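def _verify_envelope_with_key(envelope, key):
    """Verify the WS-Security signature on ``envelope`` using ``key``.

    Expects a ``wsse:Security`` header holding a ``ds:Signature`` whose
    ``ds:Reference`` URIs are same-document fragments (``#id``) pointing at
    elements that carry a ``wsu:Id`` attribute.

    Raises SignatureVerificationFailed on any failure: missing Header,
    Security block or Signature; a reference whose URI is absent, not a
    fragment, unresolvable or ambiguous (duplicate wsu:Id); or an xmlsec
    verification error.  Silent on success.
    """
    soap_env = detect_soap_env(envelope)

    header = envelope.find(QName(soap_env, 'Header'))
    if header is None:
        raise SignatureVerificationFailed()

    # Every missing piece is a verification failure, not an AttributeError:
    # callers only catch SignatureVerificationFailed.
    security = header.find(QName(ns.WSSE, 'Security'))
    if security is None:
        raise SignatureVerificationFailed()

    signature = security.find(QName(ns.DS, 'Signature'))
    if signature is None:
        # An unsigned envelope must fail closed.
        raise SignatureVerificationFailed()

    ctx = xmlsec.SignatureContext()

    # Find each signed element and register its ID with the signing context.
    refs = signature.xpath('ds:SignedInfo/ds:Reference',
                           namespaces={'ds': ns.DS})
    for ref in refs:
        uri = ref.get('URI')
        # Only same-document fragment references are resolvable here; a
        # missing or non-fragment URI is unverified input we cannot honour,
        # so reject it instead of blindly slicing off the first character.
        if not uri or not uri.startswith('#'):
            raise SignatureVerificationFailed()
        referenced_id = uri[1:]
        # Bind the id as an XPath variable rather than interpolating it into
        # the expression: the URI comes straight from the unverified document.
        matches = envelope.xpath(
            "//*[@wsu:Id=$ref_id]",
            ref_id=referenced_id,
            namespaces={'wsu': ns.WSU},
        )
        # wsu:Id values must be unique. No match means the reference cannot be
        # resolved; more than one means it is ambiguous (the setup for a
        # signature-wrapping attack). Fail closed rather than take the first.
        if len(matches) != 1:
            raise SignatureVerificationFailed()
        ctx.register_id(matches[0], 'Id', ns.WSU)

    ctx.key = key

    try:
        ctx.verify(signature)
    except xmlsec.Error:
        # Sadly xmlsec gives us no details about the reason for the failure, so
        # we have nothing to pass on except that verification failed.
        raise SignatureVerificationFailed()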
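def _verify_envelope_with_key(envelope, key):
    """Verify the WS-Security signature on ``envelope`` using ``key``.

    Expects a ``wsse:Security`` header holding a ``ds:Signature`` whose
    ``ds:Reference`` URIs are same-document fragments (``#id``) pointing at
    elements that carry a ``wsu:Id`` attribute.

    Raises SignatureVerificationFailed on any failure: missing Header,
    Security block or Signature; a reference whose URI is absent, not a
    fragment, unresolvable or ambiguous (duplicate wsu:Id); or an xmlsec
    verification error.  Silent on success.

    The original code noted that DIAN does not fully comply with
    token-profile 1.0 and *returned* a SignatureVerificationFailed instance
    when no Signature was present -- which neither raises nor signals
    anything to a caller, so unsigned envelopes passed verification.  An
    unsigned envelope now fails closed; a caller that must tolerate unsigned
    responses from a non-compliant peer should catch
    SignatureVerificationFailed explicitly and make that decision itself.
    """
    soap_env = detect_soap_env(envelope)

    header = envelope.find(QName(soap_env, "Header"))
    if header is None:
        raise SignatureVerificationFailed()

    # Every missing piece is a verification failure, not an AttributeError:
    # callers only catch SignatureVerificationFailed.
    security = header.find(QName(ns.WSSE, "Security"))
    if security is None:
        raise SignatureVerificationFailed()

    signature = security.find(QName(ns.DS, "Signature"))
    if signature is None:
        # Fail closed: returning an exception instance here would silently
        # accept the envelope.
        raise SignatureVerificationFailed()

    ctx = xmlsec.SignatureContext()

    # Find each signed element and register its ID with the signing context.
    refs = signature.xpath("ds:SignedInfo/ds:Reference",
                           namespaces={"ds": ns.DS})
    for ref in refs:
        uri = ref.get("URI")
        # Only same-document fragment references are resolvable here; a
        # missing or non-fragment URI is unverified input we cannot honour.
        if not uri or not uri.startswith("#"):
            raise SignatureVerificationFailed()
        referenced_id = uri[1:]
        # Bind the id as an XPath variable rather than interpolating it into
        # the expression: the URI comes straight from the unverified document.
        matches = envelope.xpath("//*[@wsu:Id=$ref_id]",
                                 ref_id=referenced_id,
                                 namespaces={"wsu": ns.WSU})
        # wsu:Id values must be unique. No match means the reference cannot be
        # resolved; more than one means it is ambiguous (the setup for a
        # signature-wrapping attack). Fail closed rather than take the first.
        if len(matches) != 1:
            raise SignatureVerificationFailed()
        ctx.register_id(matches[0], "Id", ns.WSU)

    ctx.key = key

    try:
        ctx.verify(signature)
    except xmlsec.Error:
        # Sadly xmlsec gives us no details about the reason for the failure, so
        # we have nothing to pass on except that verification failed.
        raise SignatureVerificationFailed()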
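def verify_envelope(envelope, cert):
    """Verify WS-Security signature on given SOAP envelope with given cert.

    Expects a document like that found in the sample XML in the ``sign()``
    docstring: a ``wsse:Security`` header holding a ``ds:Signature`` and a
    ``wsse:BinarySecurityToken`` whose text is the signer's base64-encoded
    DER certificate.

    The verification key is taken from the embedded BinarySecurityToken. On
    its own that only proves the envelope is self-consistent -- any sender can
    embed a certificate of its own and sign with the matching private key --
    so when ``cert`` is an ``x509.Certificate`` the embedded token must be
    that exact certificate or verification fails.  NOTE(review): for any
    other ``cert`` type the parameter is not used at all (as in the original
    code); the caller must then pin or validate the embedded certificate
    itself before trusting the result.

    Raise SignatureVerificationFailed on failure, silent on success.

    """
    soap_env = detect_soap_env(envelope)

    header = envelope.find(QName(soap_env, "Header"))
    if header is None:
        raise SignatureVerificationFailed()

    # Every missing element is a verification failure, not an AttributeError:
    # callers only catch SignatureVerificationFailed.
    security = header.find(QName(ns.WSSE, "Security"))
    if security is None:
        raise SignatureVerificationFailed()
    signature = security.find(QName(ns.DS, "Signature"))
    token = security.find(QName(ns.WSSE, "BinarySecurityToken"))
    if signature is None or token is None or not token.text:
        raise SignatureVerificationFailed()

    try:
        token_cert = x509.load_der_x509_certificate(base64.b64decode(token.text))
    except ValueError:
        # Undecodable base64 (binascii.Error is a ValueError) or non-DER
        # content: malformed input, fail closed.
        raise SignatureVerificationFailed() from None

    if isinstance(cert, x509.Certificate) and token_cert != cert:
        # Pin the embedded token to the expected signer certificate.
        raise SignatureVerificationFailed()

    ctx = xmlsig.SignatureContext()
    ctx.public_key = token_cert.public_key()
    try:
        ctx.verify(signature)
    except Exception:
        # Sadly xmlsig gives us no details about the reason for the failure, so
        # we have nothing to pass on except that verification failed.
        raise SignatureVerificationFailed() from None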
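def verify_envelope(envelope, certfile, cert_format=None):
    """Verify WS-Security signature on given SOAP envelope with given cert.

    Expects a document like that found in the sample XML in the ``sign()``
    docstring.  ``certfile`` is loaded with ``xmlsec.Key.from_file`` in
    ``cert_format`` (``xmlsec.KeyFormat.CERT_PEM`` when not given) and used
    as the verification key.

    Raise SignatureVerificationFailed on failure (missing Header, Security
    block or Signature; a reference whose URI is absent, not a fragment,
    unresolvable or ambiguous; or an xmlsec verification error), silent on
    success.

    """
    soap_env = detect_soap_env(envelope)

    header = envelope.find(QName(soap_env, 'Header'))
    # Explicit None test: an lxml element with no children is falsy, so
    # ``if not header`` is a different check (and emits a FutureWarning).
    if header is None:
        raise SignatureVerificationFailed()

    # Every missing piece is a verification failure, not an AttributeError:
    # callers only catch SignatureVerificationFailed.
    security = header.find(QName(ns.WSSE, 'Security'))
    if security is None:
        raise SignatureVerificationFailed()

    signature = security.find(QName(ns.DS, 'Signature'))
    if signature is None:
        # An unsigned envelope must fail closed.
        raise SignatureVerificationFailed()

    ctx = xmlsec.SignatureContext()

    # Find each signed element and register its ID with the signing context.
    refs = signature.xpath('ds:SignedInfo/ds:Reference',
                           namespaces={'ds': ns.DS})
    for ref in refs:
        uri = ref.get('URI')
        # Only same-document fragment references are resolvable here; a
        # missing or non-fragment URI is unverified input we cannot honour.
        if not uri or not uri.startswith('#'):
            raise SignatureVerificationFailed()
        referenced_id = uri[1:]
        # Bind the id as an XPath variable rather than interpolating it into
        # the expression: the URI comes straight from the unverified document.
        matches = envelope.xpath(
            "//*[@wsu:Id=$ref_id]",
            ref_id=referenced_id,
            namespaces={'wsu': ns.WSU},
        )
        # wsu:Id values must be unique. No match means the reference cannot be
        # resolved; more than one means it is ambiguous (the setup for a
        # signature-wrapping attack). Fail closed rather than take the first.
        if len(matches) != 1:
            raise SignatureVerificationFailed()
        ctx.register_id(matches[0], 'Id', ns.WSU)

    if not cert_format:
        cert_format = xmlsec.KeyFormat.CERT_PEM
    ctx.key = xmlsec.Key.from_file(certfile, cert_format, None)

    try:
        ctx.verify(signature)
    except xmlsec.Error:
        # Sadly xmlsec gives us no details about the reason for the failure, so
        # we have nothing to pass on except that verification failed.
        raise SignatureVerificationFailed()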
def _verify_envelope_with_key(envelope, key):
    """Verify the WS-Security signature on ``envelope`` with ``key``, if any.

    Variant of ``zeep.wsse.signature.verify_envelope`` that tolerates an
    envelope without a ``ds:Signature``: a missing Header or Security block
    still raises SignatureVerificationFailed, but a Security block with no
    Signature returns silently *without verifying anything*.

    NOTE(review): this is fail-open by design -- an attacker who strips the
    signature gets the envelope accepted. Only use it where the caller has
    another reason to trust the message.

    Raises SignatureVerificationFailed (directly, or from the delegated
    ``zeep_verify_envelope`` call) on failure; silent on success or skip.
    """
    soap_env = detect_soap_env(envelope)

    header = envelope.find(QName(soap_env, 'Header'))
    security = None if header is None else header.find(QName(ns.WSSE, 'Security'))
    if security is None:
        # No Header or no Security block: nothing to even consider skipping.
        raise SignatureVerificationFailed()

    # Delegate to the library verifier only when a Signature is present.
    if security.find(QName(ns.DS, 'Signature')) is not None:
        zeep_verify_envelope(envelope, key)