Arthur de Jong

Open Source / Free Software developer

summaryrefslogtreecommitdiffstats
path: root/docs/signatures.rst
blob: f5adc7877fb96eb0afa27842096bfb68efbb6adb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
XML Signature checking
======================

.. module:: pskc.signature

PSKC files can contain embedded XML signatures that allow integrity and
authenticity checks of the transmitted information. This signature typically
covers the whole PSKC file while MAC checking only covers the encrypted
parts.

   >>> pskc = PSKC('somefile.pskcxml')
   >>> pskc.signature.verify()
   >>> pskc = pskc.signature.signed_pskc

When using XML signatures it is important to use the
:attr:`~pskc.signature.Signature.signed_pskc` attribute after verification
because that :class:`~pskc.PSKC` instance will only contain the signed
information.


To create a signed PSKC file build up a :class:`~pskc.PSKC` instance as
usual, configure the signature and save it:

   >>> pskc.signature.sign(key, certificate)
   >>> pskc.write('output.pskcxml')


The Signature class
--------------------

.. class:: Signature

   .. attribute:: is_signed

      A boolan value that indicates whether an XML signature is present in
      the PSKC file. This propery does not indicate whether the signature
      is validated.

   .. attribute:: algorithm

      A URI of the signing algorithm used.
      Assigned values to this attribute will be converted to the canonical
      URI for the algorithm if it is known.

   .. attribute:: canonicalization_method

      A URI that is used to identify the XML canonicalization method used.

   .. attribute:: digest_algorithm

      A URI that identifies that hashing algorithm that is used to construct
      the signature.

   .. attribute:: issuer

      A distinguished name of the issuer of the certificate that belongs to
      the key that is used for the signature.

   .. attribute:: serial

      A serial number of the certificate that belongs to the key that is used
      for the signature.

   .. attribute:: key

      A PEM encoded key that will be used to create the signed PSKC file.

   .. attribute:: certificate

      A PEM encoded certificate that is embedded inside the signature that
      can be used to validate the signature.

   .. attribute:: signed_pskc

      A :class:`~pskc.PSKC` instance that contains the signed contents of the
      PSKC file. It is usually required to call :func:`verify` before
      accessing this attribute without raising an exception.

   .. function:: verify(certificate=None, ca_pem_file=None)

      Verify the validity of the embedded XML signature. This function will
      raise an exception when the validation fails.

      :param bytes certificate: a PEM encoded certificate that is used for verification
      :param str ca_pem_file: the name of a file that contains a CA certificate

      The signature can be verified in three ways:

      * The signature was made with a key that has a certificate that is
        signed by a CA that is configured in the system CA store. In this
        case neither `certificate` or `ca_pem_file` need to be specified (but
        a certificate needs to be embedded inside the PSKC file).
      * The signature was made with a key and a certificate for the key was
        transmitted out-of-band. In this case the `certificate` argument
        needs to be present.
      * The signature was made with a key and has a certificate that is
        signed by a specific CA who's certificate was transmitted
        out-of-band. In this case the `ca_pem_file` is used to point to a CA
        certificate file (but a certificate needs to be embedded inside the
        PSKC file).

      After calling this function a verified version of the PSKC file will
      be present in the :attr:`signed_pskc` attribute.

   .. function:: sign(key, certificate=None)

      Set up a key and optionally a certificate that will be used to create an
      embedded XML signature when writing the file.

      :param bytes key: PEM encoded key used for signing
      :param bytes certificate: PEM encoded certificate that will be embedded

      This is a utility function that is used to configure the properties
      needed to create a signed PSKC file.