authorRoland Hedberg <roland.hedberg@adm.umu.se>2015-12-11 13:02:49 +0100
committerRoland Hedberg <roland.hedberg@adm.umu.se>2015-12-11 13:02:49 +0100
commit6200f158dbad1acf9bf6982a738c58620452f813 (patch)
tree3fd0a53efa2cc70cae8b72289fa5cb7f39bdea7f /tests
parent82d3b4da6ebd19f556d2f4d377236a05bb64cd75 (diff)
Reworked the security backend so you should now be able to use an HSM again for XML security. Support for non-XML crypto using HSMs is on the way.
Diffstat (limited to 'tests')
-rw-r--r--tests/test_31_config.py39
-rw-r--r--tests/test_40_sigver.py3
-rw-r--r--tests/test_51_client.py11
-rw-r--r--tests/test_70_redirect_signing.py10
4 files changed, 49 insertions, 14 deletions
diff --git a/tests/test_31_config.py b/tests/test_31_config.py
index 570f321d..623c944f 100644
--- a/tests/test_31_config.py
+++ b/tests/test_31_config.py
@@ -12,6 +12,7 @@ from py.test import raises
from saml2 import root_logger
from pathutils import dotname, full_path
+from saml2.sigver import security_context, CryptoBackendXMLSecurity
sp1 = {
"entityid": "urn:mace:umu.se:saml:roland:sp",
@@ -166,6 +167,33 @@ ECP_SP = {
#"xmlsec_binary" : "/opt/local/bin/xmlsec1",
}
+IDP_XMLSECURITY = {
+ "entityid": "urn:mace:umu.se:saml:roland:idp",
+ "name": "Rolands IdP",
+ "service": {
+ "idp": {
+ "endpoints": {
+ "single_sign_on_service": ["http://localhost:8088/"],
+ "single_logout_service": [
+ ("http://localhost:8088/", BINDING_HTTP_REDIRECT)],
+ },
+ "policy": {
+ "default": {
+ "attribute_restrictions": {
+ "givenName": None,
+ "surName": None,
+ "eduPersonAffiliation": ["(member|staff)"],
+ "mail": [".*@example.com"],
+ }
+ },
+ "urn:mace:umu.se:saml:roland:sp": None
+ },
+ }
+ },
+ "key_file": "pkcs11:///usr/lunasa/lib/libCryptoki2_64.so:1/eduID dev SAML signing key?pin=123456",
+ "crypto_backend": "XMLSecurity"
+}
+
def _eq(l1, l2):
return set(l1) == set(l2)
@@ -371,5 +399,14 @@ def test_assertion_consumer_service():
assert acs[0][
"location"] == 'https://www.zimride.com/Shibboleth.sso/SAML2/POST'
+
+def test_crypto_backend():
+ idpc = IdPConfig()
+ idpc.load(IDP_XMLSECURITY)
+
+ assert idpc.crypto_backend == 'XMLSecurity'
+ sec = security_context(idpc)
+ assert isinstance(sec.crypto, CryptoBackendXMLSecurity)
+
if __name__ == "__main__":
- test_2()
+ test_crypto_backend()
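Review bot: The `IDP_XMLSECURITY` fixture embeds a PKCS#11 PIN and an absolute HSM library path in `key_file`, and `test_crypto_backend` then builds a `security_context` from it, so whether this test passes on a machine without that module depends on whether the backend opens the PKCS#11 library eagerly, which is not visible in these hunks. If it does, the test needs a skip guard keyed on the library path existing; either way the fixture deserves a comment such as `# Test fixture: PKCS#11 key URI with a test PIN; no real HSM is expected to be present`. The assertion checks only the backend class, not that the key reference was parsed, so a second assertion on the loaded key identifier would pin the actual behaviour if the backend exposes one. Switching the `__main__` entry from `test_2()` to `test_crypto_backend()` is an unrelated change that is easy to miss in review.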
diff --git a/tests/test_40_sigver.py b/tests/test_40_sigver.py
index d3b65501..801454d7 100644
--- a/tests/test_40_sigver.py
+++ b/tests/test_40_sigver.py
@@ -112,6 +112,9 @@ class FakeConfig():
tmp_key_file = None
validate_certificate = False
+ def getattr(self, attr, default):
+ return getattr(self, attr, default)
+
class TestSecurity():
def setup_class(self):
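Review bot: `FakeConfig.getattr` shadows the builtin name inside the class body, and its one-line body only works because method bodies do not see class-scope names, so the inner `getattr` resolves to the builtin; that deserves a comment, e.g. `# Stand-in for the real config's getattr(); the call below is the builtin (class-level names are not visible in method bodies)`. Unlike the builtin, `default` here is a required positional parameter, so a caller using the two-argument form would raise TypeError, which is worth confirming against the signature the production code actually calls. FakeConfig's header is outside this hunk.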
diff --git a/tests/test_51_client.py b/tests/test_51_client.py
index d6db4c90..be250fac 100644
--- a/tests/test_51_client.py
+++ b/tests/test_51_client.py
@@ -1176,11 +1176,9 @@ class TestClient:
msg_str = "%s" % self.client.create_authn_request(
"http://localhost:8088/sso", message_id="id1")[1]
- key = self.client.signkey
-
info = self.client.apply_binding(
BINDING_HTTP_REDIRECT, msg_str, destination="",
- relay_state="relay2", sigalg=SIG_RSA_SHA256, key=key)
+ relay_state="relay2", sigalg=SIG_RSA_SHA256)
loc = info["headers"][0][1]
qs = parse_qs(loc[1:])
@@ -1188,7 +1186,7 @@ class TestClient:
['SigAlg', 'SAMLRequest', 'RelayState', 'Signature'])
assert verify_redirect_signature(list_values2simpletons(qs),
- sigkey=key)
+ self.client.sec.sec_backend)
res = self.server.parse_authn_request(qs["SAMLRequest"][0],
BINDING_HTTP_REDIRECT)
@@ -1198,7 +1196,6 @@ class TestClient:
conf = config.SPConfig()
conf.load_file("sp_slo_redirect_conf")
client = Saml2Client(conf)
- key = client.signkey
# information about the user from an IdP
session_info = {
@@ -1229,10 +1226,10 @@ class TestClient:
['SigAlg', 'SAMLRequest', 'RelayState', 'Signature'])
assert verify_redirect_signature(list_values2simpletons(qs),
- sigkey=key)
+ client.sec.sec_backend)
res = self.server.parse_logout_request(qs["SAMLRequest"][0],
- BINDING_HTTP_REDIRECT)
+ BINDING_HTTP_REDIRECT)
print(res)
def test_do_logout_post(self):
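Review bot: The new second argument to `verify_redirect_signature` is passed positionally in the first and fourth hunks where the removed code used the `sigkey=` keyword, so the call no longer says what the object is; using the keyword for the backend parameter (whatever its name is in `sigver`) would keep the call self-describing and survive any further reordering of that signature. With `key=` dropped from the `apply_binding` call, the request is now signed with whatever key the client's security context holds, which is presumably the intent of the HSM rework but deserves a one-line comment, e.g. `# Signing key now comes from the client's sec backend; no explicit key is passed`. The `BINDING_HTTP_REDIRECT` line in the last hunk appears unchanged here, presumably only re-indented. The enclosing test methods start outside these hunks.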
diff --git a/tests/test_70_redirect_signing.py b/tests/test_70_redirect_signing.py
index 58a2fdbb..a079d6cb 100644
--- a/tests/test_70_redirect_signing.py
+++ b/tests/test_70_redirect_signing.py
@@ -30,14 +30,11 @@ def test():
destination = srvs[0]["location"]
req_id, req = sp.create_authn_request(destination, id="id1")
- try:
- key = sp.sec.key
- except AttributeError:
- key = import_rsa_key_from_file(sp.sec.key_file)
+ signer = sp.sec.sec_backend.get_signer(SIG_RSA_SHA1)
info = http_redirect_message(req, destination, relay_state="RS",
typ="SAMLRequest", sigalg=SIG_RSA_SHA1,
- key=key)
+ signer=signer)
verified_ok = False
@@ -47,7 +44,8 @@ def test():
_certs = idp.metadata.certs(sp.config.entityid, "any", "signing")
for cert in _certs:
if verify_redirect_signature(
- list_values2simpletons(_dict), cert):
+ list_values2simpletons(_dict), sp.sec.sec_backend,
+ cert):
verified_ok = True
assert verified_ok
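Review bot: The first hunk pins `SIG_RSA_SHA1` for both `get_signer` and `http_redirect_message`, while the client tests touched in this same commit sign with `SIG_RSA_SHA256`; if the point is to exercise the legacy algorithm, say so with `# Deliberately uses RSA-SHA1 to cover the legacy redirect-signing path`, otherwise switch to `SIG_RSA_SHA256` so the tests do not keep a deprecated digest as the default example. Removing the `import_rsa_key_from_file` fallback may leave that import unused further up the file, which is outside this hunk. In the second hunk `verify_redirect_signature` is tried against every certificate from `idp.metadata.certs(..., "signing")`, so a passing run proves the message verifies against at least one published signing cert rather than a specific one, which is fine for this test but worth a short comment above the loop. `test()` starts before the first hunk.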