- Fix issue with support for deprecated PyOpenSSL certificates
- Fully remove the ca_path parameter; add docs for signature location pinning
- XAdES signing: remove duplicate timezone information from SigningTime (#266)
- Verifier: Accept PyOpenSSL cert input, add deprecation warning
- Replace PyOpenSSL with Cryptography (#260)
- This is a major infrastructure change that replaces core certificate parsing, key processing, signature validation, and certificate chain validation functions previously provided by PyOpenSSL with those provided by Cryptography. Care was taken to preserve the existing API, including exception types, but many error messages raised in various error conditions have changed. If you see unexpected behavior and you have reason to believe it is incorrect, please file an issue.
- Breaking change: the ca_path parameter, previously used to specify CA certificate stores, is no longer supported. Use the ca_pem_file parameter instead.
- Raise error when invalid certificate string is passed as input to signer
- Fix public key matching for ECDSA (#245)
- Update upper bound on lxml dependency to allow lxml 5
- Bump minimum dependency versions to align with Ubuntu 20.04
- Test and release infrastructure improvements
- Use dataclass.replace in SignatureReference construction. Fixes #231
- Roundtrip referenced XML nodes before c14n to detach them from parent document when verifying (#225)
- Add type attribute to XAdES signed properties reference (#224)
- Use distinct default for payload c14n. Fixes #217
- Deprecate SHA1
- Test and documentation improvements
- Remove incorrect deprecation of xml-c14n11 URI
- Mark SHA1 as deprecated
- Aggregate verification settings in SignatureConfiguration dataclass
- Mark all dataclasses in API as frozen
- Add ability to assert expected signature location
- Add ability to assert expected signature algorithms
- Add ability to assert expected digest algorithms
- Add MGF1 (“RSASSA-PSS without parameters”) algorithm identifiers
- Remove PSS (“RSASSA-PSS with parameters”) and EdDSA algorithm identifiers (given low usage and no interop examples, we will not be implementing PSS parameters for now; EdDSA key info additionally has no standardized way to serialize it)
- Add debug logging of canonicalization outputs
- Documentation and formatting improvements
- Add XAdES support
- Migrate all configuration inputs to enums (string identifiers are still supported, but will be deprecated in a future version)
- Migrate structured data inputs to dataclasses
- Deprecate excise_empty_xmlns_declarations
- Documentation and test infrastructure improvements
- Clean up top level signxml and signxml.xades namespaces
- Stop using default_backend for cryptography, it is no longer required
- Drop Python 3.6 support (#200)
- Drop Python 3.6 support.
- Do not excise any empty `xmlns=""` declarations by default. This behavior is now configurable as follows:

```python
signer = XMLSigner()
signer.excise_empty_xmlns_declarations = True
signer.sign(...)

verifier = XMLVerifier()
verifier.excise_empty_xmlns_declarations = True
verifier.verify(...)
```

- Documentation and autoformatting improvements
- Excise empty xmlns declarations only in signature, not in payload
- Add pyinstaller support to signxml (#188)
- Documentation, test infrastructure, and code organization improvements
- Unlimit cryptography version constraint. Fixes #177
- Bump pyOpenSSL compat range; add dep version strategy note
- Allow the combination of X509Data and KeyValue when they represent the same public key (#169)
- Use self.namespaces for the signature properties “Object” element (#167)
- Allow cryptography versions >3 (but <4) (#164)
- Add support for adding Signature Properties to a detached signature (#160)
- Compare raw digest bytes instead of base64 encoded digests. Fixes #155
- Initial X509IssuerSerial/X509Digest support
- Support custom inclusive_ns_prefixes when signing
- Fix ECDSA signature encoding/decoding (#150)
- Add InclusiveNamespaces PrefixList support for SignedInfo
- Test and documentation improvements
- Relax dependency version range on eight
- Update dependency installation documentation
- XMLSigner.sign(): add always_add_key_value kwarg to include both X509Data and KeyValue for ill-defined signing applications
- XMLVerifier.verify(): reject signatures that contain both X509Data and KeyValue by default; add ignore_ambiguous_key_info kwarg to bypass
- Accept PEM keys as either str or bytes
- Drop defusedxml dependency; add security notes
- Add missing c14n transform for enveloping and detached methods (#107)
- Relax pyOpenSSL dependency version range to include version 19
- Apply transforms and digest calculations to copies of root. Closes #125. (#126)
- Documentation and test improvements
- Update dependencies to baseline on Ubuntu 18.04
- Clarify documentation of Ubuntu installation dependencies
- List ipaddress as a dependency
- Strip PEM header from OpenSSL.crypto.X509 cert
- Doc updates: dependency versions, standard links
- Fix cryptography deprecation warnings. Closes #108
- Allow URI attribute of Reference to be absent (#102)
- Fix release
- Fix release
- Relax dependency version constraints.
- Drop Python 3.3 support.
- Support for PEM files with CR+LF line endings (#93).
- Import asn1crypto on demand
- Allow newer versions of cryptography library (#89)
- Add explicit dependency on asn1crypto to setup.py (#87)
- Remove use of Exception.message for py3 compatibility. Closes #36 (#86)
- Use asn1crypto instead of pyasn1 to match cryptography lib (#85)
- Pin to major version of lxml instead of minor
- Allow newer versions of several requirements (#84)
- Allow newer version of eight library (#83)
- Documentation and test fixes
- Release automation: parse repo name correctly
- Expand supported cryptography version range. Fixes #74
- Documentation and release automation improvements
- Fix handling of reference URIs in detached signing
- Test infra fixes
- Support custom key info when signing
- Initial elements of ws-security support
- Support signing and verifying multiple references
- Only sign the referenced element when passed reference_uri (thanks to @soby).
- Add CN validation - instead of a full X.509 certificate, it is now possible to pass a common name that will be matched against the CN of a cert trusted by the CA store.
- Order-agnostic cert chain validation and friendlier ingestion of cert chains.
- Minor/internal changes; packaging fix for 2.1.0
- Pre-release; see notes for v2.1.4
- Major API change: signxml.xmldsig(data).sign() -> signxml.XMLSigner().sign(data)
- Major API change: signxml.xmldsig(data).verify() -> signxml.XMLVerifier().verify(data)
- Signer and verifier objects now carry no data-specific state; instead carry system configuration state that is expected to be reused
- Signer and verifier objects should now be safe to reuse in reentrant environments
- Internal architecture changes to improve modularity and eliminate data-specific latent state and side effects
- Update xmlenc namespaces for downstream encryptxml support
- Packaging fix: remove stray .pyc file
- Major API change: Return signature information in verify() return value (#41, #50). Thanks to @klondi.
- Major API change: Excise signature node from verify() return value to avoid possibly returning untrusted data (#47). Thanks to @klondi.
- Remove signature nodes appropriately (#46). Thanks to @klondi.
- Expand Travis CI test to include flake8 linter.
- Add support for using a KeyName element within the KeyInfo block (#38). Thanks to @Pelleplutt.
- Update cryptography dependency
- Expand Travis CI test matrix to include OS X
- Python 3.5 compatibility fix: move enum34 into conditional dependencies (#37). Thanks to @agronholm.
- Support enveloped signatures nested at arbitrary levels beneath root element (#32, #33). Thanks to @jmindek.
- Update certifi, cryptography dependencies
- Handle xml.etree.ElementTree nodes as input (previously these would cause a crash, despite the documentation suggesting otherwise). Closes #19, thanks to @nickcash.
- Do not open schema file in text mode when parsing XML (closes #18, thanks to @nick210)
- Update cryptography dependency
- Add support for parameterizable signature namespace (PR #12, thanks to @ldnunes)
- Update cryptography dependency
- Add support for detached signatures (closes #3)
- Update pyOpenSSL dependency; use X509StoreContext.verify_certificate()
- Use pyasn1 for DER encoding and decoding, eliminating some DSA signature verification failures
- Do not distribute tests in source archive
- Configurable id attribute name for verifying non-standard internal object references, e.g. ADFS (closes #6)
- Python 3 compatibility fixes
- Fix test matrix (Python version configuration) in Travis
- Refactor application of enveloped signature transforms
- Support base64 transform
- Support application of different canonicalization algorithms to signature and payload (closes #1)
- Add support for exclusive canonicalization with InclusiveNamespaces PrefixList attribute
- Overhaul support of canonicalization algorithms
- Fix bug in enveloped signature canonicalization of namespace prefixes
- Fix bug in enveloped signature excision
- Allow location of enveloped signature to be specified
- Use exclusive c14n when signing
- Namespace all tags when generating signature
- Switch default signing method to enveloped signature
- Fix typo in ns prefixing code
- Fix handling of DER sequences in DSA key serialization
- Parameterize excision with ns prefix
- Fix excision with ns prefix
- Fixes to c14n of enveloped signatures
- Expand tests to use the XML Signature interoperability test suite
- Load bare X509 certificates from SAML metadata correctly
- Always use X509 information even if key value is present
- Internal refactor to modularize key value handling logic
- Use defusedxml when verifying signatures.
- Eliminate dependency on PyCrypto.
- Introduce support for ECDSA asymmetric key encryption.
- Introduce ability to validate xmldsig11 schema.
- Expand test suite coverage.
- Allow use of external X509 certificates for validation; add an example of supplying a cert from SAML metadata.
- Packaging fix.
- Packaging fix.
- Accept etree elements in verify.
- Packaging fix.
- Begin work toward conformance with version 1.1 of the spec.
- Require x509 for verification by default.
- Documentation fixes.
- Documentation fixes.
- Initial release.