chore: Update to SignXML 4.0.3 version

svillegas-cdd · svillegas-cdd · commit ae5155c22e42 · 2024-12-09T13:38:09.000-03:00
- Updated error messages and expected exception in tests. - Updated `add_pem_cert_header_footer` and now `signxml.util.add_pem_header` returns a byte object. - Removed use of `crypto_utils._X509CertOpenSsl` in `verify_xml_signature` as SignXML has deprecated PyOpenSSL. Ref: https://app.shortcut.com/cordada/story/11838/ [sc-11838]
diff --git a/src/cl_sii/libs/crypto_utils.py b/src/cl_sii/libs/crypto_utils.py
@@ -157,8 +157,7 @@ def add_pem_cert_header_footer(pem_cert: bytes) -> bytes:
     """
     pem_value_str = pem_cert.decode('ascii')
     # note: it would be great if 'add_pem_header' did not forcefully convert bytes to str.
-    mod_pem_value_str = signxml.util.add_pem_header(pem_value_str)
-    mod_pem_value: bytes = mod_pem_value_str.encode('ascii')
+    mod_pem_value: bytes = signxml.util.add_pem_header(pem_value_str)
     return mod_pem_value
 
 
diff --git a/src/cl_sii/libs/xml_utils.py b/src/cl_sii/libs/xml_utils.py
@@ -440,14 +440,8 @@ def verify_xml_signature(
         )
 
     if isinstance(trusted_x509_cert, crypto_utils._X509CertOpenSsl):
-        trusted_x509_cert_open_ssl = trusted_x509_cert
-    elif isinstance(trusted_x509_cert, crypto_utils.X509Cert):
-        trusted_x509_cert_open_ssl = crypto_utils._X509CertOpenSsl.from_cryptography(
-            trusted_x509_cert
-        )
-    elif trusted_x509_cert is None:
-        trusted_x509_cert_open_ssl = None
-    else:
+        trusted_x509_cert = trusted_x509_cert.to_cryptography()
+    elif not isinstance(trusted_x509_cert, (crypto_utils.X509Cert, type(None))):
         # A 'crypto_utils._X509CertOpenSsl' is ok but we prefer 'crypto_utils.X509Cert'.
         raise TypeError("'trusted_x509_cert' must be a 'crypto_utils.X509Cert' instance, or None.")
 
@@ -482,7 +476,7 @@ def verify_xml_signature(
         result = xml_verifier.verify(
             data=tmp_bytes,
             require_x509=True,
-            x509_cert=trusted_x509_cert_open_ssl,
+            x509_cert=trusted_x509_cert,
             ignore_ambiguous_key_info=True,
             expect_config=signxml.verifier.SignatureConfiguration(
                 signature_methods=frozenset([signxml.algorithms.SignatureMethod.RSA_SHA1]),
diff --git a/src/tests/test_libs_xml_utils.py b/src/tests/test_libs_xml_utils.py
@@ -221,7 +221,7 @@ def test_fail_verify_with_other_cert(self) -> None:
             verify_xml_signature(xml_doc, trusted_x509_cert=cert)
         self.assertEqual(
             cm.exception.args,
-            ("Signature verification failed: wrong signature length",),
+            ("Signature verification failed: ",),
         )
 
     def test_bad_cert_included(self) -> None:
@@ -247,11 +247,14 @@ def test_fail_replaced_cert(self) -> None:
         xml_doc = parse_untrusted_xml(self.with_replaced_cert)
         cert = load_pem_x509_cert(self.any_x509_cert_pem_file)
 
-        with self.assertRaises(XmlSignatureInvalid) as cm:
+        with self.assertRaises(ValueError) as cm:
             verify_xml_signature(xml_doc, trusted_x509_cert=cert)
         self.assertEqual(
             cm.exception.args,
-            ("Signature verification failed: []",),
+            (
+                'Invalid input.',
+                'DER encoded key value does not match specified signature algorithm',
+            ),
         )
 
     def test_fail_included_cert_not_from_a_known_ca(self) -> None:
@@ -262,7 +265,7 @@ def test_fail_included_cert_not_from_a_known_ca(self) -> None:
             verify_xml_signature(xml_doc, trusted_x509_cert=None)
         self.assertEqual(
             cm.exception.args,
-            ('unable to get local issuer certificate',),
+            ('validation failed: cert is not valid at validation time',),
         )
 
     def test_fail_signed_data_modified(self) -> None:
