Reputation: 143
I have generated a private key and public cert using the openssl command:
openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out public_cert.pem -nodes -days 1460 -subj "/C=YOURCOUNTRY/O=YOURCOMPANYNAME/CN=COMMONNAME"
I signed the XML using the private key generated above and tried to verify it, but verification is failing. Sample code follows:
from lxml import etree
import os
from signxml import XMLSigner, XMLVerifier
current_path = os.path.dirname(os.path.abspath(__file__))
ca_cert_file = os.path.join(current_path, "public_cert.pem")
cert = open(ca_cert_file).read()
key = open(os.path.join(current_path, "private_key.pem")).read()
data_to_sign = "<Test/>"
root = etree.fromstring(data_to_sign)
signer = XMLSigner(c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
signed_root = signer.sign(root, key=key, cert=cert)
verified_data = XMLVerifier().verify(signed_root, ca_pem_file=ca_cert_file)
Executing the above code results in the exception below:
Traceback (most recent call last):
File "C:\Users\<username>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\signxml\__init__.py", line 864, in verify
verify(signing_cert, raw_signature, signed_info_c14n, signature_digest_method)
File "C:\Users\<username>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\OpenSSL\crypto.py", line 2869, in verify
_raise_current_error()
File "C:\Users\<username>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\OpenSSL\_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('rsa routines', 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines', 'rsa_ossl_public_decrypt', 'padding check failed')]
Upvotes: 0
Views: 1583
Reputation: 15619
An invalid padding warning usually indicates that there is a problem with the keys. For instance: "the Public key does not matched to the Private key for decryption."
I was able to throw this error when I purposely mismatched my keys. This error is the same one that you mentioned in your question.
OpenSSL.crypto.Error: [('rsa routines', 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines', 'rsa_ossl_public_decrypt', 'padding check failed')]
I would recommend recreating the keys, verifying that you're using the correct key pair in your code, and then retesting.
I generated my key this way.
openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out public_cert.pem -nodes -days 1460 -subj "/C=US/O=mycompanyname/CN=domainname.com"
The code below didn't produce an error.
import os
from lxml import etree
from signxml import XMLSigner, XMLVerifier, InvalidCertificate
current_path = os.path.dirname(os.path.abspath(__file__))
ca_cert_file = os.path.join(current_path, "public_cert.pem")
cert = open(ca_cert_file).read()
key = open(os.path.join(current_path, "private_key.pem")).read()
data_to_sign = "<Test/>"
root = etree.fromstring(data_to_sign)
signer = XMLSigner(c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
signed_root = signer.sign(root, key=key, cert=cert)
try:
    verified_data = XMLVerifier().verify(signed_root, ca_pem_file=ca_cert_file)
except InvalidCertificate as e:
    print(e)
else:
    print('verified signature')
----------------------------------------
System information
----------------------------------------
Platform: macOS
Python: 3.8.0
lxml: 4.6.2
signxml: 2.8.1
LibreSSL: 2.8.3 (openssl)
----------------------------------------
Upvotes: 2
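The key/certificate mismatch described in the answer can be ruled out before signing by comparing the public key derived from the private key file with the one embedded in the certificate. This is an added example, not code from the question or the answer; the function names `key_matches_cert`, `make_pair` and `demo` and the sample file names are hypothetical, and the demo uses throwaway 2048-bit pairs constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check that a PEM private key and a PEM certificate
# belong together, run before handing them to XMLSigner / XMLVerifier.

# Exit status: 0 = key and cert match, 1 = mismatch, 2 = a file could not be parsed.
# The body runs in a subshell so its variables do not leak into the caller.
key_matches_cert() (
    # Public key derived from the private key (SubjectPublicKeyInfo, PEM).
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 2
    # Public key embedded in the certificate, in the same PEM form.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 2
    # Refuse to call two empty strings a match.
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
)

# Hypothetical helper: create a throwaway self-signed pair <dir>/<name>_key.pem
# and <dir>/<name>_cert.pem (2048-bit only to keep the demo fast).
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-${2}" \
        -keyout "${1}/${2}_key.pem" -out "${1}/${2}_cert.pem" 2>/dev/null
}

# Constructed demo: key "a" checked against its own cert and against cert "b".
demo() {
    tmp=$(mktemp -d) || return 1
    if ! { make_pair "$tmp" a && make_pair "$tmp" b; }; then
        rm -rf "$tmp"
        return 1
    fi
    for cert in a b; do
        if key_matches_cert "$tmp/a_key.pem" "$tmp/${cert}_cert.pem"; then
            echo "a_key.pem + ${cert}_cert.pem: match"
        else
            echo "a_key.pem + ${cert}_cert.pem: MISMATCH"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Against the files from the question, the call would be `key_matches_cert private_key.pem public_cert.pem`; a non-zero status means the pair should be regenerated together before signing.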