
I am using the library signxml to sign XML signatures for SAML authentication. One of our implementer partners requires that we send the signature in SHA1. The base configuration of XMLSigner does not support SHA1, because it has been deprecated since SHA1 is not secure. Unfortunately I still have to send it as SHA1 because the other implementer won't change their code base. I have read the library documentation and am unsure how to force SHA1 support. If you call the code below, it errors out at this point in the code: https://github.com/XML-Security/signxml/blob/9f06f4314f1a0480e22992bbb8209a71bc581e05/signxml/signer.py#L120

import signxml
from signxml import XMLSigner, XMLVerifier

# Enveloped signature over the SAML root with RSA-SHA1 / SHA1 and exclusive C14N;
# XMLSigner raises at construction time because SHA1 is disabled by default.
signed_saml_root = XMLSigner(
    method=signxml.methods.enveloped,
    signature_algorithm="rsa-sha1",
    digest_algorithm="sha1",
    c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#",
).sign(saml_root, key=self.key, cert=self.cert, always_add_key_value=True)
verified_data = XMLVerifier().verify(signed_saml_root, x509_cert=self.cert).signed_xml

The documentation mentions doing the following for SHA1 deprecation: SHA1 based algorithms are not secure for use in digital signatures. They are included for legacy compatibility only and disabled by default. To verify SHA1 based signatures, use:

XMLVerifier().verify(
    expect_config=SignatureConfiguration(
        signature_methods=...,
        digest_algorithms=...
    )
)

But that looks to be for verification only; I'm unsure how to make it work for signing. Can someone provide some advice on how to get SHA1 working with the signxml library?

asked May 9, 2024 at 6:16

1 Answer


You can override the function check_deprecated_methods from the source to skip the error.

from signxml import XMLSigner

class XMLSignerWithSHA1(XMLSigner):
    # XMLSigner.__init__ calls this hook to refuse SHA1-based methods;
    # overriding it with a no-op lets the SHA1 configuration through.
    def check_deprecated_methods(self):
        pass

Now, you can use class XMLSignerWithSHA1 to sign:

from signxml import DigestAlgorithm, SignatureMethod

signer = XMLSignerWithSHA1(signature_algorithm=SignatureMethod.RSA_SHA1, digest_algorithm=DigestAlgorithm.SHA1)
signed = signer.sign(data, cert=cert, key=key)
answered May 9, 2024 at 6:52

1 Comment

Thanks so much Tan! We were able to implement this advice with just some slight alterations because of different package versions. But your answer was exactly what we needed.
