Replicating / verifying XMLDSig from a SOAP request in python

Problem description

I'm trying to replicate a XMLDSig from a gSOAP webservice using WS-Security, but the signatures never match. The service uses rsa-sha1, and I have access to both, public and private key.

I'm grabbing the bytestring of the element via regex including the trailing tabs (b'\t'), so it is identical to the original byte-by-byte, and I'm trying to sign it using the same private key (alternatively, I've tried verifying the signature with the public key), but to no avail.

Currently I'm trying my luck with removing tabs (b'\t') such that it is all flush with the XML root:

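import io
import re
from lxml import etree  # assumed; the page does not show which etree is imported

# c14n() is the asker's canonicalization helper; its definition is not shown on the page.
def extractSigInfFromHttp(data):
    f = io.BytesIO(data)
    root = etree.parse(f)
    data = c14n(nodes=root, algorithm='http://www.w3.org/2001/10/xml-exc-c14n#')
    # Grab everything between the <ds:Signature> start tag and </ds:SignedInfo>
    filtered = re.search(rb'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n([\s\S]+)</ds:SignedInfo>', data)
    if filtered is None:
        return None  # pattern not found, nothing to sign or verify
    sig = filtered.group(1)
    # Strip the four-tab indentation so the element is flush with the XML root
    newsig = re.sub(b'\t\t\t\t', b'', sig)
    return newsig + b'</ds:SignedInfo>'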

As you can see in the code, I am also doing c14n before signing / verifying.

But the signature never matches / verifies ... Could anyone tell me in which form gSOAP WSS or WSS in general process the element? The XMLDSig examples I could find online always show just the element as root, or never show what exactly is digested.

Recommended answer

After contacting gSOAP support, I've been told to use the unindented XML because the indented XML behaves pretty much unpredictably.

Furthermore, I ended up using signxml.XMLVerifier().verify and snatching the signedInfo variable before it gets verified. Basically, the way to go here is to build an etree over the xml and extracting the SignedInfo element there. No idea how exactly it differs from the byte(sub-)string, but this made the M2Crypto verification work.
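How the etree-extracted SignedInfo differs from a regex byte substring, as an added example that is not part of the original question or answer: exclusive C14N of the subtree re-declares the `ds` namespace on `<ds:SignedInfo>`, keeps the indentation text nodes, and expands empty elements, so the signed octets are not the bytes that appear on the wire. It assumes lxml (which signxml builds on); the sample document and all function names are constructed for illustration.

```python
import hashlib
import re
from lxml import etree

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: an indented WS-Security fragment, not a capture from gSOAP.
SAMPLE = (
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">\n'
    b'\t<SOAP-ENV:Header>\n'
    b'\t\t<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
    b'\t\t\t<ds:SignedInfo>\n'
    b'\t\t\t\t<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n'
    b'\t\t\t\t<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>\n'
    b'\t\t\t</ds:SignedInfo>\n'
    b'\t\t</ds:Signature>\n'
    b'\t</SOAP-ENV:Header>\n'
    b'</SOAP-ENV:Envelope>'
)


def signed_info_substring(doc: bytes) -> bytes:
    """Byte-for-byte slice of <ds:SignedInfo>, as a regex would grab it."""
    return re.search(rb'<ds:SignedInfo>[\s\S]+?</ds:SignedInfo>', doc).group(0)


def signed_info_c14n(doc: bytes) -> bytes:
    """Exclusive C14N of the SignedInfo subtree: the octets the signature covers."""
    signed_info = etree.fromstring(doc).find(f".//{{{DS}}}SignedInfo")
    return etree.tostring(signed_info, method="c14n", exclusive=True)


def compare(doc: bytes) -> dict:
    raw, canon = signed_info_substring(doc), signed_info_c14n(doc)
    return {
        "raw_sha1": hashlib.sha1(raw).hexdigest(),
        "c14n_sha1": hashlib.sha1(canon).hexdigest(),
        # ds is declared on the parent <ds:Signature>; c14n re-declares it here.
        "ns_added": canon.startswith(b'<ds:SignedInfo xmlns:ds="' + DS.encode() + b'">'),
        # Whitespace text nodes inside SignedInfo are part of the signed octets.
        "tabs_kept": b'\n\t\t\t\t<ds:CanonicalizationMethod' in canon,
        # Canonical form writes empty elements as start/end tag pairs.
        "empty_expanded": b'"></ds:SignatureMethod>' in canon,
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(key, value)
```

Any one of these differences changes the digest, which is why signing or verifying the raw slice fails even when it matches the wire bytes exactly.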
