Organize and autodoc enums

Author: kislyuk

docs/index.rst

@@ -6,6 +6,7 @@ API documentation
 .. automodule:: signxml
    :members:
    :imported-members:
+   :undoc-members:
 
 Change log
 ==========

signxml/__init__.py

@@ -1,9 +1,9 @@
 # isort: skip_file
 from .signer import XMLSigner  # noqa:F401
 from .verifier import XMLVerifier, VerifyResult  # noqa:F401
-from .algorithms import XMLSecurityDigestAlgorithm as digest_algorithms  # noqa:F401
-from .algorithms import XMLSecuritySignatureMethod as signature_methods  # noqa:F401
-from .algorithms import XMLSignatureMethods as methods  # noqa:F401
+from .algorithms import DigestAlgorithm, SignatureMethod, SignatureType  # noqa:F401
 from .exceptions import InvalidCertificate, InvalidDigest, InvalidInput, InvalidSignature  # noqa:F401
 from .processor import XMLSignatureProcessor  # noqa:F401
 from .util import SigningSettings, namespaces  # noqa:F401
+
+methods = SignatureType

signxml/algorithms.py

@@ -5,10 +5,30 @@
 from .exceptions import InvalidInput
 
 
-class XMLSignatureMethods(Enum):
+class SignatureType(Enum):
+    """
+    An enumeration of the structural type of signature supported by SignXML.
+    """
+
     enveloped = auto()
+    """
+    The signature is over the XML content that contains the signature as an element. The content provides the root
+    XML document element.
+    """
+
     enveloping = auto()
+    """
+    The signature is over content found within an Object element of the signature itself. The Object (or its
+    content) is identified via a Reference (via a URI fragment identifier or transform).
+    """
+
     detached = auto()
+    """
+    The signature is over content external to the Signature element, and can be identified via a URI or
+    transform. Consequently, the signature is "detached" from the content it signs. This definition typically applies to
+    separate data objects, but it also includes the instance where the Signature and data object reside within the same
+    XML document but are sibling elements.
+    """
 
 
 class FragmentLookupMixin:
@@ -27,7 +47,11 @@ def _missing_(cls, value):
         raise InvalidInput(f"Unrecognized {cls.__name__}: {value}")
 
 
-class XMLSecurityDigestAlgorithm(FragmentLookupMixin, InvalidInputErrorMixin, Enum):
+class DigestAlgorithm(FragmentLookupMixin, InvalidInputErrorMixin, Enum):
+    """
+    An enumeration of digest algorithms supported by SignXML. See RFC 9231 for details.
+    """
+
     SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
     SHA224 = "http://www.w3.org/2001/04/xmldsig-more#sha224"
     SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384"
@@ -44,7 +68,11 @@ def implementation(self):
 
 
 # TODO: check if padding errors are fixed by using padding=MGF1
-class XMLSecuritySignatureMethod(FragmentLookupMixin, InvalidInputErrorMixin, Enum):
+class SignatureMethod(FragmentLookupMixin, InvalidInputErrorMixin, Enum):
+    """
+    An enumeration of signature methods supported by SignXML. See RFC 9231 for details.
+    """
+
     DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
     HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
     RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
@@ -72,36 +100,36 @@ class XMLSecuritySignatureMethod(FragmentLookupMixin, InvalidInputErrorMixin, En
 
 
 digest_algorithm_implementations = {
-    XMLSecurityDigestAlgorithm.SHA1: hashes.SHA1,
-    XMLSecurityDigestAlgorithm.SHA224: hashes.SHA224,
-    XMLSecurityDigestAlgorithm.SHA384: hashes.SHA384,
-    XMLSecurityDigestAlgorithm.SHA256: hashes.SHA256,
-    XMLSecurityDigestAlgorithm.SHA512: hashes.SHA512,
-    XMLSecurityDigestAlgorithm.SHA3_224: hashes.SHA3_224,
-    XMLSecurityDigestAlgorithm.SHA3_256: hashes.SHA3_256,
-    XMLSecurityDigestAlgorithm.SHA3_384: hashes.SHA3_384,
-    XMLSecurityDigestAlgorithm.SHA3_512: hashes.SHA3_512,
-    XMLSecuritySignatureMethod.DSA_SHA1: hashes.SHA1,
-    XMLSecuritySignatureMethod.HMAC_SHA1: hashes.SHA1,
-    XMLSecuritySignatureMethod.RSA_SHA1: hashes.SHA1,
-    XMLSecuritySignatureMethod.ECDSA_SHA1: hashes.SHA1,
-    XMLSecuritySignatureMethod.ECDSA_SHA224: hashes.SHA224,
-    XMLSecuritySignatureMethod.ECDSA_SHA256: hashes.SHA256,
-    XMLSecuritySignatureMethod.ECDSA_SHA384: hashes.SHA384,
-    XMLSecuritySignatureMethod.ECDSA_SHA512: hashes.SHA512,
-    XMLSecuritySignatureMethod.HMAC_SHA224: hashes.SHA224,
-    XMLSecuritySignatureMethod.HMAC_SHA256: hashes.SHA256,
-    XMLSecuritySignatureMethod.HMAC_SHA384: hashes.SHA384,
-    XMLSecuritySignatureMethod.HMAC_SHA512: hashes.SHA512,
-    XMLSecuritySignatureMethod.RSA_SHA224: hashes.SHA224,
-    XMLSecuritySignatureMethod.RSA_SHA256: hashes.SHA256,
-    XMLSecuritySignatureMethod.RSA_SHA384: hashes.SHA384,
-    XMLSecuritySignatureMethod.RSA_SHA512: hashes.SHA512,
-    XMLSecuritySignatureMethod.DSA_SHA256: hashes.SHA256,
-    XMLSecuritySignatureMethod.ECDSA_SHA3_224: hashes.SHA1,
-    XMLSecuritySignatureMethod.ECDSA_SHA3_256: hashes.SHA1,
-    XMLSecuritySignatureMethod.ECDSA_SHA3_384: hashes.SHA1,
-    XMLSecuritySignatureMethod.ECDSA_SHA3_512: hashes.SHA1,
-    XMLSecuritySignatureMethod.EDDSA_ED25519: hashes.SHA512,
-    XMLSecuritySignatureMethod.EDDSA_ED448: hashes.SHAKE256,
+    DigestAlgorithm.SHA1: hashes.SHA1,
+    DigestAlgorithm.SHA224: hashes.SHA224,
+    DigestAlgorithm.SHA384: hashes.SHA384,
+    DigestAlgorithm.SHA256: hashes.SHA256,
+    DigestAlgorithm.SHA512: hashes.SHA512,
+    DigestAlgorithm.SHA3_224: hashes.SHA3_224,
+    DigestAlgorithm.SHA3_256: hashes.SHA3_256,
+    DigestAlgorithm.SHA3_384: hashes.SHA3_384,
+    DigestAlgorithm.SHA3_512: hashes.SHA3_512,
+    SignatureMethod.DSA_SHA1: hashes.SHA1,
+    SignatureMethod.HMAC_SHA1: hashes.SHA1,
+    SignatureMethod.RSA_SHA1: hashes.SHA1,
+    SignatureMethod.ECDSA_SHA1: hashes.SHA1,
+    SignatureMethod.ECDSA_SHA224: hashes.SHA224,
+    SignatureMethod.ECDSA_SHA256: hashes.SHA256,
+    SignatureMethod.ECDSA_SHA384: hashes.SHA384,
+    SignatureMethod.ECDSA_SHA512: hashes.SHA512,
+    SignatureMethod.HMAC_SHA224: hashes.SHA224,
+    SignatureMethod.HMAC_SHA256: hashes.SHA256,
+    SignatureMethod.HMAC_SHA384: hashes.SHA384,
+    SignatureMethod.HMAC_SHA512: hashes.SHA512,
+    SignatureMethod.RSA_SHA224: hashes.SHA224,
+    SignatureMethod.RSA_SHA256: hashes.SHA256,
+    SignatureMethod.RSA_SHA384: hashes.SHA384,
+    SignatureMethod.RSA_SHA512: hashes.SHA512,
+    SignatureMethod.DSA_SHA256: hashes.SHA256,
+    SignatureMethod.ECDSA_SHA3_224: hashes.SHA1,
+    SignatureMethod.ECDSA_SHA3_256: hashes.SHA1,
+    SignatureMethod.ECDSA_SHA3_384: hashes.SHA1,
+    SignatureMethod.ECDSA_SHA3_512: hashes.SHA1,
+    SignatureMethod.EDDSA_ED25519: hashes.SHA512,
+    SignatureMethod.EDDSA_ED448: hashes.SHAKE256,
 }

signxml/processor.py

@@ -6,8 +6,7 @@
 from cryptography.hazmat.primitives.hashes import Hash
 from lxml import etree
 
-from .algorithms import XMLSecurityDigestAlgorithm as digest_algorithms
-from .algorithms import digest_algorithm_implementations
+from .algorithms import DigestAlgorithm, digest_algorithm_implementations
 from .exceptions import InvalidInput
 from .util import namespaces
 
@@ -89,7 +88,7 @@ class XMLSignatureProcessor(XMLProcessor):
 
     id_attributes: Tuple[str, ...] = ("Id", "ID", "id", "xml:id")
 
-    def _get_digest(self, data, algorithm: digest_algorithms):
+    def _get_digest(self, data, algorithm: DigestAlgorithm):
         algorithm_implementation = digest_algorithm_implementations[algorithm]()
         hasher = Hash(algorithm=algorithm_implementation)
         hasher.update(data)

signxml/signer.py

@@ -8,10 +8,7 @@
 from lxml.etree import Element, SubElement
 from OpenSSL.crypto import FILETYPE_PEM, dump_certificate
 
-from .algorithms import XMLSecurityDigestAlgorithm as digest_algorithms
-from .algorithms import XMLSecuritySignatureMethod as signature_methods
-from .algorithms import XMLSignatureMethods as methods
-from .algorithms import digest_algorithm_implementations
+from .algorithms import DigestAlgorithm, SignatureMethod, SignatureType, digest_algorithm_implementations
 from .exceptions import InvalidInput
 from .processor import XMLSignatureProcessor
 from .util import (
@@ -38,37 +35,34 @@ class XMLSigner(XMLSignatureProcessor):
         ``signxml.methods.enveloped``, ``signxml.methods.enveloping``, or ``signxml.methods.detached``. See the list
         of signature types under `XML Signature Syntax and Processing Version 2.0, Definitions
         <http://www.w3.org/TR/xmldsig-core2/#sec-Definitions>`_.
-    :type method: :py:class:`methods`
     :param signature_algorithm:
         Algorithm that will be used to generate the signature, composed of the signature algorithm and the digest
         algorithm, separated by a hyphen. All algorithm IDs listed under the `Algorithm Identifiers and
         Implementation Requirements <http://www.w3.org/TR/xmldsig-core1/#sec-AlgID>`_ section of the XML Signature
         1.1 standard are supported.
-    :type signature_algorithm: string
     :param digest_algorithm: Algorithm that will be used to hash the data during signature generation. All algorithm IDs
         listed under the `Algorithm Identifiers and Implementation Requirements
         <http://www.w3.org/TR/xmldsig-core1/#sec-AlgID>`_ section of the XML Signature 1.1 standard are supported.
-    :type digest_algorithm: string
     """
 
     def __init__(
         self,
-        method: methods = methods.enveloped,
-        signature_algorithm: Union[signature_methods, str] = signature_methods.RSA_SHA256,
-        digest_algorithm: Union[digest_algorithms, str] = digest_algorithms.SHA256,
+        method: SignatureType = SignatureType.enveloped,
+        signature_algorithm: Union[SignatureMethod, str] = SignatureMethod.RSA_SHA256,
+        digest_algorithm: Union[DigestAlgorithm, str] = DigestAlgorithm.SHA256,
         c14n_algorithm=XMLSignatureProcessor.default_c14n_algorithm,
     ):
-        if method is None or method not in methods:
+        if method is None or method not in SignatureType:
             raise InvalidInput("Unknown signature method {}".format(method))
-        self.method = method
+        self.signature_type = method
         if isinstance(signature_algorithm, str) and "#" not in signature_algorithm:
-            self.sign_alg = signature_methods.from_fragment(signature_algorithm)
+            self.sign_alg = SignatureMethod.from_fragment(signature_algorithm)
         else:
-            self.sign_alg = signature_methods(signature_algorithm)
+            self.sign_alg = SignatureMethod(signature_algorithm)
         if isinstance(digest_algorithm, str) and "#" not in digest_algorithm:
-            self.digest_alg = digest_algorithms.from_fragment(digest_algorithm)
+            self.digest_alg = DigestAlgorithm.from_fragment(digest_algorithm)
         else:
-            self.digest_alg = digest_algorithms(digest_algorithm)
+            self.digest_alg = DigestAlgorithm(digest_algorithm)
         assert c14n_algorithm in self.known_c14n_algorithms
         self.c14n_alg = c14n_algorithm
         self.namespaces = dict(ds=namespaces.ds)
@@ -189,7 +183,7 @@ def sign(
 
         sig_root, doc_root, c14n_inputs, reference_uris = self._unpack(data, reference_uris)
 
-        if self.method == methods.detached and signature_properties is not None:
+        if self.signature_type == SignatureType.detached and signature_properties is not None:
             reference_uris.append("#prop")
             if signature_properties is not None and not isinstance(signature_properties, list):
                 signature_properties = [signature_properties]
@@ -237,14 +231,14 @@ def sign(
         else:
             raise NotImplementedError()
 
-        if self.method == methods.enveloping:
+        if self.signature_type == SignatureType.enveloping:
             for c14n_input in c14n_inputs:
                 doc_root.append(c14n_input)
 
-        if self.method == methods.detached and signature_properties is not None:
+        if self.signature_type == SignatureType.detached and signature_properties is not None:
             sig_root.append(signature_properties_el)
 
-        return doc_root if self.method == methods.enveloped else sig_root
+        return doc_root if self.signature_type == SignatureType.enveloped else sig_root
 
     def _add_key_info(self, sig_root, signing_settings: SigningSettings):
         if self.sign_alg.name.startswith("HMAC_"):
@@ -280,7 +274,7 @@ def _get_c14n_inputs_from_reference_uris(self, doc_root, reference_uris):
 
     def _unpack(self, data, reference_uris):
         sig_root = Element(ds_tag("Signature"), nsmap=self.namespaces)
-        if self.method == methods.enveloped:
+        if self.signature_type == SignatureType.enveloped:
             if isinstance(data, (str, bytes)):
                 raise InvalidInput("When using enveloped signature, **data** must be an XML element")
             doc_root = self.get_root(data)
@@ -309,7 +303,7 @@ def _unpack(self, data, reference_uris):
                 for c14n_input in c14n_inputs:
                     payload_id = c14n_input.get("Id", c14n_input.get("ID"))
                     reference_uris.append("#{}".format(payload_id) if payload_id is not None else "")
-        elif self.method == methods.detached:
+        elif self.signature_type == SignatureType.detached:
             doc_root = self.get_root(data)
             if reference_uris is None:
                 reference_uris = ["#{}".format(data.get("Id", data.get("ID", "object")))]
@@ -318,7 +312,7 @@ def _unpack(self, data, reference_uris):
                 c14n_inputs, reference_uris = self._get_c14n_inputs_from_reference_uris(doc_root, reference_uris)
             except InvalidInput:  # Dummy reference URI
                 c14n_inputs = [self.get_root(data)]
-        elif self.method == methods.enveloping:
+        elif self.signature_type == SignatureType.enveloping:
             doc_root = sig_root
             c14n_inputs = [Element(ds_tag("Object"), nsmap=self.namespaces, Id="object")]
             if isinstance(data, (str, bytes)):
@@ -338,7 +332,7 @@ def _build_sig(self, sig_root, reference_uris, c14n_inputs, sig_insp, payload_in
         for i, reference_uri in enumerate(reference_uris):
             reference = SubElement(signed_info, ds_tag("Reference"), URI=reference_uri)
             transforms = SubElement(reference, ds_tag("Transforms"))
-            if self.method == methods.enveloped:
+            if self.signature_type == SignatureType.enveloped:
                 SubElement(transforms, ds_tag("Transform"), Algorithm=namespaces.ds + "enveloped-signature")
                 SubElement(transforms, ds_tag("Transform"), Algorithm=self.c14n_alg)
             else:

signxml/verifier.py

@@ -12,9 +12,7 @@
 from OpenSSL.crypto import load_certificate
 from OpenSSL.crypto import verify as openssl_verify
 
-from .algorithms import XMLSecurityDigestAlgorithm as digest_algorithms
-from .algorithms import XMLSecuritySignatureMethod as signature_methods
-from .algorithms import digest_algorithm_implementations
+from .algorithms import DigestAlgorithm, SignatureMethod, digest_algorithm_implementations
 from .exceptions import InvalidCertificate, InvalidDigest, InvalidInput, InvalidSignature  # noqa
 from .processor import XMLSignatureProcessor
 from .util import (
@@ -280,7 +278,7 @@ def verify(
         inclusive_ns_prefixes = self._get_inclusive_ns_prefixes(c14n_method)
         signature_method = self._find(signed_info, "SignatureMethod")
         signature_value = self._find(signature, "SignatureValue")
-        signature_alg = signature_methods(signature_method.get("Algorithm"))
+        signature_alg = SignatureMethod(signature_method.get("Algorithm"))
         raw_signature = b64decode(signature_value.text)
         x509_data = signature.find("ds:KeyInfo/ds:X509Data", namespaces=namespaces)
         key_value = signature.find("ds:KeyInfo/ds:KeyValue", namespaces=namespaces)
@@ -396,7 +394,7 @@ def verify(
             digest_value = self._find(reference, "DigestValue")
             payload = self._resolve_reference(copied_root, reference, uri_resolver=uri_resolver)
             payload_c14n = self._apply_transforms(payload, transforms, copied_signature_ref, c14n_algorithm)
-            if b64decode(digest_value.text) != self._get_digest(payload_c14n, digest_algorithms(digest_alg)):
+            if b64decode(digest_value.text) != self._get_digest(payload_c14n, DigestAlgorithm(digest_alg)):
                 raise InvalidDigest(f"Digest mismatch for reference {len(verify_results)} ({reference.get('URI')})")
 
             # We return the signed XML (and only that) to ensure no access to unsigned data happens
@@ -422,7 +420,7 @@ def validate_schema(self, signature):
                 last_exception = e
         raise last_exception  # type: ignore
 
-    def check_key_value_matches_cert_public_key(self, key_value, public_key, signature_alg: signature_methods):
+    def check_key_value_matches_cert_public_key(self, key_value, public_key, signature_alg: SignatureMethod):
         if signature_alg.name.startswith("ECDSA_") and isinstance(
             public_key.to_cryptography_key(), ec.EllipticCurvePublicKey
         ):

signxml/xades/__init__.py

@@ -50,7 +50,7 @@
 from OpenSSL.crypto import FILETYPE_ASN1, FILETYPE_PEM, X509, dump_certificate, load_certificate
 
 from .. import VerifyResult, XMLSignatureProcessor, XMLSigner, XMLVerifier
-from ..algorithms import XMLSecurityDigestAlgorithm as digest_algorithms
+from ..algorithms import DigestAlgorithm
 from ..exceptions import InvalidDigest, InvalidInput
 from ..util import SigningSettings, add_pem_header, ds_tag, namespaces, xades_tag
 
@@ -195,7 +195,7 @@ def add_signature_policy_identifier(self, signed_signature_properties, sig_root,
             description = SubElement(sig_policy_id, xades_tag("Description"), nsmap=self.namespaces)
             description.text = self.signature_policy["Description"]
             sig_policy_hash = SubElement(signature_policy_id, xades_tag("SigPolicyHash"), nsmap=self.namespaces)
-            digest_alg = digest_algorithms(self.signature_policy["DigestMethod"])
+            digest_alg = DigestAlgorithm(self.signature_policy["DigestMethod"])
             SubElement(sig_policy_hash, ds_tag("DigestMethod"), nsmap=self.namespaces, Algorithm=digest_alg.value)
             digest_value_node = SubElement(sig_policy_hash, ds_tag("DigestValue"), nsmap=self.namespaces)
             digest_value_node.text = self.signature_policy["DigestValue"]
@@ -245,7 +245,7 @@ def _verify_signing_time(self, verify_result: VerifyResult):
     def _verify_cert_digest(self, signing_cert_node, expect_cert):
         for cert in self._findall(signing_cert_node, "xades:Cert"):
             cert_digest = self._find(cert, "xades:CertDigest")
-            digest_alg = digest_algorithms(self._find(cert_digest, "DigestMethod").get("Algorithm"))
+            digest_alg = DigestAlgorithm(self._find(cert_digest, "DigestMethod").get("Algorithm"))
             digest_value = self._find(cert_digest, "DigestValue")
             # check spec for specific method of retrieving cert
             der_encoded_cert = dump_certificate(FILETYPE_ASN1, expect_cert)
@@ -286,7 +286,7 @@ def _verify_signature_policy(self, verify_result: VerifyResult):
                     f"but found {identifier.text}"
                 )
             sig_policy_hash = self._find(signature_policy_id, "xades:SigPolicyHash")
-            digest_alg = digest_algorithms(self._find(sig_policy_hash, "DigestMethod").get("Algorithm"))
+            digest_alg = DigestAlgorithm(self._find(sig_policy_hash, "DigestMethod").get("Algorithm"))
             if digest_alg != self.expect_signature_policy["DigestMethod"]:
                 raise InvalidInput(
                     f"Expected to find signature digest algorithm {self.expect_signature_policy['DigestMethod']}, "