Merge branch 'master' into 164-pkcs11-support

jimjag · web-flow · commit 6c90fe757942 · 2024-03-12T16:42:22.000-04:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -31,7 +31,7 @@ repos:
         exclude: ^setup.py$
         additional_dependencies: [flake8-docstrings, flake8-bugbear, flake8-logging-format, flake8-builtins, flake8-eradicate, flake8-fixme, pep8-naming, flake8-pep3101, flake8-annotations-complexity,flake8-pyi]
 -   repo: https://github.com/PyCQA/isort
-    rev: 5.11.5
+    rev: 5.12.0
     hooks:
     -   id: isort
 -   repo: https://github.com/pre-commit/mirrors-mypy
diff --git a/doc/source/modules/constants.rst b/doc/source/modules/constants.rst
@@ -47,7 +47,7 @@ KeyData
 
    The DSA key klass.
 
-.. data:: xmlsec.constants.KeyDataEcdsa
+.. data:: xmlsec.constants.KeyDataEc
 
    The ECDSA key klass.
 
@@ -166,12 +166,6 @@ Namespaces
 .. data:: xmlsec.constants.XPointerNs
    :annotation: = 'http://www.w3.org/2001/04/xmldsig-more/xptr'
 
-.. data:: xmlsec.constants.Soap11Ns
-   :annotation: = 'http://schemas.xmlsoap.org/soap/envelope/'
-
-.. data:: xmlsec.constants.Soap12Ns
-   :annotation: = 'http://www.w3.org/2002/06/soap-envelope'
-
 .. data:: xmlsec.constants.NsExcC14N
    :annotation: = 'http://www.w3.org/2001/10/xml-exc-c14n#'
 
diff --git a/setup.py b/setup.py
@@ -86,6 +86,7 @@ def run(self):
         ext = self.ext_map['xmlsec']
         self.debug = os.environ.get('PYXMLSEC_ENABLE_DEBUG', False)
         self.static = os.environ.get('PYXMLSEC_STATIC_DEPS', False)
+        self.size_opt = os.environ.get('PYXMLSEC_OPTIMIZE_SIZE', True)
 
         if self.static or sys.platform == 'win32':
             self.info('starting static build on {}'.format(sys.platform))
@@ -153,11 +154,18 @@ def run(self):
             )
 
         if self.debug:
-            ext.extra_compile_args.append('-Wall')
-            ext.extra_compile_args.append('-O0')
             ext.define_macros.append(('PYXMLSEC_ENABLE_DEBUG', '1'))
+            if sys.platform == 'win32':
+                ext.extra_compile_args.append('/Od')
+            else:
+                ext.extra_compile_args.append('-Wall')
+                ext.extra_compile_args.append('-O0')
         else:
-            ext.extra_compile_args.append('-Os')
+            if self.size_opt:
+                if sys.platform == 'win32':
+                    ext.extra_compile_args.append('/Os')
+                else:
+                    ext.extra_compile_args.append('-Os')
 
         super(build_ext, self).run()
 
diff --git a/src/common.h b/src/common.h
@@ -13,7 +13,7 @@
 #include "debug.h"
 
 #ifndef MODULE_NAME
-#define MODULE_NAME "xmlsec"
+#define MODULE_NAME xmlsec
 #endif
 
 #define JOIN(X,Y) DO_JOIN1(X,Y)
diff --git a/src/constants.c b/src/constants.c
@@ -316,8 +316,6 @@ int PyXmlSec_ConstantsModule_Init(PyObject* package) {
     PYXMLSEC_ADD_NS_CONSTANT(XPathNs, "XPATH");
     PYXMLSEC_ADD_NS_CONSTANT(XPath2Ns, "XPATH2");
     PYXMLSEC_ADD_NS_CONSTANT(XPointerNs, "XPOINTER");
-    PYXMLSEC_ADD_NS_CONSTANT(Soap11Ns, "SOAP11");
-    PYXMLSEC_ADD_NS_CONSTANT(Soap12Ns, "SOAP12");
     PYXMLSEC_ADD_NS_CONSTANT(NsExcC14N, "EXC_C14N");
     PYXMLSEC_ADD_NS_CONSTANT(NsExcC14NWithComments, "EXC_C14N_WITH_COMMENT");
 
@@ -441,13 +439,15 @@ int PyXmlSec_ConstantsModule_Init(PyObject* package) {
     PYXMLSEC_ADD_KEYDATA_CONSTANT(KeyDataRetrievalMethod, "RETRIEVALMETHOD")
     PYXMLSEC_ADD_KEYDATA_CONSTANT(KeyDataEncryptedKey, "ENCRYPTEDKEY")
     PYXMLSEC_ADD_KEYDATA_CONSTANT(KeyDataAes, "AES")
+#ifndef XMLSEC_NO_DES
     PYXMLSEC_ADD_KEYDATA_CONSTANT(KeyDataDes, "DES")
+#endif
 #ifndef XMLSEC_NO_DSA
     PYXMLSEC_ADD_KEYDATA_CONSTANT(KeyDataDsa, "DSA")
 #endif
 #if XMLSEC_VERSION_HEX > 0x10212
     // from version 1.2.19
-    PYXMLSEC_ADD_KEYDATA_CONSTANT(KeyDataEcdsa, "ECDSA")
+    PYXMLSEC_ADD_KEYDATA_CONSTANT(KeyDataEc, "ECDSA")
 #endif
     PYXMLSEC_ADD_KEYDATA_CONSTANT(KeyDataHmac, "HMAC")
     PYXMLSEC_ADD_KEYDATA_CONSTANT(KeyDataRsa, "RSA")
@@ -489,8 +489,10 @@ int PyXmlSec_ConstantsModule_Init(PyObject* package) {
     PYXMLSEC_ADD_TRANSFORM_CONSTANT(TransformKWAes192, "KW_AES192");
     PYXMLSEC_ADD_TRANSFORM_CONSTANT(TransformKWAes256, "KW_AES256");
 
+#ifndef XMLSEC_NO_DES
     PYXMLSEC_ADD_TRANSFORM_CONSTANT(TransformDes3Cbc, "DES3");
     PYXMLSEC_ADD_TRANSFORM_CONSTANT(TransformKWDes3, "KW_DES3");
+#endif
 #ifndef XMLSEC_NO_DSA
     PYXMLSEC_ADD_TRANSFORM_CONSTANT(TransformDsaSha1, "DSA_SHA1");
 #endif
diff --git a/src/enc.c b/src/enc.c
@@ -17,6 +17,11 @@
 #include <xmlsec/xmlenc.h>
 #include <xmlsec/xmltree.h>
 
+// Backwards compatibility with xmlsec 1.2
+#ifndef XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH
+#define XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH 0x00008000
+#endif
+
 typedef struct {
     PyObject_HEAD
     xmlSecEncCtxPtr handle;
@@ -50,6 +55,13 @@ static int PyXmlSec_EncryptionContext__init__(PyObject* self, PyObject* args, Py
     }
     ctx->manager = manager;
     PYXMLSEC_DEBUGF("%p: init enc context - ok, manager - %p", self, manager);
+
+    // xmlsec 1.3 changed the key search to strict mode, causing various examples
+    // in the docs to fail. For backwards compatibility, this changes it back to
+    // lax mode for now.
+    ctx->handle->keyInfoReadCtx.flags = XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH;
+    ctx->handle->keyInfoWriteCtx.flags = XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH;
+
     return 0;
 ON_FAIL:
     PYXMLSEC_DEBUGF("%p: init enc context - failed", self);
diff --git a/src/keys.c b/src/keys.c
@@ -163,7 +163,7 @@ static PyObject* PyXmlSec_KeyFromFile(PyObject* self, PyObject* args, PyObject*
     if (is_content) {
         key->handle = xmlSecCryptoAppKeyLoadMemory((const xmlSecByte*)data, (xmlSecSize)data_size, format, password, NULL, NULL);
     } else {
-        key->handle = xmlSecCryptoAppKeyLoad(data, format, password, NULL, NULL);
+        key->handle = xmlSecCryptoAppKeyLoadEx(data, xmlSecKeyDataTypePrivate, format, password, NULL, NULL);
     }
     Py_END_ALLOW_THREADS;
 
diff --git a/src/xmlsec/constants.pyi b/src/xmlsec/constants.pyi
@@ -29,7 +29,7 @@ EncNs: Final[str]
 KeyDataAes: Final[__KeyData]
 KeyDataDes: Final[__KeyData]
 KeyDataDsa: Final[__KeyData]
-KeyDataEcdsa: Final[__KeyData]
+KeyDataEc: Final[__KeyData]
 KeyDataEncryptedKey: Final[__KeyData]
 KeyDataFormatBinary: Final[int]
 KeyDataFormatCertDer: Final[int]
@@ -85,8 +85,6 @@ NodeX509Data: Final[str]
 Ns: Final[str]
 NsExcC14N: Final[str]
 NsExcC14NWithComments: Final[str]
-Soap11Ns: Final[str]
-Soap12Ns: Final[str]
 TransformAes128Cbc: Final[__Transform]
 TransformAes128Gcm: Final[__Transform]
 TransformAes192Cbc: Final[__Transform]
diff --git a/tests/data/enc-bad-in.xml b/tests/data/enc-bad-in.xml
diff --git a/tests/test_enc.py b/tests/test_enc.py
@@ -233,22 +233,3 @@ def test_decrypt_bad_args(self):
         ctx = xmlsec.EncryptionContext()
         with self.assertRaises(TypeError):
             ctx.decrypt('')
-
-    def check_no_segfault(self):
-        namespaces = {'soap': 'http://schemas.xmlsoap.org/soap/envelope/'}
-
-        manager = xmlsec.KeysManager()
-        key = xmlsec.Key.from_file(self.path("rsacert.pem"), format=consts.KeyDataFormatCertPem)
-        manager.add_key(key)
-        template = self.load_xml('enc-bad-in.xml')
-        enc_data = xmlsec.template.encrypted_data_create(
-            template, xmlsec.Transform.AES128, type=xmlsec.EncryptionType.CONTENT, ns='xenc'
-        )
-        xmlsec.template.encrypted_data_ensure_cipher_value(enc_data)
-        key_info = xmlsec.template.encrypted_data_ensure_key_info(enc_data, ns='dsig')
-        enc_key = xmlsec.template.add_encrypted_key(key_info, xmlsec.Transform.RSA_PKCS1)
-        xmlsec.template.encrypted_data_ensure_cipher_value(enc_key)
-        data = template.find('soap:Body', namespaces=namespaces)
-        enc_ctx = xmlsec.EncryptionContext(manager)
-        enc_ctx.key = xmlsec.Key.generate(xmlsec.KeyData.AES, 192, xmlsec.KeyDataType.SESSION)
-        self.assertRaises(Exception, enc_ctx.encrypt_xml(enc_data, data))

Original file line number	Diff line number	Diff line change
`@@ -163,7 +163,7 @@ static PyObject* PyXmlSec_KeyFromFile(PyObject* self, PyObject* args, PyObject*`
`163`	`163`	`if (is_content) {`
`164`	`164`	`key->handle = xmlSecCryptoAppKeyLoadMemory((const xmlSecByte*)data, (xmlSecSize)data_size, format, password, NULL, NULL);`
`165`	`165`	`} else {`
`166`		`- key->handle = xmlSecCryptoAppKeyLoad(data, format, password, NULL, NULL);`
	`166`	`+ key->handle = xmlSecCryptoAppKeyLoadEx(data, xmlSecKeyDataTypePrivate, format, password, NULL, NULL);`
`167`	`167`	`}`
`168`	`168`	`Py_END_ALLOW_THREADS;`
`169`	`169`