def load_trusted_certs(files, files_size): assert (files) assert (files_size > 0) # Create and initialize keys manager, we use a simple list based # keys manager, implement your own KeysStore klass if you need # something more sophisticated mngr = xmlsec.KeysMngr() if mngr is None: print "Error: failed to create keys manager." return None if xmlsec.cryptoAppDefaultKeysMngrInit(mngr) < 0: print "Error: failed to initialize keys manager." mngr.destroy() return None for file in files: if not check_filename(file): mngr.destroy() return None # Load trusted cert if mngr.certLoad(file, xmlsec.KeyDataFormatPem, xmlsec.KeyDataTypeTrusted) < 0: print "Error: failed to load pem certificate from \"%s\"", file mngr.destroy() return None return mngr
def create_files_keys_mngr(): # Create files based keys store storeId = xmlsec.KeyStoreId(0, 0, "files-based-keys-store", None, None, files_keys_store_find_key) keysStore = xmlsec.KeyStore(storeId) if keysStore is None: print "Error: failed to create keys store." return None # Create keys manager mngr = xmlsec.KeysMngr() if mngr is None: print "Error: failed to create keys manager." keysStore.destroy() return None # Add store to keys manager, from now on keys manager destroys the store # if needed if mngr.adoptKeysStore(keysStore) < 0: print "Error: failed to add keys store to keys manager." keysStore.destroy() mngr.destroy() return None # Initialize crypto library specific data in keys manager if xmlsec.cryptoKeysMngrInit(mngr) < 0: print "Error: failed to initialize crypto data in keys manager." keysStore.destroy() mngr.destroy() return None # Set the get key callback mngr.getKey = getKeyCallback return mngr
def __init__(self, key_file=None, cert_file=None, password='', key_name=None): """ - key_file: str, filename of PEM file containing the private key. (the file should NOT be password-protected) - cert_file: str, filename of PEM file containing the X509 certificate. (optional: can be None) - password: str, password to open key file, or None if no password. - key_name: str, name for the key in the signature, or None if omitted. """ self.dsig_ctx = None # TEST: single key self.key = None # Create and initialize keys manager self.keysmngr = xmlsec.KeysMngr() if self.keysmngr is None: raise RuntimeError, "Error: failed to create keys manager." if xmlsec.cryptoAppDefaultKeysMngrInit(self.keysmngr) < 0: self.keysmngr.destroy() raise RuntimeError, "Error: failed to initialize keys manager." # load key self.load(key_file, cert_file, password, key_name)
def received(self, context): self.poruka_odgovor = context.reply libxml2.initParser() libxml2.substituteEntitiesDefault(1) xmlsec.init() xmlsec.cryptoAppInit(None) xmlsec.cryptoInit() mngr = xmlsec.KeysMngr() xmlsec.cryptoAppDefaultKeysMngrInit(mngr) mngr.certLoad(verifyCertFile, xmlsec.KeyDataFormatPem, xmlsec.KeyDataTypeTrusted) doc = libxml2.parseDoc(context.reply) xmlsec.addIDs(doc, doc.getRootElement(), ['Id']) node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) dsig_ctx = xmlsec.DSigCtx(mngr) dsig_ctx.verify(node) if (dsig_ctx.status == xmlsec.DSigStatusSucceeded): self.valid_signature = 1 xmlsec.cryptoShutdown() xmlsec.cryptoAppShutdown() xmlsec.shutdown() libxml2.cleanupParser() return context
def load_des_keys(files, files_size): assert (files) assert (files_size > 0) # Create and initialize keys manager, we use a simple list based # keys manager, implement your own KeysStore klass if you need # something more sophisticated mngr = xmlsec.KeysMngr() if mngr is None: print "Error: failed to create keys manager." return None if xmlsec.cryptoAppDefaultKeysMngrInit(mngr) < 0: print "Error: failed to initialize keys manager." mngr.destroy() return None for file in files: if not check_filename(file): mngr.destroy() return None # Load DES key key = xmlsec.keyReadBinaryFile(xmlsec.keyDataDesId(), file) if key is None: print "Error: failed to load des key from binary file \"%s\"" % file mngr.destroy() return None # Add key to keys manager, from now on keys manager is responsible # for destroying key if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0: print "Error: failed to add key from \"%s\" to keys manager" % file key.destroy() mngr.destroy() return None return mngr
def __init__(self): """Creates a new XMLDSIG object. It will instantiate a local key manager. """ # Initialize the key manager self.key_manager = xmlsec.KeysMngr() if xmlsec.cryptoAppDefaultKeysMngrInit(self.key_manager) < 0: raise XMLDSIGError("Failed initializing the key manager")
def load_keys(files, files_size): assert (files) assert (files_size > 0) # Create and initialize keys manager, we use a simple list based # keys manager, implement your own KeysStore klass if you need # something more sophisticated mngr = xmlsec.KeysMngr() if mngr is None: print "Error: failed to create keys manager." return None if xmlsec.cryptoAppDefaultKeysMngrInit(mngr) < 0: print "Error: failed to initialize keys manager." mngr.destroy() return None for file in files: # Load key if not check_filename(file): mngr.destroy() return None key = xmlsec.cryptoAppKeyLoad(file, xmlsec.KeyDataFormatPem, None, None, None) if key == None: print "Error: failed to load pem key from " + file mngr.destroy() return None # Set key name to the file name, this is just an example! if key.setName(file) < 0: print "Error: failed to set key name for key from " + file key.destroy() mngr.destroy() return None # Add key to keys manager, from now on keys manager is responsible # for destroying key if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0: print "Error: failed to add key from \"%s\" to keys manager" % file key.destroy() mngr.destroy() return None return mngr
def verifica_assinatura_xml(self, xml): self._inicia_funcoes_externas() xml = self._prepara_doc_xml(xml) # # Colocamos o texto no avaliador XML # doc_xml = libxml2.parseMemory(xml.encode('utf-8'), len(xml.encode('utf-8'))) # # Separa o nó da assinatura # noh_assinatura = xmlsec.findNode(doc_xml.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) # # Prepara o gerenciador dos certificados confiáveis para verificação # certificados_confiaveis = xmlsec.KeysMngr() xmlsec.cryptoAppDefaultKeysMngrInit(certificados_confiaveis) # # Prepara a cadeia certificadora # certificados = os.listdir(DIRNAME + '/cadeia-certificadora/certificados') certificados.sort() for certificado in certificados: certificados_confiaveis.certLoad(filename=str(DIRNAME + '/cadeia-certificadora/certificados/' + certificado), format=xmlsec.KeyDataFormatPem, type=xmlsec.KeyDataTypeTrusted) # # Cria a variável de chamada (callable) da função de assinatura/verificação, # agora passando quais autoridades certificadoras são consideradas # confiáveis # verificador = xmlsec.DSigCtx(certificados_confiaveis) # # Separa o certificado que assinou o arquivo, e prepara a instância # com os dados desse certificado # certificado = xmlsec.findNode(noh_assinatura, xmlsec.NodeX509Certificate, xmlsec.DSigNs).content self.prepara_certificado_txt(certificado) # # Recupera a chave do certificado que assinou o documento, e altera # a data que será usada para fazer a verificação, para que a assinatura # seja validada mesmo que o certificado já tenha expirado # Para isso, define a data de validação para a data de início da validade # do certificado # Essa data deve ser informada como um inteiro tipo "unixtime" # noh_chave = xmlsec.findNode(noh_assinatura, xmlsec.NodeKeyInfo, xmlsec.DSigNs) manipulador_chave = xmlsec.KeyInfoCtx(mngr=certificados_confiaveis) manipulador_chave.certsVerificationTime = mktime(self.data_inicio_validade.timetuple()) # # Cria uma chave vazia e recupera a chave, dizendo ao verificador que # é essa a chave que deve ser usada na validação da assinatura # verificador.signKey = xmlsec.Key() xmlsec.keyInfoNodeRead(noh_chave, verificador.signKey, manipulador_chave) # # Realiza a verificação # verificador.verify(noh_assinatura) # # Guarda o status # status = verificador.status resultado = status == xmlsec.DSigStatusSucceeded # # Libera a memória ocupada pelo verificador manualmente # verificador.destroy() certificados_confiaveis.destroy() if status != xmlsec.DSigStatusSucceeded: # # Libera a memória ocupada pelo documento xml manualmente # doc_xml.freeDoc() self._finaliza_funcoes_externas() raise RuntimeError('Erro ao validar a assinatura do arquivo; status: "' + str(status) + '"') # # Libera a memória ocupada pelo documento xml manualmente # doc_xml.freeDoc() self._finaliza_funcoes_externas() return resultado
def assina_xml(self, xml): self._inicia_funcoes_externas() xml = self._prepara_doc_xml(xml) # # Colocamos o texto no avaliador XML # doc_xml = libxml2.parseMemory(xml.encode('utf-8'), len(xml.encode('utf-8'))) # # Separa o nó da assinatura # noh_assinatura = xmlsec.findNode(doc_xml.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) # # Arquivos temporários são criados com o certificado no formato PEM # temp_chave = tempfile.NamedTemporaryFile('w') temp_chave.write(self.chave) temp_chave.flush() temp_certificado = tempfile.NamedTemporaryFile('w') temp_certificado.write(self.certificado) temp_certificado.flush() # # Buscamos chave e certificado no arquivo temporário e inserimos no "chaveiro" # chaveiro = xmlsec.KeysMngr() xmlsec.cryptoAppDefaultKeysMngrInit(chaveiro) chave = xmlsec.cryptoAppKeyLoad(filename=temp_chave.name, format=xmlsec.KeyDataFormatPem, pwd=None, pwdCallback=None, pwdCallbackCtx=None) certificado = xmlsec.cryptoAppKeyCertLoad( chave, filename=temp_certificado.name, format=xmlsec.KeyDataFormatPem) xmlsec.cryptoAppDefaultKeysMngrAdoptKey(chaveiro, chave) # # Cria a variável de chamada (callable) da função de assinatura, usando o "chaveiro" # assinador = xmlsec.DSigCtx(chaveiro) # # Atribui a chave ao assinador # assinador.signKey = chave # # Realiza a assinatura # assinador.sign(noh_assinatura) # # Guarda o status # status = assinador.status # # Libera a memória ocupada pelo assinador manualmente # assinador.destroy() # # Arquivos temporários são deletados do disco # temp_chave.close() temp_certificado.close() if status != xmlsec.DSigStatusSucceeded: # # Libera a memória ocupada pelo documento xml manualmente # doc_xml.freeDoc() self._finaliza_funcoes_externas() raise RuntimeError( 'Erro ao realizar a assinatura do arquivo; status: "' + str(status) + '"') # # Elimina do xml assinado a cadeia certificadora, deixando somente # o certificado que assinou o documento # xpath = doc_xml.xpathNewContext() xpath.xpathRegisterNs(u'sig', NAMESPACE_SIG) certificados = xpath.xpathEval(u'//sig:X509Data/sig:X509Certificate') for i in range(len(certificados) - 1): certificados[i].unlinkNode() certificados[i].freeNode() # # Retransforma o documento xml em texto # xml = doc_xml.serialize() # # Libera a memória ocupada pelo documento xml manualmente # doc_xml.freeDoc() self._finaliza_funcoes_externas() xml = self._finaliza_xml(xml) return xml
import libxml2 import xmlsec import os DIRNAME = os.path.dirname(__file__) if __name__ == u'__main__': certificados = os.listdir(DIRNAME + 'certificados') certificados.sort() # ????? # Ativa as funções da API de criptografia xmlsec.init() xmlsec.cryptoAppInit(None) xmlsec.cryptoInit() # # Prepara o gerenciador dos certificados confiáveis # certificados_confiaveis = xmlsec.KeysMngr() xmlsec.cryptoAppDefaultKeysMngrInit(certificados_confiaveis) for certificado in certificados: certificados_confiaveis.certLoad( filename=str(DIRNAME + 'certificados/' + certificado), format=xmlsec.KeyDataFormatPem, type=xmlsec.KeyDataTypeTrusted) xmlsec.cryptoShutdown() xmlsec.cryptoAppShutdown() xmlsec.shutdown()
def _signXML(self, xml): import libxml2 import xmlsec dsigctx = None doc = None try: # initialization libxml2.initParser() libxml2.substituteEntitiesDefault(1) if xmlsec.init() < 0: raise SignatureError('xmlsec init failed') if xmlsec.checkVersion() != 1: raise SignatureError('incompatible xmlsec library version %s' % str(xmlsec.checkVersion())) if xmlsec.cryptoAppInit(None) < 0: raise SignatureError('crypto initialization failed') if xmlsec.cryptoInit() < 0: raise SignatureError('xmlsec-crypto initialization failed') # load the input doc = libxml2.parseDoc(xml) if not doc or not doc.getRootElement(): raise SignatureError('error parsing input xml') node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) if not node: raise SignatureError("couldn't find root node") # load the private key key = xmlsec.cryptoAppKeyLoad(self.key_file, xmlsec.KeyDataFormatPem, self.key_pwd, None, None) if not key: raise SignatureError('failed to load the private key %s' % self.key_file) if xmlsec.cryptoAppKeyCertLoad(key, self.cert_file, xmlsec.KeyDataFormatPem) < 0: print "Error: failed to load pem certificate \"%s\"" % self.cert_file return self.cleanup(doc, dsigctx) keymngr = xmlsec.KeysMngr() xmlsec.cryptoAppDefaultKeysMngrInit(keymngr) xmlsec.cryptoAppDefaultKeysMngrAdoptKey(keymngr, key) dsigctx = xmlsec.DSigCtx(keymngr) if key.setName(self.key_file) < 0: raise SignatureError('failed to set key name') # sign if dsigctx.sign(node) < 0: raise SignatureError('signing failed') signed_xml = doc.serialize() finally: if dsigctx: dsigctx.destroy() if doc: doc.freeDoc() xmlsec.cryptoShutdown() xmlsec.shutdown() libxml2.cleanupParser() return signed_xml
def signRequest(file, request, dtd="http://dmswww.stsci.edu/dtd/sso/distribution.dtd", cgi="https://archive.stsci.edu/cgi-bin/dads.cgi", mission='HST'): global usexml if usexml: try: keysmngr = xmlsec.KeysMngr() if keysmngr is None: raise RuntimeError("Error: failed to create keys manager.") if xmlsec.cryptoAppDefaultKeysMngrInit(keysmngr) < 0: keysmngr.destroy() raise RuntimeError("Error: failed to initialize keys manager.") key = xmlsec.cryptoAppKeyLoad(filename = file, pwd = None, format = xmlsec.KeyDataFormatPem, pwdCallback = None, pwdCallbackCtx = None) if xmlsec.cryptoAppDefaultKeysMngrAdoptKey(keysmngr, key) < 0: keysmngr.destroy() raise RuntimeError("Error: failed to load key into keys manager") dsig_ctx = xmlsec.DSigCtx(keysmngr) # Match the dtd and replace it. pat = re.compile("(^.*<!DOCTYPE.*distributionRequest[^>]*SYSTEM[ \t]*\")([^\"]*)(\"[^>]*>.*$)", re.DOTALL) m = pat.match(request) request = m.group(1)+dtd+m.group(3) ctxt = libxml2.createMemoryParserCtxt(request, len(request)) ctxt.validate(1) ctxt.parseDocument() doc = ctxt.doc() if doc is None or doc.getRootElement() is None: keysmngr.destroy() raise RuntimeError("Error: unable to parse XML data") # find the XML-DSig start node node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) if node is None: fragment = libxml2.parseDoc("""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="#distributionRequest"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue></DigestValue> </Reference> </SignedInfo> <SignatureValue></SignatureValue> <KeyInfo> <KeyValue><RSAKeyValue> <Modulus></Modulus> <Exponent></Exponent> </RSAKeyValue></KeyValue> </KeyInfo> </Signature> """) # remove the xml header on the front of the document fragment fragment = fragment.getRootElement() # getElementsByTagName doesn't exist here for some reason, have to use xpath ctxt = doc.xpathNewContext() nodeList = ctxt.xpathEval("/distributionRequest") for child in nodeList: child.addChild(fragment) if child.prop('Id') == None: child.setProp('Id', 'distributionRequest') node = xmlsec.findNode(doc.getRootElement(), xmlsec.NodeSignature, xmlsec.DSigNs) # Remove passwords ctxt = doc.xpathNewContext() nodeList = ctxt.xpathEval('//requester') for child in nodeList: child.unsetProp('archivePassword') nodeList = ctxt.xpathEval('//ftp') for child in nodeList: if child.hasProp('loginPassword'): child.unsetProp('loginPassword') warnings.warn('ftp password is not allowed in user requests.') # Sign the template, or resign existing block status = dsig_ctx.sign(node) output = str(doc) doc.freeDoc() keysmngr.destroy() if status < 0: raise RuntimeError("Error: signature failed") return output except: usexml=False return signRequest(file, request, dtd, cgi) else: values = {'request' : request, 'privatekey' : open(file).read(), 'mission' : mission } data = urlencode(values).encode("utf-8") req = Request(url=cgi, data=data) f = urlopen(req) return f.read()