authorIvan Kanakarakis <ivan.kanak@gmail.com>2020-11-19 00:04:39 +0200
committerIvan Kanakarakis <ivan.kanak@gmail.com>2020-11-23 14:58:14 +0200
commitdeeb0b53b2a306af22fe5859bd8ca5edc27e191c (patch)
treef9cf38d5ea32cc745100ae428d264059b67eb158
parente30702acafd36849c534e52c4238e1f20ffbfe3e (diff)
downloadpysaml2-deeb0b53b2a306af22fe5859bd8ca5edc27e191c.tar.gz
Check allowed signature and digest algo for the POST binding
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
-rw-r--r--src/saml2/client.py4
-rw-r--r--src/saml2/client_base.py16
-rw-r--r--src/saml2/entity.py4
-rw-r--r--src/saml2/pack.py1
4 files changed, 17 insertions, 8 deletions
diff --git a/src/saml2/client.py b/src/saml2/client.py
index 65491a24..2bd1eabd 100644
--- a/src/saml2/client.py
+++ b/src/saml2/client.py
@@ -14,7 +14,7 @@ from saml2 import BINDING_HTTP_REDIRECT
from saml2 import BINDING_HTTP_POST
from saml2 import BINDING_SOAP
-import saml2.xmldsig as ds
+from saml2.xmldsig import DefaultSignature
from saml2.ident import decode, code
from saml2.httpbase import HTTPError
@@ -264,7 +264,7 @@ class Saml2Client(Base):
if sign is None:
sign = self.logout_requests_signed
- def_sig = ds.DefaultSignature()
+ def_sig = DefaultSignature()
sign_alg = def_sig.get_sign_alg() if sign_alg is None else sign_alg
digest_alg = (
def_sig.get_digest_alg()
diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py
index c82b978f..889c4359 100644
--- a/src/saml2/client_base.py
+++ b/src/saml2/client_base.py
@@ -54,8 +54,9 @@ from saml2 import BINDING_HTTP_REDIRECT
from saml2 import BINDING_HTTP_POST
from saml2 import BINDING_PAOS
-import saml2.xmldsig as ds
-
+from saml2.xmldsig import SIG_ALLOWED_ALG
+from saml2.xmldsig import DIGEST_ALLOWED_ALG
+from saml2.xmldsig import DefaultSignature
logger = logging.getLogger(__name__)
@@ -450,10 +451,19 @@ class Base(Entity):
# XXX will be used to embed the signature to the xml doc - ie, POST binding
# XXX always called by the SP, no need to check the context
sign = self.authn_requests_signed if sign is None else sign
- def_sig = ds.DefaultSignature()
+ def_sig = DefaultSignature()
sign_alg = sign_alg or def_sig.get_sign_alg()
digest_alg = digest_alg or def_sig.get_digest_alg()
+ if sign_alg not in [long_name for short_name, long_name in SIG_ALLOWED_ALG]:
+ raise Exception(
+ "Signature algo not in allowed list: {algo}".format(algo=sign_alg)
+ )
+ if digest_alg not in [long_name for short_name, long_name in DIGEST_ALLOWED_ALG]:
+ raise Exception(
+ "Digest algo not in allowed list: {algo}".format(algo=digest_alg)
+ )
+
if (sign and self.sec.cert_handler.generate_cert()) or client_crt is not None:
with self.lock:
self.sec.cert_handler.update_cert(True, client_crt)
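Review bot: The two new guards raise bare `Exception`, so a caller that wants to tell a rejected algorithm apart from any other failure in this method has nothing narrower to catch; `raise ValueError("Signature algo not in allowed list: {algo}".format(algo=sign_alg))` (and the same for the digest check) keeps the message while giving callers a specific type, or a project error class if one is preferred over the builtin. The allow-lists `[long_name for short_name, long_name in SIG_ALLOWED_ALG]` and the digest counterpart are rebuilt on every call; binding them once at module level as sets would make the membership test cheaper and easier to read. Unlike the redirect-binding check in pack.py, which sits under `if sign:`, these checks run even when `sign` is false, which looks intentional as a fail-closed default but deserves a comment such as `# validated regardless of sign so a misconfigured algorithm surfaces early`. The enclosing method starts before this hunk.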
diff --git a/src/saml2/entity.py b/src/saml2/entity.py
index 8b472dec..fdea5a74 100644
--- a/src/saml2/entity.py
+++ b/src/saml2/entity.py
@@ -74,7 +74,7 @@ from saml2.virtual_org import VirtualOrg
from saml2.pack import http_redirect_message
from saml2.pack import http_form_post_message
-import saml2.xmldsig as ds
+from saml2.xmldsig import DefaultSignature
logger = logging.getLogger(__name__)
@@ -231,7 +231,7 @@ class Entity(HTTPBase):
else None
)
sign = sign_config if sign is None else sign
- def_sig = ds.DefaultSignature()
+ def_sig = DefaultSignature()
sigalg = sigalg or def_sig.get_sign_alg()
# unless if BINDING_HTTP_ARTIFACT
diff --git a/src/saml2/pack.py b/src/saml2/pack.py
index 50f35dcf..f0890471 100644
--- a/src/saml2/pack.py
+++ b/src/saml2/pack.py
@@ -186,7 +186,6 @@ def http_redirect_message(
args["RelayState"] = relay_state
if sign:
- # XXX check for allowed algo -- should do the same for POST binding
# sigalgs, should be one defined in xmldsig
if sigalg not in [long_name for short_name, long_name in SIG_ALLOWED_ALG]:
raise Exception(