diff --git a/signxml/algorithms.py b/signxml/algorithms.py
index 2e7ec22..5169c2e 100644
--- a/signxml/algorithms.py
+++ b/signxml/algorithms.py
@@ -37,7 +37,7 @@ class SignatureConstructionMethod(Enum):
 class FragmentLookupMixin:
     @classmethod
     def from_fragment(cls, fragment):
-        for i in cls:  # type: ignore
+        for i in cls:  # type: ignore[attr-defined]
             if i.value.endswith("#" + fragment):
                 return i
         else:
@@ -50,7 +50,7 @@ def _missing_(cls, value):
         raise InvalidInput(f"Unrecognized {cls.__name__}: {value}")
 
     def __repr__(self):
-        return f"{self.__class__.__name__}.{self.name}"  # type: ignore
+        return f"{self.__class__.__name__}.{self.name}"  # type: ignore[attr-defined]
 
 
 class DigestAlgorithm(FragmentLookupMixin, InvalidInputErrorMixin, Enum):
diff --git a/signxml/processor.py b/signxml/processor.py
index 011d588..fca886c 100644
--- a/signxml/processor.py
+++ b/signxml/processor.py
@@ -76,7 +76,7 @@ class XMLSignatureProcessor(XMLProcessor):
         "urn:oid:1.3.132.0.37": ec.SECT409R1,
         "urn:oid:1.3.132.0.38": ec.SECT571K1,
     }
-    known_ecdsa_curve_oids = {ec().name: oid for oid, ec in known_ecdsa_curves.items()}  # type: ignore
+    known_ecdsa_curve_oids = {ec().name: oid for oid, ec in known_ecdsa_curves.items()}  # type: ignore[abstract]
 
     excise_empty_xmlns_declarations = False
 
diff --git a/signxml/signer.py b/signxml/signer.py
index d8da4c3..ac39002 100644
--- a/signxml/signer.py
+++ b/signxml/signer.py
@@ -201,7 +201,7 @@ def sign(
                 if len(cert_chain) == 0:
                     raise InvalidInput("No PEM-encoded certificates found in string cert input data")
             else:
-                cert_chain = cert  # type: ignore
+                cert_chain = cert  # type:ignore[assignment]
 
         input_references = self._preprocess_reference_uri(reference_uri)
 
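Review bot: The narrowed ignore on the `cert_chain = cert` line is spelled `# type:ignore[assignment]`, without the space after the colon, while every other ignore touched by this commit (algorithms.py, processor.py, verifier.py, xades.py) uses the canonical `# type: ignore[...]`; the HMAC line in the next signer.py hunk has the same `# type:ignore[arg-type]` spelling. mypy accepts both forms, but linters that enforce the canonical comment will flag the two odd ones and the inconsistency is visible in the diff itself. Change them to `cert_chain = cert  # type: ignore[assignment]` and `# type: ignore[arg-type]` on the HMAC line. The enclosing `sign` method starts before and ends after this hunk.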
@@ -244,7 +244,7 @@ def sign(
             signed_info_node, algorithm=self.c14n_alg, inclusive_ns_prefixes=inclusive_ns_prefixes
         )
         if self.sign_alg.name.startswith("HMAC_"):
-            signer = HMAC(key=key, algorithm=digest_algorithm_implementations[self.sign_alg]())  # type: ignore
+            signer = HMAC(key=key, algorithm=digest_algorithm_implementations[self.sign_alg]())  # type:ignore[arg-type]
             signer.update(signed_info_c14n)
             signature_value_node.text = b64encode(signer.finalize()).decode()
             sig_root.append(signature_value_node)
@@ -378,14 +378,15 @@ def _unpack(self, data, references: List[SignatureReference]):
         return sig_root, doc_root, c14n_inputs, references
 
     def _build_transforms_for_reference(self, *, transforms_node: _Element, reference: SignatureReference):
+        assert reference.c14n_method is not None
         if self.construction_method == SignatureConstructionMethod.enveloped:
             SubElement(transforms_node, ds_tag("Transform"), Algorithm=SignatureConstructionMethod.enveloped.value)
-            SubElement(transforms_node, ds_tag("Transform"), Algorithm=reference.c14n_method.value)  # type: ignore
+            SubElement(transforms_node, ds_tag("Transform"), Algorithm=reference.c14n_method.value)
         else:
             c14n_xform = SubElement(
                 transforms_node,
                 ds_tag("Transform"),
-                Algorithm=reference.c14n_method.value,  # type: ignore
+                Algorithm=reference.c14n_method.value,
             )
             if reference.inclusive_ns_prefixes:
                 SubElement(
diff --git a/signxml/util/__init__.py b/signxml/util/__init__.py
index aa8fadf..801f1d1 100644
--- a/signxml/util/__init__.py
+++ b/signxml/util/__init__.py
@@ -152,10 +152,10 @@ def bits_to_bytes_unit(num_of_bits):
 
 
 def strip_pem_header(cert):
-    try:
-        return re.search(pem_regexp, ensure_str(cert)).group(1).replace("\r", "")  # type: ignore
-    except Exception:
-        return ensure_str(cert).replace("\r", "")
+    search_res = re.search(pem_regexp, ensure_str(cert))
+    if search_res:
+        return search_res.group(1).replace("\r", "")
+    return ensure_str(cert).replace("\r", "")
 
 
 def add_pem_header(bare_base64_cert):
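Review bot: The new `assert reference.c14n_method is not None` only narrows the type for mypy; under `python -O` asserts are stripped and the `.value` access two lines further down raises AttributeError instead. The same pattern is introduced in verifier.py (`assert der_encoded_key_value.text is not None` in `_verify_signature_with_pubkey`) and xades.py (`assert signing_settings.cert_chain is not None` in `add_signing_certificate`). The verifier case is the one that matters: `der_encoded_key_value` is an element of the document being verified, so an empty `<DEREncodedKeyValue>` (lxml gives `.text` of None) should be rejected with the library's own error, `if der_encoded_key_value.text is None: raise InvalidInput("DEREncodedKeyValue element is empty")`, rather than with AssertionError or, under `-O`, a TypeError out of `b64decode`. For the signer and XAdES asserts, which guard internal state, a short comment saying where the field is guaranteed to be populated (presumably earlier in `sign`, outside this hunk) would document why the narrowing is safe. `_build_transforms_for_reference` continues past the end of the hunk.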
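Review bot: `strip_pem_header` has no docstring, and now that the no-match path is an explicit branch rather than a side effect of `except Exception`, its contract is worth stating: `"""Return the body of the first PEM block in *cert* with CRs removed, or the whole input (CRs removed) when no PEM header is found."""`. What `group(1)` captures depends on `pem_regexp`, which is defined outside the hunk, so adjust that wording if the group covers more than the base64 body. If the project's minimum Python version allows it, `if search_res := re.search(pem_regexp, ensure_str(cert)):` would fold the assignment into the test and drop a line.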
diff --git a/signxml/verifier.py b/signxml/verifier.py
index a1edb7c..a57635c 100644
--- a/signxml/verifier.py
+++ b/signxml/verifier.py
@@ -17,7 +17,7 @@
     SignatureMethod,
     digest_algorithm_implementations,
 )
-from .exceptions import InvalidCertificate, InvalidDigest, InvalidInput, InvalidSignature
+from .exceptions import InvalidCertificate, InvalidDigest, InvalidInput, InvalidSignature, SignXMLException
 from .processor import XMLSignatureProcessor
 from .util import (
     X509CertChainVerifier,
@@ -124,7 +124,8 @@ def _verify_signature_with_pubkey(
         signing_certificate: Optional[x509.Certificate] = None,
     ) -> None:
         if der_encoded_key_value is not None:
-            key = load_der_public_key(b64decode(der_encoded_key_value.text))  # type: ignore
+            assert der_encoded_key_value.text is not None
+            key = load_der_public_key(b64decode(der_encoded_key_value.text))
         elif signing_certificate is not None:
             key = signing_certificate.public_key()
         elif key_value is None:
@@ -140,7 +141,7 @@ def _verify_signature_with_pubkey(
                 x = bytes_to_long(key_data[: len(key_data) // 2])
                 y = bytes_to_long(key_data[len(key_data) // 2 :])
                 curve_class = self.known_ecdsa_curves[named_curve.get("URI")]
-                ecpn = ec.EllipticCurvePublicNumbers(x=x, y=y, curve=curve_class())  # type: ignore
+                ecpn = ec.EllipticCurvePublicNumbers(x=x, y=y, curve=curve_class())  # type: ignore[abstract]
                 key = ecpn.public_key()
             elif not isinstance(key, ec.EllipticCurvePublicKey):
                 raise InvalidInput("DER encoded key value does not match specified signature algorithm")
@@ -154,7 +155,7 @@ def _verify_signature_with_pubkey(
                 g = self._get_long(dsa_key_value, "G", require=False)
                 y = self._get_long(dsa_key_value, "Y")
                 dsapn = dsa.DSAPublicNumbers(y=y, parameter_numbers=dsa.DSAParameterNumbers(p=p, q=q, g=g))
-                key = dsapn.public_key()  # type: ignore
+                key = dsapn.public_key()
             elif not isinstance(key, dsa.DSAPublicKey):
                 raise InvalidInput("DER encoded key value does not match specified signature algorithm")
             # TODO: supply meaningful key_size_bits for signature length assertion
@@ -505,7 +506,9 @@ def validate_schema(self, signature):
                 return
             except Exception as e:
                 last_exception = e
-        raise last_exception  # type: ignore
+        if last_exception is not None:
+            raise last_exception
+        raise SignXMLException("Invalid state")
 
     def _check_key_value_matches_cert_public_key(self, key_value, public_key, signature_alg: SignatureMethod):
         if signature_alg.name.startswith("ECDSA_") and isinstance(public_key, ec.EllipticCurvePublicKey):
@@ -529,9 +532,9 @@ def _check_key_value_matches_cert_public_key(self, key_value, public_key, signat
             q = self._get_long(dsa_key_value, "Q")
             g = self._get_long(dsa_key_value, "G", require=False)
 
-            pubk_p = public_key.public_numbers().p
-            pubk_q = public_key.public_numbers().q
-            pubk_g = public_key.public_numbers().g
+            pubk_p = public_key.public_numbers().parameter_numbers.p
+            pubk_q = public_key.public_numbers().parameter_numbers.q
+            pubk_g = public_key.public_numbers().parameter_numbers.g
 
             return p == pubk_p and q == pubk_q and g == pubk_g
 
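Review bot: The new fallback `raise SignXMLException("Invalid state")` is reached only when the loop above never assigned `last_exception`, which from what the hunk shows means no schema was tried at all, and "Invalid state" tells the caller nothing about that. If that reading is right, name the condition in the message, e.g. `raise SignXMLException("No XML schema was tried when validating the signature")`, so the failure is diagnosable from the exception alone. The loop and the initialisation of `last_exception` start before the hunk, so the exact trigger should be confirmed there. Note also that `raise last_exception` surfaces only the last schema's error and discards earlier ones; that behaviour predates this commit.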
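Review bot: The corrected attribute access makes the DSA branch of `_check_key_value_matches_cert_public_key` executable for the first time, but the comparison it feeds, `return p == pubk_p and q == pubk_q and g == pubk_g`, still checks only the domain parameters p, q and g and never the public value y, so any DSA KeyValue that shares the certificate's parameters is reported as matching the certificate even when it describes a different key. DSA domain parameters are designed to be shared across keys, so this check does not establish what its name promises; add `y = self._get_long(dsa_key_value, "Y")` next to the other `_get_long` calls and extend the return to `... and y == public_key.public_numbers().y`. The same omission is in `_check_der_key_value_matches_cert_public_key` in the next hunk, where `der_public_key.public_numbers().y` is directly at hand. The old lines could not have run without raising (`DSAPublicNumbers` exposes p, q and g only via `parameter_numbers`, as the `dsa.DSAPublicNumbers(...)` construction earlier in this file shows), which suggests neither DSA branch is covered by a test; a DSA-signed document carrying both KeyValue and X509Data would exercise them. Both methods start before their hunks.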
@@ -571,13 +574,13 @@ def _check_der_key_value_matches_cert_public_key(self, der_encoded_key_value, pu
             and isinstance(der_public_key, dsa.DSAPublicKey)
             and isinstance(public_key, dsa.DSAPublicKey)
         ):
-            p = der_public_key.public_numbers().parameter_numbers().p  # type: ignore
-            q = der_public_key.public_numbers().parameter_numbers().q  # type: ignore
-            g = der_public_key.public_numbers().parameter_numbers().g  # type: ignore
+            p = der_public_key.public_numbers().parameter_numbers.p
+            q = der_public_key.public_numbers().parameter_numbers.q
+            g = der_public_key.public_numbers().parameter_numbers.g
 
-            pubk_p = public_key.public_numbers().p
-            pubk_q = public_key.public_numbers().q
-            pubk_g = public_key.public_numbers().g
+            pubk_p = public_key.public_numbers().parameter_numbers.p
+            pubk_q = public_key.public_numbers().parameter_numbers.q
+            pubk_g = public_key.public_numbers().parameter_numbers.g
 
             return p == pubk_p and q == pubk_q and g == pubk_g
 
diff --git a/signxml/xades/xades.py b/signxml/xades/xades.py
index 6e13911..01146d7 100644
--- a/signxml/xades/xades.py
+++ b/signxml/xades/xades.py
@@ -128,7 +128,7 @@ def __init__(
         self.namespaces.update(xades=namespaces.xades)
 
     @wraps(XMLSigner.sign)
-    def sign(self, data, always_add_key_value: bool = True, **kwargs) -> _Element:  # type: ignore
+    def sign(self, data, always_add_key_value: bool = True, **kwargs) -> _Element:  # type: ignore[override]
         return super().sign(data=data, always_add_key_value=always_add_key_value, **kwargs)
 
     def _get_token(self, length=4):
@@ -195,7 +195,8 @@ def add_signing_certificate(self, signed_signature_properties, sig_root, signing
         signing_cert_v2 = SubElement(
             signed_signature_properties, xades_tag("SigningCertificateV2"), nsmap=self.namespaces
         )
-        for cert in signing_settings.cert_chain:  # type: ignore
+        assert signing_settings.cert_chain is not None
+        for cert in signing_settings.cert_chain:
             if isinstance(cert, x509.Certificate):
                 loaded_cert = cert
             else:
@@ -333,7 +334,7 @@ def _verify_signed_properties(self, verify_result):
         )
         return self._find(verify_result.signed_xml, "xades:SignedSignatureProperties")
 
-    def verify(  # type: ignore
+    def verify(  # type: ignore[override]
         self,
         data,
         *,
@@ -367,7 +368,7 @@ def verify(  # type: ignore
             if verify_result.signed_xml is None:
                 continue
             if verify_result.signed_xml.tag == xades_tag("SignedProperties"):
-                verify_results[i] = XAdESVerifyResult(  # type: ignore
+                verify_results[i] = XAdESVerifyResult(  # type: ignore[misc]
                     *astuple(verify_result), signed_properties=self._verify_signed_properties(verify_result)
                 )
                 break
@@ -375,4 +376,4 @@ def verify(  # type: ignore
             raise InvalidInput("Expected to find a xades:SignedProperties element")
 
         # TODO: assert all mandatory signed properties are set
-        return verify_results  # type: ignore
+        return verify_results  # type: ignore[return-value]