xmlsec
XML Security Library is a C library based on LibXML2. The library supports major XML security standards:
Slackbuild
Sign with certificate test.xml
- openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout privkey.pem
- xmlsec1 --sign --privkey-pem privkey.pem --output test_signed.xml test.xml
- xmlsec1 --verify test_signed.xml
test.xml
1 <a>
2 <b Id="tosign">
3 <c>test</c>
4 </b>
5 <!-- signature template -->
6 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
7 <SignedInfo>
8 <CanonicalizationMethod Algorithm=
9 "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
10 <SignatureMethod Algorithm=
11 "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
12 <Reference URI="">
13 <Transforms>
14 <Transform Algorithm=
15 "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
16 </Transforms>
17 <DigestMethod Algorithm=
18 "http://www.w3.org/2000/09/xmldsig#sha1"/>
19 <DigestValue></DigestValue>
20 </Reference>
21 </SignedInfo>
22 <SignatureValue />
23 <KeyInfo>
24 <X509Data >
25 <X509SubjectName/>
26 <X509IssuerSerial/>
27 <X509Certificate/>
28 </X509Data>
29 <KeyValue />
30 </KeyInfo>
31 </Signature>
32 </a>
test_rsa_sha256.xml
- xmlsec1 --sign --privkey-pem privkey.pem,cert.pem --output test_rsa_sha256_signed.xml test_rsa_sha256.xml
- xmlsec1 --verify --insecure test_rsa_sha256_signed.xml # self-signed certificate
1 <a>
2 <b Id="tosign">
3 <c>test</c>
4 </b>
5 <!-- signature template -->
6 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
7 <SignedInfo>
8 <CanonicalizationMethod Algorithm=
9 "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
10 <SignatureMethod Algorithm=
11 "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
12 <Reference URI="">
13 <Transforms>
14 <Transform Algorithm=
15 "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
16 </Transforms>
17 <DigestMethod Algorithm=
18 "http://www.w3.org/2001/04/xmlenc#sha256"/>
19 <DigestValue></DigestValue>
20 </Reference>
21 </SignedInfo>
22 <SignatureValue />
23 <KeyInfo>
24 <X509Data >
25 <X509SubjectName/>
26 <X509IssuerSerial/>
27 <X509Certificate/>
28 </X509Data>
29 <KeyValue />
30 </KeyInfo>
31 </Signature>
32 </a>
test_rsa_sha256_uri.xml
- xmlsec1 --sign --id-attr:Id c --privkey-pem privkey.pem,cert.pem --output test_rsa_sha256_uri_signed.xml test_rsa_sha256_uri.xml
2019-10-21T22:47 vitor@nb200:/tmp
- xmlsec1 --verify --id-attr:Id c --insecure test_rsa_sha256_uri_signed.xml
1 <a>
2 <b>
3 <c Id="tosign">test</c>
4 </b>
5 <!-- signature template -->
6 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
7 <SignedInfo>
8 <CanonicalizationMethod Algorithm=
9 "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
10 <SignatureMethod Algorithm=
11 "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
12 <Reference URI="#tosign">
13 <Transforms>
14 <Transform Algorithm=
15 "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
16 </Transforms>
17 <DigestMethod Algorithm=
18 "http://www.w3.org/2001/04/xmlenc#sha256"/>
19 <DigestValue></DigestValue>
20 </Reference>
21 </SignedInfo>
22 <SignatureValue />
23 <KeyInfo>
24 <X509Data >
25 <X509SubjectName/>
26 <X509IssuerSerial/>
27 <X509Certificate/>
28 </X509Data>
29 </KeyInfo>
30 </Signature>
31 </a>
test_rsa_sha256_uri_ns.xml
Add the template nodes to the original message to sign.
- openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout privkey.pem
- xmlsec1 --sign --id-attr:Id c --privkey-pem privkey.pem,cert.pem --output test_rsa_sha256_uri_ns_signed.xml test_rsa_sha256_uri_ns.xml
- xmlsec1 --verify --id-attr:Id c --insecure test_rsa_sha256_uri_ns_signed.xml
1 <bit:a xmlns:bit="http://bitarus.allowed.org/test">
2 <bit:b>
3 <bit:c Id="tosign">test</bit:c>
4 </bit:b>
5 <!-- signature template -->
6 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
7 <SignedInfo>
8 <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
9 <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
10 <Reference URI="#tosign">
11 <Transforms>
12 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
13 </Transforms>
14 <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
15 <DigestValue />
16 </Reference>
17 </SignedInfo>
18 <SignatureValue />
19 <KeyInfo>
20 <X509Data >
21 <X509Certificate/>
22 </X509Data>
23 </KeyInfo>
24 </Signature>
25 <!-- signature template -->
26 </bit:a>
Python bindins for xmlsec - python-xmlsec
Install python bindings pip2 install xmlsec --user
sign.py
1 from lxml import etree
2 import xmlsec
3
4 template = etree.parse('test_rsa_sha256_uri_ns.xml').getroot()
5 node_with_id = template.xpath('//bit:c',namespaces={'bit':'http://bitarus.allowed.org/test'})[0]
6 signature_node = xmlsec.tree.find_node(template, xmlsec.constants.NodeSignature)
7
8 ctx = xmlsec.SignatureContext()
9 ctx.key = xmlsec.Key.from_file('privkey.pem', xmlsec.constants.KeyDataFormatPem)
10 ctx.key.load_cert_from_file('cert.pem', xmlsec.constants.KeyDataFormatPem)
11 ctx.register_id(node=node_with_id,id_attr='Id')
12 ctx.sign(signature_node)
13
14 open('signed.xml','wb').write( etree.tostring(template) )
15 # xmlsec1 --sign --id-attr:Id c --privkey-pem privkey.pem,cert.pem --output signed.xml test_rsa_sha256_uri_ns.xml
verify.py
1 from lxml import etree
2 import xmlsec
3 from base64 import standard_b64decode
4
5 template = etree.parse('signed.xml').getroot()
6 node_with_id = template.xpath('//bit:c',namespaces={'bit':'http://bitarus.allowed.org/test'})[0]
7 signature_node = xmlsec.tree.find_node(template, xmlsec.constants.NodeSignature)
8 x509_cert = template.xpath('//ds:X509Certificate',namespaces={'ds':'http://www.w3.org/2000/09/xmldsig#'})[0]
9 ctx = xmlsec.SignatureContext()
10 t = ""
11 t += "-----BEGIN CERTIFICATE-----\n"
12 t += x509_cert.text
13 t += "\n-----END CERTIFICATE-----\n"
14 ctx.key = xmlsec.Key.from_memory(t, xmlsec.constants.KeyDataFormatCertPem )
15 ctx.register_id(node=node_with_id,id_attr='Id')
16 ctx.verify(signature_node)
17 # xmlsec1 --verify --id-attr:Id c --insecure signed.xml