def test_verify_fail(cert_and_signed):
    """Editing signed content after signing must raise VerificationFailed.

    The fixture supplies a certificate and an already-signed document; the
    ``<test:content>`` text is rewritten in the serialized bytes so the
    document no longer matches what was signed.
    """
    certificate, signed_xml = cert_and_signed
    original_fragment = b"<test:content>Value</test:content>"
    tampered_fragment = b"<test:content>Changed Value</test:content>"
    tampered_xml = signed_xml.replace(original_fragment, tampered_fragment)
    with pytest.raises(VerificationFailed):
        extract_verified_element(xml=tampered_xml, certificate=certificate)
def test_verification_failed2(cert_and_signed):
    """A corrupted SignatureValue is rejected.

    One character is appended to the base64 text of ``SignatureValue`` so
    it no longer decodes. The expected exception is ``binascii.Error``:
    the library apparently lets the decode error propagate instead of
    wrapping it in VerificationFailed, so callers wanting a single failure
    type have to catch both.
    """
    certificate, signed_xml = cert_and_signed
    document = utils.deserialize_xml(signed_xml)
    sig_value = document.find(
        ".//{http://www.w3.org/2000/09/xmldsig#}SignatureValue")
    # Corrupt the encoded signature rather than the signed content.
    sig_value.text += "x"
    corrupted_xml = utils.serialize_xml(document)
    with pytest.raises(binascii.Error):
        extract_verified_element(xml=corrupted_xml, certificate=certificate)
def test_double_reference_fails(key_and_cert):
    """Two elements sharing one ID must make verification refuse to choose.

    The signed element is identified by its ``ID`` attribute; a sibling
    carrying the same value leaves that lookup ambiguous, and the verifier
    is expected to raise MultipleElementsFound rather than silently pick
    one of the candidates.
    """
    shared_id = "same"
    signed_target = E.tag("Target", ID=shared_id)
    E.root(signed_target, E.tag("Other", ID=shared_id))
    signed_xml = sign(
        element=signed_target,
        private_key=key_and_cert.private_key,
        certificate=key_and_cert.certificate,
    )
    with pytest.raises(MultipleElementsFound):
        extract_verified_element(
            xml=signed_xml, certificate=key_and_cert.certificate)
def test_verify_fails_with_different_certificate(key_and_cert, key_factory):
    """Verifying with a certificate other than the signer's is rejected.

    The document is signed with ``key_and_cert``; a freshly generated
    certificate from ``key_factory`` is then presented for verification
    and must trigger CertificateMismatch.
    """
    maker = ElementMaker(namespace="urn:test", nsmap={"test": "urn:test"})
    target = maker.signed(maker.content("Value"), ID="test")
    maker.root(target)
    signed_xml = sign(
        element=target,
        private_key=key_and_cert.private_key,
        certificate=key_and_cert.certificate,
    )
    # Only the certificate of the new pair is needed; its key is unused.
    _unused_key, unrelated_certificate = key_factory()
    with pytest.raises(CertificateMismatch):
        extract_verified_element(
            xml=signed_xml, certificate=unrelated_certificate)
def test_double_signature_fails(key_and_cert):
    """Signing an already-signed document must not verify.

    The output of the first ``sign`` call is parsed back into an element
    and signed a second time; the verifier is expected to raise
    MultipleElementsFound for the doubly-signed result rather than trust
    either signature.
    """
    private_key = key_and_cert.private_key
    certificate = key_and_cert.certificate
    once_signed = sign(
        element=E.tag("Value", ID="Test"),
        private_key=private_key,
        certificate=certificate,
    )
    twice_signed = sign(
        element=utils.deserialize_xml(once_signed),
        private_key=private_key,
        certificate=certificate,
    )
    with pytest.raises(MultipleElementsFound):
        extract_verified_element(xml=twice_signed, certificate=certificate)
def test_verify_config(key_and_cert):
    """A SHA1-signed document is rejected by a SHA256-only verify policy.

    Signing uses SHA1 for both the signature and the digest method;
    ``VerifyConfig`` then allows only SHA256 for both, so verification
    must raise UnsupportedAlgorithm instead of accepting the weaker
    algorithm.
    """
    maker = ElementMaker(namespace="urn:test", nsmap={"test": "urn:test"})
    target = maker.signed(maker.content("Value"), ID="test")
    maker.root(target)
    weak_config = SigningConfig(
        signature_method=hashes.SHA1(),
        digest_method=hashes.SHA1(),
    )
    signed_xml = sign(
        element=target,
        private_key=key_and_cert.private_key,
        certificate=key_and_cert.certificate,
        config=weak_config,
    )
    with pytest.raises(UnsupportedAlgorithm):
        # Policy construction stays inside the block, as in the original
        # test, so any error it raises is attributed the same way.
        strict_policy = VerifyConfig(
            allowed_signature_method={hashes.SHA256},
            allowed_digest_method={hashes.SHA256},
        )
        extract_verified_element(
            xml=signed_xml,
            certificate=key_and_cert.certificate,
            config=strict_policy,
        )
def test_roundtrip(key_and_cert):
    """Sign-then-verify hands back an element that serializes identically.

    The serialization of the target taken before signing is compared with
    the serialization of the element returned by the verifier, so signing
    must neither alter the signed content nor leave artifacts in it.
    """
    maker = ElementMaker(namespace="urn:test", nsmap={"test": "urn:test"})
    target = maker.signed(maker.content("Value"), ID="test")
    maker.root(target)
    expected_bytes = utils.serialize_xml(target)
    signed_xml = sign(
        element=target,
        private_key=key_and_cert.private_key,
        certificate=key_and_cert.certificate,
        config=SigningConfig.default(),
    )
    recovered = extract_verified_element(
        xml=signed_xml, certificate=key_and_cert.certificate)
    assert utils.serialize_xml(recovered) == expected_bytes
def roundtrip() -> None:
    """
    Demonstrate the sign/verify cycle on a one-element document.

    Builds ``<tag ID='hoge'>Value</tag>``, signs it with a freshly
    generated key/certificate pair, verifies the signed bytes with the
    same certificate, and prints each of the three stages to stdout.
    """
    def _emit(data: bytes) -> None:
        # All three stages are bytes; show them as UTF-8 text.
        print(data.decode("utf-8"))

    def _rule() -> None:
        # Visual separator between stages.
        print("=" * 70)

    private_key, certificate = make_key_and_cert()
    element = E.tag("Value", ID="hoge")

    print("Unsigned:")
    _emit(serialize_xml(element))

    signed = sign(element=element, private_key=private_key,
                  certificate=certificate)
    _rule()
    print("Signed:")
    _emit(signed)

    verified = extract_verified_element(xml=signed, certificate=certificate)
    _rule()
    print("Verified:")
    _emit(serialize_xml(verified))
def test_verify(xmlsec1, tmp_path, cert_and_signed):
    """Cross-check the signer's output against the external xmlsec1 tool.

    The signed document and the signer's certificate are written to disk
    so ``xmlsec1 verify`` can validate them; afterwards the library's own
    verifier is run on the same bytes and the returned element checked.
    ``--id-attr:ID signed`` tells xmlsec1 that the ``ID`` attribute of the
    ``signed`` element is the identifier the signature refers to.
    """
    certificate, signed_xml = cert_and_signed

    signed_path = tmp_path / "signed.xml"
    cert_path = tmp_path / "cert.pem"
    signed_path.write_bytes(signed_xml)
    cert_path.write_bytes(certificate.public_bytes(encoding=Encoding.PEM))

    xmlsec1(
        "verify",
        "--pubkey-cert-pem",
        str(cert_path),
        "--id-attr:ID",
        "signed",
        str(signed_path),
    )

    element = extract_verified_element(xml=signed_xml, certificate=certificate)
    assert element is not None
    assert element.tag == "{urn:test}signed"
    assert element.attrib["ID"] == "test"