Skip to content

signed parts#1428

Open
blaggacao wants to merge 9 commits intomvantellingen:mainfrom
blaggacao:signed_parts
Open

signed parts#1428
blaggacao wants to merge 9 commits intomvantellingen:mainfrom
blaggacao:signed_parts

Conversation

@blaggacao
Copy link

@blaggacao blaggacao commented Sep 21, 2024
edited
Loading

  • Parse SignedParts for bindings and assign
  • Sign elements required by WSDL
  • Added tests
  • Omitt WSSE header elements from signature

rebase of #747
closes: #497

@mvantellingen This seemed a pretty solid PR and I have concrete use for it on this service: https://vpfe-hab.dian.gov.co/WcfDianCustomerServices.svc?wsdl - clould you kindly consider reviewing this or the original #747 ? In the meantime I can use this PR patch, though. It is unwieldy to implement a custom Signature class.

Details 
<wsp:Policy wsu:Id="WSHttpBinding_IWcfDianCustomerServices_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
...
</sp:TransportBinding>
<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
<sp:SignedParts>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefThumbprint/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

Edit

There seems to be one issue that I need to use an older URI for sp in my use case:

In [25]: NSMAP
Out[25]:
{'wsdl': 'http://schemas.xmlsoap.org/wsdl/',
 'wsp': 'http://schemas.xmlsoap.org/ws/2004/09/policy',
 'sp': 'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702',
 'wsu': 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'}

In [26]: NSMAP["sp"] = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"

In [28]: doc.xpath('//wsp:Policy//sp:SignedParts', namespaces=NSMAP)
Out[28]: [<Element {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}SignedParts at 0x7fcd9a279780>]

@blaggacao blaggacao force-pushed the signed_parts branch 2 times, most recently from 94ac51f to 87f213b Compare September 21, 2024 17:14
@blaggacao blaggacao force-pushed the signed_parts branch 2 times, most recently from 251abff to e6267bd Compare September 21, 2024 19:39
@blaggacao blaggacao force-pushed the signed_parts branch 2 times, most recently from 3ec6ccb to 7e385b2 Compare September 21, 2024 20:37
@tpazderka tpazderka mentioned this pull request Feb 26, 2025
Closed
martincollignon added a commit to martincollignon/python-zeep that referenced this pull request Mar 20, 2026
@martincollignon @claude
feat(wsse): add pure-Python WS-Security signing (no xmlsec dependency)
80cab29 
Add `zeep.wsse.crypto` module as a drop-in alternative to the existing
xmlsec-based `zeep.wsse.signature` module. Uses the `cryptography`
library instead of the C-based `xmlsec`, making installation
straightforward on all platforms.

New capabilities beyond the xmlsec-based module:
- No C library dependency (pure Python via `cryptography` + `lxml`)
- PKCS#12 (.p12/.pfx) key loading support
- Configurable signed parts (Body, Timestamp, UsernameToken,
  BinarySecurityToken, or any element with wsu:Id)
- Per-reference inclusive namespace prefixes for exclusive C14N
- Mixed digest/signature algorithms (e.g. SHA-256 digests + RSA-SHA1)

Classes: CryptoSignature, CryptoBinarySignature, CryptoMemorySignature,
CryptoBinaryMemorySignature, PKCS12Signature

Install with: pip install zeep[crypto]

Closes mvantellingen#1357, relates to mvantellingen#1419, mvantellingen#1428, mvantellingen#1363, mvantellingen#1318

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@martincollignon martincollignon mentioned this pull request Mar 20, 2026
Closed
4 tasks
martincollignon added a commit to martincollignon/python-zeep that referenced this pull request Mar 20, 2026
@martincollignon @claude
feat(wsse): add pure-Python WS-Security signing (no xmlsec dependency)
a7ab990 
Add `zeep.wsse.crypto` module as a drop-in alternative to the existing
xmlsec-based `zeep.wsse.signature` module. Uses the `cryptography`
library instead of the C-based `xmlsec`, making installation
straightforward on all platforms.

New capabilities beyond the xmlsec-based module:
- No C library dependency (pure Python via `cryptography` + `lxml`)
- PKCS#12 (.p12/.pfx) key loading support
- Configurable signed parts (Body, Timestamp, UsernameToken,
  BinarySecurityToken, or any element with wsu:Id)
- Per-reference inclusive namespace prefixes for exclusive C14N
- Mixed digest/signature algorithms (e.g. SHA-256 digests + RSA-SHA1)

Classes: CryptoSignature, CryptoBinarySignature, CryptoMemorySignature,
CryptoBinaryMemorySignature, PKCS12Signature

Install with: pip install zeep[crypto]

Closes mvantellingen#1357, relates to mvantellingen#1419, mvantellingen#1428, mvantellingen#1363, mvantellingen#1318

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@martincollignon martincollignon mentioned this pull request Mar 20, 2026
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

wsse does not sign parts required by WSDL

2 participants

@blaggacao @tpazderka