support certificate chains #9
Comments
|
+1 for this. Workaround in the mean time -- use xslt to add the certificate chain in form of a template for the ds. pyXMLSecurity called by the pyFF sign-builtin will use this template and add the necessary values for URI/ID, DigestValue and SinatureValue. <?xml version="1.0" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<xsl:template match="/*">
<xsl:copy>
<xsl:copy-of select="@*"/>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#{@ID}">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue></ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue></ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MII[...]</ds:X509Certificate>
<ds:X509Certificate>MII[...]</ds:X509Certificate>
<ds:X509Certificate>MII[...]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<xsl:copy-of select="node()"/>
</xsl:copy>
</xsl:template>
</xsl:stylesheet>with a pipeline like this - pubinfo:
publisher: http://testpublisher.com
- first
- finalize:
cacheDuration: PT12H
validUntil: P7D
- xslt:
stylesheet: add_sig.xslt
- sign:
key: /etc/ssl/private/...
# do not use a cert-line or pyff will try to add it as well
# cert: /etc/ssl/aai/
- publish: test.xml |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Needs a new PEM-parser and some other logic.
The text was updated successfully, but these errors were encountered: