From 98ac0ed9e2bb046d66d256c5eb05376284bc77c3 Mon Sep 17 00:00:00 2001
From: Andrey Kislyuk <andrey.kislyuk@color.com>
Date: Sat, 17 Aug 2024 17:19:23 -0700
Subject: [PATCH] Allow subclasses to override signature, digest alg config
 checks

---
 signxml/util/__init__.py |  7 -------
 signxml/verifier.py      | 14 ++++++++++----
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/signxml/util/__init__.py b/signxml/util/__init__.py
index 0ad2595..b073b69 100644
--- a/signxml/util/__init__.py
+++ b/signxml/util/__init__.py
@@ -259,13 +259,6 @@ def _do_verify(self, cert_chain):
         return result.chain[0]
 
     def verify(self, cert_chain):
-        # [*] leaf, intermediates
-        # [*] reversed(intermediates), leaf
-        # if len(cert_chain) > 2:
-        # [ ] leaf, reversed(intermediates)
-        # [ ] intermediates, leaf
-        # for cert in cert_chain:
-        #    eku_oid = x509.oid.ExtensionOID.EXTENDED_KEY_USAGE
         try:
             return self._do_verify(cert_chain)
         except x509.verification.VerificationError:
diff --git a/signxml/verifier.py b/signxml/verifier.py
index 0ed507f..78f410e 100644
--- a/signxml/verifier.py
+++ b/signxml/verifier.py
@@ -262,6 +262,14 @@ def _match_key_values(self, key_value, der_encoded_key_value, signing_cert, sign
                     "DEREncodedKeyValue and validate using X509Data only."
                 )
 
+    def check_digest_alg_expected(self, digest_alg):
+        if digest_alg not in self.config.digest_algorithms:
+            raise InvalidInput(f"Digest algorithm {digest_alg.name} forbidden by configuration")
+
+    def check_signature_alg_expected(self, signature_alg):
+        if signature_alg not in self.config.signature_methods:
+            raise InvalidInput(f"Signature method {signature_alg.name} forbidden by configuration")
+
     def verify(
         self,
         data,
@@ -382,8 +390,7 @@ def verify(
         signature_method = self._find(signed_info, "SignatureMethod")
         signature_value = self._find(signature, "SignatureValue")
         signature_alg = SignatureMethod(signature_method.get("Algorithm"))
-        if signature_alg not in self.config.signature_methods:
-            raise InvalidInput(f"Signature method {signature_alg.name} forbidden by configuration")
+        self.check_signature_alg_expected(signature_alg)
         raw_signature = b64decode(signature_value.text)
         x509_data = signature.find("ds:KeyInfo/ds:X509Data", namespaces=namespaces)
         key_value = signature.find("ds:KeyInfo/ds:KeyValue", namespaces=namespaces)
@@ -490,8 +497,7 @@ def _verify_reference(self, reference, index, root, uri_resolver, c14n_algorithm
         payload = self._resolve_reference(copied_root, reference, uri_resolver=uri_resolver)
         payload_c14n = self._apply_transforms(payload, transforms_node=transforms, signature=copied_signature_ref)
         digest_alg = DigestAlgorithm(digest_method_alg_name)
-        if digest_alg not in self.config.digest_algorithms:
-            raise InvalidInput(f"Digest algorithm {digest_alg.name} forbidden by configuration")
+        self.check_digest_alg_expected(digest_alg)
 
         if b64decode(digest_value.text) != self._get_digest(payload_c14n, digest_alg):
             raise InvalidDigest(f"Digest mismatch for reference {index} ({reference.get('URI')})")