Omitt WSSE header elements from signature

Author: tpazderka

src/zeep/wsse/signature.py

@@ -25,6 +25,8 @@
 
 # SOAP envelope
 SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
+# Namespaces omitted from signing
+OMITTED_HEADERS = [ns.WSSE]
 
 
 def _read_file(f_name):
@@ -259,7 +261,9 @@ def _signature_prepare(envelope, key, signature_method, digest_method, signature
         header = get_or_create_header(envelope)
         if signatures["everything"]:
             for node in header.iterchildren():
-                _sign_node(ctx, signature, node, digest_method)
+                # Everything doesn't mean everything ...
+                if node.nsmap.get(node.prefix) not in OMITTED_HEADERS:
+                    _sign_node(ctx, signature, node, digest_method)
         else:
             for node in signatures["header"]:
                 _sign_node(

tests/test_wsse_signature.py

@@ -114,6 +114,124 @@ def test_sign(
         assert sig.get("Algorithm") == expected_signature_href
 
 
+@skip_if_no_xmlsec
+@pytest.mark.parametrize("digest_method,expected_digest_href", DIGEST_METHODS_TESTDATA)
+@pytest.mark.parametrize(
+    "signature_method,expected_signature_href", SIGNATURE_METHODS_TESTDATA
+)
+def test_sign_element(
+    digest_method, signature_method, expected_digest_href, expected_signature_href
+):
+    envelope = load_xml(
+        """
+        <soapenv:Envelope
+            xmlns:tns="http://tests.python-zeep.org/"
+            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
+            xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+            xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+            xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
+          <soapenv:Header>
+            <wsse:Security mustUnderstand="true">
+              <wsu:Timestamp>
+                <wsu:Created>2015-06-25T21:53:25.246276+00:00</wsu:Created>
+                <wsu:Expires>2015-06-25T21:58:25.246276+00:00</wsu:Expires>
+              </wsu:Timestamp>
+            </wsse:Security>
+            <tns:Some>OK</tns:Some>
+          </soapenv:Header>
+          <soapenv:Body>
+            <tns:Function>
+              <tns:Argument>OK</tns:Argument>
+            </tns:Function>
+          </soapenv:Body>
+        </soapenv:Envelope>
+    """
+    )
+
+    # Force header element and body signature
+    signatures = {
+        "everything": False,
+        "body": True,
+        "header": [{"Namespace": "http://tests.python-zeep.org/", "Name": "Some"}],
+    }
+    signature.sign_envelope(
+        envelope,
+        KEY_FILE,
+        KEY_FILE,
+        signature_method=getattr(xmlsec_installed.Transform, signature_method),
+        digest_method=getattr(xmlsec_installed.Transform, digest_method),
+        signatures=signatures,
+    )
+    signature.verify_envelope(envelope, KEY_FILE)
+
+    digests = envelope.xpath("//ds:DigestMethod", namespaces={"ds": ns.DS})
+    assert len(digests)
+    for digest in digests:
+        assert digest.get("Algorithm") == expected_digest_href
+    signatures = envelope.xpath("//ds:SignatureMethod", namespaces={"ds": ns.DS})
+    assert len(signatures)
+    for sig in signatures:
+        assert sig.get("Algorithm") == expected_signature_href
+
+
+@skip_if_no_xmlsec
+@pytest.mark.parametrize("digest_method,expected_digest_href", DIGEST_METHODS_TESTDATA)
+@pytest.mark.parametrize(
+    "signature_method,expected_signature_href", SIGNATURE_METHODS_TESTDATA
+)
+def test_sign_everything(
+    digest_method, signature_method, expected_digest_href, expected_signature_href
+):
+    envelope = load_xml(
+        """
+        <soapenv:Envelope
+            xmlns:tns="http://tests.python-zeep.org/"
+            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
+            xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+            xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+            xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
+          <soapenv:Header>
+            <wsse:Security mustUnderstand="true">
+              <wsu:Timestamp>
+                <wsu:Created>2015-06-25T21:53:25.246276+00:00</wsu:Created>
+                <wsu:Expires>2015-06-25T21:58:25.246276+00:00</wsu:Expires>
+              </wsu:Timestamp>
+            </wsse:Security>
+            <tns:Some>OK</tns:Some>
+          </soapenv:Header>
+          <soapenv:Body>
+            <tns:Function>
+              <tns:Argument>OK</tns:Argument>
+            </tns:Function>
+          </soapenv:Body>
+        </soapenv:Envelope>
+    """
+    )
+
+    # Force header element and body signature
+    signatures = {"everything": True, "body": True, "header": []}
+    signature.sign_envelope(
+        envelope,
+        KEY_FILE,
+        KEY_FILE,
+        signature_method=getattr(xmlsec_installed.Transform, signature_method),
+        digest_method=getattr(xmlsec_installed.Transform, digest_method),
+        signatures=signatures,
+    )
+    signature.verify_envelope(envelope, KEY_FILE)
+
+    digests = envelope.xpath("//ds:DigestMethod", namespaces={"ds": ns.DS})
+    assert len(digests)
+    for digest in digests:
+        assert digest.get("Algorithm") == expected_digest_href
+    signatures = envelope.xpath("//ds:SignatureMethod", namespaces={"ds": ns.DS})
+    assert len(signatures)
+    for sig in signatures:
+        assert sig.get("Algorithm") == expected_signature_href
+
+
 @skip_if_no_xmlsec
 def test_sign_pw():
     envelope = load_xml(
@@ -135,7 +253,9 @@ def test_sign_pw():
 
     # Force body signature
     signatures = {"everything": False, "body": True, "header": []}
-    signature.sign_envelope(envelope, KEY_FILE_PW, KEY_FILE_PW, "geheim", signatures=signatures)
+    signature.sign_envelope(
+        envelope, KEY_FILE_PW, KEY_FILE_PW, "geheim", signatures=signatures
+    )
     signature.verify_envelope(envelope, KEY_FILE_PW)