Пример #1
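def _sign_node(ctx, signature, target, digest_method=None):
    """Add a Reference for ``target`` to the ``signature`` node, using ``ctx``.

    Doesn't actually perform the signing; ``ctx.sign(signature)`` should be
    called later to do that.

    Adds a Reference node to the signature with URI attribute pointing to the
    target node, and registers the target node's ID so XMLSec will be able to
    find the target node by ID when it signs.

    :param ctx: the xmlsec signature context that will later sign ``signature``;
        ``ctx.register_id`` is used here so that ``ctx.sign`` can resolve the
        ``#id`` URI.
    :param signature: the ``ds:Signature`` template node the Reference is added to.
    :param target: the element to be covered by the signature.
    :param digest_method: ``xmlsec.Transform`` digest used for the Reference.
        ``None`` (the default) keeps the historic ``xmlsec.Transform.SHA1``
        behaviour. SHA-1 is deprecated for new signatures; prefer
        ``xmlsec.Transform.SHA256`` wherever the receiving party supports it.
    :returns: ``None``; ``signature`` is modified in place.
    """
    if digest_method is None:
        # Backward-compatible default: existing callers relied on SHA-1.
        digest_method = xmlsec.Transform.SHA1

    # Ensure the target node has a wsu:Id attribute and get its value.
    node_id = ensure_id(target)

    # Unlike HTML, XML doesn't have a single standardized Id. WSSE suggests the
    # use of the wsu:Id attribute for this purpose, but XMLSec doesn't
    # understand that natively. So for XMLSec to be able to find the referenced
    # node by id, we have to tell xmlsec about it using the register_id method.
    # The signature covers whatever element xmlsec resolves '#node_id' to, so
    # the wsu:Id must be unique within the document.
    ctx.register_id(target, 'Id', ns.WSU)

    # Add reference to signature with URI attribute pointing to that ID.
    ref = xmlsec.template.add_reference(signature,
                                        digest_method,
                                        uri='#' + node_id)
    # This is an XML normalization transform which will be performed on the
    # target node contents before signing. This ensures that changes to
    # irrelevant whitespace, attribute ordering, etc won't invalidate the
    # signature.
    xmlsec.template.add_transform(ref, xmlsec.Transform.EXCL_C14N)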
Пример #2
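def _sign_envelope_with_key_binary(envelope,
                                   key,
                                   signature_method,
                                   digest_method,
                                   signatures=None):
    """Perform signature and place the key info in a BinarySecurityToken.

    ``_signature_prepare`` (defined elsewhere in this module) is called with
    all arguments passed through and returns the ``wsse:Security`` header,
    the ``wsse:SecurityTokenReference`` and the ``ds:X509Data`` element. This
    function then replaces the ``ds:X509Data`` with a ``wsse:Reference`` whose
    ``URI`` points (by ``wsu:Id``) at a new ``wsse:BinarySecurityToken``
    holding the base64 X509v3 certificate text taken from
    ``ds:X509Certificate``. The token is inserted as the second child of the
    security header.

    The embedded certificate is self-asserted by the sender; a receiver must
    still validate it against its own trust anchors before relying on the
    signature.

    :returns: ``None``; ``envelope`` is modified in place.
    :raises AttributeError: if the prepared ``ds:X509Data`` has no
        ``ds:X509Certificate`` child (``find`` returns ``None``).
    """
    x509_value_type = (
        'http://docs.oasis-open.org/wss/2004/01/'
        'oasis-200401-wss-x509-token-profile-1.0#X509v3'
    )
    b64_encoding_type = (
        'http://docs.oasis-open.org/wss/2004/01/'
        'oasis-200401-wss-soap-message-security-1.0#Base64Binary'
    )

    security, sec_token_ref, x509_data = _signature_prepare(
        envelope, key, signature_method, digest_method, signatures=signatures)

    # Direct reference from the SecurityTokenReference to the token below;
    # ValueType is set first so that the attribute order stays ValueType, URI.
    ref = SubElement(
        sec_token_ref, QName(ns.WSSE, 'Reference'), {'ValueType': x509_value_type})
    bintok = Element(
        QName(ns.WSSE, 'BinarySecurityToken'), {
            'ValueType': x509_value_type,
            'EncodingType': b64_encoding_type,
        })
    # The token gets its own wsu:Id; the Reference URI must match it exactly.
    ref.attrib['URI'] = '#' + ensure_id(bintok)

    # Move the certificate text into the token and drop the now redundant
    # ds:X509Data element.
    cert_text = x509_data.find(QName(ns.DS, 'X509Certificate')).text
    bintok.text = cert_text
    security.insert(1, bintok)
    x509_data.getparent().remove(x509_data)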
Пример #3
def _sign_envelope_with_key_binary(envelope,
                                   key,
                                   signature_method,
                                   digest_method,
                                   expires_dt=None):
    """Sign ``envelope`` with ``key``, carrying the certificate in a BinarySecurityToken.

    All arguments are handed to ``_signature_prepare`` (defined elsewhere in
    this module), which returns the ``wsse:Security`` header, the
    ``wsse:SecurityTokenReference`` and a ``ds:X509Data`` element. That
    ``ds:X509Data`` is then replaced by a ``wsse:Reference`` pointing at a new
    ``wsse:BinarySecurityToken`` that holds the base64 X509v3 certificate text
    from ``ds:X509Certificate``; the token becomes the second child of the
    security header.

    A receiver must validate the embedded certificate against its own trust
    anchors; the token itself proves nothing about who the sender is.

    :returns: ``None``; ``envelope`` is modified in place.
    """
    x509_value_type = (
        "http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-x509-token-profile-1.0#X509v3"
    )
    b64_encoding_type = (
        "http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-soap-message-security-1.0#Base64Binary"
    )

    sec_header, token_ref, cert_data = _signature_prepare(
        envelope, key, signature_method, digest_method, expires_dt=expires_dt)

    # Direct reference from the SecurityTokenReference to the token below;
    # ValueType is set at creation so the attribute order stays ValueType, URI.
    direct_ref = etree.SubElement(
        token_ref, QName(ns.WSSE, "Reference"), {"ValueType": x509_value_type})

    token = etree.Element(
        QName(ns.WSSE, "BinarySecurityToken"),
        {"ValueType": x509_value_type, "EncodingType": b64_encoding_type},
    )
    # The token gets its own wsu:Id and the Reference URI must match it.
    direct_ref.attrib["URI"] = "#" + ensure_id(token)

    # Move the certificate text into the token, then drop the now redundant
    # ds:X509Data element.
    token.text = cert_data.find(QName(ns.DS, "X509Certificate")).text
    sec_header.insert(1, token)
    cert_data.getparent().remove(cert_data)
Пример #4
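def _sign_envelope_with_key_binary(envelope, key):
    """Sign ``envelope`` with ``key``, carrying the certificate in a BinarySecurityToken.

    ``_signature_prepare`` (defined elsewhere in this module) returns the
    ``wsse:Security`` header, the ``wsse:SecurityTokenReference`` and a
    ``ds:X509Data`` element. That ``ds:X509Data`` is replaced by a
    ``wsse:Reference`` whose ``URI`` points (by ``wsu:Id``) at a new
    ``wsse:BinarySecurityToken`` holding the base64 X509v3 certificate text
    from ``ds:X509Certificate``; the token becomes the second child of the
    security header.

    A receiver must validate the embedded certificate against its own trust
    anchors; the token itself proves nothing about who the sender is.

    :returns: ``None``; ``envelope`` is modified in place.
    """
    x509_value_type = (
        'http://docs.oasis-open.org/wss/2004/01/'
        'oasis-200401-wss-x509-token-profile-1.0#X509v3'
    )
    b64_encoding_type = (
        'http://docs.oasis-open.org/wss/2004/01/'
        'oasis-200401-wss-soap-message-security-1.0#Base64Binary'
    )

    security, sec_token_ref, x509_data = _signature_prepare(envelope, key)

    ref = etree.SubElement(
        sec_token_ref, QName(ns.WSSE, 'Reference'), {'ValueType': x509_value_type})
    bintok = etree.Element(
        QName(ns.WSSE, 'BinarySecurityToken'), {
            'ValueType': x509_value_type,
            'EncodingType': b64_encoding_type,
        })
    # The wsse:Reference must point at the token via URI, and the token needs
    # a wsu:Id of its own. Previously the Reference's own wsu:Id was copied
    # onto the token and no URI was set at all, leaving two elements with the
    # same Id in the document, which defeats ID-based dereferencing.
    ref.attrib['URI'] = '#' + ensure_id(bintok)

    # Move the certificate text into the token and drop the now redundant
    # ds:X509Data element.
    bintok.text = x509_data.find(QName(ns.DS, 'X509Certificate')).text
    security.insert(1, bintok)
    x509_data.getparent().remove(x509_data)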