def test_verify_fail(cert_and_signed):
cert, xml = cert_and_signed
broken = xml.replace(
b"<test:content>Value</test:content>",
b"<test:content>Changed Value</test:content>",
)
with pytest.raises(VerificationFailed):
extract_verified_element(xml=broken, certificate=cert)
def test_verification_failed2(cert_and_signed):
cert, xml = cert_and_signed
root = utils.deserialize_xml(xml)
signature_value = root.find(
".//{http://www.w3.org/2000/09/xmldsig#}SignatureValue")
signature_value.text = signature_value.text + "x"
xml = utils.serialize_xml(root)
with pytest.raises(binascii.Error):
extract_verified_element(xml=xml, certificate=cert)
def test_double_reference_fails(key_and_cert):
target = E.tag("Target", ID="same")
E.root(target, E.tag("Other", ID="same"))
signed_data = sign(
element=target,
private_key=key_and_cert.private_key,
certificate=key_and_cert.certificate,
)
with pytest.raises(MultipleElementsFound):
extract_verified_element(xml=signed_data,
certificate=key_and_cert.certificate)
def test_verify_fails_with_different_certificate(key_and_cert, key_factory):
ns = ElementMaker(namespace="urn:test", nsmap={"test": "urn:test"})
element_to_sign = ns.signed(ns.content("Value"), ID="test")
ns.root(element_to_sign)
signed_data = sign(
element=element_to_sign,
private_key=key_and_cert.private_key,
certificate=key_and_cert.certificate,
)
_, other = key_factory()
with pytest.raises(CertificateMismatch):
extract_verified_element(xml=signed_data, certificate=other)
def test_double_signature_fails(key_and_cert):
element = E.tag("Value", ID="Test")
signed_data = sign(
element=element,
private_key=key_and_cert.private_key,
certificate=key_and_cert.certificate,
)
element = utils.deserialize_xml(signed_data)
signed_data = sign(
element=element,
private_key=key_and_cert.private_key,
certificate=key_and_cert.certificate,
)
with pytest.raises(MultipleElementsFound):
extract_verified_element(xml=signed_data,
certificate=key_and_cert.certificate)
def test_verify_config(key_and_cert):
ns = ElementMaker(namespace="urn:test", nsmap={"test": "urn:test"})
element_to_sign = ns.signed(ns.content("Value"), ID="test")
ns.root(element_to_sign)
config = SigningConfig(signature_method=hashes.SHA1(),
digest_method=hashes.SHA1())
signed_data = sign(
element=element_to_sign,
private_key=key_and_cert.private_key,
certificate=key_and_cert.certificate,
config=config,
)
with pytest.raises(UnsupportedAlgorithm):
extract_verified_element(
xml=signed_data,
certificate=key_and_cert.certificate,
config=VerifyConfig(
allowed_signature_method={hashes.SHA256},
allowed_digest_method={hashes.SHA256},
),
)
def test_roundtrip(key_and_cert):
ns = ElementMaker(namespace="urn:test", nsmap={"test": "urn:test"})
element_to_sign = ns.signed(ns.content("Value"), ID="test")
ns.root(element_to_sign)
unsigned_data = utils.serialize_xml(element_to_sign)
config = SigningConfig.default()
signed_data = sign(
element=element_to_sign,
private_key=key_and_cert.private_key,
certificate=key_and_cert.certificate,
config=config,
)
verified_element = extract_verified_element(
xml=signed_data, certificate=key_and_cert.certificate)
assert unsigned_data == utils.serialize_xml(verified_element)
def roundtrip() -> None:
"""
Create a super simple XML document:
<tag ID='hoge'>Value</tag>
Then sign that tag with a randomly generated key/cert pair.
Then verify the resulting signed document.
"""
key, cert = make_key_and_cert()
element = E.tag("Value", ID="hoge")
print("Unsigned:")
print(serialize_xml(element).decode("utf-8"))
signed = sign(element=element, private_key=key, certificate=cert)
print("=" * 70)
print("Signed:")
print(signed.decode("utf-8"))
verified = extract_verified_element(xml=signed, certificate=cert)
print("=" * 70)
print("Verified:")
print(serialize_xml(verified).decode("utf-8"))
def test_verify(xmlsec1, tmp_path, cert_and_signed):
cert, xml = cert_and_signed
signed = tmp_path / "signed.xml"
cert_pem = tmp_path / "cert.pem"
with signed.open("wb") as fobj:
fobj.write(xml)
with cert_pem.open("wb") as fobj:
fobj.write(cert.public_bytes(encoding=Encoding.PEM))
xmlsec1(
"verify",
"--pubkey-cert-pem",
str(cert_pem),
"--id-attr:ID",
"signed",
str(signed),
)
verified_element = extract_verified_element(xml=xml, certificate=cert)
assert verified_element is not None
assert verified_element.tag == "{urn:test}signed"
assert verified_element.attrib["ID"] == "test"