Ejemplo Registro de Eventos

[Daviid]

Alguien tiene un ejemplo de registro de evento? Firmado y sin firmar?

Creo que tengo uno pero VALIDe me da error, EADTrust también me falla.

Este código me sale todo bien, pero es ChatGPT así que....

Código:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# Full XAdES-EPES validation script
# Validates:
#  - Canonicalization of SignedInfo
#  - Digest of SignedProperties
#  - Digest of the enveloped document
#  - SignatureValue (RSA-SHA256)
#  - Certificate used for signing
#  - XAdES EPES requirements: SigningCertificate, SignaturePolicyIdentifier

import base64
import hashlib
import urllib.request
from lxml import etree
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography import x509

XML_FILE = r"firmado.xml"

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xades": "http://uri.etsi.org/01903/v1.3.2#",
}

def c14n(node, with_comments=False):
    """Returns canonicalized XML for a node."""
    return etree.tostring(
        node,
        method="c14n",
        exclusive=True,
        with_comments=with_comments
    )

def sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def load_xml():
    parser = etree.XMLParser(remove_blank_text=True)
    return etree.parse(XML_FILE, parser)

def extract_certificate(cert_b64):
    cert_bytes = base64.b64decode(cert_b64)
    return x509.load_der_x509_certificate(cert_bytes)

def validate_reference_digest(node, expected_digest):
    canon = c14n(node)
    digest = sha256(canon)
    return digest == expected_digest, digest

def validate_signature_value(public_key, signed_info_c14n, signature_value):
    try:
        public_key.verify(
            signature_value,
            signed_info_c14n,
            padding.PKCS1v15(),
            hashes.SHA256()
        )
        return True
    except Exception:
        return False

def main():
    print("Loading XML…")
    doc = load_xml()

    signature = doc.find(".//ds:Signature", NS)
    signed_info = signature.find("ds:SignedInfo", NS)
    signature_value_el = signature.find("ds:SignatureValue", NS)
    key_info = signature.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)

    # Extract certificate
    cert_b64 = key_info.text.strip()
    cert = extract_certificate(cert_b64)
    public_key = cert.public_key()

    # Canonicalize SignedInfo
    signed_info_c14n = c14n(signed_info)

    # Decode SignatureValue
    signature_value = base64.b64decode(signature_value_el.text.strip())

    print("\n=== Step 1: Validate SignatureValue (RSA-SHA256) ===")
    if validate_signature_value(public_key, signed_info_c14n, signature_value):
        print("✔ SignatureValue is VALID")
    else:
        print("✘ SignatureValue is INVALID")

    print("\n=== Step 2: Validate each Reference digest ===")
    references = signed_info.findall("ds:Reference", NS)
    for ref in references:
        uri = ref.get("URI")
        expected_digest = ref.find("ds:DigestValue", NS).text.strip()

        if uri.startswith("#"):
            target_id = uri[1:]
            target = doc.find(f".//*[@Id='{target_id}']")
        else:
            # Empty URI => enveloped signing of root element
            target = doc.getroot()

        # Root must exclude the <Signature> itself (enveloped signature transform)
        transforms = ref.find("ds:Transforms", NS)
        if transforms is not None:
            for t in transforms.findall("ds:Transform", NS):
                algo = t.get("Algorithm")
                if algo == "http://www.w3.org/2000/09/xmldsig#enveloped-signature":
                    sig_node = signature
                    sig_node.getparent().remove(sig_node)

        valid, computed_digest = validate_reference_digest(target, expected_digest)

        print(f"\nReference URI='{uri}'")
        print(f"Expected digest: {expected_digest}")
        print(f"Computed digest: {computed_digest}")
        print("✔ Digest VALID" if valid else "✘ Digest INVALID")

    print("\n=== Step 3: Validate XAdES SignedProperties digest ===")
    signed_props_ref = signature.find(
        "ds:SignedInfo/ds:Reference[@Type='http://uri.etsi.org/01903#SignedProperties']",
        NS
    )
    if signed_props_ref is not None:
        uri = signed_props_ref.get("URI")[1:]
        expected_digest = signed_props_ref.find("ds:DigestValue", NS).text.strip()

        signed_props = signature.find(
            f"ds:Object/xades:QualifyingProperties/xades:SignedProperties[@Id='{uri}']",
            NS
        )
        valid, computed_digest = validate_reference_digest(signed_props, expected_digest)

        print(f"Expected: {expected_digest}")
        print(f"Computed: {computed_digest}")
        print("✔ SignedProperties digest VALID" if valid else "✘ SignedProperties digest INVALID")

    print("\n=== Step 4: Validate SigningCertificate digest (XAdES requirement) ===")
    signing_cert = signature.find(
        "ds:Object/xades:QualifyingProperties/xades:SignedProperties/"
        "xades:SignedSignatureProperties/xades:SigningCertificate/"
        "xades:Cert/xades:CertDigest/ds:DigestValue",
        NS
    )

    method = signature.find(
        "ds:Object/xades:QualifyingProperties/xades:SignedProperties/"
        "xades:SignedSignatureProperties/xades:SigningCertificate/"
        "xades:Cert/xades:CertDigest/ds:DigestMethod",
        NS
    ).get("Algorithm")

    expected_cert_digest = signing_cert.text.strip()

    if method == "http://www.w3.org/2000/09/xmldsig#sha1":
        computed_cert_digest = sha1(cert.public_bytes(serialization.Encoding.DER))
    else:
        computed_cert_digest = sha256(cert.public_bytes(serialization.Encoding.DER))

    print(f"Expected: {expected_cert_digest}")
    print(f"Computed: {computed_cert_digest}")
    if expected_cert_digest == computed_cert_digest:
        print("✔ SigningCertificate digest VALID")
    else:
        print("✘ SigningCertificate digest INVALID")

    print("\n=== Step 5: Validate XAdES SignaturePolicyHash (EPES) ===")
    policy_hash_el = signature.find(
        "ds:Object/xades:QualifyingProperties/xades:SignedProperties/"
        "xades:SignedSignatureProperties/xades:SignaturePolicyIdentifier/"
        "xades:SignaturePolicyId/xades:SigPolicyHash/ds:DigestValue",
        NS
    )
    policy_method = signature.find(
        "ds:Object/xades:QualifyingProperties/xades:SignedProperties/"
        "xades:SignedSignatureProperties/xades:SignaturePolicyIdentifier/"
        "xades:SignaturePolicyId/xades:SigPolicyHash/ds:DigestMethod",
        NS
    ).get("Algorithm")

    expected_policy_hash = policy_hash_el.text.strip()

    print(f"Policy digest given in XML: {expected_policy_hash}")
    print(f"Digest method: {policy_method}")

    print("\nValidating policy hash...")
    policy_identifier_el = signature.find(
        "ds:Object/xades:QualifyingProperties/xades:SignedProperties/"
        "xades:SignedSignatureProperties/xades:SignaturePolicyIdentifier/"
        "xades:SignaturePolicyId/xades:SigPolicyId/xades:Identifier",
        NS
    )
    if policy_identifier_el is None:
        print("✘ No policy identifier found")
    else:
        policy_identifier = policy_identifier_el.text.strip()
        print(f"Policy Identifier: {policy_identifier}")
        try:
            if policy_identifier.startswith("urn:oid:"):
                if policy_identifier == "urn:oid:2.16.724.1.3.1.1.2.1.9":
                    policy_url = "https://sede.administracion.gob.es/politica_de_firma_anexo_1.pdf"
                else:
                    raise ValueError(f"Unknown OID: {policy_identifier}")
            else:
                policy_url = policy_identifier

            with urllib.request.urlopen(policy_url) as response:
                policy_data = response.read()
            if policy_method == "http://www.w3.org/2000/09/xmldsig#sha1":
                computed_hash = base64.b64encode(hashlib.sha1(policy_data).digest()).decode()
            elif policy_method == "http://www.w3.org/2001/04/xmlenc#sha256":
                computed_hash = base64.b64encode(hashlib.sha256(policy_data).digest()).decode()
            else:
                print(f"Unsupported digest method: {policy_method}")
                computed_hash = None
            if computed_hash:
                print(f"Computed policy hash: {computed_hash}")
                if computed_hash == expected_policy_hash:
                    print("✔ Policy hash VALID")
                else:
                    print("✘ Policy hash INVALID")
        except Exception as e:
            print(f"Error fetching or computing policy hash: {e}")


    print("\n=== VALIDATION FINISHED ===")


if __name__ == "__main__":
    main()