authorRoland Hedberg <roland.hedberg@adm.umu.se>2014-03-24 12:24:38 +0100
committerRoland Hedberg <roland.hedberg@adm.umu.se>2014-03-24 12:24:38 +0100
commitb6fe85543a64904928761a45dd3365b87236ff72 (patch)
treee48f383a6ea7513d8779687899dcc52b395c937f
parentc52306c11a99285971f2e0a836f0cfce984ed9e2 (diff)
downloadpysaml2-b6fe85543a64904928761a45dd3365b87236ff72.tar.gz
PEP-8 stuff
-rw-r--r--src/saml2/assertion.py3
-rw-r--r--src/saml2/cert.py186
-rw-r--r--src/saml2/server.py7
-rw-r--r--src/saml2/sigver.py5
4 files changed, 131 insertions, 70 deletions
diff --git a/src/saml2/assertion.py b/src/saml2/assertion.py
index a0bccd68..1057ca41 100644
--- a/src/saml2/assertion.py
+++ b/src/saml2/assertion.py
@@ -541,7 +541,8 @@ class Assertion(dict):
def __init__(self, dic=None):
dict.__init__(self, dic)
- def _authn_context_decl(self, decl, authn_auth=None):
+ @staticmethod
+ def _authn_context_decl(decl, authn_auth=None):
"""
Construct the authn context with a authn context declaration
:param decl: The authn context declaration
diff --git a/src/saml2/cert.py b/src/saml2/cert.py
index 638052e9..4cfcd20a 100644
--- a/src/saml2/cert.py
+++ b/src/saml2/cert.py
@@ -9,7 +9,6 @@ from os.path import join
from os import remove
from Crypto.Util import asn1
-
class WrongInput(Exception):
pass
@@ -23,55 +22,82 @@ class PayloadError(Exception):
class OpenSSLWrapper(object):
-
def __init__(self):
pass
- def create_certificate(self, cert_info, request=False, valid_from=0, valid_to=315360000, sn=1, key_length=1024,
- hash_alg="sha256", write_to_file=False, cert_dir="", cipher_passphrase = None):
+ def create_certificate(self, cert_info, request=False, valid_from=0,
+ valid_to=315360000, sn=1, key_length=1024,
+ hash_alg="sha256", write_to_file=False, cert_dir="",
+ cipher_passphrase=None):
"""
- Can create certificate requests, to be signed later by another certificate with the method
+ Can create certificate requests, to be signed later by another
+ certificate with the method
create_cert_signed_certificate. If request is True.
- Can also create self signed root certificates if request is False. This is default behaviour.
+ Can also create self signed root certificates if request is False.
+ This is default behaviour.
:param cert_info: Contains information about the certificate.
Is a dictionary that must contain the keys:
- cn = Common name. This part must match the host being authenticated
- country_code = Two letter description of the country.
+ cn = Common name. This part
+ must match the host being authenticated
+ country_code = Two letter description
+ of the country.
state = State
city = City
- organization = Organization, can be a company name.
- organization_unit = A unit at the organization, can be a department.
+ organization = Organization, can be a
+ company name.
+ organization_unit = A unit at the
+ organization, can be a department.
Example:
cert_info_ca = {
"cn": "company.com",
"country_code": "se",
"state": "AC",
"city": "Dorotea",
- "organization": "Company",
- "organization_unit": "Sales"
+ "organization":
+ "Company",
+ "organization_unit":
+ "Sales"
}
- :param request: True if this is a request for certificate, that should be signed.
- False if this is a self signed certificate, root certificate.
- :param valid_from: When the certificate starts to be valid. Amount of seconds from when the
+ :param request: True if this is a request for certificate,
+ that should be signed.
+ False if this is a self signed certificate,
+ root certificate.
+ :param valid_from: When the certificate starts to be valid.
+ Amount of seconds from when the
certificate is generated.
- :param valid_to: How long the certificate will be valid from when it is generated.
- The value is in seconds. Default is 315360000 seconds, a.k.a 10 years.
- :param sn: Serial number for the certificate. Default is 1.
- :param key_length: Length of the key to be generated. Defaults to 1024.
- :param hash_alg: Hash algorithm to use for the key. Default is sha256.
- :param write_to_file: True if you want to write the certificate to a file. The method will then return
- a tuple with path to certificate file and path to key file.
- False if you want to get the result as strings. The method will then return a tuple
- with the certificate string and the key as string.
- WILL OVERWRITE ALL EXISTING FILES WITHOUT ASKING!
- :param cert_dir: Where to save the files if write_to_file is true.
- :param cipher_passphrase A dictionary with cipher and passphrase. Example:
- {"cipher": "blowfish", "passphrase": "qwerty"}
- :return: string representation of certificate, string representation of private key
+ :param valid_to: How long the certificate will be valid from
+ when it is generated.
+ The value is in seconds. Default is
+ 315360000 seconds, a.k.a 10 years.
+ :param sn: Serial number for the certificate. Default
+ is 1.
+ :param key_length: Length of the key to be generated. Defaults
+ to 1024.
+ :param hash_alg: Hash algorithm to use for the key. Default
+ is sha256.
+ :param write_to_file: True if you want to write the certificate
+ to a file. The method will then return
+ a tuple with path to certificate file and
+ path to key file.
+ False if you want to get the result as
+ strings. The method will then return a tuple
+ with the certificate string and the key as
+ string.
+ WILL OVERWRITE ALL EXISTING FILES WITHOUT
+ ASKING!
+ :param cert_dir: Where to save the files if write_to_file is
+ true.
+ :param cipher_passphrase A dictionary with cipher and passphrase.
+ Example::
+ {"cipher": "blowfish", "passphrase": "qwerty"}
+
+ :return: string representation of certificate,
+ string representation of private key
if write_to_file parameter is False otherwise
- path to certificate file, path to private key file
+ path to certificate file, path to private
+ key file
"""
cn = cert_info["cn"]
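Review bot: The re-wrapped signature at the top of this hunk keeps `key_length=1024` as the default RSA size, and the re-wrapped docstring documents it as such; 1024-bit RSA is below the 2048-bit minimum that current guidance (NIST SP 800-131A, CA/Browser Forum Baseline Requirements) calls for, so every caller that omits `key_length` gets a key that relying parties may reject. Consider `key_length=2048,` in the signature with the docstring line changed to `Defaults to 2048.`; since the default is part of the interface, the change should be called out in the changelog. The same signature also defaults `sn=1`, and RFC 5280 §4.1.2.2 requires serial numbers to be unique per issuer, so the `:param sn:` text should add that callers issuing more than one certificate from the same CA must supply a distinct `sn` — the `sn=1` default in `create_cert_signed_certificate` in this file's later hunk has the same gap. The body of create_certificate continues past the end of this hunk.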
@@ -97,7 +123,7 @@ class OpenSSLWrapper(object):
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, key_length)
- # create a self-signed cert
+ # create a self-signed cert
cert = crypto.X509()
if request:
@@ -113,8 +139,8 @@ class OpenSSLWrapper(object):
cert.get_subject().CN = cn
if not request:
cert.set_serial_number(sn)
- cert.gmtime_adj_notBefore(valid_from) #Valid before present time
- cert.gmtime_adj_notAfter(valid_to) #3 650 days
+ cert.gmtime_adj_notBefore(valid_from) #Valid before present time
+ cert.gmtime_adj_notAfter(valid_to) #3 650 days
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, hash_alg)
@@ -122,13 +148,16 @@ class OpenSSLWrapper(object):
filesCreated = False
try:
if request:
- tmp_cert = crypto.dump_certificate_request(crypto.FILETYPE_PEM, cert)
+ tmp_cert = crypto.dump_certificate_request(crypto.FILETYPE_PEM,
+ cert)
else:
tmp_cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
tmp_key = None
if cipher_passphrase is not None:
- tmp_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k, cipher_passphrase["cipher"],
- cipher_passphrase["passphrase"])
+ tmp_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k,
+ cipher_passphrase["cipher"],
+ cipher_passphrase[
+ "passphrase"])
else:
tmp_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k)
if write_to_file:
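Review bot: The re-wrapped `dump_privatekey` call splits a subscript across lines (`cipher_passphrase[` / `"passphrase"])`), which is harder to read than the long line it replaces; binding the two values first keeps the call on one line: `cipher = cipher_passphrase["cipher"]`, `passphrase = cipher_passphrase["passphrase"]`, `tmp_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k, cipher, passphrase)`. While this is a PEP-8 pass, `filesCreated` at the top of the hunk is still camelCase and `tmp_key = None` is immediately overwritten on both branches of the `if`. The enclosing try block and function continue past the end of this hunk.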
@@ -172,36 +201,52 @@ class OpenSSLWrapper(object):
return base64.b64encode(str(str_data))
- def create_cert_signed_certificate(self, sign_cert_str, sign_key_str, request_cert_str, hash_alg="sha256",
- valid_from=0, valid_to=315360000, sn=1, passphrase=None):
+ def create_cert_signed_certificate(self, sign_cert_str, sign_key_str,
+ request_cert_str, hash_alg="sha256",
+ valid_from=0, valid_to=315360000, sn=1,
+ passphrase=None):
"""
Will sign a certificate request with a give certificate.
- :param sign_cert_str: This certificate will be used to sign with. Must be a string representation of
- the certificate. If you only have a file use the method read_str_from_file to
+ :param sign_cert_str: This certificate will be used to sign with.
+ Must be a string representation of
+ the certificate. If you only have a file
+ use the method read_str_from_file to
get a string representation.
- :param sign_key_str: This is the key for the ca_cert_str represented as a string.
- If you only have a file use the method read_str_from_file to get a string
+ :param sign_key_str: This is the key for the ca_cert_str
+ represented as a string.
+ If you only have a file use the method
+ read_str_from_file to get a string
representation.
- :param request_cert_str: This is the prepared certificate to be signed. Must be a string representation of
- the requested certificate. If you only have a file use the method read_str_from_file
+ :param request_cert_str: This is the prepared certificate to be
+ signed. Must be a string representation of
+ the requested certificate. If you only have
+ a file use the method read_str_from_file
to get a string representation.
- :param hash_alg: Hash algorithm to use for the key. Default is sha256.
- :param valid_from: When the certificate starts to be valid. Amount of seconds from when the
+ :param hash_alg: Hash algorithm to use for the key. Default
+ is sha256.
+ :param valid_from: When the certificate starts to be valid.
+ Amount of seconds from when the
certificate is generated.
- :param valid_to: How long the certificate will be valid from when it is generated.
- The value is in seconds. Default is 315360000 seconds, a.k.a 10 years.
- :param sn: Serial number for the certificate. Default is 1.
+ :param valid_to: How long the certificate will be valid from
+ when it is generated.
+ The value is in seconds. Default is
+ 315360000 seconds, a.k.a 10 years.
+ :param sn: Serial number for the certificate. Default
+ is 1.
:param passphrase: Password for the private key in sign_key_str.
- :return: String representation of the signed certificate.
+ :return: String representation of the signed
+ certificate.
"""
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, sign_cert_str)
ca_key = None
if passphrase is not None:
- ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str, passphrase)
+ ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str,
+ passphrase)
else:
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str)
- req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM, request_cert_str)
+ req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM,
+ request_cert_str)
cert = crypto.X509()
cert.set_subject(req_cert.get_subject())
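Review bot: The re-wrapped docstring for `sign_key_str` still says it is "the key for the ca_cert_str", but the parameter it pairs with is named `sign_cert_str` in the signature directly above; the line should read `:param sign_key_str: This is the key for sign_cert_str` so a reader does not look for a parameter that does not exist. Lower in the hunk, `ca_key = None` is dead: both branches of the following `if`/`else` assign `ca_key`, so the initializer can be dropped. The body of create_cert_signed_certificate continues past the end of this hunk.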
@@ -217,7 +262,8 @@ class OpenSSLWrapper(object):
def verify_chain(self, cert_chain_str_list, cert_str):
"""
- :param cert_chain_str_list: Must be a list of certificate strings, where the first certificate to be validate
+ :param cert_chain_str_list: Must be a list of certificate strings,
+ where the first certificate to be validate
is in the beginning and the root certificate is last.
:param cert_str: The certificate to be validated.
:return:
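Review bot: The re-wrapped `cert_chain_str_list` description keeps the typo "the first certificate to be validate" — it should read `where the first certificate to be validated`. The `:return:` line in the same docstring is left empty; the later hunk in this file shows the function returning a `(True, message)` tuple on success, so presumably the failure path is `(False, message)` too — if so, `:return: (valid, message) tuple; valid is True when every link in the chain verified, message explains a failure` documents it (confirm the failure shape against the part of the body outside this hunk). verify_chain's body continues past the end of this hunk.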
@@ -229,7 +275,8 @@ class OpenSSLWrapper(object):
else:
cert_str = tmp_cert_str
return (True,
- "Signed certificate is valid and correctly signed by CA certificate.")
+ "Signed certificate is valid and correctly signed by CA "
+ "certificate.")
def certificate_not_valid_yet(self, cert):
starts_to_be_valid = dateutil.parser.parse(cert.get_notBefore())
@@ -243,18 +290,24 @@ class OpenSSLWrapper(object):
"""
Verifies if a certificate is valid and signed by a given certificate.
- :param signing_cert_str: This certificate will be used to verify the signature. Must be a string representation
- of the certificate. If you only have a file use the method read_str_from_file to
+ :param signing_cert_str: This certificate will be used to verify the
+ signature. Must be a string representation
+ of the certificate. If you only have a file
+ use the method read_str_from_file to
get a string representation.
- :param cert_str: This certificate will be verified if it is correct. Must be a string representation
- of the certificate. If you only have a file use the method read_str_from_file to
+ :param cert_str: This certificate will be verified if it is
+ correct. Must be a string representation
+ of the certificate. If you only have a file
+ use the method read_str_from_file to
get a string representation.
:return: Valid, Message
- Valid = True if the certificate is valid, otherwise false.
+ Valid = True if the certificate is valid,
+ otherwise false.
Message = Why the validation failed.
"""
try:
- ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, signing_cert_str)
+ ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
+ signing_cert_str)
cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_str)
if self.certificate_not_valid_yet(ca_cert):
@@ -270,7 +323,8 @@ class OpenSSLWrapper(object):
return False, "The signed certificate is not valid yet."
if ca_cert.get_subject().CN == cert.get_subject().CN:
- return False, "CN may not be equal for CA certificate and the signed certificate."
+ return False, ("CN may not be equal for CA certificate and the "
+ "signed certificate.")
cert_algorithm = cert.get_signature_algorithm()
@@ -279,9 +333,9 @@ class OpenSSLWrapper(object):
der_seq = asn1.DerSequence()
der_seq.decode(cert_asn1)
- cert_certificate=der_seq[0]
+ cert_certificate = der_seq[0]
#cert_signature_algorithm=der_seq[1]
- cert_signature=der_seq[2]
+ cert_signature = der_seq[2]
cert_signature_decoded = asn1.DerObject()
cert_signature_decoded.decode(cert_signature)
@@ -289,12 +343,14 @@ class OpenSSLWrapper(object):
signature_payload = cert_signature_decoded.payload
if signature_payload[0] != '\x00':
- return False, "The certificate should not contain any unused bits."
+ return (False,
+ "The certificate should not contain any unused bits.")
signature = signature_payload[1:]
try:
- crypto.verify(ca_cert, signature, cert_certificate, cert_algorithm)
+ crypto.verify(ca_cert, signature, cert_certificate,
+ cert_algorithm)
return True, "Signed certificate is valid and correctly signed by CA certificate."
except crypto.Error, e:
return False, "Certificate is incorrectly signed."
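Review bot: The re-wrapped `crypto.verify` call passes `cert_algorithm`, which the earlier hunk reads from the certificate under verification (`cert.get_signature_algorithm()`); that value is attacker-controlled, so a certificate declaring a weak digest (e.g. MD5 or SHA-1 with RSA) is verified with that digest and accepted. Compare `cert_algorithm` against a fixed set of accepted algorithm names before the call, e.g. `if cert_algorithm not in ("sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption"):` followed by `return False, "Unsupported signature algorithm."`, and document the accepted set in the docstring. Also, the success return on the line after the call is left over 79 columns while the sibling `return (False, ...)` in this hunk was wrapped, and the `e` bound by `except crypto.Error, e:` is never used. The enclosing verify function begins outside this hunk.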
diff --git a/src/saml2/server.py b/src/saml2/server.py
index 89d0fddc..8199f24e 100644
--- a/src/saml2/server.py
+++ b/src/saml2/server.py
@@ -521,7 +521,6 @@ class Server(Entity):
try:
_authn = authn
- response = None
if (sign_assertion or sign_response) and self.sec.cert_handler.generate_cert():
with self.lock:
self.sec.cert_handler.update_cert(True)
@@ -536,7 +535,8 @@ class Server(Entity):
sign_assertion=sign_assertion,
sign_response=sign_response,
best_effort=best_effort,
- encrypt_assertion=encrypt_assertion, encrypt_cert=encrypt_cert)
+ encrypt_assertion=encrypt_assertion,
+ encrypt_cert=encrypt_cert)
return self._authn_response(in_response_to, # in_response_to
destination, # consumer_url
sp_entity_id, # sp_entity_id
@@ -548,7 +548,8 @@ class Server(Entity):
sign_assertion=sign_assertion,
sign_response=sign_response,
best_effort=best_effort,
- encrypt_assertion=encrypt_assertion, encrypt_cert=encrypt_cert)
+ encrypt_assertion=encrypt_assertion,
+ encrypt_cert=encrypt_cert)
except MissingValue, exc:
return self.create_error_response(in_response_to, destination,
diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
index 0fa5ce4c..57fa5914 100644
--- a/src/saml2/sigver.py
+++ b/src/saml2/sigver.py
@@ -1011,6 +1011,7 @@ def security_context(conf, debug=None):
tmp_key_file=conf.tmp_key_file,
validate_certificate=conf.validate_certificate)
+
def encrypt_cert_from_item(item):
_encrypt_cert = None
try:
@@ -1031,6 +1032,7 @@ def encrypt_cert_from_item(item):
return None
return _encrypt_cert
+
class CertHandlerExtra(object):
def __init__(self):
pass
@@ -1488,7 +1490,8 @@ class SecurityContext(object):
return self.correctly_signed_message(decoded_xml, "assertion", must,
origdoc, only_valid_cert)
- def correctly_signed_response(self, decoded_xml, must=False, origdoc=None,only_valid_cert=False,
+ def correctly_signed_response(self, decoded_xml, must=False, origdoc=None,
+ only_valid_cert=False,
require_response_signature=False, **kwargs):
""" Check if a instance is correctly signed, if we have metadata for
the IdP that sent the info use that, if not use the key that are in