XAdESVerifier verify CertDigest by index #247

wants to merge 11 commits into
base: develop
36 changes: 20 additions & 16 deletions signxml/xades/xades.py
Expand Up @@ -272,8 +272,9 @@ class XAdESVerifier(XAdESProcessor, XMLVerifier):
def _verify_signing_time(self, verify_result: VerifyResult):
pass

def _verify_cert_digest(self, signing_cert_node, expect_cert):
for cert in self._findall(signing_cert_node, "xades:Cert"):
def _verify_cert_digest(self, signing_cert_node, expect_cert, idx):
cert = self._find(signing_cert_node, "xades:Cert[{0}]".format(idx), False)
if cert is not None:
cert_digest = self._find(cert, "xades:CertDigest")
digest_alg = DigestAlgorithm(self._find(cert_digest, "DigestMethod").get("Algorithm"))
digest_value = self._find(cert_digest, "DigestValue")
Expand All @@ -285,20 +286,23 @@ def _verify_cert_digest(self, signing_cert_node, expect_cert):

def _verify_cert_digests(self, verify_result: VerifyResult):
x509_data = verify_result.signature_xml.find("ds:KeyInfo/ds:X509Data", namespaces=namespaces)
cert_from_key_info = load_certificate(
FILETYPE_PEM, add_pem_header(self._find(x509_data, "X509Certificate").text)
)
signed_signature_props = self._find(verify_result.signed_xml, "xades:SignedSignatureProperties")
signing_cert = self._find(signed_signature_props, "xades:SigningCertificate", require=False)
signing_cert_v2 = self._find(signed_signature_props, "xades:SigningCertificateV2", require=False)
if signing_cert is None and signing_cert_v2 is None:
raise InvalidInput("Expected to find XML element xades:SigningCertificate or xades:SigningCertificateV2")
if signing_cert is not None and signing_cert_v2 is not None:
raise InvalidInput("Expected to find exactly one of xades:SigningCertificate or xades:SigningCertificateV2")
if signing_cert is not None:
self._verify_cert_digest(signing_cert, expect_cert=cert_from_key_info)
elif signing_cert_v2 is not None:
self._verify_cert_digest(signing_cert_v2, expect_cert=cert_from_key_info)
for idx, x_cert in enumerate(self._findall(x509_data, "X509Certificate")):
cert_from_key_info = load_certificate(FILETYPE_PEM, add_pem_header(x_cert.text))
signed_signature_props = self._find(verify_result.signed_xml, "xades:SignedSignatureProperties")
signing_cert = self._find(signed_signature_props, "xades:SigningCertificate", require=False)
signing_cert_v2 = self._find(signed_signature_props, "xades:SigningCertificateV2", require=False)
if signing_cert is None and signing_cert_v2 is None:
raise InvalidInput(
"Expected to find XML element xades:SigningCertificate or xades:SigningCertificateV2"
)
if signing_cert is not None and signing_cert_v2 is not None:
raise InvalidInput(
"Expected to find exactly one of xades:SigningCertificate or xades:SigningCertificateV2"
)
if signing_cert is not None:
self._verify_cert_digest(signing_cert, expect_cert=cert_from_key_info, idx=(idx + 1))
elif signing_cert_v2 is not None:
self._verify_cert_digest(signing_cert_v2, expect_cert=cert_from_key_info, idx=(idx + 1))

def _verify_signature_policy(self, verify_result: VerifyResult, expect_signature_policy: XAdESSignaturePolicy):
signed_signature_props = self._find(verify_result.signed_xml, "xades:SignedSignatureProperties")
1 change: 0 additions & 1 deletion test/test.py
Expand Up @@ -740,7 +740,6 @@ def test_xades_interop_examples(self):
"corrupted-cert": etree.DocumentInvalid, # FIXME - flaky validation
"cert-v2-wrong-digest": InvalidDigest,
"wrong-sign-cert-digest": InvalidDigest,
"nonconformant-X_BE_CONN_10": InvalidDigest,
"sigPolStore-noDigest": InvalidInput,
}
for sig_file in glob(os.path.join(os.path.dirname(__file__), "xades", "*.xml")):