From f0e64bd841287a35e2e5d6fdd6d4b832727c83e8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Mar 2023 12:55:12 +0000 Subject: [PATCH 1/2] chore(deps): Bump signxml from 2.10.1 to 3.1.0 Bumps [signxml](https://github.com/kislyuk/signxml) from 2.10.1 to 3.1.0. - [Release notes](https://github.com/kislyuk/signxml/releases) - [Changelog](https://github.com/XML-Security/signxml/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/signxml/compare/v2.10.1...v3.1.0) --- updated-dependencies: - dependency-name: signxml dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- requirements.in | 2 +- requirements.txt | 10 ++-------- 2 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/requirements.in b/requirements.in
index 30db7fa5..e7aae973 100644
--- a/requirements.in
+++ b/requirements.in
@@ -16,4 +16,4 @@ marshmallow==3.19.0
 pydantic==1.10.4
 pyOpenSSL==23.0.0
 pytz==2022.7.1
-signxml==2.10.1
+signxml==3.1.0
diff --git a/requirements.txt b/requirements.txt
index 78ca53c2..a21fa5f7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -27,8 +27,6 @@ djangorestframework==3.14.0
 # via -r requirements.in
 importlib-metadata==1.6.0
 # via -r requirements.in
-importlib-resources==5.10.2
- # via jsonschema
 jsonschema==4.17.3
 # via -r requirements.in
 lxml==4.9.2
@@ -39,8 +37,6 @@ marshmallow==3.19.0
 # via -r requirements.in
 packaging==23.0
 # via marshmallow
-pkgutil-resolve-name==1.3.10
- # via jsonschema
 pycparser==2.20
 # via cffi
 pydantic==1.10.4
@@ -56,13 +52,11 @@ pytz==2022.7.1
 # -r requirements.in
 # django
 # djangorestframework
-signxml==2.10.1
+signxml==3.1.0
 # via -r requirements.in
 sqlparse==0.4.2
 # via django
 typing-extensions==4.3.0
 # via pydantic
 zipp==3.8.1
- # via
- # importlib-metadata
- # importlib-resources
+ # via importlib-metadata
From 321cb97575ed1ddcb1aaba398a604879fde09a8e Mon Sep 17 00:00:00 2001
From: Samuel Villegas Date: Mon, 13 Mar 2023 11:32:15 -0300 Subject: [PATCH 2/2] chore: Add `expect_config` to `verify_xml_signature` method At version `3.0.1` SHA1 was deprecated, so it is necessary to specify the signature configuration Ref: https://github.com/XML-Security/signxml/releases/tag/v3.0.1 --- cl_sii/libs/xml_utils.py | 9 ++++++++- cl_sii/rtc/xml_utils.py | 5 +++-- requirements.txt | 8 +++++++- tests/test_libs_xml_utils.py | 5 ++++- 4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/cl_sii/libs/xml_utils.py b/cl_sii/libs/xml_utils.py
index f204bc26..f378bd08 100644
--- a/cl_sii/libs/xml_utils.py
+++ b/cl_sii/libs/xml_utils.py
@@ -30,7 +30,9 @@ import defusedxml.lxml
 import lxml.etree
 import signxml
+import signxml.algorithms
 import signxml.exceptions
+import signxml.verifier
 from lxml.etree import ElementBase as XmlElement
 from lxml.etree import XMLSchema as XmlSchema
 from lxml.etree import ( # note: 'lxml.etree.ElementTree' is a **function**, not a class. # noqa: E501
@@ -478,12 +480,17 @@ def verify_xml_signature(
 #
 # Source:
 # https://github.com/XML-Security/signxml/commit/ef15da8dbb904f1dedfdd210ae3e0df5da535612
- result: signxml.VerifyResult = xml_verifier.verify(
+ result = xml_verifier.verify(
 data=tmp_bytes,
 require_x509=True,
 x509_cert=trusted_x509_cert_open_ssl,
 ignore_ambiguous_key_info=True,
+ expect_config=signxml.verifier.SignatureConfiguration(
+ signature_methods=frozenset([signxml.algorithms.SignatureMethod.RSA_SHA1]),
+ digest_algorithms=frozenset([signxml.algorithms.DigestAlgorithm.SHA1]),
+ ),
 )
+ assert isinstance(result, signxml.VerifyResult)
 except signxml.exceptions.InvalidDigest as exc:
 # warning: catch before 'InvalidSignature' (it is the parent of 'InvalidDigest').
diff --git a/cl_sii/rtc/xml_utils.py b/cl_sii/rtc/xml_utils.py
index 82fac86a..3c5e4dc9 100644
--- a/cl_sii/rtc/xml_utils.py
+++ b/cl_sii/rtc/xml_utils.py
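Review bot: The added `expect_config` restricts verification to exactly RSA-SHA1 signatures and SHA1 digests, so a document signed with a stronger method such as RSA-SHA256 is now rejected outright, which the previous library default presumably accepted; if that narrowing is intended it deserves a comment, otherwise the sets should also list the stronger algorithms, e.g. `signature_methods=frozenset([SignatureMethod.RSA_SHA1, SignatureMethod.RSA_SHA256])` and likewise `DigestAlgorithm.SHA256`. SHA1 is precisely what signxml 3 dropped from its defaults (per the commit message), so opting back in is a trust decision that should be stated at the call site, e.g. `# signxml 3.x rejects SHA1 by default; opt in explicitly because the documents this library verifies are signed with RSA-SHA1/SHA1 — keep this list as narrow as the issuers require`. The `assert isinstance(result, signxml.VerifyResult)` on the new side is stripped under `python -O`; since it only narrows the type for the checker, a comment saying so (or `typing.cast`) would make that intent clear. verify_xml_signature and its enclosing try/except both start and end outside the hunk.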
@@ -4,6 +4,7 @@ from typing import Any, ClassVar, Optional
 import signxml
+import signxml.util
 from cl_sii.dte.parse import DTE_XMLNS_MAP
 from cl_sii.libs import crypto_utils, xml_utils
@@ -29,10 +30,10 @@ def _get_signature(self, root: Any) -> object:
 f'Only XML element {self.AEC_XML_ELEMENT_TAG!r} is supported. Found: {root.tag!r}',
 )
- if root.tag == signxml.ds_tag("Signature"):
+ if root.tag == signxml.util.ds_tag("Signature"):
 return root
 else:
- return self._find(root, "Signature", anywhere=False)
+ return self._find(root, "Signature")
 ###############################################################################
diff --git a/requirements.txt b/requirements.txt
index a21fa5f7..1421071b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -27,6 +27,8 @@ djangorestframework==3.14.0
 # via -r requirements.in
 importlib-metadata==1.6.0
 # via -r requirements.in
+importlib-resources==5.12.0
+ # via jsonschema
 jsonschema==4.17.3
 # via -r requirements.in
 lxml==4.9.2
@@ -37,6 +39,8 @@ marshmallow==3.19.0
 # via -r requirements.in
 packaging==23.0
 # via marshmallow
+pkgutil-resolve-name==1.3.10
+ # via jsonschema
 pycparser==2.20
 # via cffi
 pydantic==1.10.4
@@ -59,4 +63,6 @@ sqlparse==0.4.2
 typing-extensions==4.3.0
 # via pydantic
 zipp==3.8.1
- # via importlib-metadata
+ # via
+ # importlib-metadata
+ # importlib-resources
diff --git a/tests/test_libs_xml_utils.py b/tests/test_libs_xml_utils.py
index ab2a453e..2ab5c33c 100644
--- a/tests/test_libs_xml_utils.py
+++ b/tests/test_libs_xml_utils.py
@@ -267,7 +267,10 @@ def test_fail_signed_data_modified(self) -> None:
 with self.assertRaises(XmlSignatureUnverified) as cm:
 verify_xml_signature(xml_doc, trusted_x509_cert=cert)
- self.assertEqual(cm.exception.args, ("Digest mismatch for reference 0",))
+ self.assertEqual(
+ cm.exception.args,
+ ("Digest mismatch for reference 0 (#MiPE76354771-13419)",),
+ )
 def test_xml_doc_without_signature_1(self) -> None:
 xml_doc = parse_untrusted_xml(self.without_signature)
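Review bot: The new `return self._find(root, "Signature")` drops the `anywhere=False` keyword with no comment, and `_find` is a private signxml helper whose signature appears to have changed between the pinned versions, so the next reader cannot tell whether the keyword was removed upstream or merely left at its default; a one-line comment such as `# signxml 3.x: '_find' no longer accepts 'anywhere' — confirm against the pinned version` would settle it, worded once the actual 3.1.0 signature is checked. The same note applies to the `signxml.util.ds_tag` rename on the line above, since both depend on internals that can move again on the next bump. _get_signature starts outside the hunk.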
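Review bot: The updated assertion pins signxml's full message text, including the reference URI `#MiPE76354771-13419`, so any future change in upstream wording breaks this test even when the failure mode this library exposes is unchanged; asserting on the stable prefix, `self.assertTrue(cm.exception.args[0].startswith("Digest mismatch for reference 0"))`, or on the exception type alone keeps the test about this library's behaviour rather than signxml's formatting. test_fail_signed_data_modified starts outside the hunk.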