pyXMLSecurity/src/xmlsec/Signer.py at c03ccb034a81500fa630ab4ffad56fe662a67812 · IdentityPython/pyXMLSecurity · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
import logging
import six
import xmlsec
import xmlsec.exceptions
import xmlsec.crypto
from lxml.builder import ElementMaker
from lxml import etree as etree
from xmlsec.utils import  pem2b64, b64e

NS = {'ds': 'http://www.w3.org/2000/09/xmldsig#'}
NSDefault = {None: 'http://www.w3.org/2000/09/xmldsig#'}
DS = ElementMaker(namespace=NS['ds'], nsmap=NSDefault)

class Signer(object):
    def __init__(self, key_spec, cert_spec=None, debug=False):
        """
        :param key_spec: private key reference, see xmlsec.crypto.from_keyspec() for syntax.
        :param cert_spec: None or public key reference (to add cert to document),
                          see xmlsec.crypto.from_keyspec() for syntax.
        """
        self.log = logging.getLogger('xmlsec')
        self.debug = debug
        self.private = xmlsec.crypto.from_keyspec(key_spec, private=True)
        self.public = None
        if cert_spec is not None:
            self.public = xmlsec.crypto.from_keyspec(cert_spec)
            if self.public is None:
                raise xmlsec.exceptions.XMLSigException("Unable to load public key from '%s'" % cert_spec)
            if self.public.keysize and self.private.keysize:  # XXX maybe one set and one not set should also raise exception?
                if self.public.keysize != self.private.keysize:
                    raise xmlsec.exceptions.XMLSigException("Public and private key sizes do not match ({!s}, {!s})".format(
                                          self.public.keysize, self.private.keysize))
                # This might be incorrect for PKCS#11 tokens if we have no public key
                self.log.debug("Using {!s} bit key".format(self.private.keysize))


    def sign(self, t, reference_uri='', insert_index=0, sig_path=".//{%s}Signature" % NS['ds']):
        """
        Sign an XML document. This means to 'complete' all Signature elements in the XML.

        :param t: XML as lxml.etree
        :param sig_path: An xpath expression identifying the Signature template element
        :param reference_uri: Envelope signature reference URI
        :param insert_index: Insertion point for the Signature element,
                             Signature is inserted at beginning by default
        :returns: XML as lxml.etree (for convenience, 't' is modified in-place)
        """
        sig_paths = t.findall(sig_path)
        templates = list(filter(xmlsec._is_template, sig_paths))
        if not templates:
            tmpl = xmlsec.add_enveloped_signature(t, reference_uri=reference_uri, pos=insert_index)
            templates = [tmpl]

        assert templates, xmlsec.exceptions.XMLSigException("Failed to both find and add a signing template")

        if self.debug:
            with open("/tmp/sig-ref.xml", "w") as fd:
                fd.write(etree_to_string(root_elt(t)))

        for sig in templates:
            self.log.debug("processing sig template: %s" % etree.tostring(sig))
            si = sig.find(".//{%s}SignedInfo" % NS['ds'])
            assert si is not None
            cm_alg = xmlsec._cm_alg(si)
            sig_alg = xmlsec._sig_alg(si)

            xmlsec._process_references(t, sig, verify_mode=False, sig_path=sig_path)
            # XXX create signature reference duplicates/overlaps process references unless a c14 is part of transforms
            self.log.debug("transform %s on %s" % (cm_alg, etree.tostring(si)))
            sic = xmlsec._transform(cm_alg, si)
            self.log.debug("SignedInfo C14N: %s" % sic)

            # sign hash digest and insert it into the XML
            if self.private.do_digest:
                digest = xmlsec.crypto._digest(sic, sig_alg)
                self.log.debug("SignedInfo digest: %s" % digest)
                b_digest = b64d(digest)
                tbs = xmlsec._signed_value(b_digest, private.keysize, private.do_padding, sig_alg)
            else:
                tbs = sic

            signed = self.private.sign(tbs, sig_alg)
            signature = b64e(signed)
            if isinstance(signature, six.binary_type):
                signature = six.text_type(signature, 'utf-8')
            self.log.debug("SignatureValue: %s" % signature)
            sv = sig.find(".//{%s}SignatureValue" % NS['ds'])
            if sv is None:
                si.addnext(DS.SignatureValue(signature))
            else:
                sv.text = signature

            for cert_src in (self.public, self.private):
                if cert_src is not None and cert_src.cert_pem:
                    # Insert cert_data as b64-encoded X.509 certificate into XML document
                    sv_elt = si.getnext()
                    sv_elt.addnext(DS.KeyInfo(DS.X509Data(DS.X509Certificate(pem2b64(cert_src.cert_pem)))))
                    break  # add the first we find, no more

        return t