[pycrypto] XML Digital Signature (XML-DSig)
Dwayne Litzenberger
dlitz at dlitz.net
Thu Feb 6 09:12:31 PST 2014

On Wed, Feb 05, 2014 at 11:54:31PM -0300, Anurag Chourasia wrote:
>Hi All,
>
>Is it possible to digitally sign <http://www.w3.org/TR/xmldsig-core/> an XML
>document using the PyCrypto library, provided that I have the certificate
>in .pfx format?
>
>A sample signed XML is at http://dpaste.com/1587241
>
>I am a little thin on the concept and appreciate your comments and guidance.

Implementing the XML Security spec is way beyond the scope of PyCrypto.

See https://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt

It's a really terrible idea anyway. Individually, X.509 and XML
Canonicalization are complicated, overengineered specifications.
Exposing their *combined* complexity to attackers is not advisable.

If, for legacy reasons, you still need to do this, you might be able to
use an external library (such as pyxmlsec or pyxser) to do most of the
work, but the only recommendation I can give is "don't do that".

--
Dwayne C. Litzenberger <dlitz at dlitz.net>
OpenPGP: 19E1 1FE8 B3CF F273 ED17 4A24 928C EC13 39C2 5CF7