XML-Security / signxml

Python XML Signature and XAdES library

Home Page:https://xml-security.github.io/signxml/


Signed payload is not valid when using signxml but xmlsec one is valid

vnkrish90 opened this issue · comments

I used this code to generate the signature for signing the payload. You can consider this issue an extension of #171

from xml.etree import ElementTree
import signxml

from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.hazmat.backends import default_backend

cert_bytes = open("certs/test.pfx", "rb").read()
(private_key, certificate, additional_certificates) = pkcs12.load_key_and_certificates(data=cert_bytes, password="pwdtest".encode(), backend=default_backend())
data = open("payload.xml", encoding="UTF-8").read()
root = ElementTree.fromstring(data)
signer = signxml.XMLSigner(method=signxml.methods.enveloped,
                           signature_algorithm="rsa-sha1",
                           digest_algorithm="sha1",
                           c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")

signed_info = signer.sign(data=root,
                          key=private_key,
                          cert=[certificate],
                          reference_uri="#Body")
print(ElementTree.tostring(signed_info))

But the signed payload is not correct; I end up with either a "signature verification failed" error or an error message asking to check the signature. When I used xmlsec, it generated the signature properly. But I have to use signxml as it does not have platform dependencies. I have attached both XML output files here.

files.zip

And the payload here
payload.txt

I see the Issuer details tag is missing in the signxml-generated output document, and there are two Reference URIs (each with a digest method and value) in the xmlsec-generated output but only one in the signxml one. How can I make signxml generate and verify the signature so that I can successfully make the SOA API invocation?

XMLSec code: Ref https://github.com/orcasgit/py-wsse/blob/ff4fea90687606af31d4b31cbdb3e753154299a4/wsse/signing.py#L19

wsse = signing.sign(envelope=envelope, keyfile=key_path, certfile=cert_path)
signing.verify(envelope=wsse.decode(), certfile=cert_path)

I would appreciate any help on this from anyone/@kislyuk

Thanks for your report. Can you clarify how you determined that the signed payload is "not valid"? Also, when I run the code that you supplied on the "payload.txt" file, I get signxml.exceptions.InvalidInput: Unable to resolve reference URI: #Body - but you must have gotten past that error, since you got signxml to produce a signature. Can you provide a complete reproduction?
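The "Unable to resolve reference URI: #Body" error above means the envelope passed to the signer has no element carrying the Id that `reference_uri` points at. The following added check (not code from the issue or from the signxml project) resolves a same-document reference the way a practitioner would want to confirm before signing; the list of attribute names it treats as identifiers and the sample SOAP envelope are assumptions constructed for the example.

```python
# Added example, not part of the issue thread or of signxml itself:
# a pre-flight check that a same-document reference such as "#Body"
# actually points at an element in the envelope. Standard library only.
from xml.etree import ElementTree

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XML_NS = "http://www.w3.org/XML/1998/namespace"
# Attribute names treated as element identifiers (an assumption of this check,
# not a statement about how signxml resolves references internally).
ID_ATTRS = ("Id", "ID", "id", f"{{{WSU_NS}}}Id", f"{{{XML_NS}}}id")

# Constructed sample SOAP envelope whose Body carries wsu:Id="Body".
ENVELOPE_WITH_ID = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsu="%s">
  <soapenv:Header/>
  <soapenv:Body wsu:Id="Body"><ping>hello</ping></soapenv:Body>
</soapenv:Envelope>""" % WSU_NS

# Same envelope with the Id attribute removed: "#Body" cannot resolve here.
ENVELOPE_WITHOUT_ID = ENVELOPE_WITH_ID.replace(' wsu:Id="Body"', "")


def resolve_reference(xml_text: str, reference_uri: str):
    """Return the element a same-document reference ("#id") points at, or None."""
    if not reference_uri.startswith("#"):
        raise ValueError("only same-document references of the form #id are handled")
    wanted = reference_uri[1:]
    root = ElementTree.fromstring(xml_text)
    for elem in root.iter():  # includes the root element itself
        for attr in ID_ATTRS:
            if elem.get(attr) == wanted:
                return elem
    return None


def check_envelope(xml_text: str, reference_uri: str = "#Body") -> str:
    """Return the local name of the referenced element; raise if it is missing."""
    elem = resolve_reference(xml_text, reference_uri)
    if elem is None:
        raise ValueError(f"Unable to resolve reference URI: {reference_uri}")
    return elem.tag.split("}")[-1]  # strip the {namespace} prefix


if __name__ == "__main__":
    print(check_envelope(ENVELOPE_WITH_ID))  # Body
    try:
        check_envelope(ENVELOPE_WITHOUT_ID)
    except ValueError as err:
        print(err)
```

Run the check on the real envelope before calling `signer.sign(..., reference_uri="#Body")`; if it raises, the document needs a `wsu:Id` (or plain `Id`) attribute on the Body element first.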

@kislyuk Just change the method to signxml.methods.detached in signxml.XMLSigner. Also, we have the server (which returns the "signature verification error"/"Please check the signature" error) that validates the XML with the signature in it. Also, signxml.XMLVerifier() cannot verify the signed data.

Note: Regarding reproduction, I cannot attach the .pfx certificate due to security concerns.

from xml.etree import ElementTree
import signxml

from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.hazmat.backends import default_backend

cert_bytes = open("certs/test.pfx", "rb").read()
(private_key, certificate, additional_certificates) = pkcs12.load_key_and_certificates(data=cert_bytes, password="pwdtest".encode(), backend=default_backend())
data = open("payload.xml", encoding="UTF-8").read()
root = ElementTree.fromstring(data)
signer = signxml.XMLSigner(method=signxml.methods.detached,
                           signature_algorithm="rsa-sha1",
                           digest_algorithm="sha1",
                           c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")

signed_info = signer.sign(data=root,
                          key=private_key,
                          cert=[certificate],
                          reference_uri="#Body")
print(ElementTree.tostring(signed_info))

@kislyuk I am able to generate the correct signature that is verified with XMLVerifier(); I posted the answer here: https://stackoverflow.com/a/74124973/8293736. This is awesome, I'm able to generate the signature using signxml with 10 lines of code.