cordada · svillegas-cdd · Mar 13, 2023 · Mar 13, 2023 · Mar 13, 2023
@@ -30,7 +30,9 @@
 import defusedxml.lxml
 import lxml.etree
 import signxml
+import signxml.algorithms
 import signxml.exceptions
+import signxml.verifier
 from lxml.etree import ElementBase as XmlElement
 from lxml.etree import XMLSchema as XmlSchema
 from lxml.etree import (  # note: 'lxml.etree.ElementTree' is a **function**, not a class.  # noqa: E501
@@ -478,12 +480,17 @@ def verify_xml_signature(
         #
         #   Source:
         #   https://github.com/XML-Security/signxml/commit/ef15da8dbb904f1dedfdd210ae3e0df5da535612
-        result: signxml.VerifyResult = xml_verifier.verify(
+        result = xml_verifier.verify(
             data=tmp_bytes,
             require_x509=True,
             x509_cert=trusted_x509_cert_open_ssl,
             ignore_ambiguous_key_info=True,
+            expect_config=signxml.verifier.SignatureConfiguration(
+                signature_methods=frozenset([signxml.algorithms.SignatureMethod.RSA_SHA1]),
+                digest_algorithms=frozenset([signxml.algorithms.DigestAlgorithm.SHA1]),
+            ),
         )
+        assert isinstance(result, signxml.VerifyResult)
 
     except signxml.exceptions.InvalidDigest as exc:
         # warning: catch before 'InvalidSignature' (it is the parent of 'InvalidDigest').

@@ -4,6 +4,7 @@
 from typing import Any, ClassVar, Optional
 
 import signxml
+import signxml.util
 
 from cl_sii.dte.parse import DTE_XMLNS_MAP
 from cl_sii.libs import crypto_utils, xml_utils
@@ -29,10 +30,10 @@ def _get_signature(self, root: Any) -> object:
                 f'Only XML element {self.AEC_XML_ELEMENT_TAG!r} is supported. Found: {root.tag!r}',
             )
 
-        if root.tag == signxml.ds_tag("Signature"):
+        if root.tag == signxml.util.ds_tag("Signature"):
             return root
         else:
-            return self._find(root, "Signature", anywhere=False)
+            return self._find(root, "Signature")
 
 
 ###############################################################################

diff --git a/requirements.in b/requirements.in
@@ -16,4 +16,4 @@ marshmallow==3.19.0
 pydantic==1.10.4
 pyOpenSSL==23.0.0
 pytz==2022.7.1
-signxml==2.10.1
+signxml==3.1.0
diff --git a/requirements.txt b/requirements.txt
@@ -27,7 +27,7 @@ djangorestframework==3.14.0
     # via -r requirements.in
 importlib-metadata==1.6.0
     # via -r requirements.in
-importlib-resources==5.10.2
+importlib-resources==5.12.0
     # via jsonschema
 jsonschema==4.17.3
     # via -r requirements.in
@@ -56,7 +56,7 @@ pytz==2022.7.1
     #   -r requirements.in
     #   django
     #   djangorestframework
-signxml==2.10.1
+signxml==3.1.0
     # via -r requirements.in
 sqlparse==0.4.2
     # via django

@@ -267,7 +267,10 @@ def test_fail_signed_data_modified(self) -> None:
 
         with self.assertRaises(XmlSignatureUnverified) as cm:
             verify_xml_signature(xml_doc, trusted_x509_cert=cert)
-        self.assertEqual(cm.exception.args, ("Digest mismatch for reference 0",))
+        self.assertEqual(
+            cm.exception.args,
+            ("Digest mismatch for reference 0 (#MiPE76354771-13419)",),
+        )
 
     def test_xml_doc_without_signature_1(self) -> None:
         xml_doc = parse_untrusted_xml(self.without_signature)