= xmlsec = * https://www.aleksey.com/xmlsec/index.html * https://github.com/lsh123/xmlsec * https://github.com/lsh123/xmlsec/releases XML Security Library is a C library based on LibXML2. The library supports major XML security standards: * https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html == Slackbuild == {{{#!highlight bash wget https://slackbuilds.org/slackbuilds/14.2/libraries/xmlsec.tar.gz tar xvzf xmlsec.tar.gz cd xmlsec wget https://www.aleksey.com/xmlsec/download/xmlsec1-1.2.29.tar.gz ./xmlsec.SlackBuild installpkg /tmp/xmlsec-1.2.29-i586-1_SBo.tgz }}} == Sign with certificate test.xml == * openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout privkey.pem * xmlsec1 --sign --privkey-pem privkey.pem --output test_signed.xml test.xml * xmlsec1 --verify test_signed.xml === test.xml === {{{#!highlight xml test }}} === test_rsa_sha256.xml === * xmlsec1 --sign --privkey-pem privkey.pem,cert.pem --output test_rsa_sha256_signed.xml test_rsa_sha256.xml * xmlsec1 --verify --insecure test_rsa_sha256_signed.xml # self-signed certificate {{{#!highlight xml test }}} === test_rsa_sha256_uri.xml === * xmlsec1 --sign --id-attr:Id c --privkey-pem privkey.pem,cert.pem --output test_rsa_sha256_uri_signed.xml test_rsa_sha256_uri.xml 2019-10-21T22:47 vitor@nb200:/tmp * xmlsec1 --verify --id-attr:Id c --insecure test_rsa_sha256_uri_signed.xml {{{#!highlight xml test }}} === test_rsa_sha256_uri_ns.xml === Add the template nodes to the original message to sign. 
* https://www.w3.org/TR/xmldsig-core1/ * openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout privkey.pem * xmlsec1 --sign --id-attr:Id c --privkey-pem privkey.pem,cert.pem --output test_rsa_sha256_uri_ns_signed.xml test_rsa_sha256_uri_ns.xml * xmlsec1 --verify --id-attr:Id c --insecure test_rsa_sha256_uri_ns_signed.xml {{{#!highlight xml test }}} == Python bindings for xmlsec - python-xmlsec == * https://pypi.org/project/xmlsec/ * https://github.com/mehcode/python-xmlsec * https://pythonhosted.org/xmlsec/examples.html * https://github.com/mehcode/python-xmlsec/tree/master/tests unit tests Install python bindings '''pip2 install xmlsec --user''' === sign.py === {{{#!highlight python from lxml import etree import xmlsec template = etree.parse('test_rsa_sha256_uri_ns.xml').getroot() node_with_id = template.xpath('//bit:c',namespaces={'bit':'http://bitarus.allowed.org/test'})[0] signature_node = xmlsec.tree.find_node(template, xmlsec.constants.NodeSignature) ctx = xmlsec.SignatureContext() ctx.key = xmlsec.Key.from_file('privkey.pem', xmlsec.constants.KeyDataFormatPem) ctx.key.load_cert_from_file('cert.pem', xmlsec.constants.KeyDataFormatPem) ctx.register_id(node=node_with_id,id_attr='Id') ctx.sign(signature_node) open('signed.xml','wb').write( etree.tostring(template) ) # xmlsec1 --sign --id-attr:Id c --privkey-pem privkey.pem,cert.pem --output signed.xml test_rsa_sha256_uri_ns.xml }}} === verify.py === Note that this script builds the verification key from the `<ds:X509Certificate>` element found inside signed.xml itself, so a successful verify only shows that the document is consistent with the certificate it carries; it does not establish that the signer is trusted (the same trust gap as the `--insecure` flag above). For a real check, load the expected certificate (or a trusted CA) from a local file, as sign.py does with cert.pem, rather than from the document being verified. {{{#!highlight python from lxml import etree import xmlsec from base64 import standard_b64decode template = etree.parse('signed.xml').getroot() node_with_id = template.xpath('//bit:c',namespaces={'bit':'http://bitarus.allowed.org/test'})[0] signature_node = xmlsec.tree.find_node(template, xmlsec.constants.NodeSignature) x509_cert = template.xpath('//ds:X509Certificate',namespaces={'ds':'http://www.w3.org/2000/09/xmldsig#'})[0] ctx = xmlsec.SignatureContext() t = "" t += "-----BEGIN CERTIFICATE-----\n" t += x509_cert.text t += "\n-----END CERTIFICATE-----\n" 
ctx.key = xmlsec.Key.from_memory(t, xmlsec.constants.KeyDataFormatCertPem ) ctx.register_id(node=node_with_id,id_attr='Id') ctx.verify(signature_node) # xmlsec1 --verify --id-attr:Id c --insecure signed.xml }}}