diff --git a/cl_sii/libs/xml_utils.py b/cl_sii/libs/xml_utils.py
index f204bc26..f378bd08 100644
--- a/cl_sii/libs/xml_utils.py
+++ b/cl_sii/libs/xml_utils.py
@@ -30,7 +30,9 @@
 import defusedxml.lxml
 import lxml.etree
 import signxml
+import signxml.algorithms
 import signxml.exceptions
+import signxml.verifier
 from lxml.etree import ElementBase as XmlElement
 from lxml.etree import XMLSchema as XmlSchema
 from lxml.etree import ( # note: 'lxml.etree.ElementTree' is a **function**, not a class. # noqa: E501
@@ -478,12 +480,17 @@ def verify_xml_signature(
 #
 # Source:
 # https://github.com/XML-Security/signxml/commit/ef15da8dbb904f1dedfdd210ae3e0df5da535612
- result: signxml.VerifyResult = xml_verifier.verify(
+ result = xml_verifier.verify(
 data=tmp_bytes,
 require_x509=True,
 x509_cert=trusted_x509_cert_open_ssl,
 ignore_ambiguous_key_info=True,
+ expect_config=signxml.verifier.SignatureConfiguration(
+ signature_methods=frozenset([signxml.algorithms.SignatureMethod.RSA_SHA1]),
+ digest_algorithms=frozenset([signxml.algorithms.DigestAlgorithm.SHA1]),
+ ),
 )
+ assert isinstance(result, signxml.VerifyResult)
 except signxml.exceptions.InvalidDigest as exc:
 # warning: catch before 'InvalidSignature' (it is the parent of 'InvalidDigest').
diff --git a/cl_sii/rtc/xml_utils.py b/cl_sii/rtc/xml_utils.py
index 82fac86a..3c5e4dc9 100644
--- a/cl_sii/rtc/xml_utils.py
+++ b/cl_sii/rtc/xml_utils.py
@@ -4,6 +4,7 @@
 from typing import Any, ClassVar, Optional
 import signxml
+import signxml.util
 from cl_sii.dte.parse import DTE_XMLNS_MAP
 from cl_sii.libs import crypto_utils, xml_utils
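Review bot: The new `expect_config` in the `verify_xml_signature` hunk admits only RSA-SHA1 signatures and SHA-1 digests, and nothing in the hunk records why a deprecated hash is being explicitly allowed or what happens to documents signed with anything else; in signxml 3 this configuration is an allow-list, so a document signed with RSA-SHA256, which the old call accepted, now fails verification. If the set is pinned to SHA-1 because the issuing authority still produces RSA-SHA1 signatures, say so next to the config, e.g. `# Issuer-produced signatures are still RSA-SHA1; signxml 3 rejects SHA-1 unless allowed explicitly. Widening this set is a security decision, not a compatibility fix.`, and decide deliberately whether RSA_SHA256/SHA256 should be admitted alongside so a signer upgrade does not break verification. The added `assert isinstance(result, signxml.VerifyResult)` only narrows the type for the checker and is dropped under `python -O`, which is fine as long as nothing downstream treats it as validation. `verify_xml_signature` starts before this hunk and its `except` chain continues after it.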
@@ -29,10 +30,10 @@ def _get_signature(self, root: Any) -> object:
 f'Only XML element {self.AEC_XML_ELEMENT_TAG!r} is supported. Found: {root.tag!r}',
 )
- if root.tag == signxml.ds_tag("Signature"):
+ if root.tag == signxml.util.ds_tag("Signature"):
 return root
 else:
- return self._find(root, "Signature", anywhere=False)
+ return self._find(root, "Signature")
 ###############################################################################
diff --git a/requirements.in b/requirements.in
index 30db7fa5..e7aae973 100644
--- a/requirements.in
+++ b/requirements.in
@@ -16,4 +16,4 @@ marshmallow==3.19.0
 pydantic==1.10.4
 pyOpenSSL==23.0.0
 pytz==2022.7.1
-signxml==2.10.1
+signxml==3.1.0
diff --git a/requirements.txt b/requirements.txt
index 78ca53c2..1421071b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -27,7 +27,7 @@ djangorestframework==3.14.0
 # via -r requirements.in
 importlib-metadata==1.6.0
 # via -r requirements.in
-importlib-resources==5.10.2
+importlib-resources==5.12.0
 # via jsonschema
 jsonschema==4.17.3
 # via -r requirements.in
@@ -56,7 +56,7 @@ pytz==2022.7.1
 # -r requirements.in
 # django
 # djangorestframework
-signxml==2.10.1
+signxml==3.1.0
 # via -r requirements.in
 sqlparse==0.4.2
 # via django
diff --git a/tests/test_libs_xml_utils.py b/tests/test_libs_xml_utils.py
index ab2a453e..2ab5c33c 100644
--- a/tests/test_libs_xml_utils.py
+++ b/tests/test_libs_xml_utils.py
@@ -267,7 +267,10 @@ def test_fail_signed_data_modified(self) -> None:
 with self.assertRaises(XmlSignatureUnverified) as cm:
 verify_xml_signature(xml_doc, trusted_x509_cert=cert)
- self.assertEqual(cm.exception.args, ("Digest mismatch for reference 0",))
+ self.assertEqual(
+ cm.exception.args,
+ ("Digest mismatch for reference 0 (#MiPE76354771-13419)",),
+ )
 def test_xml_doc_without_signature_1(self) -> None:
 xml_doc = parse_untrusted_xml(self.without_signature)
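Review bot: Dropping `anywhere=False` from `self._find(root, "Signature")` in `_get_signature` makes the lookup scope depend on the default of a signxml-internal helper, exactly the kind of detail that changed in this upgrade; if that default is ever a descendant search, the first `ds:Signature` returned could be one nested inside the document rather than the AEC's own, and the wrong signature would be verified. Keep the intent visible with a line such as `# direct child only: the AEC may wrap other signed elements carrying their own ds:Signature` above the call, or pass the keyword again if signxml 3.1's `_find` still accepts it. `_find` and `signxml.util.ds_tag` are not public signxml API, so the exact version pin in requirements is load-bearing for this method and deserves a note saying so. `_get_signature` starts before this hunk.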
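Review bot: The rewritten assertion in `test_fail_signed_data_modified` pins the full text of a message formatted inside signxml, `"Digest mismatch for reference 0 (#MiPE76354771-13419)"`, and this hunk exists only because that wording changed across a library upgrade. The test needs to establish that verification failed on the digest of reference 0, not how signxml spells it, so a prefix check such as `self.assertTrue(cm.exception.args[0].startswith("Digest mismatch for reference 0"))` keeps it tied to behaviour rather than to third-party formatting. `test_fail_signed_data_modified` starts before this hunk.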