Skip to content

Commit

Permalink
Allow subclasses to override signature, digest alg config checks
Browse files Browse the repository at this point in the history
  • Loading branch information
@kislyuk
kislyuk committed Aug 18, 2024
1 parent ffd7592 commit 98ac0ed
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 11 deletions.
7 changes: 0 additions & 7 deletions signxml/util/__init__.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -259,13 +259,6 @@ def _do_verify(self, cert_chain):
return result.chain[0]

def verify(self, cert_chain):
# [*] leaf, intermediates
# [*] reversed(intermediates), leaf
# if len(cert_chain) > 2:
# [ ] leaf, reversed(intermediates)
# [ ] intermediates, leaf
# for cert in cert_chain:
# eku_oid = x509.oid.ExtensionOID.EXTENDED_KEY_USAGE
try:
return self._do_verify(cert_chain)
except x509.verification.VerificationError:
Expand Down
14 changes: 10 additions & 4 deletions signxml/verifier.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -262,6 +262,14 @@ def _match_key_values(self, key_value, der_encoded_key_value, signing_cert, sign
"DEREncodedKeyValue and validate using X509Data only."
)

def check_digest_alg_expected(self, digest_alg):
if digest_alg not in self.config.digest_algorithms:
raise InvalidInput(f"Digest algorithm {digest_alg.name} forbidden by configuration")

def check_signature_alg_expected(self, signature_alg):
if signature_alg not in self.config.signature_methods:
raise InvalidInput(f"Signature method {signature_alg.name} forbidden by configuration")

def verify(
self,
data,
Expand Down Expand Up @@ -382,8 +390,7 @@ def verify(
signature_method = self._find(signed_info, "SignatureMethod")
signature_value = self._find(signature, "SignatureValue")
signature_alg = SignatureMethod(signature_method.get("Algorithm"))
if signature_alg not in self.config.signature_methods:
raise InvalidInput(f"Signature method {signature_alg.name} forbidden by configuration")
self.check_signature_alg_expected(signature_alg)
raw_signature = b64decode(signature_value.text)
x509_data = signature.find("ds:KeyInfo/ds:X509Data", namespaces=namespaces)
key_value = signature.find("ds:KeyInfo/ds:KeyValue", namespaces=namespaces)
Expand Down Expand Up @@ -490,8 +497,7 @@ def _verify_reference(self, reference, index, root, uri_resolver, c14n_algorithm
payload = self._resolve_reference(copied_root, reference, uri_resolver=uri_resolver)
payload_c14n = self._apply_transforms(payload, transforms_node=transforms, signature=copied_signature_ref)
digest_alg = DigestAlgorithm(digest_method_alg_name)
if digest_alg not in self.config.digest_algorithms:
raise InvalidInput(f"Digest algorithm {digest_alg.name} forbidden by configuration")
self.check_digest_alg_expected(digest_alg)

if b64decode(digest_value.text) != self._get_digest(payload_c14n, digest_alg):
raise InvalidDigest(f"Digest mismatch for reference {index} ({reference.get('URI')})")
Expand Down

0 comments on commit 98ac0ed

Please sign in to comment.