diff --git a/README.rst b/README.rst index aa73127..8682be4 100644 --- a/README.rst +++ b/README.rst @@ -58,8 +58,8 @@ SignXML uses the `lxml ElementTree API `_ to work from signxml import XMLSigner, XMLVerifier data_to_sign = "" - cert = open("example.pem").read() - key = open("example.key").read() + cert = open("cert.pem").read() + key = open("privkey.pem").read() root = etree.fromstring(data_to_sign) signed_root = XMLSigner().sign(root, key=key, cert=cert) verified_data = XMLVerifier().verify(signed_root).signed_xml @@ -67,7 +67,7 @@ SignXML uses the `lxml ElementTree API `_ to work To make this example self-sufficient for test purposes: - Generate a test certificate and key using - ``openssl req -x509 -sha256 -nodes -subj "/CN=test" -days 1 -newkey rsa:2048 -keyout example.key -out example.pem`` + ``openssl req -x509 -nodes -subj "/CN=test" -days 1 -newkey rsa:2048 > cert.pem`` (run ``yum install openssl`` on Red Hat). - Pass the ``x509_cert=cert`` keyword argument to ``XMLVerifier.verify()``. (In production, ensure this is replaced with the correct configuration for the trusted CA or certificate - this determines which signatures your application trusts.) diff --git a/signxml/algorithms.py b/signxml/algorithms.py index 660ea8d..fb21102 100644 --- a/signxml/algorithms.py +++ b/signxml/algorithms.py @@ -151,9 +151,8 @@ class CanonicalizationMethod(InvalidInputErrorMixin, Enum): CANONICAL_XML_1_0 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" CANONICAL_XML_1_0_WITH_COMMENTS = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" - CANONICAL_XML_1_1 = "http://www.w3.org/2006/12/xmlc14n11#" - CANONICAL_XML_1_1_DEPRECATED_URI = "http://www.w3.org/2006/12/xml-c14n11" - CANONICAL_XML_1_1_WITH_COMMENTS = "http://www.w3.org/2006/12/xmlc14n11#WithComments" + CANONICAL_XML_1_1 = "http://www.w3.org/2006/12/xml-c14n11" + CANONICAL_XML_1_1_WITH_COMMENTS = "http://www.w3.org/2006/12/xml-c14n11#WithComments" EXCLUSIVE_XML_CANONICALIZATION_1_0 = "http://www.w3.org/2001/10/xml-exc-c14n#" EXCLUSIVE_XML_CANONICALIZATION_1_0_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments" diff --git a/signxml/processor.py b/signxml/processor.py index 557ae95..1903b36 100644 --- a/signxml/processor.py +++ b/signxml/processor.py @@ -140,7 +140,9 @@ def _c14n(self, nodes, algorithm: CanonicalizationMethod, inclusive_ns_prefixes= def _resolve_reference(self, doc_root, reference, uri_resolver=None): uri = reference.get("URI") - if not uri: + if uri is None: + raise InvalidInput("References without URIs are not supported") + elif uri == "": return doc_root elif uri.startswith("#xpointer("): raise InvalidInput("XPointer references are not supported") diff --git a/signxml/verifier.py b/signxml/verifier.py index e2b5796..b35cb9b 100644 --- a/signxml/verifier.py +++ b/signxml/verifier.py @@ -294,8 +294,10 @@ def verify( ``resolve_entities=False``. See https://lxml.de/FAQ.html#how-do-i-use-lxml-safely-as-a-web-service-endpoint. :type parser: :class:`lxml.etree.XMLParser` compatible parser :param uri_resolver: - Function to use to resolve reference URIs that don't start with "#". The function is called with a single - string argument containing the URI to be resolved, and is expected to return a lxml.etree node or string. + Function to use to resolve reference URIs that are not empty and don't start with "#" (such references are + only expected in detached signatures; if you don't expect such signatures, leave this unset to prevent them + from validating). The function is called with a single string argument containing the URI to be resolved, + and is expected to return a :class:`lxml.etree._Element` node or bytes. :param id_attribute: Name of the attribute whose value ``URI`` refers to. By default, SignXML will search for "Id", then "ID". :param expect_config: