From 0651987b5bbfd190cdafefdb9087222fa21bf325 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20LAJOIE?=
Date: Thu, 1 Dec 2016 14:40:14 +0100
Subject: [PATCH] Sign timestamp only when the tag is set

---
 doc/index.rst   | 11 ++++++-----
 wsse/signing.py |  5 +++--
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/doc/index.rst b/doc/index.rst
index 28e4d68..bad4d43 100644
--- a/doc/index.rst
+++ b/doc/index.rst
@@ -100,9 +100,9 @@ list of ``plugins`` passed to a new ``Client`` instance::
 )
 
 ``WssePlugin`` requires that the outgoing messages already have a
-``wsse:Security`` element in the ``soap:Header`` with a ``wsu:Timestamp``
-token. Suds can do this via its ``Security`` and ``Timestamp`` objects, as
-shown in the above example.
+``wsse:Security`` element in the ``soap:Header`` with an optional
+``wsu:Timestamp`` token. Suds can do this via its ``Security`` and
+``Timestamp`` objects, as shown in the above example.
 
 In the example, ``our_keyfile_path``, ``our_certfile_path``, and
 ``their_certfile_path`` should all be absolute filesystem paths to X509
@@ -112,8 +112,9 @@ used to encrypt outgoing messages and verify the signature on incoming
 messages.
 
 Note that ``WssePlugin`` is currently hardcoded to sign the ``wsu:Timestamp``
-and ``soap:Body`` elements, and to optionally encrypt only the first child of
-the ``soap:Body`` element. Pull requests to add more flexibility are welcome.
+(if it is present) and ``soap:Body`` elements, and to optionally encrypt only
+the first child of the ``soap:Body`` element.
+Pull requests to add more flexibility are welcome.
 
 Standalone functions
 
diff --git a/wsse/signing.py b/wsse/signing.py
index 22beac7..321aa54 100644
--- a/wsse/signing.py
+++ b/wsse/signing.py
@@ -20,7 +20,7 @@ def sign(envelope, keyfile, certfile):
     """Sign given SOAP envelope with WSSE sig using given key and cert.
 
     Sign the wsu:Timestamp node in the wsse:Security header and the soap:Body;
-    both must be present.
+    Timestamp is optional, Body must be present.
 
     Add a ds:Signature node in the wsse:Security header containing the
     signature.
@@ -135,7 +135,8 @@ def sign(envelope, keyfile, certfile):
     ctx = xmlsec.SignatureContext()
     ctx.key = key
     _sign_node(ctx, signature, doc.find(ns(SOAP_NS, 'Body')))
-    _sign_node(ctx, signature, security.find(ns(WSU_NS, 'Timestamp')))
+    if security.find(ns(WSU_NS, 'Timestamp')):
+        _sign_node(ctx, signature, security.find(ns(WSU_NS, 'Timestamp')))
     ctx.sign(signature)
 
     # Place the X509 data inside a WSSE SecurityTokenReference within
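Review bot: The reworded docstring line says the timestamp is optional but does not tell the caller what the signature then covers, which is the part a consumer of this function needs to know. I would follow `Timestamp is optional, Body must be present.` with a sentence such as `When no wsu:Timestamp is present only the soap:Body is signed, so the message carries no signed freshness claim.` The body of sign continues outside this hunk.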
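Review bot: The new guard `if security.find(ns(WSU_NS, 'Timestamp')):` tests the truthiness of the found element, which for lxml and ElementTree elements is based on the number of child nodes rather than on whether the lookup succeeded, and recent versions emit a warning for exactly this usage. A wsu:Timestamp that is present but has no children would be treated as absent and silently left out of the signature, which is the opposite of what the commit message intends. Test against None and look the node up once: `timestamp = security.find(ns(WSU_NS, 'Timestamp'))`, `if timestamp is not None:`, `    _sign_node(ctx, signature, timestamp)`. The rest of sign's body lies outside the hunk, so I cannot see whether anything downstream also assumes the timestamp was signed.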