"""
Should sign a pre-constructed template file
using a key from a PEM file.
"""
# Load the pre-constructed XML template.
template = parse_xml('sign1-tmpl.xml')
# Find the node.
signature_node = xmlsec.tree.find_node(template, xmlsec.Node.SIGNATURE)
assert signature_node is not None
assert signature_node.tag.endswith(xmlsec.Node.SIGNATURE)
# Create a digital signature context (no key manager is needed).
ctx = xmlsec.SignatureContext()
# Load private key (assuming that there is no password).
filename = path.join(BASE_DIR, 'rsakey.pem')
key = xmlsec.Key.from_file(filename, xmlsec.KeyFormat.PEM)
assert key is not None
# Set key name to the file name (note: this is just a test).
key.name = path.basename(filename)
# Set the key on the context.
ctx.key = key
assert ctx.key is not None
assert ctx.key.name == path.basename(filename)
del key
template.append(signature_node)
# Add the node to the signature template.
ref = xmlsec.template.add_reference(signature_node, xmlsec.Transform.SHA1, uri=elem_id)
# Add the enveloped transform descriptor.
xmlsec.template.add_transform(ref, xmlsec.Transform.ENVELOPED)
# Add the excl_c14n transform descriptor.
xmlsec.template.add_transform(ref, xmlsec.Transform.EXCL_C14N)
# Add the and nodes.
key_info = xmlsec.template.ensure_key_info(signature_node)
xmlsec.template.add_x509_data(key_info)
# Create a digital signature context (no key manager is needed).
ctx = xmlsec.SignatureContext()
# Load private key (assuming that there is no password).
filename = path.join(BASE_DIR, 'rsakey.pem')
key = xmlsec.Key.from_file(filename, xmlsec.KeyFormat.PEM)
assert key is not None
# Load the certificate and add it to the key.
filename = path.join(BASE_DIR, 'rsacert.pem')
key.load_cert_from_file(filename, xmlsec.KeyFormat.PEM)
# Set key name to the file name (note: this is just a test).
key.name = path.basename(filename)
# Set the key on the context.
ctx.key = key
# Add the node to the document.
template.append(signature_node)
# Add the node to the signature template.
ref = xmlsec.template.add_reference(signature_node, xmlsec.Transform.SHA1)
# Add the enveloped transform descriptor.
xmlsec.template.add_transform(ref, xmlsec.Transform.ENVELOPED)
# Add the and nodes.
key_info = xmlsec.template.ensure_key_info(signature_node)
xmlsec.template.add_key_name(key_info)
# Create a digital signature context (no key manager is needed).
ctx = xmlsec.SignatureContext()
# Load private key (assuming that there is no password).
filename = path.join(BASE_DIR, 'rsakey.pem')
key = xmlsec.Key.from_file(filename, xmlsec.KeyFormat.PEM)
assert key is not None
# Set key name to the file name (note: this is just a test).
key.name = path.basename(filename)
# Set the key on the context.
ctx.key = key
assert ctx.key is not None
assert ctx.key.name == path.basename(filename)
if cert is None or cert == '':
return False
# Check if Reference URI is empty
reference_elem = OneLogin_Saml2_XML.query(signature_node, '//ds:Reference')
if len(reference_elem) > 0:
if reference_elem[0].get('URI') == '':
reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID'))
if validatecert:
manager = xmlsec.KeysManager()
manager.load_cert_from_memory(cert, xmlsec.KeyFormat.CERT_PEM, xmlsec.KeyDataType.TRUSTED)
dsig_ctx = xmlsec.SignatureContext(manager)
else:
dsig_ctx = xmlsec.SignatureContext()
dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None)
dsig_ctx.set_enabled_key_data([xmlsec.KeyData.X509])
dsig_ctx.verify(signature_node)
return True
except xmlsec.Error as e:
if debug:
print(e)
:param signature: The signature that will be validated
:type: string
:param cert: The public cert
:type: string
:param algorithm: Signature algorithm
:type: string
:param debug: Activate the xmlsec debug
:type: bool
"""
try:
xmlsec.enable_debug_trace(debug)
dsig_ctx = xmlsec.SignatureContext()
dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None)
sign_algorithm_transform_map = {
OneLogin_Saml2_Constants.DSA_SHA1: xmlsec.Transform.DSA_SHA1,
OneLogin_Saml2_Constants.RSA_SHA1: xmlsec.Transform.RSA_SHA1,
OneLogin_Saml2_Constants.RSA_SHA256: xmlsec.Transform.RSA_SHA256,
OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.Transform.RSA_SHA384,
OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.Transform.RSA_SHA512
}
sign_algorithm_transform = sign_algorithm_transform_map.get(algorithm, xmlsec.Transform.RSA_SHA1)
dsig_ctx.verify_binary(compat.to_bytes(signed_query),
sign_algorithm_transform,
compat.to_bytes(signature))
return True
except xmlsec.Error as e:
if cert is None or cert == '':
return False
# Check if Reference URI is empty
reference_elem = OneLogin_Saml2_XML.query(signature_node, '//ds:Reference')
if len(reference_elem) > 0:
if reference_elem[0].get('URI') == '':
reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID'))
if validatecert:
manager = xmlsec.KeysManager()
manager.load_cert_from_memory(cert, xmlsec.KeyFormat.CERT_PEM, xmlsec.KeyDataType.TRUSTED)
dsig_ctx = xmlsec.SignatureContext(manager)
else:
dsig_ctx = xmlsec.SignatureContext()
dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None)
dsig_ctx.set_enabled_key_data([xmlsec.KeyData.X509])
dsig_ctx.verify(signature_node)
return True
except xmlsec.Error as e:
if debug:
print(e)
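def get_signature_context(signature, envelope):
    """Build an xmlsec ``SignatureContext`` with every referenced ``wsu:Id`` registered.

    xmlsec only resolves ``#id`` references to elements whose ID attribute it
    has been told about; ``wsu:Id`` is not a DTD-declared ID, so each element
    named by a ``ds:Reference`` under *signature* is located in *envelope* and
    registered on the context before it is used for verification.

    Args:
        signature: the ``ds:Signature`` element (lxml); its
            ``ds:SignedInfo/ds:Reference`` children are inspected.
        envelope: the document (lxml) in which the referenced elements live.

    Returns:
        An ``xmlsec.SignatureContext`` with each referenced element
        registered under the ``Id`` attribute in the WSU namespace.

    Raises:
        ValueError: if a Reference URI is missing or is not a same-document
            ``#id`` reference, if no element carries the referenced
            ``wsu:Id``, or if more than one element does. An ambiguous
            reference is rejected rather than resolved to the first match,
            because a duplicate ID is the classic signature-wrapping setup.
    """
    ctx = xmlsec.SignatureContext()
    refs = signature.xpath("ds:SignedInfo/ds:Reference", namespaces={"ds": DS_NS})
    for ref in refs:
        uri = ref.get("URI")
        # Only same-document references are supported here. Blindly slicing
        # off the first character would silently mangle any other URI form
        # (or raise TypeError when the attribute is absent).
        if not uri or not uri.startswith("#"):
            raise ValueError("Unsupported Reference URI: %r" % (uri,))
        referenced_id = uri[1:]
        # The URI comes from the incoming (untrusted) message. Bind it as an
        # XPath variable instead of interpolating it into the expression so a
        # quote character in the value cannot rewrite the query.
        matches = envelope.xpath(
            "//*[@wsu:Id=$ref_id]", ref_id=referenced_id, namespaces={"wsu": WSU_NS}
        )
        # Exactly one element must carry this Id; zero means the reference is
        # dangling, more than one means the lookup is ambiguous.
        if len(matches) != 1:
            raise ValueError(
                "Reference %r matched %d elements; expected exactly one"
                % (uri, len(matches))
            )
        ctx.register_id(matches[0], "Id", WSU_NS)
    return ctx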
xml,
xmlsec.Transform.EXCL_C14N,
xmlsec.Transform.RSA_SHA1)
# Add the node to the document.
xml.insert(element.meta.signature_index, signature_node)
# Add the node to the signature template.
ref = xmlsec.template.add_reference(
signature_node, xmlsec.Transform.SHA1)
# Add the enveloped transform descriptor.
xmlsec.template.add_transform(ref, xmlsec.Transform.ENVELOPED)
# Create a digital signature context (no key manager is needed).
ctx = xmlsec.SignatureContext()
# Load private key.
key = xmlsec.Key.from_memory(stream, xmlsec.KeyFormat.PEM, password)
# Set the key on the context.
ctx.key = key
# Sign the template.
ctx.sign(signature_node)
if fingerprint == x509_fingerprint_value:
cert = OneLogin_Saml2_Utils.format_cert(x509_cert_value)
if cert is None or cert == '':
return False
# Check if Reference URI is empty
reference_elem = OneLogin_Saml2_XML.query(signature_node, '//ds:Reference')
if len(reference_elem) > 0:
if reference_elem[0].get('URI') == '':
reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID'))
if validatecert:
manager = xmlsec.KeysManager()
manager.load_cert_from_memory(cert, xmlsec.KeyFormat.CERT_PEM, xmlsec.KeyDataType.TRUSTED)
dsig_ctx = xmlsec.SignatureContext(manager)
else:
dsig_ctx = xmlsec.SignatureContext()
dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None)
dsig_ctx.set_enabled_key_data([xmlsec.KeyData.X509])
dsig_ctx.verify(signature_node)
return True
except xmlsec.Error as e:
if debug:
print(e)