Coder Social home page Coder Social logo

schlenk / signxml Goto Github PK

View Code? Open in Web Editor NEW

This project forked from xml-security/signxml

0.0 2.0 0.0 331 KB

Python XML Signature library

Home Page: https://signxml.readthedocs.org/

License: Apache License 2.0

Makefile 0.93% Python 97.51% XSLT 1.57%

signxml's Introduction

SignXML: XML Signature in Python

SignXML is an implementation of the W3C XML Signature standard in Python (both "Second Edition" and Version 1.1). This standard (also known as XMLDSig and RFC 3275) is used to provide payload security in SAML 2.0, among other uses. SignXML implements all of the required components of the standard, and most recommended ones. Its features are:

  • Use of defusedxml.lxml to defend against common XML-based attacks when verifying signatures
  • Extensions to allow signing with and verifying X.509 certificate chains, including hostname/CN validation
  • Support for exclusive XML canonicalization with inclusive prefixes (InclusiveNamespaces PrefixList, required to verify signatures generated by some SAML implementations)
  • Modern Python compatibility (2.7-3.4+ and PyPy)
  • Well-supported, portable, reliable dependencies: lxml, defusedxml, cryptography, eight, pyOpenSSL
  • Comprehensive testing (including the XMLDSig interoperability suite) and continuous integration
  • Simple interface with useful defaults
  • Compactness, readability, and extensibility

Installation

pip install signxml

Note: SignXML depends on lxml and cryptography, which in turn depend on OpenSSL, LibXML, and Python tools to interface with them. On Ubuntu, you can install those with:

apt-get install python-dev libxml2-dev libxslt1-dev libssl-dev python-cffi

Ubuntu 12.04: python-cffi is not available on 12.04. Use apt-get install libffi-dev followed by pip install cffi.

Synopsis

SignXML uses the ElementTree API (also supported by lxml) to work with XML data.

from signxml import xmldsig

cert = open("example.pem").read()
key = open("example.key").read()
root = ElementTree.fromstring(signature_data)
xmldsig(root).sign(key=key, cert=cert)
verified_data = xmldsig(root).verify()

Verifying SAML assertions

Assuming metadata.xml contains SAML metadata for the assertion source:

from lxml import etree
from base64 import b64decode
from signxml import xmldsig

with open("metadata.xml", "rb") as fh:
    cert = etree.parse(fh).find("//ds:X509Certificate").text

assertion_data = xmldsig(b64decode(assertion_body)).verify(x509_cert=cert)

Signing SAML assertions

The SAML assertion schema specifies a location for the enveloped XML signature (between <Issuer> and <Subject>). To sign a SAML assertion in a schema-compliant way, insert a signature placeholder tag at that location before calling xmldsig: <ds:Signature Id="placeholder"></ds:Signature>.

See what is signed

It is important to understand and follow the best practice rule of "See what is signed" when verifying XML signatures. The gist of this rule is: if your application neglects to verify that the information it trusts is what was actually signed, the attacker can supply a valid signature but point you to malicious data that wasn't signed by that signature.

In SignXML, you can ensure that the information signed is what you expect to be signed by only trusting the data returned by the verify() method. The return value is the XML node or string that was signed.

Recommended reading: http://www.w3.org/TR/xmldsig-bestpractices/#practices-applications

Detached signatures

The XML Signature specification requires support of detached signatures, where the signature document refers (in <Reference URI="...">) to an external document. SignXML does not support generating detached signatures. To verify a detached signature, pass a resolver callable to the xmldsig.verify() method.

See the API documentation for more.

Authors

  • Andrey Kislyuk

Links

Bugs

Please report bugs, issues, feature requests, etc. on GitHub.

License

Licensed under the terms of the Apache License, Version 2.0.

image

image

image

image

image

image

signxml's People

Contributors

kislyuk avatar

Watchers

James Cloos avatar Michael Schlenker avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.