Direction to take for XML digital signature generation/verification #1

Closed
darrylcousins opened this issue Oct 16, 2014 · 4 comments

@darrylcousins
Owner

Hi,

This project is chiefly a migration of Authen-NZRealMe.

I have been porting the Perl code in a TDD manner using doctests. The point I'm at is the creation of the AuthnRequest. This XML request needs to be signed.

In Authen-NZRealMe this is handled by the module XMLSig.

I looked at the Python package xmldsig and it seems that this is what I want to do (with adjustments to the template):

>>> import xmldsig
>>> xml = """<?xml version="1.0" encoding="UTF-8"?>
... <Envelope xmlns="urn:envelope">
...   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
...     <SignedInfo>
...     ...
...     </SignedInfo>
...   </Signature>
... </Envelope>"""
>>> xmldsig.sign(xml, 'keyfile.key', 'password', 'name')
(...)

But to use this library, I need to have installed two Python modules:

pip install xmlsec went fine but not so for libxml2 or libxml2-python.

After a bit of research I easily installed libxml2.

I'm not even sure that xmldsig will do what I need it to do but I suspect it will.

The question is to make a choice between going with xmldsig and the installation problems with libxml2 or to pursue the option of porting XMLSig.

I'm undecided whether I should take the xmlsig approach in preference to porting XMLSig. Or otherwise.

Thoughts?

Relevant issue: I can't work out how to build libxml2 on Travis.

@darrylcousins
Owner Author

Answering my own question.

I'm now using dm.xmlsec.binding, which installs nicely with pip, so avoiding the problems listed above. (But not on Travis, because of the missing libxmlsec package.)

I haven't got to signing XML documents yet but I have it working to sign the query string (as required).

@pitbulk

pitbulk commented Oct 31, 2014

Hi @darrylcousins, I released a SAML toolkit for Python: https://pypi.python.org/pypi/python-saml
And I decided to use dm.xmlsec.binding.

It works perfectly on Ubuntu but people have problems installing it on RedHat/Fedora:
SAML-Toolkits/python-saml#30

Did you experience similar issues? I think the problem is related to lxml.

@darrylcousins
Owner Author

Hi @pitbulk, sorry for the delayed reply.

I don't have anything new to add to your issue 30. This project has had a brief start and is hanging at the moment in a partial development state.

I'm developing on OS X and like you I have no problems with pip install dm.xmlsec.binding nor with lxml. I did struggle with xmlsig which is why I, like you, have gone for dm.xmlsec.binding.

We use lxml without any problems on many projects. But most of our servers are Ubuntu or CentOS.

As an aside and probably not related, I did have trouble installing MCrypto and so I'm using pyOpenSSL for similar tasks (I've no notes of my experiences, doh).

Furthermore, I did have a look at django-saml with the idea of using it for this project, especially as I'm primarily a Django developer. At the time my knowledge of how SAML works was nil (and also very little about digital signing and related technologies). Getting some code and tests working has helped me learn my way around and python-saml makes a lot more sense to me now. The point here being that I may yet change my direction for nzrealme.

I hope this helps somewhat.

Many thanks,
Darryl Cousins

@darrylcousins
Owner Author

Closing this issue.

The code is now using python-saml.
