def grab_suffix(record):
suffix = ''
if record[0] is None:
# col ref
suffix += get_column_letter(record[1])
if record[1] is None:
# row ref
suffix += str(record[0])
return suffix
def encode_interval(val):
"""
Encode a Interval into a XML-suitable string.
Args:
val (datetime.timedelta): the input.
Returns:
str: the result.
"""
return str(int(val.total_seconds()))
def encode_longinteger(val):
"""
Encode a LongInteger into a XML-suitable string.
Args:
val (ttv.LongInteger): the input.
Returns:
str: the result.
"""
return str(val)
def __str__(self):
s = 'TTV(tag={}, typ={}, value='.format(self.tag, self.typ)
if self.typ == enums.ItemType.Structure:
s += '[' + ', '.join(str(elem) for elem in self.value) + ']'
else:
if self.typ == enums.ItemType.ByteString:
s += json.encode_bytestring(self.value)
else:
s += repr(self.value)
s += ')'
return s
def _add_cert_to_store(store, cert):
from OpenSSL.crypto import X509StoreContext, X509StoreContextError, Error as OpenSSLCryptoError
# Added by Terry to capture cert expiry
cert_expired = False
try:
X509StoreContext(store, cert).verify_certificate()
except X509StoreContextError as e:
# Terry: If certificate has expired, change cert_expired status to update functions outside
if 'certificate has expired' in str(e):
cert_expired = True
else:
raise InvalidCertificate(e)
try:
# This has already been changed
store.add_cert(cert)
return (cert, cert_expired)
except OpenSSLCryptoError as e:
if e.args == ([('x509 certificate routines', 'X509_STORE_add_cert', 'cert already in hash table')],):
raise RedundantCert(e)
raise
def test_xmldsig_interop(self):
def resolver(uri):
if uri == "document.xml":
with open(
os.path.join(interop_dir, "phaos-xmldsig-three", uri),
"rb") as fh:
return fh.read()
elif uri == "http://www.ietf.org/rfc/rfc3161.txt":
with open(
os.path.join(os.path.dirname(__file__), "rfc3161.txt"),
"rb") as fh:
return fh.read()
return None
def get_x509_cert(signature_file):
if "windows_store_signature" in signature_file:
return open(
os.path.join(interop_dir, "xml-crypto",
"windows_store_certificate.pem")).read()
elif "pyXMLSecurity" in signature_file:
return open(
os.path.join(interop_dir, "pyXMLSecurity",
"test.pem")).read()
else:
return None
def get_ca_pem_file(signature_file):
if "signature-dsa" in signature_file:
ca_pem_file = os.path.join(interop_dir, "phaos-xmldsig-three",
"certs", "dsa-ca-cert.pem")
elif "signature-rsa" in signature_file:
ca_pem_file = os.path.join(interop_dir, "phaos-xmldsig-three",
"certs", "rsa-ca-cert.pem")
elif "aleksey-xmldsig-01-enveloped" in signature_file:
ca_pem_file = os.path.join(interop_dir,
"aleksey-xmldsig-01-enveloped",
"cacert.pem")
elif "aleksey" in signature_file:
ca_pem_file = os.path.join(interop_dir, "aleksey-xmldsig-01",
"cacert.pem")
elif "wsfederation_metadata" in signature_file:
ca_pem_file = os.path.join(interop_dir, "xml-crypto",
"wsfederation_metadata.pem")
elif "signature_with_inclusivenamespaces" in signature_file:
ca_pem_file = os.path.join(
interop_dir, "xml-crypto",
"signature_with_inclusivenamespaces.pem")
else:
return None
return ca_pem_file.encode("utf-8")
signature_files = glob(os.path.join(interop_dir, "*",
"signature*.xml"))
signature_files += glob(os.path.join(interop_dir, "aleksey*", "*.xml"))
signature_files += glob(
os.path.join(interop_dir, "xml-crypto", "*.xml"))
signature_files += glob(
os.path.join(interop_dir, "pyXMLSecurity", "*.xml"))
for signature_file in signature_files:
print("Verifying", signature_file)
with open(signature_file, "rb") as fh:
try:
sig = fh.read()
XMLVerifier().verify(
sig,
require_x509=False,
hmac_key="test"
if "phaos" in signature_file else "secret",
validate_schema=True,
uri_resolver=resolver,
x509_cert=get_x509_cert(signature_file),
ca_pem_file=get_ca_pem_file(signature_file))
decoded_sig = sig.decode("utf-8")
if "HMACOutputLength" in decoded_sig or "bad" in signature_file or "expired" in signature_file:
raise BaseException("Expected an exception to occur")
except Exception as e:
unsupported_cases = ("xpath-transform", "xslt-transform",
"xpointer", "x509-data-issuer-serial",
"x509-data-ski",
"x509-data-subject-name", "x509data",
"signature-x509-ski",
"signature-x509-is")
bad_interop_cases = ("signature-big",
"enveloping-dsa-x509chain",
"enveloping-sha512-hmac-sha512",
"enveloping-sha512-rsa-sha512",
"enveloping-rsa-x509chain",
"enveloping-sha1-rsa-sha1",
"enveloping-sha224-rsa-sha224",
"enveloping-sha256-rsa-sha256",
"enveloping-sha384-rsa-sha384")
if signature_file.endswith(
"expired-cert.xml") or signature_file.endswith(
"wsfederation_metadata.xml"): # noqa
with self.assertRaisesRegexp(
InvalidCertificate, "certificate has expired"):
raise
elif signature_file.endswith(
"invalid_enveloped_transform.xml"):
self.assertIsInstance(e, InvalidSignature)
# with self.assertRaisesRegexp(ValueError, "Can't remove the root signature node"):
# raise
elif "md5" in signature_file or "ripemd160" in signature_file:
self.assertIsInstance(e, InvalidInput)
# with self.assertRaisesRegexp(InvalidInput, "Algorithm .+ is not recognized"):
# raise
elif "HMACOutputLength" in sig.decode("utf-8"):
self.assertIsInstance(
e, (InvalidSignature, InvalidDigest))
elif signature_file.endswith(
"signature-rsa-enveloped-bad-digest-val.xml"):
# self.assertIsInstance(e, InvalidDigest)
self.assertIsInstance(e, InvalidCertificate)
elif signature_file.endswith(
"signature-rsa-detached-xslt-transform-bad-retrieval-method.xml"
):
self.assertIsInstance(e, InvalidInput)
elif signature_file.endswith(
"signature-rsa-enveloped-bad-sig.xml"):
self.assertIsInstance(e, etree.DocumentInvalid)
elif signature_file.endswith("signature-x509-crt.xml"):
self.assertIsInstance(e, InvalidCertificate)
elif signature_file.endswith("signature-keyname.xml"):
self.assertIsInstance(e, InvalidInput)
elif signature_file.endswith("signature-x509-sn.xml"):
self.assertIsInstance(e, InvalidInput)
elif signature_file.endswith("signature-x509-crt-crl.xml"):
self.assertIsInstance(e, InvalidCertificate)
elif signature_file.endswith(
"signature-retrievalmethod-rawx509crt.xml"):
self.assertIsInstance(e, InvalidInput)
elif signature_file.endswith(
"merlin-xmldsig-twenty-three/signature.xml"):
self.assertIsInstance(e, InvalidInput)
elif any(x in signature_file for x in unsupported_cases):
print("Unsupported test case:", type(e), e)
elif any(x in signature_file for x in bad_interop_cases
) or "Unable to resolve reference" in str(e):
print("Bad interop test case:", type(e), e)
elif "certificate has expired" in str(e) and (
"signature-dsa" in signature_file
or "signature-rsa" in signature_file): # noqa
print("IGNORED:", type(e), e)
else:
raise
def _generate_xades_ssp_elements(self, options_struct):
"""
Generates the sequence of SignedSignatureProperty elements for
inclusion into the SignedProperty element.
Deprecations as listed in ETSI EN 319 132-1 V1.1.1 (2016-04), Annex D
:param options_struct:
carries the runtime options of the current signing run.
:type options_struct: A :py:class:`signxml.xades.SignerOptions` object
:returns:
A :py:class:`list` of effectively generated SignedSignatureProperty
elements.`
"""
elements = []
# Item 1: SigningTime
elements.append(
XADES.SigningTime(datetime.now(self.xades_tz).isoformat()))
# Item 2: SigningCertificate or SigningCertificateV2
"""
The SigningCertificateV2 qualifying property shall be a signed
qualifying property that qualifies the signature.
The SigningCertificateV2 qualifying property shall contain one reference
to the signing certificate.
The SigningCertificateV2 qualifying property may contain references to
some of or all the certificates within
the signing certificate path, including one reference to the trust
anchor when this is a certificate.
"""
cert_elements = []
for cert in options_struct.CertChain:
if self.xades_legacy:
serial_element = XADES.IssuerSerial(
DS.X509IssuerName(cert.issuer.rfc4514_string()),
DS.X509SerialNumber(str(cert.serial_number)),
)
else:
"""
The content of IssuerSerialV2 element shall be the the base-64
encoding of one DER-encoded instance of type IssuerSerial type
defined in IETF RFC 5035 [17].
"""
raise NotImplementedError(
"Please make a PR if you know how to obtain in python a "
"'DER-encoded instance of type IssuerSerial type defined in "
"IETF RFC 5035'")
serial_element = XADES.IssuerSerialV2(
# TODO implement, wtf?
)
"""
The element CertDigest shall contain the digest of the referenced
certificate.
CertDigest‘s children elements satisfy the following requirements:
1) ds:DigestMethod element shall identify the digest algorithm. And
2) ds:DigestValue element shall contain the base-64 encoded value
of the digest computed on the DERencoded certificate.
"""
cert_digest = XADES.CertDigest(
DS.DigestMethod(
Algorithm=self.known_digest_tags[self.digest_alg]),
DS.DigestValue(
self._get_digest(
cert.public_bytes(Encoding.DER),
self._get_digest_method_by_tag(self.digest_alg))))
cert_elements.append(XADES.Cert(cert_digest, serial_element))
if self.xades_legacy:
elements.append(XADES.SigningCertificate(
*cert_elements)) # deprecated (legacy)
else:
elements.append(XADES.SigningCertificateV2(*cert_elements))
# Item 3: SignatureProductionPlace or SignatureProductionPlaceV2
"""
The SignatureProductionPlaceV2 qualifying property shall be a signed
qualifying property that qualifies the signer.
The SignatureProductionPlaceV2 qualifying property shall specify an
address associated with the signer at a particular geographical
(e.g. city) location.
"""
pp_elements = []
PP = options_struct.ProductionPlace
pa = pp_elements.append
pa(XADES.City(PP.City)) if PP.City else None
if not self.xades_legacy:
pa(XADES.StreetAddress(
PP.StreetAddress)) if PP.StreetAddress else None
pa(XADES.StateOrProvince(
PP.StateOrProvince)) if PP.StateOrProvince else None
pa(XADES.PostalCode(PP.PostalCode)) if PP.PostalCode else None
pa(XADES.CountryName(PP.CountryName)) if PP.CountryName else None
"""
Empty SignatureProductionPlaceV2 qualifying properties shall not be generated.
"""
pp_elements = self._clean_elements_from_black_list(pp_elements)
if self.xades_legacy and pp_elements:
elements.append(XADES.SignatureProductionPlace(
*pp_elements)) # deprecated (legacy)
elif pp_elements:
elements.append(XADES.SignatureProductionPlaceV2(*pp_elements))
# Item 4: SignaturePolicyIdentifier
"""
The SignaturePolicyIdentifier qualifying property shall be a signed
qualifying property qualifying the signature.
The SignaturePolicyIdentifier qualifying property shall contain either
an explicit identifier of a signature policy or an indication that
there is an implied signature policy that the relying party should
be aware of.
ETSI TS 119 172-1 specifies a framework for signature policies.
"""
spid_elements = []
sp = options_struct.SignaturePolicy
# digest method
pdm = self.known_digest_tags.get(self.digest_alg)
# digest value
pv = resolve_uri(sp.Identifier)
spid_elements.append(
XADES.SigPolicyId(XADES.Identifier(sp.Identifier),
XADES.Description(sp.Description)))
spid_elements.append(
XADES.SigPolicyHash(
DS.DigestMethod(Algorithm=pdm),
DS.DigestValue(
self._get_digest(
pv, self._get_digest_method_by_tag(self.digest_alg)))))
spid = XADES.SignaturePolicyId(*spid_elements)
spi_elements = []
spi_elements.append(spid)
elements.append(XADES.SignaturePolicyIdentifier(*spi_elements))
# Item 5: SignerRole or SignerRoleV2
"""
The SignerRoleV2 qualifying property shall be a signed qualifying
property that qualifies the signer.
The SignerRoleV2 qualifying property shall encapsulate signer attributes
(e.g. role). This qualifying property may encapsulate the following
types of attributes:
• attributes claimed by the signer;
• attributes certified in attribute certificates issued by an
Attribute Authority; or/and
• assertions signed by a third party.
"""
clr_elements = []
"""
The ClaimedRoles element shall contain a non-empty sequence of roles
claimed by the signer but which are not certified.
"""
for role in options_struct.ClaimedRoles:
if not isinstance(role, str):
"""
Additional content types *may* be defined on a domain application
basis and be part of this element.
"""
NotImplementedError(
"Role types different than strings, although permitted by "
"the schema, are not implemented. Use a placeholder and "
"post process the resulting element tree, instead!")
clr_elements.append(XADES.ClaimedRole(role))
ctr_elements = []
"""
The CertifiedRolesV2 element shall contain a non-empty sequence of
certified attributes, which shall be one of the following:
• the base-64 encoding of DER-encoded X509 attribute certificates
conformant to Recommendation ITU-T X.509 [4] issued to the signer,
within the X509AttributeCertificate element; or
• attribute certificates (issued, in consequence, by Attribute
Authorities) in different syntax than the one specified in
Recommendation ITU-T X.509 [4], within the
OtherAttributeCertificate element. The definition of specific
OtherAttributeCertificate is outside of the scope of the present
document
"""
if options_struct.CertifiedRoles and self.xades_legacy:
NotImplementedError(
"Legay certified roles wired as objects encoded in "
"EncapsulatedPKIDataType are not implemented.")
for role in options_struct.CertifiedRoles:
ctr_elements.append(
XADES.CertifiedRolesV2(
XADES.X509AttributeCertificate(
self._get_cert_encoded(role.X509AttributeCertificate)
) if role.X509AttributeCertificate else XADES.
OtherAttributeCertificate(
self._get_cert_encoded(role.OtherAttributeCertificate)
)))
"""
The SignedAssertions element shall contain a non-empty sequence of
assertions signed by a third party.
The definition of specific content types for SignedAssertions is outside
of the scope of the present document.
"""
sas_elements = options_struct.SignedAssertions
if not all(['SignedAssertions' in e.tag for e in sas_elements]):
raise InvalidInput(
"Input for signed assertions shall be all elements of type "
"'{https://uri.etsi.org/01903/v1.3.2#}SignedAssertions'")
sr_elements = []
if clr_elements:
sr_elements.append(XADES.ClaimedRoles(*clr_elements))
if ctr_elements and self.xades_legacy:
raise # already cached above, never hit
elif ctr_elements:
sr_elements.append(XADES.CertifiedRolesV2(*ctr_elements))
if sas_elements and not self.xades_legacy:
sr_elements.append(XADES.SignedAssertions(*sas_elements))
"""
Empty SignerRoleV2 qualifying properties shall not be generated.
"""
if not sr_elements:
pass
else:
sr_elements = self._clean_elements_from_black_list(sr_elements)
if self.xades_legacy:
elements.append(
XADES.SignerRole(*sr_elements)) # deprecated (legacy)
else:
elements.append(XADES.SignerRoleV2(*sr_elements))
# any ##other
return self._clean_elements_from_black_list(elements)
def __init__(self, tag, value, typ=None):
self.tag = tag
self.value = value
if typ is None:
if isinstance(value, types.LongInteger):
self.typ = enums.ItemType.LongInteger
elif isinstance(value, types.BigInteger):
self.typ = enums.ItemType.BigInteger
elif isinstance(value, _enums_types):
self.typ = enums.ItemType.Enumeration
elif isinstance(value, bool):
self.typ = enums.ItemType.Boolean
elif isinstance(value, str):
self.typ = enums.ItemType.TextString
elif isinstance(value, (bytes, bytearray)):
self.typ = enums.ItemType.ByteString
elif isinstance(value, datetime.datetime):
self.typ = enums.ItemType.DateTime
elif isinstance(value, datetime.timedelta):
self.typ = enums.ItemType.Interval
elif isinstance(value, list):
self.typ = enums.ItemType.Structure
elif isinstance(value, (types.Integer, ) + _integer_types):
self.typ = enums.ItemType.Integer
self.value = types.Integer(self.value)
else:
raise RuntimeError(
'Value {} does not correspond to a TTLV type'.format(
repr(value)))
else:
self.typ = typ
if self.typ == enums.ItemType.Integer:
if not isinstance(self.value,
(types.Integer, types.UnknownIntegerMask)):
self.value = types.Integer(self.value)
elif self.typ == enums.ItemType.LongInteger:
self.value = types.LongInteger(self.value)
elif self.typ == enums.ItemType.BigInteger:
self.value = types.BigInteger(self.value)
elif self.typ == enums.ItemType.Enumeration:
if isinstance(self.value, _integer_types):
self.value = types.UnknownEnumeration(self.value)
elif self.typ == enums.ItemType.Boolean:
self.value = bool(self.value)
elif self.typ == enums.ItemType.TextString:
self.value = str(self.value)
elif self.typ == enums.ItemType.ByteString:
self.value = bytes(self.value)
elif self.typ == enums.ItemType.DateTime:
if not isinstance(self.value, datetime.datetime):
raise RuntimeError(
'Value must be instance of datetime.datetime')
elif self.typ == enums.ItemType.Interval:
if not isinstance(self.value, datetime.timedelta):
raise RuntimeError(
'Value must be instance of datetime.timedelta')
if isinstance(self.value, types.Integer):
if not -(1 << 31) <= self.value <= (1 << 31) - 1:
raise RuntimeError('Integer out of range')
elif isinstance(self.value, types.LongInteger):
if not -(1 << 63) <= self.value <= (1 << 63) - 1:
raise RuntimeError('LongInteger out of range')
from __future__ import print_function, unicode_literals
from eight import input, str
from MSSP.exceptions import *
from re import match
from os.path import expanduser
from datetime import datetime
from openpyxl.utils import column_index_from_string, get_column_letter
selectors = ('Monitoring', 'Assessment', 'ControlRules')
defaultdir = expanduser('~') + '/Dropbox/' + str(datetime.today().year) + '/TNCWebTool/'
def check_sel(sel):
return sel in selectors
subject_regex = '^([MAC]).*:([A-Z]*)([0-9]*)$'
def convert_subject_to_reference(subject):
"""
:param subject: matches subject_regex
:return: (sel, record) dictionary key
"""
g = match(subject_regex, subject)
sel = [k for k in selectors if k[0] == g.groups()[0]]
if len(sel) < 1:
def test_xmldsig_interop(self):
interop_dir = os.path.join(os.path.dirname(__file__), "interop")
def resolver(uri):
if uri == "document.xml":
with open(os.path.join(interop_dir, "phaos-xmldsig-three", uri), "rb") as fh:
return fh.read()
elif uri == "http://www.ietf.org/rfc/rfc3161.txt":
with open(os.path.join(os.path.dirname(__file__), "rfc3161.txt"), "rb") as fh:
return fh.read()
return None
#from ssl import DER_cert_to_PEM_cert
#with open(os.path.join(os.path.dirname(__file__), "interop", "phaos-xmldsig-three", "certs", "dsa-ca-cert.der"), "rb") as fh:
# ca_pem_file = DER_cert_to_PEM_cert(fh.read())
# with open(os.path.join(os.path.dirname(__file__), "interop", "phaos-xmldsig-three", "certs", "dsa-ca-cert.pem"), "wb") as fh2:
# fh2.write(ca_pem_file)
def get_x509_cert(signature_file):
if "windows_store_signature" in signature_file:
return open(os.path.join(interop_dir, "xml-crypto", "windows_store_certificate.pem")).read()
elif "pyXMLSecurity" in signature_file:
return open(os.path.join(interop_dir, "pyXMLSecurity", "test.pem")).read()
else:
return None
def get_ca_pem_file(signature_file):
if "signature-dsa" in signature_file:
ca_pem_file = os.path.join(interop_dir, "phaos-xmldsig-three", "certs", "dsa-ca-cert.pem")
elif "signature-rsa" in signature_file:
ca_pem_file = os.path.join(interop_dir, "phaos-xmldsig-three", "certs", "rsa-ca-cert.pem")
elif "aleksey-xmldsig-01-enveloped" in signature_file:
ca_pem_file = os.path.join(interop_dir, "aleksey-xmldsig-01-enveloped", "cacert.pem")
elif "aleksey" in signature_file:
ca_pem_file = os.path.join(interop_dir, "aleksey-xmldsig-01", "cacert.pem")
elif "wsfederation_metadata" in signature_file:
ca_pem_file = os.path.join(interop_dir, "xml-crypto", "wsfederation_metadata.pem")
elif "signature_with_inclusivenamespaces" in signature_file:
ca_pem_file = os.path.join(interop_dir, "xml-crypto", "signature_with_inclusivenamespaces.pem")
else:
return None
return ca_pem_file.encode("utf-8")
signature_files = glob(os.path.join(interop_dir, "*", "signature*.xml"))
signature_files += glob(os.path.join(interop_dir, "aleksey*", "*.xml"))
signature_files += glob(os.path.join(interop_dir, "xml-crypto", "*.xml"))
signature_files += glob(os.path.join(interop_dir, "pyXMLSecurity", "*.xml"))
for signature_file in signature_files:
print("Verifying", signature_file)
with open(signature_file, "rb") as fh:
try:
sig = fh.read()
XMLVerifier().verify(sig,
require_x509=False,
hmac_key="test" if "phaos" in signature_file else "secret",
validate_schema=True,
uri_resolver=resolver,
x509_cert=get_x509_cert(signature_file),
ca_pem_file=get_ca_pem_file(signature_file))
if "HMACOutputLength" in sig.decode("utf-8") or "bad" in signature_file or "expired" in signature_file:
raise BaseException("Expected an exception to occur")
except Exception as e:
unsupported_cases = ("xpath-transform", "xslt-transform", "xpointer",
"x509-data-issuer-serial", "x509-data-ski", "x509-data-subject-name",
"x509data", "signature-x509-ski", "signature-x509-is")
todo_cases = ("signature-big", "enveloping-dsa-x509chain",
"enveloping-sha512-hmac-sha512", "enveloping-sha512-rsa-sha512")
if signature_file.endswith("expired-cert.xml"):
with self.assertRaisesRegexp(InvalidCertificate, "certificate has expired"):
raise
elif signature_file.endswith("invalid_enveloped_transform.xml"):
self.assertIsInstance(e, InvalidSignature)
#with self.assertRaisesRegexp(ValueError, "Can't remove the root signature node"):
# raise
elif "md5" in signature_file or "ripemd160" in signature_file:
self.assertIsInstance(e, InvalidInput)
#with self.assertRaisesRegexp(InvalidInput, "Algorithm .+ is not recognized"):
# raise
elif "HMACOutputLength" in sig.decode("utf-8"):
self.assertIsInstance(e, (InvalidSignature, InvalidDigest))
elif signature_file.endswith("signature-rsa-enveloped-bad-digest-val.xml"):
#self.assertIsInstance(e, InvalidDigest)
self.assertIsInstance(e, InvalidCertificate)
elif signature_file.endswith("signature-rsa-detached-xslt-transform-bad-retrieval-method.xml"):
self.assertIsInstance(e, InvalidInput)
elif signature_file.endswith("signature-rsa-enveloped-bad-sig.xml"):
self.assertIsInstance(e, etree.DocumentInvalid)
elif signature_file.endswith("signature-x509-crt.xml"):
self.assertIsInstance(e, InvalidCertificate)
elif signature_file.endswith("signature-keyname.xml"):
self.assertIsInstance(e, InvalidInput)
elif signature_file.endswith("signature-x509-sn.xml"):
self.assertIsInstance(e, InvalidInput)
elif signature_file.endswith("signature-x509-crt-crl.xml"):
self.assertIsInstance(e, InvalidCertificate)
elif signature_file.endswith("signature-retrievalmethod-rawx509crt.xml"):
self.assertIsInstance(e, InvalidInput)
elif any(x in signature_file for x in unsupported_cases) or "EntitiesForbidden" in str(e):
print("Unsupported test case:", type(e), e)
elif any(x in signature_file for x in todo_cases) or "Unable to resolve reference" in str(e):
print("IGNORED test case:", type(e), e)
elif "certificate has expired" in str(e) and ("signature-dsa" in signature_file or "signature-rsa" in signature_file):
print("IGNORED:", type(e), e)
else:
raise
