Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

get serialNumber from subject #118

Open
wants to merge 6 commits into
base: develop
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 23 additions & 7 deletions signxml/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -591,9 +591,17 @@ def _apply_transforms(self, payload, transforms_node, signature, c14n_algorithm)

return payload

def verify(self, data, require_x509=True, x509_cert=None, cert_subject_name=None, ca_pem_file=None, ca_path=None,
hmac_key=None, validate_schema=True, parser=None, uri_resolver=None, id_attribute=None,
expect_references=1):
def _get_serial_number(self, comps, serial):
for v in comps:
if len(v) == 2 and \
v[0].decode('utf-8') in 'serialNumber' and \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comparison seems wrong. Why are you testing for a substring of 'serialNumber'?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😄 definitely some autocomplete/paste issue.

I ended up omitting the serial number validation in my project and left the merge request half done, but since you want to give this attention I'll get back to this.

Thanks for a great library!

v[1].decode('utf-8') in serial:
return True
return False

def verify(self, data, require_x509=True, x509_cert=None, cert_subject_name=None, cert_subject_serial=None,
ca_pem_file=None, ca_path=None, hmac_key=None, validate_schema=True, parser=None,
uri_resolver=None, id_attribute=None, expect_references=1):
"""
Verify the XML signature supplied in the data and return the XML node signed by the signature, or raise an
exception if the signature is not valid. By default, this requires the signature to be generated using a valid
Expand Down Expand Up @@ -718,11 +726,19 @@ def verify(self, data, require_x509=True, x509_cert=None, cert_subject_name=None
elif isinstance(self.x509_cert, X509):
signing_cert = self.x509_cert
else:
signing_cert = load_certificate(FILETYPE_PEM, add_pem_header(self.x509_cert))

if cert_subject_name and signing_cert.get_subject().commonName != cert_subject_name:
raise InvalidSignature("Certificate subject common name mismatch")
signing_cert = load_certificate(FILETYPE_PEM,
add_pem_header(self.x509_cert))
comps = signing_cert.get_subject().get_components()
if not cert_subject_serial:
has_serial = False
else:
has_serial = self._get_serial_number(comps, cert_subject_serial)

if (cert_subject_name and
signing_cert.get_subject().commonName != cert_subject_name) \
or (cert_subject_serial and has_serial is False):
raise InvalidSignature('Certificate subject '
'common name mismatch')
signature_digest_method = self._get_signature_digest_method(signature_alg).name
try:
verify(signing_cert, raw_signature, signed_info_c14n, signature_digest_method)
Expand Down