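def _verify(self):
    '''
    Check whether the message carries a valid signature covering its SOAP body.

    The body is canonicalized (exclusive C14N, comments dropped) and hashed
    with SHA-256; that digest must equal one of the ds:DigestValue entries
    inside ds:SignedInfo.  The canonicalized SignedInfo is then verified
    against ds:SignatureValue with the public key of the certificate found
    in wsse:BinarySecurityToken (RSA PKCS#1 v1.5 with SHA-256).

    Returns True only when both checks pass.  Any failure, including
    missing elements or malformed base64, is logged and yields False.

    NOTE(review): the certificate is taken from the message itself and is
    not checked here against a trust anchor, an expected subject/issuer or
    its validity period.  Unless the caller does that, a message signed
    with any self-issued certificate passes this check.
    NOTE(review): ds:DigestMethod and ds:SignatureMethod are not inspected;
    SHA-256 and RSA PKCS#1 v1.5 are assumed.
    '''
    try:
        # Canonicalize the SOAP body and compute its SHA-256 digest.
        body_c14n = etree.tostring(self.body, method='c14n', exclusive=True, with_comments=False)
        body_digest = hashlib.sha256(body_c14n).digest()
        # Locate the certificate, the signed info and the signature value.
        cert = self.root.find('.//wsse:BinarySecurityToken', namespaces=NSMAP)
        sig_info = self.root.find('.//ds:SignedInfo', namespaces=NSMAP)
        sig_value = self.root.find('.//ds:SignatureValue', namespaces=NSMAP)
        # Explicit checks instead of assert: asserts are stripped under -O.
        if cert is None or sig_info is None or sig_value is None:
            raise ValueError('missing BinarySecurityToken, SignedInfo or SignatureValue')
        if not cert.text or not sig_value.text:
            raise ValueError('empty BinarySecurityToken or SignatureValue')
        # Bind the body to the signature: the signature below only covers
        # SignedInfo, so without this comparison the body could be replaced
        # while SignedInfo and SignatureValue stay untouched and still verify.
        signed_digests = [
            b64decode(node.text)
            for node in sig_info.findall('.//ds:DigestValue', namespaces=NSMAP)
            if node.text
        ]
        if body_digest not in signed_digests:
            raise ValueError('SOAP body digest does not match any signed DigestValue')
        # Canonicalize SignedInfo; this is the byte string that was signed.
        sig_info_c14n = etree.tostring(sig_info, method='c14n', exclusive=True, with_comments=False)
        # Re-wrap the bare base64 token as PEM (whitespace removed first so
        # the 64-column wrapping is clean) and load the certificate.
        cert_b64 = ''.join(cert.text.split())
        pem = '\n'.join(
            ['-----BEGIN CERTIFICATE-----']
            + textwrap.wrap(cert_b64, 64)
            + ['-----END CERTIFICATE-----\n']
        )
        cert = load_pem_x509_certificate(pem.encode('utf-8'), default_backend())
        key = cert.public_key()
        # One-shot verify() raises on a bad signature.  It replaces the older
        # verifier()/update()/verify() context API, which newer releases of
        # the cryptography package no longer provide.
        key.verify(b64decode(sig_value.text), sig_info_c14n, padding.PKCS1v15(), hashes.SHA256())
        return True
    except Exception as e:
        # Fail closed: any error means the message is treated as unsigned.
        logger.exception(e)
        return False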