Xades XML 签名策略
您好,我正在编写一个使用 Xades 签署 XML 文件的脚本(强制)。我以前从未参与过对 XML 文件进行签名,所以我很迷茫。
该错误似乎与标志政策有关,但我不确定它是如何完成的。我必须添加 指向“http://ticketbai.eus/politicafirma”的链接,策略哈希为:“d69VEBc4ED4QbwnDtCA2JESgJiw+rwzfutcaSl5gYvM=”。我还需要考虑到密钥必须大于 1024 字节。
注:我在Python上工作,因为我最习惯它,但我没有改变的不便。除了脚本之外,证书已验证并正常工作。
追溯
ctx.sign(signature)
File "C:\Users\acarrera\AppData\Local\Programs\Python\Python39\lib\site-packages\xades\xades_context.py", line 47, in sign
self.calculate_signed_properties(signed_properties, node, True)
File "C:\Users\acarrera\AppData\Local\Programs\Python\Python39\lib\site-packages\xades\xades_context.py", line 102, in calculate_signed_properties
self.calculate_signature_properties(signature_properties, node, sign)
File "C:\Users\acarrera\AppData\Local\Programs\Python\Python39\lib\site-packages\xades\xades_context.py", line 125, in calculate_signature_properties
self.policy.calculate_certificates(
File "C:\Users\acarrera\AppData\Local\Programs\Python\Python39\lib\site-packages\xades\policy.py", line 134, in calculate_certificates
for key_x509 in keys_x509:
TypeError: 'builtins.Certificate' object is not iterable
PYTHON 代码
import os
import xmlsig
from lxml import etree
from OpenSSL import crypto
from xades import XAdESContext, template, utils
from xades.policy import GenericPolicyId
SIGN_POLICY = f"https://ticketbai.araba.eus/tbai/sinadura/"
CERTIANDER = os.environ.get(
'CERTIANDER',
r'SOLDISP_PF2856A9_CERT.pfx')
parsed_file = etree.parse('Factura1.xml').getroot()
signature = xmlsig.template.create(
xmlsig.constants.TransformInclC14N,
xmlsig.constants.TransformRsaSha256,
"Signature",
)
signature_id = utils.get_unique_id()
ref = xmlsig.template.add_reference(
signature, xmlsig.constants.TransformSha256, uri="", name="REF"
)
xmlsig.template.add_transform(ref, xmlsig.constants.TransformEnveloped)
xmlsig.template.add_reference(
signature, xmlsig.constants.TransformSha256, uri="#" + signature_id
)
xmlsig.template.add_reference(
signature, xmlsig.constants.TransformSha256, uri="#" + signature_id
)
ki = xmlsig.template.ensure_key_info(signature, name="KI")
data = xmlsig.template.add_x509_data(ki)
xmlsig.template.x509_data_add_certificate(data)
serial = xmlsig.template.x509_data_add_issuer_serial(data)
xmlsig.template.x509_issuer_serial_add_issuer_name(serial)
xmlsig.template.x509_issuer_serial_add_serial_number(serial)
xmlsig.template.add_key_value(ki)
qualifying = template.create_qualifying_properties(
signature, name=utils.get_unique_id(), etsi='xades'
)
props = template.create_signed_properties(qualifying, name=signature_id)
policy = GenericPolicyId(
SIGN_POLICY,
xmlsig.constants.TransformSha256,
)
parsed_file.append(signature)
with open(CERTIANDER, "rb") as key_file:
pfx = key_file.read()
certificate = crypto.load_pkcs12(pfx, b'password') #Personal Password
ctx = XAdESContext(
policy,
certificate.get_certificate().to_cryptography(),
)
ctx.load_pkcs12(certificate)
ctx.sign(signature)
parsed_file[0][0][0].append(signature)
et = etree.ElementTree(parsed_file)
nfs_name = 'Firmado'
et.write(nfs_name, pretty_print=True,
encoding='utf-8', xml_declaration=True)
Hello I'm working on a script to sign XML files with Xades (mandatory). I never worked before in signing XML files so I'm quite lost.
The error seems realted to the sign policy but I'm not sure how it is done. I must add
a link to "http://ticketbai.eus/politicafirma", and the policy hash is: "d69VEBc4ED4QbwnDtCA2JESgJiw+rwzfutcaSl5gYvM=" . I also need to take in account that the key must be above 1024 bytes.
Note: I'm working on Python because I'm the most used to it, but I don't have inconvenience to change. The certificate is validated and working correctly apart from the script.
TRACEBACK
ctx.sign(signature)
File "C:\Users\acarrera\AppData\Local\Programs\Python\Python39\lib\site-packages\xades\xades_context.py", line 47, in sign
self.calculate_signed_properties(signed_properties, node, True)
File "C:\Users\acarrera\AppData\Local\Programs\Python\Python39\lib\site-packages\xades\xades_context.py", line 102, in calculate_signed_properties
self.calculate_signature_properties(signature_properties, node, sign)
File "C:\Users\acarrera\AppData\Local\Programs\Python\Python39\lib\site-packages\xades\xades_context.py", line 125, in calculate_signature_properties
self.policy.calculate_certificates(
File "C:\Users\acarrera\AppData\Local\Programs\Python\Python39\lib\site-packages\xades\policy.py", line 134, in calculate_certificates
for key_x509 in keys_x509:
TypeError: 'builtins.Certificate' object is not iterable
PYTHON CODE
import os
import xmlsig
from lxml import etree
from OpenSSL import crypto
from xades import XAdESContext, template, utils
from xades.policy import GenericPolicyId
SIGN_POLICY = f"https://ticketbai.araba.eus/tbai/sinadura/"
CERTIANDER = os.environ.get(
'CERTIANDER',
r'SOLDISP_PF2856A9_CERT.pfx')
parsed_file = etree.parse('Factura1.xml').getroot()
signature = xmlsig.template.create(
xmlsig.constants.TransformInclC14N,
xmlsig.constants.TransformRsaSha256,
"Signature",
)
signature_id = utils.get_unique_id()
ref = xmlsig.template.add_reference(
signature, xmlsig.constants.TransformSha256, uri="", name="REF"
)
xmlsig.template.add_transform(ref, xmlsig.constants.TransformEnveloped)
xmlsig.template.add_reference(
signature, xmlsig.constants.TransformSha256, uri="#" + signature_id
)
xmlsig.template.add_reference(
signature, xmlsig.constants.TransformSha256, uri="#" + signature_id
)
ki = xmlsig.template.ensure_key_info(signature, name="KI")
data = xmlsig.template.add_x509_data(ki)
xmlsig.template.x509_data_add_certificate(data)
serial = xmlsig.template.x509_data_add_issuer_serial(data)
xmlsig.template.x509_issuer_serial_add_issuer_name(serial)
xmlsig.template.x509_issuer_serial_add_serial_number(serial)
xmlsig.template.add_key_value(ki)
qualifying = template.create_qualifying_properties(
signature, name=utils.get_unique_id(), etsi='xades'
)
props = template.create_signed_properties(qualifying, name=signature_id)
policy = GenericPolicyId(
SIGN_POLICY,
xmlsig.constants.TransformSha256,
)
parsed_file.append(signature)
with open(CERTIANDER, "rb") as key_file:
pfx = key_file.read()
certificate = crypto.load_pkcs12(pfx, b'password') #Personal Password
ctx = XAdESContext(
policy,
certificate.get_certificate().to_cryptography(),
)
ctx.load_pkcs12(certificate)
ctx.sign(signature)
parsed_file[0][0][0].append(signature)
et = etree.ElementTree(parsed_file)
nfs_name = 'Firmado'
et.write(nfs_name, pretty_print=True,
encoding='utf-8', xml_declaration=True)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我遇到了同样的问题,在这个问题的最后 如何使用 Xades-EPES 标准和 Python 进行签名? 他们提到唯一的区别是该库可以有多个证书,而您只能有一个。我修改了库并消除了失败的地方。这对我有用!
I had the same issue and at the end of this question How to sign using Xades-EPES standard with Python? they mention the only difference is that the library can have multiple certificates and you can only have one. I modified the library and eliminated the for where it fails. That worked for me!
我遇到了同样的问题,但我阅读了 git-hub 上的文档,并成功签名xml 具有该库的一项功能。如果您在西班牙,我签署了 xml,并且 Autofirma 检测到有效标志,但在网络上 Valida Firma 不是,我不知道为什么要
导入这些库。
I'm Having Same Problems But I Read the documentation on git-hub and I managed to sign xml with one function of the library. If you are in Spain I signed the xml and Autofirma detect valid sign, but on the web Valida Firma is not and I don't know why
Import these libraries.