search

XML-Security / signxml

Python XML Signature and XAdES library
https://xml-security.github.io/signxml/
Apache License 2.0
137 stars 107 forks source link

XMLVerifier can't decode X509 since 4.0.0 #263

Open avtobiff opened 2 weeks ago

avtobiff commented 2 weeks ago

It is not possible to verify a signed XML payload since signxml 4.0.0. This works in signxml<4.0.0.

Trying to use XMLVerifier produces the following trace:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/.../flask-saml2/flask_saml2/xml_parser.py", line 44, in __init__
    self.xml_tree = self.parse_signed(self.xml_tree, self.certificate)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.../flask-saml2/flask_saml2/xml_parser.py", line 73, in parse_signed
    return XMLVerifier().verify(xml_tree, x509_cert=certificate).signed_xml
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.../flask-saml2/pyvenv/lib/python3.12/site-packages/signxml/verifier.py", line 434, in verify
    signing_cert = x509.load_pem_x509_certificate(add_pem_header(self.x509_cert))
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.../flask-saml2/pyvenv/lib/python3.12/site-packages/signxml/util/__init__.py", line 162, in add_pem_header
    bare_base64_cert = ensure_str(bare_base64_cert)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.../flask-saml2/pyvenv/lib/python3.12/site-packages/signxml/util/__init__.py", line 85, in ensure_str
    x = x.decode(encoding)
        ^^^^^^^^
AttributeError: 'X509' object has no attribute 'decode'

To reproduce this do the following:

git clone https://github.com/mx-moth/flask-saml2
cd flask-saml2
virtualenv pyvenv
. pyvenv/bin/activate
pip install -r tests/requirements.txt
pip install -e .
pip install --upgrade pyopenssl

Start a python interpreter and run the following:

import defusedxml
from signxml import XMLVerifier
from tests.idp.base import CERTIFICATE

xml_string = '''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:9000/saml/acs/" ID="_2427a2a09f614f8b9ea1d6fb620ed430" InResponseTo="_00b391e554004ec1b019fff3f426ba19" IssueInstant="2024-08-30T09:58:53.745389+00:00" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8000/saml/metadata.xml</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_2427a2a09f614f8b9ea1d6fb620ed430"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>hLTrojshkS3JRO0WM+nU6eUsX0KOktgH5CVA3xYAbA8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SkRNqDMGjN8NH8aGYJCbFpoQN93+c9Gfa+udW8D7P+w3tJL3JdIN3Vifx3i6B7oIuwsLyOGH8gtHzCVqw0/iaQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_3deea41eb8394cb4af1adf3b07e1014b" IssueInstant="2024-08-30T09:58:53.745389+00:00" Version="2.0"><saml:Issuer>http://localhost:8000/saml/metadata.xml</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_3deea41eb8394cb4af1adf3b07e1014b"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>8saGUTsmwg1DkRA74ttWoqG4roUQT1v8aQOa2w7ckyk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>haW67iR59aBZlrwJCkSmxPOzLY8CA9xaLKnghrEQ3knnAD7xIwiAMdv6SpFD8QOEmMcnV42PYP81C8C7Q8oFbg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="http://localhost:9000/saml/metadata.xml">alex@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_00b391e554004ec1b019fff3f426ba19" NotOnOrAfter="2024-08-30T10:13:53.745389+00:00" Recipient="http://localhost:9000/saml/acs/"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2024-08-30T09:55:53.745389+00:00" NotOnOrAfter="2024-08-30T10:13:53.745389+00:00"><saml:AudienceRestriction><saml:Audience>http://localhost:9000/saml/metadata.xml</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2024-08-30T09:58:53.745389+00:00"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="foo" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>bar</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'''

xml_tree = defusedxml.lxml.fromstring(xml_string)
XMLVerifier().verify(xml_tree, x509_cert=CERTIFICATE)
kislyuk commented 2 weeks ago

Hello, thank you for reporting this. I have released a fix in v4.0.1, can you please install and see if it fixes the issue you are facing?

(Your repro is not quite complete because from tests.idp.base import CERTIFICATE is importing from a private tests package that is private to your project, but I understand the general idea.)