[pycrypto] XML Digital Signature (XML-DSig)

Dwayne Litzenberger dlitz at dlitz.net
Thu Feb 6 09:12:31 PST 2014

On Wed, Feb 05, 2014 at 11:54:31PM -0300, Anurag Chourasia wrote:
>Hi All,
>Is it possible to digitally sign <http://www.w3.org/TR/xmldsig-core/> a XML
>document using the PyCrypto library, provided that I have the certificate
>in .pfx format?
>A sample signed XML is at http://dpaste.com/1587241
>I am a little thin on the concept and appreciate your comments and guidance.

Implementing the XML Security spec is way beyond the scope of PyCrypto.  
See https://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt

It's a really terrible idea anyway.  Individually, X.509 and XML 
Canonicalization are complicated, overengineered specifications.  
Exposing their *combined* complexity to attackers is not advisable.

If, for legacy reasons, you still need to do this, you might be able to 
use an external library (such as pyxmlsec or pyxser) to do most of the 
work, but the only recommendation I can give is "don't do that".

Dwayne C. Litzenberger <dlitz at dlitz.net>
  OpenPGP: 19E1 1FE8 B3CF F273 ED17  4A24 928C EC13 39C2 5CF7

More information about the pycrypto mailing list