@@ -233,8 +233,8 @@ def _apply_transforms(self, payload, *, transforms_node: etree._Element, signatu
233233
234234 return payload
235235
236- def get_cert_chain_verifier (self , ca_pem_file , ca_path ):
237- return X509CertChainVerifier (ca_pem_file = ca_pem_file , ca_path = ca_path )
236+ def get_cert_chain_verifier (self , ca_pem_file ):
237+ return X509CertChainVerifier (ca_pem_file = ca_pem_file )
238238
239239 def _match_key_values (self , key_value , der_encoded_key_value , signing_cert , signature_alg ):
240240 if self .config .ignore_ambiguous_key_info is False :
@@ -279,7 +279,6 @@ def verify(
279279 cert_subject_name : Optional [str ] = None ,
280280 cert_resolver : Optional [Callable ] = None ,
281281 ca_pem_file : Optional [Union [str , bytes ]] = None ,
282- ca_path : Optional [str ] = None ,
283282 hmac_key : Optional [str ] = None ,
284283 validate_schema : bool = True ,
285284 parser = None ,
@@ -302,8 +301,16 @@ def verify(
302301 signed by that signature.
303302
304303 In SignXML, you can ensure that the information signed is what you expect to be signed by only trusting the
305- data returned by the ``verify()`` method. The return value is the XML node or string that was signed. Also,
306- depending on the canonicalization method used by the signature, comments in the XML data may not be subject to
304+ data returned by ``XMLVerifier.verify()``. The ``signed_xml`` attribute of the return value is the XML node or string
305+ that was signed. We also recommend that you assert the expected location for the signature within the document:
306+
307+ .. code-block:: python
308+
309+ from signxml import XMLVerifier, SignatureConfiguration
310+ config = SignatureConfiguration(location="./")
311+ XMLVerifier(...).verify(..., expect_config=config)
312+
313+ Depending on the canonicalization method used by the signature, comments in the XML data may not be subject to
307314 signing, so may need to be untrusted. If so, they are excised from the return value of ``verify()``.
308315
309316 **Recommended reading:** http://www.w3.org/TR/xmldsig-bestpractices/#practices-applications
@@ -316,7 +323,7 @@ def verify(
316323 ``x509_cert`` argument to specify a certificate that was pre-shared out-of-band (e.g. via SAML metadata, as
317324 shown in :ref:`Verifying SAML assertions <verifying-saml-assertions>`), or ``cert_subject_name`` to specify a
318325 subject name that must be in the signing X.509 certificate given by the signature (verified as if it were a
319- domain name), or ``ca_pem_file``/``ca_path`` to give a custom CA.
326+ domain name), or ``ca_pem_file`` to give a custom CA.
320327
321328 :param data: Signature data to verify
322329 :type data: String, file-like object, or XML ElementTree Element API compatible object
@@ -336,10 +343,6 @@ def verify(
336343 :param ca_pem_file:
337344 Filename of a PEM file containing certificate authority information to use when verifying certificate-based
338345 signatures.
339- :param ca_path:
340- Path to a directory containing PEM-formatted certificate authority files to use when verifying
341- certificate-based signatures. If neither **ca_pem_file** nor **ca_path** is given, the Mozilla CA bundle
342- provided by :py:mod:`certifi` will be loaded.
343346 :param hmac_key: If using HMAC, a string containing the shared secret.
344347 :param validate_schema: Whether to validate **data** against the XML Signature schema.
345348 :param parser:
@@ -433,7 +436,7 @@ def verify(
433436 else :
434437 cert_chain = [x509 .load_pem_x509_certificate (add_pem_header (cert )) for cert in certs ]
435438
436- cert_verifier = self .get_cert_chain_verifier (ca_pem_file = ca_pem_file , ca_path = ca_path )
439+ cert_verifier = self .get_cert_chain_verifier (ca_pem_file = ca_pem_file )
437440
438441 signing_cert = cert_verifier .verify (cert_chain )
439442 elif isinstance (self .x509_cert , x509 .Certificate ):
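Review bot: The `:param ca_pem_file:` entry on the new side no longer states what trust anchors are used when the argument is omitted; that statement lived in the deleted `ca_path` paragraph (the Mozilla bundle from certifi) and nothing in the hunk restores it. Because the CA bundle decides which certificate chains `verify()` accepts, add a sentence such as `If not given, the Mozilla CA bundle provided by :py:mod:certifi is used.` — presumably that fallback is still what `X509CertChainVerifier(ca_pem_file=None)` does, but confirm before documenting it. Removing `ca_path` from the `verify()` signature is also a hard break for callers passing it by keyword, who now get an unspecific `TypeError`; a keyword-only `ca_path: Optional[str] = None` guarded by `if ca_path is not None: raise TypeError("ca_path is no longer supported; pass ca_pem_file instead")` fails with a clear message. The `verify` definition begins and ends outside the hunk.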