def signXML(self, fiskXML, elementToSign):
"""
signs xml template acording to XML Signature Syntax and Processing
returns signed xml
fiskXMLTemplate - Element (from ElementTree) xml template to sign
elementToSign - string - name tag of element to sign inside xml template
"""
if (self.init_error):
raise FiskXMLEleSignerError(self.init_error)
root = fiskXML
#print(et.tostring(root))
RequestElement = None
for child in root.iter(elementToSign):
if (child.tag == elementToSign):
RequestElement = child
break
if (RequestElement == None):
raise FiskXMLEleSignerError("Coudl not find element to sign")
#dodavanje Signature taga
namespace = "{http://www.w3.org/2000/09/xmldsig#}"
Signature = et.SubElement(RequestElement, namespace + "Signature",
{'Id': 'placeholder'})
#signer = xmldsig(RequestElement, digest_algorithm="sha1")
signed_root = XMLSigner(
signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#").sign(
root,
key=self.key,
passphrase=self.password,
cert=self.certificate,
reference_uri="#" + RequestElement.get("Id"))
#signxml does not fill correctly certificate data so we need to do it manualy
sslcert = load_certificate(FILETYPE_PEM, self.certificate)
child = signed_root.find(".//" + namespace + "X509Data")
if (child != None):
isuerserial = et.SubElement(child, namespace + "X509IssuerSerial")
name = et.SubElement(isuerserial, namespace + "X509IssuerName")
issuer = sslcert.get_issuer()
# issuer.CN is not present in some certificates
name.text = ','.join(
filter(None, [
issuer.CN and "CN=" + issuer.CN, issuer.OU
and "OU=" + issuer.OU, issuer.O and "O=" + issuer.O,
issuer.C and "C=" + issuer.C
]))
serial = et.SubElement(isuerserial, namespace + "X509SerialNumber")
serial.text = '{:d}'.format(sslcert.get_serial_number())
return et.tostring(signed_root)
def assina_xml(self, xml_element, reference):
cert, key = extract_cert_and_key_from_pfx(self.arquivo, self.senha)
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = XMLSigner(
method=signxml.methods.enveloped, signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = {}
ns[None] = signer.namespaces['ds']
signer.namespaces = ns
ref_uri = ('#%s' % reference) if reference else None
signed_root = signer.sign(
xml_element, key=key, cert=cert,
reference_uri=ref_uri)
if reference:
element_signed = signed_root.find(".//*[@Id='%s']" % reference)
signature = signed_root.find(
".//{http://www.w3.org/2000/09/xmldsig#}Signature")
if element_signed is not None and signature is not None:
parent = element_signed.getparent()
parent.append(signature)
return etree.tostring(signed_root)
def signWithCert(self, stringXml, key, returnString=True):
xmlBuffer = etree.fromstring(stringXml)
tree = etree.fromstring(stringXml)
reference = tree.findall(".//*[@Id]")
cert = self.extractCertContent()
key = open(key, "rb").read()
signer = XMLSigner(
method=signxml.methods.enveloped, signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = {None: signer.namespaces['ds']}
signer.namespaces = ns
refUri = ('#%s' % reference) if reference else None
signedRoot = signer.sign(
xmlBuffer, key=key, cert=cert, reference_uri=refUri)
ns = {'ns': NAMESPACE_SIG}
# Insert the cert file buffered data (content) into specified tags X509Data/X509Certificate
tagX509Data = signedRoot.find('.//ns:X509Data', namespaces=ns)
etree.SubElement(tagX509Data, 'X509Certificate').text = cert
if returnString:
xmlEnvelope = etree.tostring(signedRoot, encoding="unicode", pretty_print=False)
return xmlEnvelope
else:
return signedRoot
def assina_xml(self, xml_element, reference):
cert, key = extract_cert_and_key_from_pfx(self.arquivo, self.senha)
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = XMLSigner(
method=signxml.methods.enveloped,
signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
)
ns = {}
ns[None] = signer.namespaces["ds"]
signer.namespaces = ns
ref_uri = ("#%s" % reference) if reference else None
signed_root = signer.sign(xml_element,
key=key.encode(),
cert=cert.encode(),
reference_uri=ref_uri)
if reference:
element_signed = signed_root.find(".//*[@Id='%s']" % reference)
signature = (signed_root.find(".//*[@URI='#%s']" %
reference).getparent().getparent())
if element_signed is not None and signature is not None:
parent = element_signed.getparent()
parent.append(signature)
return etree.tostring(signed_root, encoding=str)
def assina_xml(self, xml_element, reference, key_name=None):
cert, key = extract_cert_and_key_from_pfx(self.arquivo, self.senha)
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = XMLSigner(
method=signxml.methods.enveloped,
signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = {}
ns[None] = signer.namespaces['ds']
signer.namespaces = ns
ref_uri = ('#%s' % reference) if reference else None
signed_root = signer.sign(xml_element,
key=key,
cert=cert,
reference_uri=ref_uri,
key_name=key_name)
if reference:
element_signed = signed_root.find(".//*[@Id='%s']" % reference)
signature = signed_root.find(
".//{http://www.w3.org/2000/09/xmldsig#}Signature")
if element_signed is not None and signature is not None:
parent = element_signed.getparent()
parent.append(signature)
return etree.tostring(signed_root)
def assinar(self, xml, retorna_string=False):
# busca tag que tem id(reference_uri), logo nao importa se tem namespace
reference = xml.find(".//*[@Id]").attrib['Id']
# retira acentos
xml_str = remover_acentos(
etree.tostring(xml, encoding="unicode", pretty_print=False))
xml = etree.fromstring(xml_str)
signer = XMLSigner(
method=signxml.methods.enveloped,
signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = {None: signer.namespaces['ds']}
signer.namespaces = ns
ref_uri = ('#%s' % reference) if reference else None
signed_root = signer.sign(xml,
key=self.key,
cert=self.cert,
reference_uri=ref_uri)
ns = {'ns': NAMESPACE_SIG}
# coloca o certificado na tag X509Data/X509Certificate
tagX509Data = signed_root.find('.//ns:X509Data', namespaces=ns)
etree.SubElement(tagX509Data, 'X509Certificate').text = self.cert
if retorna_string:
return etree.tostring(signed_root,
encoding="unicode",
pretty_print=False)
else:
return signed_root
def assinar(self, xml, retorna_string=False):
# busca tag que tem id(reference_uri), logo nao importa se tem namespace
reference = xml.find(".//*[@Id]").attrib['Id']
#print('Referencia: ',reference)
# retira acentos
xml_str = remover_acentos(etree.tostring(xml, encoding="unicode", pretty_print=False))
xml = etree.fromstring(xml_str)
signer = XMLSigner(
method=signxml.methods.enveloped, signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = {None: signer.namespaces['ds']}
signer.namespaces = ns
#print('Chave......: ',self.key)
#print('*',200)
#print('Certificado: ',self.cert)
ref_uri = ('#%s' % reference) if reference else None
signed_root = signer.sign(
xml, key=self.key, cert=self.cert, reference_uri=ref_uri)
ns = {'ns': NAMESPACE_SIG}
# coloca o certificado na tag X509Data/X509Certificate
tagX509Data = signed_root.find('.//ns:X509Data', namespaces=ns)
etree.SubElement(tagX509Data, 'X509Certificate').text = self.cert
#print('Assinatura: ',etree.tostring(signed_root, encoding="unicode", pretty_print=False) )
if retorna_string:
return etree.tostring(signed_root, encoding="unicode", pretty_print=False)
else:
return signed_root
def test_x509_certs(self):
from OpenSSL.crypto import load_certificate, FILETYPE_PEM, Error as OpenSSLCryptoError
tree = etree.parse(self.example_xml_files[0])
ca_pem_file = os.path.join(os.path.dirname(__file__), "example-ca.pem").encode("utf-8")
with open(os.path.join(os.path.dirname(__file__), "example.pem"), "rb") as fh:
crt = fh.read()
with open(os.path.join(os.path.dirname(__file__), "example.key"), "rb") as fh:
key = fh.read()
for hash_alg in "sha1", "sha256":
for method in methods.enveloped, methods.enveloping:
for c14_transform_option in include_c14_transformation:
print(hash_alg, method)
data = tree.getroot()
reset_tree(data, method)
signer = XMLSigner(method=method, signature_algorithm="rsa-" + hash_alg,
include_c14n_transform=c14_transform_option)
signed = signer.sign(data, key=key, cert=crt)
signed_data = etree.tostring(signed)
XMLVerifier().verify(signed_data, ca_pem_file=ca_pem_file)
XMLVerifier().verify(signed_data, x509_cert=crt)
XMLVerifier().verify(signed_data, x509_cert=load_certificate(FILETYPE_PEM, crt))
XMLVerifier().verify(signed_data, x509_cert=crt, cert_subject_name="*.example.com")
with self.assertRaises(OpenSSLCryptoError):
XMLVerifier().verify(signed_data, x509_cert=crt[::-1])
with self.assertRaises(InvalidSignature):
XMLVerifier().verify(signed_data, x509_cert=crt, cert_subject_name="test")
with self.assertRaisesRegexp(InvalidCertificate, "unable to get local issuer certificate"):
XMLVerifier().verify(signed_data)
def test_x509_certs(self):
from OpenSSL.crypto import load_certificate, FILETYPE_PEM, Error as OpenSSLCryptoError
tree = etree.parse(self.example_xml_files[0])
ca_pem_file = os.path.join(os.path.dirname(__file__), "example-ca.pem").encode("utf-8")
with open(os.path.join(os.path.dirname(__file__), "example.pem"), "rb") as fh:
crt = fh.read()
with open(os.path.join(os.path.dirname(__file__), "example.key"), "rb") as fh:
key = fh.read()
for hash_alg in "sha1", "sha256":
for method in methods.enveloped, methods.enveloping:
print(hash_alg, method)
data = tree.getroot()
reset_tree(data, method)
signer = XMLSigner(method=method, signature_algorithm="rsa-" + hash_alg)
signed = signer.sign(data, key=key, cert=crt)
signed_data = etree.tostring(signed)
XMLVerifier().verify(signed_data, ca_pem_file=ca_pem_file)
XMLVerifier().verify(signed_data, x509_cert=crt)
XMLVerifier().verify(signed_data, x509_cert=load_certificate(FILETYPE_PEM, crt))
with self.assertRaises(OpenSSLCryptoError):
XMLVerifier().verify(signed_data, x509_cert=crt[::-1])
with self.assertRaisesRegexp(InvalidCertificate, "unable to get local issuer certificate"):
XMLVerifier().verify(signed_data)
def assina_xml(self, xml_element):
cert, key = extract_cert_and_key_from_pfx(self.arquivo, self.senha)
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = XMLSigner(
method=methods.enveloped,
signature_algorithm=u"rsa-sha1",
digest_algorithm=u"sha1",
c14n_algorithm=u"http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
)
ns = {}
ns[None] = signer.namespaces["ds"]
signer.namespaces = ns
element_signed = xml_element.find(".//{http://nfse.goiania.go.gov.br/xsd/nfse_gyn_v02.xsd}Rps")
signed_root = signer.sign(
xml_element, key=key.encode(), cert=cert.encode()
)
signature = signed_root.find(
".//{http://www.w3.org/2000/09/xmldsig#}Signature"
)
if element_signed is not None and signature is not None:
parent = xml_element.getchildren()[0]
parent.append(signature)
return etree.tostring(xml_element, encoding=str)
def assina_xml(self, xml_element, reference):
cert, key = extract_cert_and_key_from_pfx(self.arquivo, self.senha)
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = XMLSigner(
method=signxml.methods.enveloped, signature_algorithm=u"rsa-sha1",
digest_algorithm=u'sha1',
c14n_algorithm=u'http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = {}
ns[None] = signer.namespaces['ds']
signer.namespaces = ns
element_to_be_signed = xml_element.getchildren()[0].getchildren()[0]
signed_root = signer.sign(
element_to_be_signed, key=key.encode(), cert=cert.encode())
if reference:
element_signed = signed_root.find(".//*[@Id='%s']" % reference)
signature = signed_root.find(
".//{http://www.w3.org/2000/09/xmldsig#}Signature")
if element_signed is not None and signature is not None:
parent = xml_element.getchildren()[0]
parent.append(signature)
return etree.tostring(xml_element, encoding=str)
def sign_http_post(xmlstr, key, cert, message=False, assertion=True):
logger.debug('http-post signing')
signer = XMLSigner(
signature_algorithm='rsa-sha256',
digest_algorithm='sha256',
c14n_algorithm='http://www.w3.org/2001/10/xml-exc-c14n#',
)
root = fromstring(xmlstr)
if assertion:
logger.debug('signing assertion')
assertions = root.findall('{%s}Assertion' % SAML)
for assertion in assertions:
issuer = assertion.find('{%s}Issuer' % SAML)
issuer.addnext(
fromstring(
'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder"></ds:Signature>'
))
root = signer.sign(root,
reference_uri=assertion.attrib['ID'],
key=key,
cert=cert)
if message:
issuer = root.find('{%s}Issuer' % SAML)
issuer.addnext(
fromstring(
'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder"></ds:Signature>'
))
root = signer.sign(root, key=key, cert=cert)
return tostring(root, pretty_print=False)
def test_signxml_changing_signature_namespace_prefix(self):
data = etree.parse(self.example_xml_files[0]).getroot()
signer = XMLSigner()
signer.namespaces = dict(digi_sign=namespaces['ds'])
signed = signer.sign(data, key=self.keys["rsa"])
signed_data = etree.tostring(signed)
expected_match = ("<digi_sign:Signature xmlns:"
"digi_sign=\"%s\">") % namespaces['ds']
self.assertTrue(re.search(expected_match.encode('ascii'), signed_data))
def sign(self, data, reference_uri):
signer = XMLSigner(
method=methods.detached,
signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
)
return signer.sign(data=data, key=self.key, cert=self.cert, reference_uri="#{}".format(reference_uri))
def test_signxml_changing_signature_namespace_prefix(self):
data = etree.parse(self.example_xml_files[0]).getroot()
signer = XMLSigner()
signer.namespaces = dict(digi_sign=namespaces['ds'])
signed = signer.sign(data, key=self.keys["rsa"])
signed_data = etree.tostring(signed)
expected_match = ("<digi_sign:Signature xmlns:"
"digi_sign=\"%s\">") % namespaces['ds']
self.assertTrue(re.search(expected_match.encode('ascii'), signed_data))
def signXML(self, fiskXML, elementToSign):
"""
signs xml template acording to XML Signature Syntax and Processing
returns signed xml
fiskXMLTemplate - Element (from ElementTree) xml template to sign
elementToSign - string - name tag of element to sign inside xml template
"""
if(self.init_error):
raise FiskXMLEleSignerError(self.init_error)
root = fiskXML
#print(et.tostring(root))
RequestElement = None
for child in root.iter(elementToSign):
if(child.tag == elementToSign):
RequestElement = child
break
if(RequestElement == None):
raise FiskXMLEleSignerError("Coudl not find element to sign")
#dodavanje Signature taga
namespace = "{http://www.w3.org/2000/09/xmldsig#}"
Signature = et.SubElement(RequestElement, namespace + "Signature", {'Id':'placeholder'})
#signer = xmldsig(RequestElement, digest_algorithm="sha1")
signed_root = XMLSigner(signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#").sign(root,
key=self.key,
passphrase=self.password,
cert=self.certificate,
reference_uri="#" + RequestElement.get("Id"))
#signxml does not fill correctly certificate data so we need to do it manualy
sslcert = load_certificate(FILETYPE_PEM, self.certificate)
child = signed_root.find(".//" + namespace + "X509Data")
if(child != None):
isuerserial = et.SubElement(child, namespace + "X509IssuerSerial")
name = et.SubElement(isuerserial, namespace + "X509IssuerName")
issuer = sslcert.get_issuer()
# issuer.CN is not present in some certificates
name.text = ','.join(filter(None, [
issuer.CN and "CN=" + issuer.CN,
issuer.OU and "OU=" + issuer.OU,
issuer.O and "O=" + issuer.O,
issuer.C and "C=" + issuer.C]))
serial = et.SubElement(isuerserial, namespace + "X509SerialNumber")
serial.text = '{:d}'.format(sslcert.get_serial_number())
return et.tostring(signed_root)
def __init__(self, certificado, chave, namespace):
self.cert = certificado
self.key = chave
self.NAMESPACE = namespace
self._assinador = XMLSigner(
method=methods.detached,
signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
def sign_assertion(assertion, key, cert, reference_uri):
signer = XMLSigner(signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
signed_assertion_element = signer.sign(assertion,
key=key,
cert=cert,
reference_uri=reference_uri)
return signed_assertion_element
def sign(node, key_path, cert_path, get_object=False):
key = import_key(key_path)
cert = import_key(cert_path)
signer = XMLSigner(
method=methods.enveloped,
signature_algorithm='rsa-sha1',
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
signed_node = signer.sign(node, key=key, cert=cert)
if get_object is True:
return signed_node
return etree.tostring(signed_node)
def genAuthnResponse(self, responsetoid, acs_url, issuer, name_id=""):
cert_pem = self.pemcert
key_pem = self.pemkey
format = {
"timenow":
datetime.datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"),
"generated_id":
"_92c76e8d097344229ba1b13200f15fe6",
"generated_assertion_id":
"_f2bee8431dda412c90ac584a5afa342d",
"expirytime":
(datetime.datetime.utcnow() +
datetime.timedelta(minutes=15)).strftime("%Y-%m-%dT%H:%M:%SZ"),
"acs_url":
acs_url,
"issuer":
issuer,
"responsetoid":
responsetoid,
"name_id":
name_id,
"sp_name":
acs_url.split(
'/')[2][4:], # tamad: derive qualified SP name from acs_url
"audience":
acs_url.split('/')[2][
4:] # tamad: derive audience name from acs_url
}
tree = etree.fromstring(self.__canonicalize(XML_TEMPLATE % format))
assertion_tree = tree.find("{%s}Assertion" % SAML_ASSERTION_NS)
signed_assertion_tree = XMLSigner(
signature_algorithm='rsa-sha1',
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/2001/10/xml-exc-c14n#').sign(
assertion_tree, key=key_pem, cert=cert_pem)
self.__reorder_signature(signed_assertion_tree)
# awkward replacement
tree.remove(assertion_tree)
tree.append(signed_assertion_tree)
# return etree.tostring(XMLSigner(signature_algorithm='rsa-sha1',digest_algorithm='sha1').sign(tree,key=pemkey,cert=pemcert));
treeRes = XMLSigner(
signature_algorithm='rsa-sha1',
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/2001/10/xml-exc-c14n#').sign(
tree, key=key_pem, cert=cert_pem)
self.__reorder_signature(treeRes)
#rVal = etree.tostring(treeRes);
return self.__canonicalize(etree.tostring(treeRes))
def sign(xml, cert_data):
signer = XMLSigner(
method=signxml.methods.enveloped,
signature_algorithm='rsa-sha256',
digest_algorithm='sha256',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315'
)
xml_root = None
if not isinstance(xml, etree._ElementTree):
xml = load_fromfile(xml)
xml_root = xml.getroot()
signed_root = signer.sign(xml_root, key=cert_data['key_str'], cert=cert_data['cert_str'])
return etree.ElementTree(signed_root)
def sign(element, reference_uri, certificate_data, key_data):
signer = XMLSigner(
signature_algorithm="rsa-sha1",
digest_algorithm="sha1",
c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
# Sign XML.
signed_element = signer.sign(element,
key=key_data,
cert=certificate_data,
reference_uri=reference_uri)
return signed_element
def sign_assertions(response_str):
""" Return signed response string """
response_element = etree.fromstring(response_str)
cert = read_bytes("keys/cert.pem")
key = read_bytes("keys/key.pem")
for e in response_element.findall(
'{urn:oasis:names:tc:SAML:2.0:assertion}Assertion'):
signer = XMLSigner(
c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#",
signature_algorithm='rsa-sha1',
digest_algorithm='sha1')
signed_e = signer.sign(e, key=key, cert=cert)
response_element.replace(e, signed_e)
return etree.tostring(response_element, pretty_print=True)
def test_reference_uris_and_custom_key_info(self):
with open(os.path.join(os.path.dirname(__file__), "example.pem"), "rb") as fh:
crt = fh.read()
with open(os.path.join(os.path.dirname(__file__), "example.key"), "rb") as fh:
key = fh.read()
# Both ID and Id formats. XPath 1 doesn't have case insensitive attribute search
for d in ['''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="responseId">
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="assertionId">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder" />
</saml:Assertion>
</samlp:Response>''',
'''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Id="responseId">
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" Id="assertionId">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder" />
</saml:Assertion>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" Id="assertion2">
</saml:Assertion>
</samlp:Response>''']:
data = etree.fromstring(d)
reference_uri = ["assertionId", "assertion2"] if "assertion2" in d else "assertionId"
signed_root = XMLSigner().sign(data, reference_uri=reference_uri, key=key, cert=crt)
signed_data_root = XMLVerifier().verify(etree.tostring(signed_root), x509_cert=crt, expect_references=True)[1]
ref = signed_root.xpath('/samlp:Response/saml:Assertion/ds:Signature/ds:SignedInfo/ds:Reference',
namespaces={"ds": "http://www.w3.org/2000/09/xmldsig#",
"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"})
self.assertEqual("assertionId", ref[0].attrib['URI'][1:])
self.assertEqual("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion", signed_data_root.tag)
# Also test with detached signing
for c14_transform_option in include_c14_transformation:
XMLSigner(method=methods.detached,
include_c14n_transform=c14_transform_option
).sign(data, reference_uri=reference_uri, key=key, cert=crt)
# Test setting custom key info
custom_key_info = etree.fromstring('''
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-639b8970-7644-4f9e-9bc4-9c2e367808fc-1"/>
</wsse:SecurityTokenReference>''')
XMLSigner().sign(data, reference_uri=reference_uri, key=key, cert=crt, key_info=custom_key_info)
def assina_xml(self, xml):
##Modificado para utilizar o signxml ao inves do libxml2 e xmlsec
from signxml import XMLSigner
from signxml import methods
xml = self._prepara_doc_xml(xml)
doc_xml = lxml.etree.fromstring(xml.encode('utf-8'))
#buscando chave de acesso no documento e retiranto TAG Signature
chave_de_acesso = self._ler_chave_acesso(doc_xml)
if chave_de_acesso is None:
raise ValueError(
'Nao foi possivel encontrar a Tag para a assinatura.')
#String para bytes para a leitura no signxml
chave = self.chave.encode('utf-8')
certificado = self.certificado.encode('utf-8')
signer = XMLSigner(
method=methods.enveloped,
signature_algorithm='rsa-sha1',
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
#Retirar os prefixos ds: da assinatura
ns = {}
ns[None] = signer.namespaces['ds']
signer.namespaces = ns
#Assina o documento
signed_doc = signer.sign(doc_xml,
key=chave,
cert=certificado,
reference_uri='#{0}'.format(chave_de_acesso))
#Selecionar apenas a tag Signature do documento.
signature_tag = None
for child in signed_doc:
if 'Signature' in child.tag:
signature_tag = child
if signature_tag is None:
raise ("Assinatura nao encontrada.")
signature_tag = lxml.etree.tostring(signature_tag).decode('utf-8')
signature_tag = self._finaliza_xml(signature_tag)
return signature_tag
def assinar_efdreinf(xml):
from lxml import etree
from emensageriapro.settings import FORCE_PRODUCAO_RESTRITA, BASE_DIR
from signxml import XMLSigner, methods
from emensageriapro.settings import CERT, CERT_HOST, CERT_PASS, CERT_PEM_FILE, KEY_PEM_FILE
CERT_HOST = BASE_DIR + '/' + CERT_HOST
CERT_PEM_FILE = CERT_PEM_FILE
KEY_PEM_FILE = KEY_PEM_FILE
# a = executar_sql("""
# SELECT efdreinf_certificado, efdreinf_senha
# FROM public.transmissores where id=%s;
# """ % transmissor_id, True)
if FORCE_PRODUCAO_RESTRITA:
xml = xml.replace('<tpAmb>1</tpAmb>','<tpAmb>2</tpAmb>')
identidade = get_identidade_evento(xml)
create_pem_files(CERT_HOST, CERT_PASS, CERT_PEM_FILE, KEY_PEM_FILE)
cert_str = ler_arquivo(CERT_PEM_FILE)
key_str = ler_arquivo(KEY_PEM_FILE)
root = etree.fromstring(xml)
signed_root = XMLSigner(
method=methods.enveloped,
signature_algorithm=u'rsa-sha256',
digest_algorithm=u'sha256',
c14n_algorithm=u'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'
).sign(root,
reference_uri='#' + identidade,
key=key_str,
cert=cert_str)
return etree.tostring(signed_root)
def sign_seed(self, message, privkey, cert):
doc = etree.fromstring(message)
signed_node = XMLSigner(method=methods.enveloped, digest_algorithm='sha1').sign(
doc, key=privkey.encode('ascii'), cert=cert)
msg = etree.tostring(
signed_node, pretty_print=True).decode().replace('ds:', '')
return msg
def sign(name):
try:
et = fromstring(XML_TEMPLATE.format(name))
signed = XMLSigner().sign(et, key=key, cert=cert)
return HTML_TEMPLATE.format(ET.tostring(signed))
except:
return
def assinar_efdreinf(xml):
from lxml import etree
from emensageriapro.settings import FORCE_PRODUCAO_RESTRITA, BASE_DIR
from signxml import XMLSigner, methods
from emensageriapro.settings import CERT_HOST, CERT_PASS, CERT_PEM_FILE, KEY_PEM_FILE
cert_host = BASE_DIR + '/' + CERT_HOST
cert_pem_file = CERT_PEM_FILE
key_pem_file = KEY_PEM_FILE
if FORCE_PRODUCAO_RESTRITA:
xml = xml.replace('<tpAmb>1</tpAmb>','<tpAmb>2</tpAmb>')
identidade = get_identidade_evento(xml)
create_pem_files(cert_host, CERT_PASS, cert_pem_file, key_pem_file)
cert_str = ler_arquivo(cert_pem_file)
key_str = ler_arquivo(key_pem_file)
root = etree.fromstring(xml)
signed_root = XMLSigner(
method=methods.enveloped,
signature_algorithm=u'rsa-sha256',
digest_algorithm=u'sha256',
c14n_algorithm=u'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'
).sign(root,
reference_uri='#' + identidade,
key=key_str,
cert=cert_str)
return etree.tostring(signed_root)
def make_request(binding, message, destination, key, cert):
_binding, method, encoding = BINDINGS_TO_SAML2BINDINGS.get(binding)
print('BINDING: {}'.format(binding))
print('METHOD: {}'.format(binding))
print('DESTINATION: {}'.format(destination))
with open(message, 'rb') as fp:
message = fp.read()
if _binding == BINDING_HTTP_REDIRECT:
encoded_message = encoding(message)
print('ENCODED MESSAGE: {}'.format(encoded_message))
arguments = {
'SAMLRequest': encoded_message,
'SigAlg': SIG_RSA_SHA256
}
args_list = [urlencode({k: arguments[k]}) for k in arguments]
query_string = '&'.join(args_list).encode('ascii')
digest = SHA256.new()
digest.update(query_string)
private_key = load_pkey_from_file(key)
signer = PKCS1_v1_5.new(private_key)
signed = signer.sign(digest)
arguments['Signature'] = base64.b64encode(signed)
query_string = urlencode(arguments)
url = '{}?{}'.format(destination, query_string)
print('URL: {}'.format(url))
req_args = [url]
elif _binding == BINDING_HTTP_POST:
signer = XMLSigner(
signature_algorithm='rsa-sha256',
digest_algorithm='sha256',
)
root = etree.fromstring(message)
_key = open(key, 'rb').read()
_cert = open(cert, 'rb').read()
print(_key, _cert)
signed_root = signer.sign(root, key=_key, cert=_cert)
message = etree.tostring(signed_root)
print('SIGNED XML: {}'.format(message))
encoded_message = encoding(message)
print('ENCODED MESSAGE: {}'.format(encoded_message))
url = destination
print('URL: {}'.format(url))
extra = {'SAMLRequest': encoded_message}
req_args = [url, extra]
response = getattr(requests, method)(*req_args, verify=False)
print('RESPONSE: {}'. format(response.text))
def sign_assertion(cls, root, key, cert):
''' Reads the certificate and private key to memory from the paths provided.
uses signxml module to sign the root object provided.
:param root: root object to sign
:param : private RSA key to sign with
:param : public certificate of the private key
:return: a signed root object
'''
# Read the private key and certificate
key = open(key, "r").read()
cert = open(cert, "r").read()
# Set up xml signer object
signer = XMLSigner(c14n_algorithm=cls.C14_ALG)
# Sign the Assertion
return signer.sign(root, key=key, cert=cert)
def sign_http_post(xmlstr, key, cert, message=False, assertion=True):
signer = XMLSigner(
signature_algorithm='rsa-sha256',
digest_algorithm='sha256',
)
root = fromstring(xmlstr)
if message:
root = signer.sign(root, key=key, cert=cert)
if assertion:
assertions = root.findall('{%s}Assertion' % SAML)
for assertion in assertions:
_assertion = signer.sign(assertion, key=key, cert=cert)
issuer = _assertion.find('{%s}Issuer' % SAML)
signature = _assertion.find('%sSignature' % SIG_NS)
issuer.addnext(signature)
assertion.getparent().replace(assertion, _assertion)
response = tostring(root)
return base64.b64encode(response).decode('ascii')
def assinar_efdreinf(request, xml, transmissor_id):
from lxml import etree
from emensageriapro.settings import BASE_DIR
from signxml import XMLSigner, methods
from emensageriapro.mensageiro.functions.funcoes import get_identidade_evento, create_pem_files, ler_arquivo
if transmissor_id:
tra = TransmissorLoteEfdreinf.objects. \
get(id=transmissor_id)
if tra.transmissor:
if tra.transmissor.certificado:
cert_host = '%s/certificado/%s' % (
BASE_DIR, tra.transmissor.certificado.certificado)
cert_pass = tra.transmissor.certificado.senha
cert_pem_file = '/certificado/cert_%s.pem' % tra.transmissor.certificado.id
key_pem_file = '/certificado/key_%s.pem' % tra.transmissor.certificado.id
create_pem_files(cert_host, cert_pass, cert_pem_file,
key_pem_file)
cert_str = ler_arquivo(cert_pem_file)
key_str = ler_arquivo(key_pem_file)
root = etree.fromstring(xml)
identidade = get_identidade_evento(xml)
signed_root = XMLSigner(
method=methods.enveloped,
signature_algorithm=u'rsa-sha256',
digest_algorithm=u'sha256',
c14n_algorithm=
u'http://www.w3.org/TR/2001/REC-xml-c14n-20010315').sign(
root,
reference_uri='#' + identidade,
key=key_str,
cert=cert_str)
return etree.tostring(signed_root)
else:
messages.error(
request, '''O certificado não está configurado,
configure pelo menos um transmissor para o respectivo empregador!'''
)
else:
messages.error(request, '''O transmissor não está configurado!''')
return xml
def sign(self):
_logger.debug('Firma de XML : ')
cert = open(templateXML+ os.sep +'myr.cer').read()
privkey = open(templateXML+ os.sep +'myr.key').read()
root = etree.fromstring(self._xml.encode('ISO-8859-1'), parser=etree.XMLParser(encoding='ISO-8859-1'))
_logger.debug(root)
signed_root = XMLSigner(method=methods.enveloped, signature_algorithm='rsa-sha1', digest_algorithm='sha1', c14n_algorithm=u'http://www.w3.org/TR/2001/REC-xml-c14n-20010315').sign(root, key=privkey, cert=cert)
self._xml = etree.tostring(signed_root,encoding='ISO-8859-1')
assertion_data = XMLVerifier().verify(signed_root,x509_cert=cert).signed_xml
_logger.debug(assertion_data)
_logger.debug(self._xml)
def assina_xml(self, xml_element, reference):
cert, key = extract_cert_and_key_from_pfx(self.arquivo, self.senha)
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = XMLSigner(
method=signxml.methods.enveloped,
signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
signed_root = signer.sign(xml_element,
key=key,
cert=cert,
reference_uri=('#%s' % reference))
if len(signed_root) > 3:
signed_root[2].append(signed_root[3])
return etree.tostring(signed_root)
def test_basic_signxml_statements(self):
with self.assertRaisesRegexp(InvalidInput, "Unknown signature method"):
signer = XMLSigner(method=None)
with self.assertRaisesRegexp(InvalidInput, "must be an XML element"):
XMLSigner().sign("x")
digest_algs = {"sha1", "sha224", "sha256", "sha384", "sha512"}
sig_algs = {"hmac", "dsa", "rsa", "ecdsa"}
hash_algs = {"sha1", "sha256"}
c14n_algs = {"http://www.w3.org/2001/10/xml-exc-c14n#",
"http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
XMLSignatureProcessor.default_c14n_algorithm}
all_methods = itertools.product(digest_algs, sig_algs, hash_algs, methods, c14n_algs)
for digest_alg, sig_alg, hash_alg, method, c14n_alg in all_methods:
data = [etree.parse(f).getroot() for f in self.example_xml_files]
# FIXME: data.extend(stdlibElementTree.parse(f).getroot() for f in (self.example_xml_files)
data.append(stdlibElementTree.parse(self.example_xml_files[0]).getroot())
data.append("x y \n z t\n я\n")
for d in data:
if isinstance(d, str) and method != methods.enveloping:
continue
print(digest_alg, sig_alg, hash_alg, c14n_alg, method, type(d))
reset_tree(d, method)
signer = XMLSigner(method=method,
signature_algorithm="-".join([sig_alg, hash_alg]),
digest_algorithm=digest_alg,
c14n_algorithm=c14n_alg)
signed = signer.sign(d,
key=self.keys[sig_alg],
reference_uri="URI" if method == methods.detached else None)
# print(etree.tostring(signed))
hmac_key = self.keys["hmac"] if sig_alg == "hmac" else None
verify_kwargs = dict(require_x509=False, hmac_key=hmac_key, validate_schema=True)
if method == methods.detached:
def resolver(uri):
if isinstance(d, stdlibElementTree.Element):
return etree.fromstring(stdlibElementTree.tostring(d))
else:
return d
verify_kwargs["uri_resolver"] = resolver
signed_data = etree.tostring(signed)
XMLVerifier().verify(signed_data, **verify_kwargs)
XMLVerifier().verify(signed_data, parser=parser, **verify_kwargs)
(_d, _x, _s) = XMLVerifier().verify(signed_data, id_attribute="Id", **verify_kwargs)
if _x is not None:
# Ensure the signature is not part of the signed data
self.assertIsNone(_x.find(".//{http://www.w3.org/2000/09/xmldsig#}Signature"))
self.assertNotEqual(_x.tag, "{http://www.w3.org/2000/09/xmldsig#}Signature")
# Ensure the signature was returned
self.assertEqual(_s.tag, "{http://www.w3.org/2000/09/xmldsig#}Signature")
if method == methods.enveloping:
with self.assertRaisesRegexp(InvalidInput, "Unable to resolve reference URI"):
XMLVerifier().verify(signed_data, id_attribute="X", **verify_kwargs)
with self.assertRaisesRegexp(InvalidInput, "Expected a X.509 certificate based signature"):
XMLVerifier().verify(signed_data, hmac_key=hmac_key, uri_resolver=verify_kwargs.get("uri_resolver"))
if method != methods.detached:
with self.assertRaisesRegexp(InvalidSignature, "Digest mismatch"):
mangled_sig = signed_data.replace(b"Austria", b"Mongolia").replace(b"x y", b"a b")
XMLVerifier().verify(mangled_sig, **verify_kwargs)
with self.assertRaises(cryptography.exceptions.InvalidSignature):
mangled_sig = signed_data.replace(b"<ds:DigestValue>", b"<ds:DigestValue>!")
XMLVerifier().verify(mangled_sig, **verify_kwargs)
with self.assertRaises(cryptography.exceptions.InvalidSignature):
sig_value = re.search(b"<ds:SignatureValue>(.+?)</ds:SignatureValue>", signed_data).group(1)
mangled_sig = re.sub(
b"<ds:SignatureValue>(.+?)</ds:SignatureValue>",
b"<ds:SignatureValue>" + b64encode(b64decode(sig_value)[::-1]) + b"</ds:SignatureValue>",
signed_data
)
XMLVerifier().verify(mangled_sig, **verify_kwargs)
with self.assertRaises(etree.XMLSyntaxError):
XMLVerifier().verify("", hmac_key=hmac_key, require_x509=False)
if sig_alg == "hmac":
with self.assertRaisesRegexp(InvalidSignature, "Signature mismatch"):
verify_kwargs["hmac_key"] = b"SECRET"
XMLVerifier().verify(signed_data, **verify_kwargs)
def test_elementtree_compat(self):
data = stdlibElementTree.parse(self.example_xml_files[0]).getroot()
signer = XMLSigner()
signed = signer.sign(data, key=self.keys["rsa"])
