def verify_xml(xml, key_file): doc = libxml2.parseDoc(xml) if doc is None or doc.getRootElement() is None: cleanup(doc) raise saml2.Error("Error: unable to parse file \"%s\"" % tmpl_file) # Find start node node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) # Create signature context, we don't need keys manager in this example dsig_ctx = xmlsec.DSigCtx() if dsig_ctx is None: cleanup(doc) raise saml2.Error("Error: failed to create signature context") # Load public key, assuming that there is not password if key_file.endswith(".der"): key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatDer, None, None, None) else: key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, None, None, None) if key is None: cleanup(doc, dsig_ctx) raise saml2.Error("Error: failed to load public key from \"%s\"" % key_file) dsig_ctx.signKey = key # Set key name to the file name, this is just an example! if key.setName(key_file) < 0: cleanup(doc, dsig_ctx) raise saml2.Error("Error: failed to set key name for key from \"%s\"" % key_file) # Verify signature if dsig_ctx.verify(node) < 0: cleanup(doc, dsig_ctx) raise saml2.Error("Error: signature verify") # Print verification result to stdout if dsig_ctx.status == xmlsec.DSigStatusSucceeded: ret = 0 else: ret = -1 # Success cleanup(doc, dsig_ctx) return ret
def _antes_de_assinar_ou_verificar(self, raiz): # Converte etree para string xml = etree.tostring(raiz, xml_declaration=True, encoding='utf-8') # Ativa funções criptográficas self._ativar_funcoes_criptograficas() # Colocamos o texto no avaliador XML FIXME: descobrir forma de evitar o uso do libxml2 neste processo doc_xml = libxml2.parseMemory(xml, len(xml)) # Cria o contexto para manipulação do XML via sintaxe XPATH ctxt = doc_xml.xpathNewContext() ctxt.xpathRegisterNs(u'sig', NAMESPACE_SIG) # Separa o nó da assinatura noh_assinatura = ctxt.xpathEval(u'//*/sig:Signature')[0] # Buscamos a chave no arquivo do certificado chave = xmlsec.cryptoAppKeyLoad( filename=str(self.certificado.caminho_arquivo), format=xmlsec.KeyDataFormatPkcs12, pwd=str(self.senha), pwdCallback=None, pwdCallbackCtx=None, ) # Cria a variável de chamada (callable) da função de assinatura assinador = xmlsec.DSigCtx() # Atribui a chave ao assinador assinador.signKey = chave return doc_xml, ctxt, noh_assinatura, assinador
def _signXML(xml): dsigctx = None doc = None try: # initialization libxml2.initParser() libxml2.substituteEntitiesDefault(1) if xmlsec.init() < 0: raise SignatureError('xmlsec init failed') if xmlsec.checkVersion() != 1: raise SignatureError('incompatible xmlsec library version %s' % str(xmlsec.checkVersion())) if xmlsec.cryptoAppInit(None) < 0: raise SignatureError('crypto initialization failed') if xmlsec.cryptoInit() < 0: raise SignatureError('xmlsec-crypto initialization failed') # load the input doc = libxml2.parseDoc(xml) if not doc or not doc.getRootElement(): raise SignatureError('error parsing input xml') node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) if not node: raise SignatureError("couldn't find root node") dsigctx = xmlsec.DSigCtx() key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, key_pwd, None, None) if not key: raise SignatureError('failed to load the private key %s' % key_file) dsigctx.signKey = key if key.setName(key_file) < 0: raise SignatureError('failed to set key name') if xmlsec.cryptoAppKeyCertLoad(key, cert_file, xmlsec.KeyDataFormatPem) < 0: print "Error: failed to load pem certificate \"%s\"" % cert_file return cleanup(doc, dsigctx) # sign if dsigctx.sign(node) < 0: raise SignatureError('signing failed') signed_xml = doc.serialize() finally: if dsigctx: dsigctx.destroy() if doc: doc.freeDoc() xmlsec.cryptoShutdown() xmlsec.shutdown() libxml2.cleanupParser() return signed_xml
def get_xmlsec_keyfile(plugin): signer_key = xmlsec.cryptoAppKeyLoad(plugin.keyfile, xmlsec.KeyDataFormatPem, plugin.pwd, plugin.pwdCallback, plugin.pwdCallbackCtx) if signer_key is None: raise RuntimeError('failed to load private pem key') else: return signer_key
def sign_xml(xml, key_file, cert_file=None): # Load template doc = libxml2.parseDoc(xml) if doc is None or doc.getRootElement() is None: cleanup(doc) raise saml2.Error("Error: unable to parse string \"%s\"" % xml) node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) if node is None: cleanup(doc) raise saml2.Error("Error: start node not found.") # Create signature context, we don't need keys manager in this example dsig_ctx = xmlsec.DSigCtx() if dsig_ctx is None: cleanup(doc) raise saml2.Error("Error: failed to create signature context") # Load private key, assuming that there is not password key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, None, None, None) if key is None: cleanup(doc, dsig_ctx) raise saml2.Error( "Error: failed to load private pem key from \"%s\"" % key_file) dsig_ctx.signKey = key if cert_file is not None: if xmlsec.cryptoAppKeyCertLoad( dsig_ctx.signKey, cert_file, xmlsec.KeyDataFormatPem) < 0: cleanup(doc, dsig_ctx) raise saml2.Error( "Error: failed to load cert pem from \"%s\"" % cert_file) else: pass # Set key name to the file name, this is just an example! if key.setName(key_file) < 0: cleanup(doc, dsig_ctx) raise saml2.Error( "Error: failed to set key name for key from \"%s\"" % key_file) return cleanup(doc, dsig_ctx) # Sign the template if dsig_ctx.sign(node) < 0: cleanup(doc, dsig_ctx) raise saml2.Error("Error: signature failed") # signed document to string ret = doc.__str__() # Success cleanup(doc, dsig_ctx, 1) return ret
def sending(self, context): msgtype = "RacunZahtjev" if "PoslovniProstorZahtjev" in context.envelope: msgtype = "PoslovniProstorZahtjev" doc2 = libxml2.parseDoc(context.envelope) zahtjev = doc2.xpathEval('//*[local-name()="%s"]' % msgtype)[0] doc2.setRootElement(zahtjev) x = doc2.getRootElement().newNs('http://www.apis-it.hr/fin/2012/types/f73', 'tns') for i in doc2.xpathEval('//*'): i.setNs(x) libxml2.initParser() libxml2.substituteEntitiesDefault(1) xmlsec.init() xmlsec.cryptoAppInit(None) xmlsec.cryptoInit() doc2.getRootElement().setProp('Id', msgtype) xmlsec.addIDs(doc2, doc2.getRootElement(), ['Id']) signNode = xmlsec.TmplSignature(doc2, xmlsec.transformExclC14NId(), xmlsec.transformRsaSha1Id(), None) doc2.getRootElement().addChild(signNode) refNode = signNode.addReference(xmlsec.transformSha1Id(), None, None, None) refNode.setProp('URI', '#%s' % msgtype) refNode.addTransform(xmlsec.transformEnvelopedId()) refNode.addTransform(xmlsec.transformExclC14NId()) dsig_ctx = xmlsec.DSigCtx() key = xmlsec.cryptoAppKeyLoad(keyFile, xmlsec.KeyDataFormatPem, None, None, None) dsig_ctx.signKey = key xmlsec.cryptoAppKeyCertLoad(key, certFile, xmlsec.KeyDataFormatPem) key.setName(keyFile) keyInfoNode = signNode.ensureKeyInfo(None) x509DataNode = keyInfoNode.addX509Data() xmlsec.addChild(x509DataNode, "X509IssuerSerial") xmlsec.addChild(x509DataNode, "X509Certificate") dsig_ctx.sign(signNode) if dsig_ctx is not None: dsig_ctx.destroy() context.envelope = """<?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body>""" + doc2.serialize().replace('<?xml version="1.0" encoding="UTF-8"?>','') + """</soapenv:Body></soapenv:Envelope>""" # Ugly hack # Shutdown xmlsec-crypto library, ako ne radi HTTPS onda ovo treba zakomentirati da ga ne ugasi prije reda xmlsec.cryptoShutdown() xmlsec.shutdown() libxml2.cleanupParser() return context
def verify_file(self, xml_file, key_file): assert(xml_file) assert(key_file) # Load XML file if not self.check_filename(xml_file): return -1 doc = libxml2.parseFile(xml_file) if doc is None or doc.getRootElement() is None: log.error(" unable to parse file \"%s\"" % tmpl_file) return self.cleanup(doc) # Find start node node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) # Create signature context, we don't need keys manager in this example dsig_ctx = xmlsec.DSigCtx() if dsig_ctx is None: log.error("Failed to create signature context") return self.cleanup(doc) # Load private key, assuming that there is not password key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, None, None, None) if key is None: log.error("Failed to load private pem key from \"%s\"" % key_file) return self.cleanup(doc, dsig_ctx) dsig_ctx.signKey = key # Set key name to the file name, this is just an example! if not self.check_filename(key_file): return self.cleanup(doc, dsig_ctx) if key.setName(key_file) < 0: log.error("Failed to set key name for key from \"%s\"" % key_file) return self.cleanup(doc, dsig_ctx) # Verify signature if dsig_ctx.verify(node) < 0: log.error("Signature verify failed") return self.cleanup(doc, dsig_ctx) # Print verification result to stdout if dsig_ctx.status == xmlsec.DSigStatusSucceeded: log.debug("Signature is OK") else: log.error("Signature is INVALID") # Success return self.cleanup(doc, dsig_ctx, 1)
def assina_xml(self, xml): self._checar_certificado() self._inicializar_cripto() try: doc_xml = libxml2.parseMemory(xml.encode('utf-8'), len(xml.encode('utf-8'))) signNode = xmlsec.TmplSignature(doc_xml, xmlsec.transformInclC14NId(), xmlsec.transformRsaSha1Id(), None) doc_xml.getRootElement().addChild(signNode) refNode = signNode.addReference( xmlsec.transformSha1Id(), None, '#NFe43150602261542000143550010000000761792265342', None) refNode.addTransform(xmlsec.transformEnvelopedId()) refNode.addTransform(xmlsec.transformInclC14NId()) keyInfoNode = signNode.ensureKeyInfo() keyInfoNode.addX509Data() dsig_ctx = xmlsec.DSigCtx() chave = xmlsec.cryptoAppKeyLoad(filename=str(self.arquivo), format=xmlsec.KeyDataFormatPkcs12, pwd=str(self.senha), pwdCallback=None, pwdCallbackCtx=None) dsig_ctx.signKey = chave dsig_ctx.sign(signNode) status = dsig_ctx.status dsig_ctx.destroy() if status != xmlsec.DSigStatusSucceeded: raise RuntimeError( 'Erro ao realizar a assinatura do arquivo; status: "' + str(status) + '"') xpath = doc_xml.xpathNewContext() xpath.xpathRegisterNs('sig', NAMESPACE_SIG) certificados = xpath.xpathEval( '//sig:X509Data/sig:X509Certificate') for i in range(len(certificados) - 1): certificados[i].unlinkNode() certificados[i].freeNode() xml = doc_xml.serialize() return xml finally: doc_xml.freeDoc() self._finalizar_cripto()
def assina_xml(self, xml, reference): self._checar_certificado() self._inicializar_cripto() try: doc_xml = libxml2.parseMemory( xml, len(xml)) signNode = xmlsec.TmplSignature(doc_xml, xmlsec.transformInclC14NId(), xmlsec.transformRsaSha1Id(), None) doc_xml.getRootElement().addChild(signNode) refNode = signNode.addReference(xmlsec.transformSha1Id(), None, reference, None) refNode.addTransform(xmlsec.transformEnvelopedId()) refNode.addTransform(xmlsec.transformInclC14NId()) keyInfoNode = signNode.ensureKeyInfo() keyInfoNode.addX509Data() dsig_ctx = xmlsec.DSigCtx() chave = xmlsec.cryptoAppKeyLoad(filename=str(self.arquivo), format=xmlsec.KeyDataFormatPkcs12, pwd=str(self.senha), pwdCallback=None, pwdCallbackCtx=None) dsig_ctx.signKey = chave dsig_ctx.sign(signNode) status = dsig_ctx.status dsig_ctx.destroy() if status != xmlsec.DSigStatusSucceeded: raise RuntimeError( 'Erro ao realizar a assinatura do arquivo; status: "' + str(status) + '"') xpath = doc_xml.xpathNewContext() xpath.xpathRegisterNs('sig', NAMESPACE_SIG) certificados = xpath.xpathEval( '//sig:X509Data/sig:X509Certificate') for i in range(len(certificados) - 1): certificados[i].unlinkNode() certificados[i].freeNode() xml = doc_xml.serialize() return xml finally: doc_xml.freeDoc()
def load_key(self, path, password=None, name=None, cert_path=None, key_format='pem', cert_format='pem'): """Loads a key into the key store of the class. path -- The path to a keyfile used to sign the XML. password -- The key password, or None if no password is set. name -- The name to be set for the key, or None if none should be set cert_path -- The path to the certificate belonging to this key, or None key_format -- The format of the key as string. Defaults to pem cert_format-- The format of the certificate as string. Defaults to pem """ key_format = XMLDSIG._determine_key_format(key_format) cert_format = XMLDSIG._determine_key_format(cert_format) try: # Load key key = xmlsec.cryptoAppKeyLoad(path, key_format, password, None, None) if key is None: raise XMLDSIGError('Failed loading private key %s' % path) # Set key name if name and key.setName(name) < 0: raise XMLDSIGError('Failed setting key name of %s to %s' % (path, name)) # Link certificate to key if cert_path and xmlsec.cryptoAppKeyCertLoad( key, cert_path, cert_format) < 0: raise XMLDSIGError('Failed loading certificate %s' % cert_path) # Load certificate into store if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(self.key_manager, key) < 0: raise XMLDSIGError("Failed loading key %s into key manager." % path) except XMLDSIGError: raise except Exception as e: raise XMLDSIGError('Something went wrong loading key %s: %s' % (path, e))
def sign_file(tmpl_file, key_file): assert(tmpl_file) assert(key_file) # Load template doc = libxml2.parseFile(tmpl_file) if doc is None or doc.getRootElement() is None: print "Error: unable to parse file \"%s\"" % tmpl_file return -1 # Find start node node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) if node is None: print "Error: start node not found in \"%s\"" % tmpl_file return cleanup(doc) # Create signature context, we don't need keys manager in this example dsig_ctx = xmlsec.DSigCtx() if dsig_ctx is None: print "Error: failed to create signature context" return cleanup(doc) # Load private key, assuming that there is not password key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, None, None, None) if key is None: print "Error: failed to load private pem key from \"%s\"" % key_file return cleanup(doc, dsig_ctx) dsig_ctx.signKey = key # Set key name to the file name, this is just an example! if key.setName(key_file) < 0: print "Error: failed to set key name for key from \"%s\"" % key_file return cleanup(doc, dsig_ctx) # Sign the template if dsig_ctx.sign(node) < 0: print "Error: signature failed" return cleanup(doc, dsig_ctx) # Print signed document to stdout doc.dump("-") # Success return cleanup(doc, dsig_ctx, 1)
def sign_file(tmpl_file, key_file): assert (tmpl_file) assert (key_file) # Load template doc = libxml2.parseFile(tmpl_file) if doc is None or doc.getRootElement() is None: print "Error: unable to parse file \"%s\"" % tmpl_file return -1 # Find start node node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) if node is None: print "Error: start node not found in \"%s\"" % tmpl_file return cleanup(doc) # Create signature context, we don't need keys manager in this example dsig_ctx = xmlsec.DSigCtx() if dsig_ctx is None: print "Error: failed to create signature context" return cleanup(doc) # Load private key, assuming that there is not password key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, None, None, None) if key is None: print "Error: failed to load private pem key from \"%s\"" % key_file return cleanup(doc, dsig_ctx) dsig_ctx.signKey = key # Set key name to the file name, this is just an example! if key.setName(key_file) < 0: print "Error: failed to set key name for key from \"%s\"" % key_file return cleanup(doc, dsig_ctx) # Sign the template if dsig_ctx.sign(node) < 0: print "Error: signature failed" return cleanup(doc, dsig_ctx) # Print signed document to stdout doc.dump("-") # Success return cleanup(doc, dsig_ctx, 1)
def load(self, key_file=None, cert_file=None, password='', key_name=None): """ load a private key and/or a public certificate for signature and verification - key_file: str, filename of PEM file containing the private key. (the file should NOT be password-protected) - cert_file: str, filename of PEM file containing the X509 certificate. (optional: can be None) - password: str, password to open key file, or None if no password. """ #TODO: try except block to destroy key if error if key_file is not None: # Load private key, with optional password #print 'PASSWORD: %s' % password key = xmlsec.cryptoAppKeyLoad(filename=key_file, format=xmlsec.KeyDataFormatPem, pwd=password, pwdCallback=None, pwdCallbackCtx=None) # API references: # http://pyxmlsec.labs.libre-entreprise.org/docs/html/xmlsec-module.html#cryptoAppKeyLoad # http://www.aleksey.com/xmlsec/api/xmlsec-app.html#XMLSECCRYPTOAPPKEYLOAD # http://www.aleksey.com/xmlsec/api/xmlsec-keysdata.html#XMLSECKEYDATAFORMAT if key is None: raise RuntimeError, "Error: failed to load private PEM key from \"%s\"" % key_file if key_name is not None: # Set key name if key.setName(key_name) < 0: raise RuntimeError, "Error: failed to set key name to \"%s\"" % key_name if cert_file is not None: # Load certificate and add to the key if xmlsec.cryptoAppKeyCertLoad(key, cert_file, xmlsec.KeyDataFormatPem) < 0: raise RuntimeError, "Error: failed to load PEM certificate \"%s\"" % cert_file # load key into manager: if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(self.keysmngr, key) < 0: raise RuntimeError, "Error: failed to load key into keys manager" elif cert_file is not None: # case when we only want to load a cert without private key if self.keysmngr.certLoad(cert_file, xmlsec.KeyDataFormatPem, xmlsec.KeyDataTypeTrusted) < 0: # is it better to keep the keys manager if an error occurs? #self.keysmngr.destroy() raise RuntimeError, "Error: failed to load PEM certificate from \"%s\"" % cert_file
def load_keys(files, files_size): assert(files) assert(files_size > 0) # Create and initialize keys manager, we use a simple list based # keys manager, implement your own KeysStore klass if you need # something more sophisticated mngr = xmlsec.KeysMngr() if mngr is None: print "Error: failed to create keys manager." return None if xmlsec.cryptoAppDefaultKeysMngrInit(mngr) < 0: print "Error: failed to initialize keys manager." mngr.destroy() return None for file in files: # Load key if not check_filename(file): mngr.destroy() return None key = xmlsec.cryptoAppKeyLoad(file, xmlsec.KeyDataFormatPem, None, None, None) if key == None: print "Error: failed to load pem key from " + file mngr.destroy() return None # Set key name to the file name, this is just an example! if key.setName(file) < 0: print "Error: failed to set key name for key from " + file key.destroy() mngr.destroy() return None # Add key to keys manager, from now on keys manager is responsible # for destroying key if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0: print "Error: failed to add key from \"%s\" to keys manager" % file key.destroy() mngr.destroy() return None return mngr
def load_keys(files, files_size): assert (files) assert (files_size > 0) # Create and initialize keys manager, we use a simple list based # keys manager, implement your own KeysStore klass if you need # something more sophisticated mngr = xmlsec.KeysMngr() if mngr is None: print "Error: failed to create keys manager." return None if xmlsec.cryptoAppDefaultKeysMngrInit(mngr) < 0: print "Error: failed to initialize keys manager." mngr.destroy() return None for file in files: # Load key if not check_filename(file): mngr.destroy() return None key = xmlsec.cryptoAppKeyLoad(file, xmlsec.KeyDataFormatPem, None, None, None) if key == None: print "Error: failed to load pem key from " + file mngr.destroy() return None # Set key name to the file name, this is just an example! if key.setName(file) < 0: print "Error: failed to set key name for key from " + file key.destroy() mngr.destroy() return None # Add key to keys manager, from now on keys manager is responsible # for destroying key if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0: print "Error: failed to add key from \"%s\" to keys manager" % file key.destroy() mngr.destroy() return None return mngr
def load_key(self, path, password=None, name=None, cert_path=None, key_format='pem', cert_format='pem'): """Loads a key into the key store of the class. path -- The path to a keyfile used to sign the XML. password -- The key password, or None if no password is set. name -- The name to be set for the key, or None if none should be set cert_path -- The path to the certificate belonging to this key, or None key_format -- The format of the key as string. Defaults to pem cert_format-- The format of the certificate as string. Defaults to pem """ key_format = XMLDSIG._determine_key_format(key_format) cert_format = XMLDSIG._determine_key_format(cert_format) try: # Load key key = xmlsec.cryptoAppKeyLoad(path, key_format, password, None, None) if key is None: raise XMLDSIGError('Failed loading private key %s' % path) # Set key name if name and key.setName(name) < 0: raise XMLDSIGError('Failed setting key name of %s to %s' % (path, name)) # Link certificate to key if cert_path and xmlsec.cryptoAppKeyCertLoad(key, cert_path, cert_format) < 0: raise XMLDSIGError('Failed loading certificate %s' % cert_path) # Load certificate into store if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(self.key_manager, key) < 0: raise XMLDSIGError("Failed loading key %s into key manager." % path) except XMLDSIGError: raise except Exception as e: raise XMLDSIGError('Something went wrong loading key %s: %s' % (path, e))
def _verifyXML(self, xml): import libxml2 import xmlsec dsigctx = None doc = None try: # initialization libxml2.initParser() libxml2.substituteEntitiesDefault(1) if xmlsec.init() < 0: raise SignatureError('xmlsec init failed') if xmlsec.checkVersion() != 1: raise SignatureError('incompatible xmlsec library version %s' % str(xmlsec.checkVersion())) if xmlsec.cryptoAppInit(None) < 0: raise SignatureError('crypto initialization failed') if xmlsec.cryptoInit() < 0: raise SignatureError('xmlsec-crypto initialization failed') # load the input doc = libxml2.parseDoc(xml) if not doc or not doc.getRootElement(): raise SignatureError('error parsing input xml') node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) if not node: raise SignatureError("couldn't find root node") dsigctx = xmlsec.DSigCtx() key = xmlsec.cryptoAppKeyLoad(self.key_file, xmlsec.KeyDataFormatPem, self.key_pwd, None, None) if not key: raise SignatureError('failed to load the private key %s' % self.key_file) dsigctx.signKey = key if key.setName(self.key_file) < 0: raise SignatureError('failed to set key name') if xmlsec.cryptoAppKeyCertLoad(key, self.cert_file, xmlsec.KeyDataFormatPem) < 0: print "Error: failed to load pem certificate \"%s\"" % self.cert_file return self.cleanup(doc, dsigctx) # verify if dsigctx.verify(node) < 0: raise SignatureError('verification failed') if dsigctx.status == xmlsec.DSigStatusSucceeded: self.log("Signature is OK") is_valid = True else: self.log("***************** Signature is INVALID ********************") is_valid = False finally: if dsigctx: dsigctx.destroy() if doc: doc.freeDoc() xmlsec.cryptoShutdown() xmlsec.shutdown() libxml2.cleanupParser() return is_valid
def sign_file(xml_file, key_file): assert (xml_file) assert (key_file) # Load template doc = libxml2.parseFile(xml_file) if doc is None or doc.getRootElement() is None: print "Error: unable to parse file \"%s\"" % xml_file return cleanup(doc) # Create signature template for RSA-SHA1 enveloped signature signNode = xmlsec.TmplSignature(doc, xmlsec.transformExclC14NId(), xmlsec.transformRsaSha1Id(), None) if signNode is None: print "Error: failed to create signature template" return cleanup(doc) # Add <dsig:Signature/> node to the doc doc.getRootElement().addChild(signNode) # Add reference refNode = signNode.addReference(xmlsec.transformSha1Id(), None, None, None) if refNode is None: print "Error: failed to add reference to signature template" return cleanup(doc) # Add enveloped transform if refNode.addTransform(xmlsec.transformEnvelopedId()) is None: print "Error: failed to add enveloped transform to reference" return cleanup(doc) # Add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name # in the signed document keyInfoNode = signNode.ensureKeyInfo(None) if keyInfoNode is None: print "Error: failed to add key info" return cleanup(doc) keyNameInfo = keyInfoNode.addKeyName(None) if keyNameInfo is None: print "Error: failed to add key name" return cleanup(doc) # Create signature context, we don't need keys manager in this example dsig_ctx = xmlsec.DSigCtx() if dsig_ctx is None: print "Error: failed to create signature context" return cleanup(doc) # Load private key, assuming that there is not password key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, None, None, None) if key is None: print "Error: failed to load private pem key from \"%s\"" % key_file return cleanup(doc, dsig_ctx) dsig_ctx.signKey = key # Set key name to the file name, this is just an example! if key.setName(key_file) < 0: print "Error: failed to set key name for key from \"%s\"" % key_file return cleanup(doc, dsig_ctx) # Sign the template if dsig_ctx.sign(signNode) < 0: print "Error: signature failed" return cleanup(doc, dsig_ctx) # Print signed document to stdout doc.dump("-") # Success return cleanup(doc, dsig_ctx, 1)
def assina_xml(self, xml): self._inicia_funcoes_externas() xml = self._prepara_doc_xml(xml) # # Colocamos o texto no avaliador XML # doc_xml = libxml2.parseMemory(xml.encode('utf-8'), len(xml.encode('utf-8'))) # # Separa o nó da assinatura # noh_assinatura = xmlsec.findNode(doc_xml.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) # # Cria a variável de chamada (callable) da função de assinatura # assinador = xmlsec.DSigCtx() # # Buscamos a chave no arquivo do certificado # chave = xmlsec.cryptoAppKeyLoad(filename=str(self.arquivo), format=xmlsec.KeyDataFormatPkcs12, pwd=str(self.senha), pwdCallback=None, pwdCallbackCtx=None) # # Atribui a chave ao assinador # assinador.signKey = chave # # Realiza a assinatura # assinador.sign(noh_assinatura) # # Guarda o status # status = assinador.status # # Libera a memória ocupada pelo assinador manualmente # assinador.destroy() if status != xmlsec.DSigStatusSucceeded: # # Libera a memória ocupada pelo documento xml manualmente # doc_xml.freeDoc() self._finaliza_funcoes_externas() raise RuntimeError('Erro ao realizar a assinatura do arquivo; status: "' + str(status) + '"') # # Elimina do xml assinado a cadeia certificadora, deixando somente # o certificado que assinou o documento # xpath = doc_xml.xpathNewContext() xpath.xpathRegisterNs('sig', NAMESPACE_SIG) certificados = xpath.xpathEval('//sig:X509Data/sig:X509Certificate') for i in range(len(certificados)-1): certificados[i].unlinkNode() certificados[i].freeNode() # # Retransforma o documento xml em texto # xml = doc_xml.serialize() # # Libera a memória ocupada pelo documento xml manualmente # doc_xml.freeDoc() self._finaliza_funcoes_externas() xml = self._finaliza_xml(xml) return xml
def signXml(xmlStr, key_file,cert_file, id=None ): init() result = None doc = libxml2.parseDoc(xmlStr) if doc is None or doc.getRootElement() is None: print "Error: unable to parse file \"%s\"" % xml_file cleanup(doc) return result # Create signature template for RSA-SHA1 enveloped signature signNode = xmlsec.TmplSignature(doc, xmlsec.transformExclC14NId(), xmlsec.transformRsaSha1Id(), id) #signNode.setNs('ds') if signNode is None: print "Error: failed to create signature template" cleanup(doc) return result # Add <dsig:Signature/> node to the doc doc.getRootElement().addChild(signNode) # Add reference refNode = signNode.addReference(xmlsec.transformSha1Id(), None, None, None) if refNode is None: print "Error: failed to add reference to signature template" cleanup(doc) return result # Add enveloped transform if refNode.addTransform(xmlsec.transformEnvelopedId()) is None: print "Error: failed to add enveloped transform to reference" cleanup(doc) return result # Add <dsig:KeyInfo/> and <dsig:X509Data/> keyInfoNode = signNode.ensureKeyInfo(None) if keyInfoNode is None: print "Error: failed to add key info" cleanup(doc) return result if keyInfoNode.addX509Data() is None: print "Error: failed to add X509Data node" cleanup(doc) return result # Create signature context, we don't need keys manager in this example dsig_ctx = xmlsec.DSigCtx() if dsig_ctx is None: print "Error: failed to create signature context" cleanup(doc) return result # Load private key, assuming that there is not password key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, None, None, None) if key is None: print "Error: failed to load private pem key from \"%s\"" % key_file cleanup(doc, dsig_ctx) return result dsig_ctx.signKey = key # Load certificate and add to the key if xmlsec.cryptoAppKeyCertLoad(key, cert_file, xmlsec.KeyDataFormatPem) < 0: print "Error: failed to load pem certificate \"%s\"" % cert_file cleanup(doc, dsig_ctx) return result # Set key name to the file name, this is just an example! #if key.setName(key_file) < 0: # print "Error: failed to set key name for key from \"%s\"" % key_file # cleanup(doc, dsig_ctx) # return result # Sign the template print signNode if dsig_ctx.sign(signNode) < 0: print "Error: signature failed" cleanup(doc, dsig_ctx) return result # Print signed document to stdout #doc.dump("-") result = doc.serialize() # Success cleanup(doc, dsig_ctx, 1) return result
def _signXML(self, xml): import libxml2 import xmlsec dsigctx = None doc = None try: # initialization libxml2.initParser() libxml2.substituteEntitiesDefault(1) if xmlsec.init() < 0: raise SignatureError('xmlsec init failed') if xmlsec.checkVersion() != 1: raise SignatureError('incompatible xmlsec library version %s' % str(xmlsec.checkVersion())) if xmlsec.cryptoAppInit(None) < 0: raise SignatureError('crypto initialization failed') if xmlsec.cryptoInit() < 0: raise SignatureError('xmlsec-crypto initialization failed') # load the input doc = libxml2.parseDoc(xml) if not doc or not doc.getRootElement(): raise SignatureError('error parsing input xml') node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) if not node: raise SignatureError("couldn't find root node") # load the private key key = xmlsec.cryptoAppKeyLoad(self.key_file, xmlsec.KeyDataFormatPem, self.key_pwd, None, None) if not key: raise SignatureError('failed to load the private key %s' % self.key_file) if xmlsec.cryptoAppKeyCertLoad(key, self.cert_file, xmlsec.KeyDataFormatPem) < 0: print "Error: failed to load pem certificate \"%s\"" % self.cert_file return self.cleanup(doc, dsigctx) keymngr = xmlsec.KeysMngr() xmlsec.cryptoAppDefaultKeysMngrInit(keymngr) xmlsec.cryptoAppDefaultKeysMngrAdoptKey(keymngr, key) dsigctx = xmlsec.DSigCtx(keymngr) if key.setName(self.key_file) < 0: raise SignatureError('failed to set key name') # sign if dsigctx.sign(node) < 0: raise SignatureError('signing failed') signed_xml = doc.serialize() finally: if dsigctx: dsigctx.destroy() if doc: doc.freeDoc() xmlsec.cryptoShutdown() xmlsec.shutdown() libxml2.cleanupParser() return signed_xml
def signRequest(file, request): keysmngr = xmlsec.KeysMngr() if keysmngr is None: raise RuntimeError, "Error: failed to create keys manager." if xmlsec.cryptoAppDefaultKeysMngrInit(keysmngr) < 0: keysmngr.destroy() raise RuntimeError, "Error: failed to initialize keys manager." key = xmlsec.cryptoAppKeyLoad(filename = file, pwd = None, format = xmlsec.KeyDataFormatPem, pwdCallback = None, pwdCallbackCtx = None) if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(keysmngr, key) < 0: keysmngr.destroy() raise RuntimeError, "Error: failed to load key into keys manager" dsig_ctx = xmlsec.DSigCtx(keysmngr) # Match the dtd and replace it. pat = re.compile("(^.*<!DOCTYPE.*distributionRequest[^>]*SYSTEM[ \t]*\")([^\"]*)(\"[^>]*>.*$)", re.DOTALL) m = pat.match(request) request = m.group(1)+"http://dmswww.stsci.edu/dtd/sso/distribution.dtd"+m.group(3) ctxt = libxml2.createMemoryParserCtxt(request, len(request)) ctxt.validate(1) ctxt.parseDocument() doc = ctxt.doc() if doc is None or doc.getRootElement() is None: keysmngr.destroy() raise RuntimeError, "Error: unable to parse XML data" # find the XML-DSig start node node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) if node is None: fragment = libxml2.parseDoc("""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="#distributionRequest"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue></DigestValue> </Reference> </SignedInfo> <SignatureValue></SignatureValue> <KeyInfo> <KeyValue><RSAKeyValue> <Modulus></Modulus> <Exponent></Exponent> </RSAKeyValue></KeyValue> </KeyInfo> </Signature> """) # remove the xml header on the front of the document fragment fragment = fragment.getRootElement() # getElementsByTagName doesn't exist here for some reason, have to use xpath ctxt = doc.xpathNewContext() nodeList = ctxt.xpathEval("/distributionRequest") for child in nodeList: child.addChild(fragment) if child.prop('Id') == None: child.setProp('Id', 'distributionRequest') node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) # Remove passwords ctxt = doc.xpathNewContext() nodeList = ctxt.xpathEval('//requester') for child in nodeList: child.unsetProp('archivePassword') nodeList = ctxt.xpathEval('//ftp') for child in nodeList: if child.hasProp('loginPassword'): child.unsetProp('loginPassword') warnings.warn('ftp password is not allowed in user requests.') # Sign the template, or resign existing block status = dsig_ctx.sign(node) output = str(doc) doc.freeDoc() keysmngr.destroy() if status < 0: raise RuntimeError, "Error: signature failed" return output
def sign_file(xml_file, key_file, cert_file): assert(xml_file) assert(key_file) assert(cert_file) # Load template if not check_filename(xml_file): return -1 doc = libxml2.parseFile(xml_file) if doc is None or doc.getRootElement() is None: print "Error: unable to parse file \"%s\"" % xml_file return cleanup(doc) # Create signature template for RSA-SHA1 enveloped signature signNode = xmlsec.TmplSignature(doc, xmlsec.transformExclC14NId(), xmlsec.transformRsaSha1Id(), None) if signNode is None: print "Error: failed to create signature template" return cleanup(doc) # Add <dsig:Signature/> node to the doc doc.getRootElement().addChild(signNode) # Add reference refNode = signNode.addReference(xmlsec.transformSha1Id(), None, None, None) if refNode is None: print "Error: failed to add reference to signature template" return cleanup(doc) # Add enveloped transform if refNode.addTransform(xmlsec.transformEnvelopedId()) is None: print "Error: failed to add enveloped transform to reference" return cleanup(doc) # Add <dsig:KeyInfo/> and <dsig:X509Data/> keyInfoNode = signNode.ensureKeyInfo(None) if keyInfoNode is None: print "Error: failed to add key info" return cleanup(doc) if keyInfoNode.addX509Data() is None: print "Error: failed to add X509Data node" return cleanup(doc) # Create signature context, we don't need keys manager in this example dsig_ctx = xmlsec.DSigCtx() if dsig_ctx is None: print "Error: failed to create signature context" return cleanup(doc) # Load private key, assuming that there is not password if not check_filename(key_file): return cleanup(doc, dsig_ctx) key = xmlsec.cryptoAppKeyLoad(key_file, xmlsec.KeyDataFormatPem, None, None, None) if key is None: print "Error: failed to load private pem key from \"%s\"" % key_file return cleanup(doc, dsig_ctx) dsig_ctx.signKey = key # Load certificate and add to the key if not check_filename(cert_file): return cleanup(doc, dsig_ctx) if xmlsec.cryptoAppKeyCertLoad(key, cert_file, xmlsec.KeyDataFormatPem) < 0: print "Error: failed to load pem certificate \"%s\"" % cert_file return cleanup(doc, dsig_ctx) # Set key name to the file name, this is just an example! if key.setName(key_file) < 0: print "Error: failed to set key name for key from \"%s\"" % key_file return cleanup(doc, dsig_ctx) # Sign the template if dsig_ctx.sign(signNode) < 0: print "Error: signature failed" return cleanup(doc, dsig_ctx) # Print signed document to stdout doc.dump("-") # Success return cleanup(doc, dsig_ctx, 1)
def assina_xml(self, xml): self._inicia_funcoes_externas() xml = self._prepara_doc_xml(xml) # # Colocamos o texto no avaliador XML # doc_xml = libxml2.parseMemory(xml.encode("utf-8"), len(xml.encode("utf-8"))) # # Separa o nó da assinatura # noh_assinatura = xmlsec.findNode(doc_xml.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) # # Arquivos temporários são criados com o certificado no formato PEM # temp_chave = tempfile.NamedTemporaryFile("w") temp_chave.write(self.chave) temp_chave.flush() temp_certificado = tempfile.NamedTemporaryFile("w") temp_certificado.write(self.certificado) temp_certificado.flush() # # Buscamos chave e certificado no arquivo temporário e inserimos no "chaveiro" # chaveiro = xmlsec.KeysMngr() xmlsec.cryptoAppDefaultKeysMngrInit(chaveiro) chave = xmlsec.cryptoAppKeyLoad( filename=temp_chave.name, format=xmlsec.KeyDataFormatPem, pwd=None, pwdCallback=None, pwdCallbackCtx=None ) certificado = xmlsec.cryptoAppKeyCertLoad(chave, filename=temp_certificado.name, format=xmlsec.KeyDataFormatPem) xmlsec.cryptoAppDefaultKeysMngrAdoptKey(chaveiro, chave) # # Cria a variável de chamada (callable) da função de assinatura, usando o "chaveiro" # assinador = xmlsec.DSigCtx(chaveiro) # # Atribui a chave ao assinador # assinador.signKey = chave # # Realiza a assinatura # assinador.sign(noh_assinatura) # # Guarda o status # status = assinador.status # # Libera a memória ocupada pelo assinador manualmente # assinador.destroy() # # Arquivos temporários são deletados do disco # temp_chave.close() temp_certificado.close() if status != xmlsec.DSigStatusSucceeded: # # Libera a memória ocupada pelo documento xml manualmente # doc_xml.freeDoc() self._finaliza_funcoes_externas() raise RuntimeError('Erro ao realizar a assinatura do arquivo; status: "' + str(status) + '"') # # Elimina do xml assinado a cadeia certificadora, deixando somente # o certificado que assinou o documento # xpath = doc_xml.xpathNewContext() xpath.xpathRegisterNs(u"sig", NAMESPACE_SIG) certificados = xpath.xpathEval(u"//sig:X509Data/sig:X509Certificate") for i in range(len(certificados) - 1): certificados[i].unlinkNode() certificados[i].freeNode() # # Retransforma o documento xml em texto # xml = doc_xml.serialize() # # Libera a memória ocupada pelo documento xml manualmente # doc_xml.freeDoc() self._finaliza_funcoes_externas() xml = self._finaliza_xml(xml) return xml
def assina_xml(self, xml): self._inicia_funcoes_externas() xml = self._prepara_doc_xml(xml) # # Colocamos o texto no avaliador XML # doc_xml = libxml2.parseMemory(xml.encode('utf-8'), len(xml.encode('utf-8'))) # # Separa o nó da assinatura # noh_assinatura = xmlsec.findNode(doc_xml.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) # # Arquivos temporários são criados com o certificado no formato PEM # temp_chave = tempfile.NamedTemporaryFile('w') temp_chave.write(self.chave) temp_chave.flush() temp_certificado = tempfile.NamedTemporaryFile('w') temp_certificado.write(self.certificado) temp_certificado.flush() # # Buscamos chave e certificado no arquivo temporário e inserimos no "chaveiro" # chaveiro = xmlsec.KeysMngr() xmlsec.cryptoAppDefaultKeysMngrInit(chaveiro) chave = xmlsec.cryptoAppKeyLoad(filename=temp_chave.name, format=xmlsec.KeyDataFormatPem, pwd=None, pwdCallback=None, pwdCallbackCtx=None) certificado = xmlsec.cryptoAppKeyCertLoad( chave, filename=temp_certificado.name, format=xmlsec.KeyDataFormatPem) xmlsec.cryptoAppDefaultKeysMngrAdoptKey(chaveiro, chave) # # Cria a variável de chamada (callable) da função de assinatura, usando o "chaveiro" # assinador = xmlsec.DSigCtx(chaveiro) # # Atribui a chave ao assinador # assinador.signKey = chave # # Realiza a assinatura # assinador.sign(noh_assinatura) # # Guarda o status # status = assinador.status # # Libera a memória ocupada pelo assinador manualmente # assinador.destroy() # # Arquivos temporários são deletados do disco # temp_chave.close() temp_certificado.close() if status != xmlsec.DSigStatusSucceeded: # # Libera a memória ocupada pelo documento xml manualmente # doc_xml.freeDoc() self._finaliza_funcoes_externas() raise RuntimeError( 'Erro ao realizar a assinatura do arquivo; status: "' + str(status) + '"') # # Elimina do xml assinado a cadeia certificadora, deixando somente # o certificado que assinou o documento # xpath = doc_xml.xpathNewContext() xpath.xpathRegisterNs(u'sig', NAMESPACE_SIG) certificados = xpath.xpathEval(u'//sig:X509Data/sig:X509Certificate') for i in range(len(certificados) - 1): certificados[i].unlinkNode() certificados[i].freeNode() # # Retransforma o documento xml em texto # xml = doc_xml.serialize() # # Libera a memória ocupada pelo documento xml manualmente # doc_xml.freeDoc() self._finaliza_funcoes_externas() xml = self._finaliza_xml(xml) return xml
def signRequest(file, request, dtd="http://dmswww.stsci.edu/dtd/sso/distribution.dtd", cgi="https://archive.stsci.edu/cgi-bin/dads.cgi", mission='HST'): global usexml if usexml: try: keysmngr = xmlsec.KeysMngr() if keysmngr is None: raise RuntimeError("Error: failed to create keys manager.") if xmlsec.cryptoAppDefaultKeysMngrInit(keysmngr) < 0: keysmngr.destroy() raise RuntimeError("Error: failed to initialize keys manager.") key = xmlsec.cryptoAppKeyLoad(filename = file, pwd = None, format = xmlsec.KeyDataFormatPem, pwdCallback = None, pwdCallbackCtx = None) if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(keysmngr, key) < 0: keysmngr.destroy() raise RuntimeError("Error: failed to load key into keys manager") dsig_ctx = xmlsec.DSigCtx(keysmngr) # Match the dtd and replace it. pat = re.compile("(^.*<!DOCTYPE.*distributionRequest[^>]*SYSTEM[ \t]*\")([^\"]*)(\"[^>]*>.*$)", re.DOTALL) m = pat.match(request) request = m.group(1)+dtd+m.group(3) ctxt = libxml2.createMemoryParserCtxt(request, len(request)) ctxt.validate(1) ctxt.parseDocument() doc = ctxt.doc() if doc is None or doc.getRootElement() is None: keysmngr.destroy() raise RuntimeError("Error: unable to parse XML data") # find the XML-DSig start node node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) if node is None: fragment = libxml2.parseDoc("""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="#distributionRequest"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue></DigestValue> </Reference> </SignedInfo> <SignatureValue></SignatureValue> <KeyInfo> <KeyValue><RSAKeyValue> <Modulus></Modulus> <Exponent></Exponent> </RSAKeyValue></KeyValue> </KeyInfo> </Signature> """) # remove the xml header on the front of the document fragment fragment = fragment.getRootElement() # getElementsByTagName doesn't exist here for some reason, have to use xpath ctxt = doc.xpathNewContext() nodeList = ctxt.xpathEval("/distributionRequest") for child in nodeList: child.addChild(fragment) if child.prop('Id') == None: child.setProp('Id', 'distributionRequest') node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) # Remove passwords ctxt = doc.xpathNewContext() nodeList = ctxt.xpathEval('//requester') for child in nodeList: child.unsetProp('archivePassword') nodeList = ctxt.xpathEval('//ftp') for child in nodeList: if child.hasProp('loginPassword'): child.unsetProp('loginPassword') warnings.warn('ftp password is not allowed in user requests.') # Sign the template, or resign existing block status = dsig_ctx.sign(node) output = str(doc) doc.freeDoc() keysmngr.destroy() if status < 0: raise RuntimeError("Error: signature failed") return output except: usexml=False return signRequest(file, request, dtd, cgi) else: values = {'request' : request, 'privatekey' : open(file).read(), 'mission' : mission } data = urlencode(values).encode("utf-8") req = Request(url=cgi, data=data) f = urlopen(req) return f.read()