feat(wsse): pure-Python WS-Security signing (no xmlsec required) #1484
Closed
martincollignon wants to merge 51 commits into mvantellingen:master from
It's 6 years old already, how long can it stay modern ;-)
Uses email module as suggested in docs: https://docs.python.org/3/library/cgi.html#cgi.parse_header Fixes mvantellingen#1352
An exception will be thrown if a bool is returned from a SOAP service call. `deserialize` soap.py will ask for the length of the result body, but it may not be allowed to take len on some result body types. Added check if length is valid and returns the body directly if it is not. I haven't tested with any other types, such as integers.
According to https://endoflife.date/python python 3.7 has been EOSed 27 Jun 2023. Filter all code over `pyupgrade --py38-plus`. Signed-off-by: Tomasz Kłoczko <kloczek@github.com>
Signed-off-by: Tomasz Kłoczko <kloczek@github.com>
Signed-off-by: Tomasz Kłoczko <kloczek@github.com>
The latest release of the isodate package (0.7.2) doesn’t handle timezone information for dates. While this is indeed not valid according to the ISO specs we want to handle it anyway. Add a workaround by stripping the timezone data ourselves.
I bumped into this when opening several wsdl which in turn opened lots of xsd, with 'file://' scheme. The issue was that neither the `resp.raw.close` nor the `resp.raw.release_conn` set in the `FileAdapter` was ever called.

It's unclear to me whether this should be fixed in requests. It doesn't do that great a job at resource management for the naive user aka Human™. It makes sense to me that exhaustively reading `Response.raw` should close it unless the caller explicitly set `stream` on the request. Probably by using this `closing` pattern in the generator in `Response.iter_content`.

Workarounds without this fix:
- using a scheme-less url as zeep will assume it's a local path and open the file as a context manager.
- use one of the caches from `zeep.cache` to hide duplicate open resources.
This seems to result in a conflict with xmlsec/libxml
This also moves the README from rST to markdown
Thanks again to Kraken Tech for making Zeep part of their OSS funding program by issuing a one-time grant in 2023
reintroduce the "notation" tag because '{http://www.w3.org/2001/XMLSchema}notations' does not exist fixes mvantellingen#1185
pytz dependency is removed. isodate is still needed for ISO durations and missing features in Python's ISO datetime parser.
Add `zeep.wsse.crypto` module as a drop-in alternative to the existing xmlsec-based `zeep.wsse.signature` module. Uses the `cryptography` library instead of the C-based `xmlsec`, making installation straightforward on all platforms.

New capabilities beyond the xmlsec-based module:
- No C library dependency (pure Python via `cryptography` + `lxml`)
- PKCS#12 (.p12/.pfx) key loading support
- Configurable signed parts (Body, Timestamp, UsernameToken, BinarySecurityToken, or any element with wsu:Id)
- Per-reference inclusive namespace prefixes for exclusive C14N
- Mixed digest/signature algorithms (e.g. SHA-256 digests + RSA-SHA1)

Classes: CryptoSignature, CryptoBinarySignature, CryptoMemorySignature, CryptoBinaryMemorySignature, PKCS12Signature

Install with: pip install zeep[crypto]

Closes mvantellingen#1357, relates to mvantellingen#1419, mvantellingen#1428, mvantellingen#1363, mvantellingen#1318

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add features surfaced by review:
- KeyIdentifier styles (ThumbprintSHA1, SubjectKeyIdentifier)
- Configurable security header element ordering
- Timestamp freshness validation (Created/Expires)
- Certificate validity period validation
- Internal _configure() method for cleaner initialization

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

Adds `zeep.wsse.crypto` — a pure-Python alternative to the existing xmlsec-based `zeep.wsse.signature` module. Uses the `cryptography` library instead of the C-based `xmlsec`, making installation straightforward on all platforms.

Motivation: We build Landbruget.dk, a Danish agricultural data transparency project. Integrating with Denmark's VetStat SOAP API for antibiotic usage data required WS-Security features that zeep's current xmlsec-based module doesn't support — and installing `xmlsec` across CI/CD and developer machines was a constant pain point. We ended up writing ~300 lines of manual XML signing. This PR extracts that into a clean, general-purpose module that benefits everyone.

What's new

extra_references)

Usage

Install:

pip install zeep[crypto]

Related issues

cannot load crypto library for xmlsec. #1357 (xmlsec installation failures)

Test plan

signature.py — fully additive
`cryptography` not installed (classes set to `None` in `__init__.py`)

🤖 Generated with Claude Code
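Timestamp freshness validation (Created/Expires), one of the features named in the commit messages above, sketched with the standard library only. This is an added example, not code from this pull request or from zeep; `check_timestamp`, `sample_envelope`, the 60-second clock skew and the 5-minute lifetime cap are assumptions, and the envelope is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Standard SOAP 1.1 and OASIS WS-Security 1.0 namespaces.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
TS_PATH = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp"


def parse_utc(text):
    """Parse an xsd:dateTime and refuse values that carry no UTC offset."""
    value = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError("timestamp has no timezone")
    return value.astimezone(timezone.utc)


def check_timestamp(envelope_xml, now, skew=timedelta(seconds=60),
                    max_lifetime=timedelta(minutes=5)):
    """Return "ok" or a rejection reason (hypothetical helper; assumed policy values)."""
    # Constructed input only; parse untrusted XML with a hardened parser instead.
    root = ET.fromstring(envelope_xml)
    stamps = root.findall(TS_PATH)
    if len(stamps) != 1:  # zero or duplicate timestamps are both ambiguous
        return "rejected: expected exactly one wsu:Timestamp"
    created = stamps[0].findtext(f"{{{WSU}}}Created")
    expires = stamps[0].findtext(f"{{{WSU}}}Expires")
    if created is None or expires is None:  # assumed policy: require both
        return "rejected: Created and Expires are required"
    try:
        created, expires = parse_utc(created), parse_utc(expires)
    except ValueError as exc:
        return f"rejected: {exc}"
    if created > now + skew:
        return "rejected: Created is in the future"
    if expires <= now - skew:
        return "rejected: message has expired"
    if expires - created > max_lifetime:  # caps the replay window a sender may claim
        return "rejected: lifetime exceeds policy"
    return "ok"


def sample_envelope(created, expires):
    """Build a constructed SOAP envelope carrying only a wsu:Timestamp."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<s:Header><wsse:Security><wsu:Timestamp wsu:Id="TS-1">'
            f"<wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires>"
            f"</wsu:Timestamp></wsse:Security></s:Header><s:Body/></s:Envelope>")
```

The result is only meaningful when the wsu:Timestamp is among the signed parts and the signature has been verified first; an unsigned timestamp can be rewritten in transit.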