad(key, self.cert_file, xmlsec.KeyDataFormatPem) < 0:
print "Error: failed to load pem certificate \"%s\"" % self.cert_file
return self.cleanup(doc, dsigctx)
# verify
if dsigctx.verify(node) < 0:
raise SignatureError('verification failed')
if dsigctx.status == xmlsec.DSigStatusSucceeded:
self.log("Signature is OK")
is_valid = True
else:
self.log("***************** Signature is INVALID ********************")
is_valid = False
finally:
if dsigctx:
dsigctx.destroy()
if doc:
doc.freeDoc()
xmlsec.cryptoShutdown()
xmlsec.shutdown()
libxml2.cleanupParser()
return is_valid
def sign_file(xml_file, key_file):
assert (xml_file)
assert (key_file)
# Load template
doc = libxml2.parseFile(xml_file)
if doc is None or doc.getRootElement() is None:
print "Error: unable to parse file \"%s\"" % xml_file
return cleanup(doc)
# Create signature template for RSA-SHA1 enveloped signature
signNode = xmlsec.TmplSignature(doc, xmlsec.transformExclC14NId(),
xmlsec.transformRsaSha1Id(), None)
if signNode is None:
print "Error: failed to create signature template"
return cleanup(doc)
# Add <dsig:Signature/> node to the doc
doc.getRootElement().addChild(signNode)
# Add reference
refNode = signNode.addReference(xmlsec.transformSha1Id(), None, None, None)
if refNode is None:
print "Error: failed to add reference to signature template"
return cleanup(doc)
# Add enveloped transform
if refNode.addTransform(xmlsec.transformEnvelopedId()) is None:
print "Error: failed to add enveloped transform to reference"
return cleanup(doc)
# Add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name
# in the signed document
keyInfoNode = signNode.ensureKeyInfo(None)
if keyInfoNode is None:
print "Error: failed to add key info"
return cleanup(doc)
keyNameInfo = keyInfoNode.addKeyName(None)
if keyNameInfo is None:
print "Error: failed to add key name"
return cleanup(doc)
# Create signature context, we don't need keys manager in this example
dsig_ctx = xmlsec.DSigCtx()
if dsig_ctx is None:
print "Error: failed to create signature context"
return cleanup(doc)
# Load private key, assuming that there is not password
key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, None,
None, None)
if key is None:
print "Error: failed to load private pem key from \"%s\"" % key_file
return cleanup(doc, dsig_ctx)
dsig_ctx.signKey = key
# Set key name to the file name, this is just an example!
if key.setName(key_file) < 0:
print "Error: failed to set key name for key from \"%s\"" % key_file
return cleanup(doc, dsig_ctx)
# Sign the template
if dsig_ctx.sign(signNode) < 0:
print "Error: signature failed"
return cleanup(doc, dsig_ctx)
# Print signed document to stdout
doc.dump("-")
# Success
return cleanup(doc, dsig_ctx, 1)
def assina_xml(self, xml):
self._inicia_funcoes_externas()
xml = self._prepara_doc_xml(xml)
#
# Colocamos o texto no avaliador XML
#
doc_xml = libxml2.parseMemory(xml.encode('utf-8'), len(xml.encode('utf-8')))
#
# Separa o nó da assinatura
#
noh_assinatura = xmlsec.findNode(doc_xml.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs)
#
# Cria a variável de chamada (callable) da função de assinatura
#
assinador = xmlsec.DSigCtx()
#
# Buscamos a chave no arquivo do certificado
#
chave = xmlsec.cryptoAppKeyLoad(filename=str(self.arquivo), format=xmlsec.KeyDataFormatPkcs12, pwd=str(self.senha), pwdCallback=None, pwdCallbackCtx=None)
#
# Atribui a chave ao assinador
#
assinador.signKey = chave
#
# Realiza a assinatura
#
assinador.sign(noh_assinatura)
#
# Guarda o status
#
status = assinador.status
#
# Libera a memória ocupada pelo assinador manualmente
#
assinador.destroy()
if status != xmlsec.DSigStatusSucceeded:
#
# Libera a memória ocupada pelo documento xml manualmente
#
doc_xml.freeDoc()
self._finaliza_funcoes_externas()
raise RuntimeError('Erro ao realizar a assinatura do arquivo; status: "' + str(status) + '"')
#
# Elimina do xml assinado a cadeia certificadora, deixando somente
# o certificado que assinou o documento
#
xpath = doc_xml.xpathNewContext()
xpath.xpathRegisterNs('sig', NAMESPACE_SIG)
certificados = xpath.xpathEval('//sig:X509Data/sig:X509Certificate')
for i in range(len(certificados)-1):
certificados[i].unlinkNode()
certificados[i].freeNode()
#
# Retransforma o documento xml em texto
#
xml = doc_xml.serialize()
#
# Libera a memória ocupada pelo documento xml manualmente
#
doc_xml.freeDoc()
self._finaliza_funcoes_externas()
xml = self._finaliza_xml(xml)
return xml
def signXml(xmlStr, key_file,cert_file, id=None ):
init()
result = None
doc = libxml2.parseDoc(xmlStr)
if doc is None or doc.getRootElement() is None:
print "Error: unable to parse file \"%s\"" % xml_file
cleanup(doc)
return result
# Create signature template for RSA-SHA1 enveloped signature
signNode = xmlsec.TmplSignature(doc, xmlsec.transformExclC14NId(),
xmlsec.transformRsaSha1Id(), id)
#signNode.setNs('ds')
if signNode is None:
print "Error: failed to create signature template"
cleanup(doc)
return result
# Add <dsig:Signature/> node to the doc
doc.getRootElement().addChild(signNode)
# Add reference
refNode = signNode.addReference(xmlsec.transformSha1Id(),
None, None, None)
if refNode is None:
print "Error: failed to add reference to signature template"
cleanup(doc)
return result
# Add enveloped transform
if refNode.addTransform(xmlsec.transformEnvelopedId()) is None:
print "Error: failed to add enveloped transform to reference"
cleanup(doc)
return result
# Add <dsig:KeyInfo/> and <dsig:X509Data/>
keyInfoNode = signNode.ensureKeyInfo(None)
if keyInfoNode is None:
print "Error: failed to add key info"
cleanup(doc)
return result
if keyInfoNode.addX509Data() is None:
print "Error: failed to add X509Data node"
cleanup(doc)
return result
# Create signature context, we don't need keys manager in this example
dsig_ctx = xmlsec.DSigCtx()
if dsig_ctx is None:
print "Error: failed to create signature context"
cleanup(doc)
return result
# Load private key, assuming that there is not password
key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem,
None, None, None)
if key is None:
print "Error: failed to load private pem key from \"%s\"" % key_file
cleanup(doc, dsig_ctx)
return result
dsig_ctx.signKey = key
# Load certificate and add to the key
if xmlsec.cryptoAppKeyCertLoad(key, cert_file, xmlsec.KeyDataFormatPem) < 0:
print "Error: failed to load pem certificate \"%s\"" % cert_file
cleanup(doc, dsig_ctx)
return result
# Set key name to the file name, this is just an example!
#if key.setName(key_file) < 0:
# print "Error: failed to set key name for key from \"%s\"" % key_file
# cleanup(doc, dsig_ctx)
# return result
# Sign the template
print signNode
if dsig_ctx.sign(signNode) < 0:
print "Error: signature failed"
cleanup(doc, dsig_ctx)
return result
# Print signed document to stdout
#doc.dump("-")
result = doc.serialize()
# Success
cleanup(doc, dsig_ctx, 1)
return result
def _signXML(self, xml):
import libxml2
import xmlsec
dsigctx = None
doc = None
try:
# initialization
libxml2.initParser()
libxml2.substituteEntitiesDefault(1)
if xmlsec.init() < 0:
raise SignatureError('xmlsec init failed')
if xmlsec.checkVersion() != 1:
raise SignatureError('incompatible xmlsec library version %s' %
str(xmlsec.checkVersion()))
if xmlsec.cryptoAppInit(None) < 0:
raise SignatureError('crypto initialization failed')
if xmlsec.cryptoInit() < 0:
raise SignatureError('xmlsec-crypto initialization failed')
# load the input
doc = libxml2.parseDoc(xml)
if not doc or not doc.getRootElement():
raise SignatureError('error parsing input xml')
node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature,
xmlsec.DSigNs)
if not node:
raise SignatureError("couldn't find root node")
# load the private key
key = xmlsec.cryptoAppKeyLoad(self.key_file, xmlsec.KeyDataFormatPem,
self.key_pwd, None, None)
if not key:
raise SignatureError('failed to load the private key %s' % self.key_file)
if xmlsec.cryptoAppKeyCertLoad(key, self.cert_file, xmlsec.KeyDataFormatPem) < 0:
print "Error: failed to load pem certificate \"%s\"" % self.cert_file
return self.cleanup(doc, dsigctx)
keymngr = xmlsec.KeysMngr()
xmlsec.cryptoAppDefaultKeysMngrInit(keymngr)
xmlsec.cryptoAppDefaultKeysMngrAdoptKey(keymngr, key)
dsigctx = xmlsec.DSigCtx(keymngr)
if key.setName(self.key_file) < 0:
raise SignatureError('failed to set key name')
# sign
if dsigctx.sign(node) < 0:
raise SignatureError('signing failed')
signed_xml = doc.serialize()
finally:
if dsigctx:
dsigctx.destroy()
if doc:
doc.freeDoc()
xmlsec.cryptoShutdown()
xmlsec.shutdown()
libxml2.cleanupParser()
return signed_xml
def signRequest(file, request):
keysmngr = xmlsec.KeysMngr()
if keysmngr is None:
raise RuntimeError, "Error: failed to create keys manager."
if xmlsec.cryptoAppDefaultKeysMngrInit(keysmngr) < 0:
keysmngr.destroy()
raise RuntimeError, "Error: failed to initialize keys manager."
key = xmlsec.cryptoAppKeyLoad(filename = file, pwd = None,
format = xmlsec.KeyDataFormatPem, pwdCallback = None,
pwdCallbackCtx = None)
if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(keysmngr, key) < 0:
keysmngr.destroy()
raise RuntimeError, "Error: failed to load key into keys manager"
dsig_ctx = xmlsec.DSigCtx(keysmngr)
# Match the dtd and replace it.
pat = re.compile("(^.*<!DOCTYPE.*distributionRequest[^>]*SYSTEM[ \t]*\")([^\"]*)(\"[^>]*>.*$)", re.DOTALL)
m = pat.match(request)
request = m.group(1)+"http://dmswww.stsci.edu/dtd/sso/distribution.dtd"+m.group(3)
ctxt = libxml2.createMemoryParserCtxt(request, len(request))
ctxt.validate(1)
ctxt.parseDocument()
doc = ctxt.doc()
if doc is None or doc.getRootElement() is None:
keysmngr.destroy()
raise RuntimeError, "Error: unable to parse XML data"
# find the XML-DSig start node
node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature,
xmlsec.DSigNs)
if node is None:
fragment = libxml2.parseDoc("""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#distributionRequest">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue></SignatureValue>
<KeyInfo>
<KeyValue><RSAKeyValue>
<Modulus></Modulus>
<Exponent></Exponent>
</RSAKeyValue></KeyValue>
</KeyInfo>
</Signature>
""")
# remove the xml header on the front of the document fragment
fragment = fragment.getRootElement()
# getElementsByTagName doesn't exist here for some reason, have to use xpath
ctxt = doc.xpathNewContext()
nodeList = ctxt.xpathEval("/distributionRequest")
for child in nodeList:
child.addChild(fragment)
if child.prop('Id') == None:
child.setProp('Id', 'distributionRequest')
node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature,
xmlsec.DSigNs)
# Remove passwords
ctxt = doc.xpathNewContext()
nodeList = ctxt.xpathEval('//requester')
for child in nodeList:
child.unsetProp('archivePassword')
nodeList = ctxt.xpathEval('//ftp')
for child in nodeList:
if child.hasProp('loginPassword'):
child.unsetProp('loginPassword')
warnings.warn('ftp password is not allowed in user requests.')
# Sign the template, or resign existing block
status = dsig_ctx.sign(node)
output = str(doc)
doc.freeDoc()
keysmngr.destroy()
if status < 0:
raise RuntimeError, "Error: signature failed"
return output
def sign_file(xml_file, key_file, cert_file):
assert(xml_file)
assert(key_file)
assert(cert_file)
# Load template
if not check_filename(xml_file):
return -1
doc = libxml2.parseFile(xml_file)
if doc is None or doc.getRootElement() is None:
print "Error: unable to parse file \"%s\"" % xml_file
return cleanup(doc)
# Create signature template for RSA-SHA1 enveloped signature
signNode = xmlsec.TmplSignature(doc, xmlsec.transformExclC14NId(),
xmlsec.transformRsaSha1Id(), None)
if signNode is None:
print "Error: failed to create signature template"
return cleanup(doc)
# Add <dsig:Signature/> node to the doc
doc.getRootElement().addChild(signNode)
# Add reference
refNode = signNode.addReference(xmlsec.transformSha1Id(),
None, None, None)
if refNode is None:
print "Error: failed to add reference to signature template"
return cleanup(doc)
# Add enveloped transform
if refNode.addTransform(xmlsec.transformEnvelopedId()) is None:
print "Error: failed to add enveloped transform to reference"
return cleanup(doc)
# Add <dsig:KeyInfo/> and <dsig:X509Data/>
keyInfoNode = signNode.ensureKeyInfo(None)
if keyInfoNode is None:
print "Error: failed to add key info"
return cleanup(doc)
if keyInfoNode.addX509Data() is None:
print "Error: failed to add X509Data node"
return cleanup(doc)
# Create signature context, we don't need keys manager in this example
dsig_ctx = xmlsec.DSigCtx()
if dsig_ctx is None:
print "Error: failed to create signature context"
return cleanup(doc)
# Load private key, assuming that there is not password
if not check_filename(key_file):
return cleanup(doc, dsig_ctx)
key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem,
None, None, None)
if key is None:
print "Error: failed to load private pem key from \"%s\"" % key_file
return cleanup(doc, dsig_ctx)
dsig_ctx.signKey = key
# Load certificate and add to the key
if not check_filename(cert_file):
return cleanup(doc, dsig_ctx)
if xmlsec.cryptoAppKeyCertLoad(key, cert_file, xmlsec.KeyDataFormatPem) < 0:
print "Error: failed to load pem certificate \"%s\"" % cert_file
return cleanup(doc, dsig_ctx)
# Set key name to the file name, this is just an example!
if key.setName(key_file) < 0:
print "Error: failed to set key name for key from \"%s\"" % key_file
return cleanup(doc, dsig_ctx)
# Sign the template
if dsig_ctx.sign(signNode) < 0:
print "Error: signature failed"
return cleanup(doc, dsig_ctx)
# Print signed document to stdout
doc.dump("-")
# Success
return cleanup(doc, dsig_ctx, 1)
def assina_xml(self, xml):
self._inicia_funcoes_externas()
xml = self._prepara_doc_xml(xml)
#
# Colocamos o texto no avaliador XML
#
doc_xml = libxml2.parseMemory(xml.encode("utf-8"), len(xml.encode("utf-8")))
#
# Separa o nó da assinatura
#
noh_assinatura = xmlsec.findNode(doc_xml.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs)
#
# Arquivos temporários são criados com o certificado no formato PEM
#
temp_chave = tempfile.NamedTemporaryFile("w")
temp_chave.write(self.chave)
temp_chave.flush()
temp_certificado = tempfile.NamedTemporaryFile("w")
temp_certificado.write(self.certificado)
temp_certificado.flush()
#
# Buscamos chave e certificado no arquivo temporário e inserimos no "chaveiro"
#
chaveiro = xmlsec.KeysMngr()
xmlsec.cryptoAppDefaultKeysMngrInit(chaveiro)
chave = xmlsec.cryptoAppKeyLoad(
filename=temp_chave.name, format=xmlsec.KeyDataFormatPem, pwd=None, pwdCallback=None, pwdCallbackCtx=None
)
certificado = xmlsec.cryptoAppKeyCertLoad(chave, filename=temp_certificado.name, format=xmlsec.KeyDataFormatPem)
xmlsec.cryptoAppDefaultKeysMngrAdoptKey(chaveiro, chave)
#
# Cria a variável de chamada (callable) da função de assinatura, usando o "chaveiro"
#
assinador = xmlsec.DSigCtx(chaveiro)
#
# Atribui a chave ao assinador
#
assinador.signKey = chave
#
# Realiza a assinatura
#
assinador.sign(noh_assinatura)
#
# Guarda o status
#
status = assinador.status
#
# Libera a memória ocupada pelo assinador manualmente
#
assinador.destroy()
#
# Arquivos temporários são deletados do disco
#
temp_chave.close()
temp_certificado.close()
if status != xmlsec.DSigStatusSucceeded:
#
# Libera a memória ocupada pelo documento xml manualmente
#
doc_xml.freeDoc()
self._finaliza_funcoes_externas()
raise RuntimeError('Erro ao realizar a assinatura do arquivo; status: "' + str(status) + '"')
#
# Elimina do xml assinado a cadeia certificadora, deixando somente
# o certificado que assinou o documento
#
xpath = doc_xml.xpathNewContext()
xpath.xpathRegisterNs(u"sig", NAMESPACE_SIG)
certificados = xpath.xpathEval(u"//sig:X509Data/sig:X509Certificate")
for i in range(len(certificados) - 1):
certificados[i].unlinkNode()
certificados[i].freeNode()
#
# Retransforma o documento xml em texto
#
xml = doc_xml.serialize()
#
# Libera a memória ocupada pelo documento xml manualmente
#
doc_xml.freeDoc()
self._finaliza_funcoes_externas()
xml = self._finaliza_xml(xml)
return xml
def assina_xml(self, xml):
self._inicia_funcoes_externas()
xml = self._prepara_doc_xml(xml)
#
# Colocamos o texto no avaliador XML
#
doc_xml = libxml2.parseMemory(xml.encode('utf-8'),
len(xml.encode('utf-8')))
#
# Separa o nó da assinatura
#
noh_assinatura = xmlsec.findNode(doc_xml.getRootElement(),
xmlsec.NodeSignature, xmlsec.DSigNs)
#
# Arquivos temporários são criados com o certificado no formato PEM
#
temp_chave = tempfile.NamedTemporaryFile('w')
temp_chave.write(self.chave)
temp_chave.flush()
temp_certificado = tempfile.NamedTemporaryFile('w')
temp_certificado.write(self.certificado)
temp_certificado.flush()
#
# Buscamos chave e certificado no arquivo temporário e inserimos no "chaveiro"
#
chaveiro = xmlsec.KeysMngr()
xmlsec.cryptoAppDefaultKeysMngrInit(chaveiro)
chave = xmlsec.cryptoAppKeyLoad(filename=temp_chave.name,
format=xmlsec.KeyDataFormatPem,
pwd=None,
pwdCallback=None,
pwdCallbackCtx=None)
certificado = xmlsec.cryptoAppKeyCertLoad(
chave,
filename=temp_certificado.name,
format=xmlsec.KeyDataFormatPem)
xmlsec.cryptoAppDefaultKeysMngrAdoptKey(chaveiro, chave)
#
# Cria a variável de chamada (callable) da função de assinatura, usando o "chaveiro"
#
assinador = xmlsec.DSigCtx(chaveiro)
#
# Atribui a chave ao assinador
#
assinador.signKey = chave
#
# Realiza a assinatura
#
assinador.sign(noh_assinatura)
#
# Guarda o status
#
status = assinador.status
#
# Libera a memória ocupada pelo assinador manualmente
#
assinador.destroy()
#
# Arquivos temporários são deletados do disco
#
temp_chave.close()
temp_certificado.close()
if status != xmlsec.DSigStatusSucceeded:
#
# Libera a memória ocupada pelo documento xml manualmente
#
doc_xml.freeDoc()
self._finaliza_funcoes_externas()
raise RuntimeError(
'Erro ao realizar a assinatura do arquivo; status: "' +
str(status) + '"')
#
# Elimina do xml assinado a cadeia certificadora, deixando somente
# o certificado que assinou o documento
#
xpath = doc_xml.xpathNewContext()
xpath.xpathRegisterNs(u'sig', NAMESPACE_SIG)
certificados = xpath.xpathEval(u'//sig:X509Data/sig:X509Certificate')
for i in range(len(certificados) - 1):
certificados[i].unlinkNode()
certificados[i].freeNode()
#
# Retransforma o documento xml em texto
#
xml = doc_xml.serialize()
#
# Libera a memória ocupada pelo documento xml manualmente
#
doc_xml.freeDoc()
self._finaliza_funcoes_externas()
xml = self._finaliza_xml(xml)
return xml
def signRequest(file, request, dtd="http://dmswww.stsci.edu/dtd/sso/distribution.dtd", cgi="https://archive.stsci.edu/cgi-bin/dads.cgi", mission='HST'):
global usexml
if usexml:
try:
keysmngr = xmlsec.KeysMngr()
if keysmngr is None:
raise RuntimeError("Error: failed to create keys manager.")
if xmlsec.cryptoAppDefaultKeysMngrInit(keysmngr) < 0:
keysmngr.destroy()
raise RuntimeError("Error: failed to initialize keys manager.")
key = xmlsec.cryptoAppKeyLoad(filename = file, pwd = None,
format = xmlsec.KeyDataFormatPem, pwdCallback = None,
pwdCallbackCtx = None)
if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(keysmngr, key) < 0:
keysmngr.destroy()
raise RuntimeError("Error: failed to load key into keys manager")
dsig_ctx = xmlsec.DSigCtx(keysmngr)
# Match the dtd and replace it.
pat = re.compile("(^.*<!DOCTYPE.*distributionRequest[^>]*SYSTEM[ \t]*\")([^\"]*)(\"[^>]*>.*$)", re.DOTALL)
m = pat.match(request)
request = m.group(1)+dtd+m.group(3)
ctxt = libxml2.createMemoryParserCtxt(request, len(request))
ctxt.validate(1)
ctxt.parseDocument()
doc = ctxt.doc()
if doc is None or doc.getRootElement() is None:
keysmngr.destroy()
raise RuntimeError("Error: unable to parse XML data")
# find the XML-DSig start node
node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature,
xmlsec.DSigNs)
if node is None:
fragment = libxml2.parseDoc("""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#distributionRequest">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue></SignatureValue>
<KeyInfo>
<KeyValue><RSAKeyValue>
<Modulus></Modulus>
<Exponent></Exponent>
</RSAKeyValue></KeyValue>
</KeyInfo>
</Signature>
""")
# remove the xml header on the front of the document fragment
fragment = fragment.getRootElement()
# getElementsByTagName doesn't exist here for some reason, have to use xpath
ctxt = doc.xpathNewContext()
nodeList = ctxt.xpathEval("/distributionRequest")
for child in nodeList:
child.addChild(fragment)
if child.prop('Id') == None:
child.setProp('Id', 'distributionRequest')
node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature,
xmlsec.DSigNs)
# Remove passwords
ctxt = doc.xpathNewContext()
nodeList = ctxt.xpathEval('//requester')
for child in nodeList:
child.unsetProp('archivePassword')
nodeList = ctxt.xpathEval('//ftp')
for child in nodeList:
if child.hasProp('loginPassword'):
child.unsetProp('loginPassword')
warnings.warn('ftp password is not allowed in user requests.')
# Sign the template, or resign existing block
status = dsig_ctx.sign(node)
output = str(doc)
doc.freeDoc()
keysmngr.destroy()
if status < 0:
raise RuntimeError("Error: signature failed")
return output
except:
usexml=False
return signRequest(file, request, dtd, cgi)
else:
values = {'request' : request, 'privatekey' : open(file).read(), 'mission' : mission }
data = urlencode(values).encode("utf-8")
req = Request(url=cgi, data=data)
f = urlopen(req)
return f.read()
