-rw-r--r-- | src/saml2/client.py | 4 | ||||
-rw-r--r-- | src/saml2/client_base.py | 16 | ||||
-rw-r--r-- | src/saml2/entity.py | 4 | ||||
-rw-r--r-- | src/saml2/pack.py | 1 |
4 files changed, 17 insertions, 8 deletions
diff --git a/src/saml2/client.py b/src/saml2/client.py index 65491a24..2bd1eabd 100644 --- a/src/saml2/client.py +++ b/src/saml2/client.py @@ -14,7 +14,7 @@ from saml2 import BINDING_HTTP_REDIRECT from saml2 import BINDING_HTTP_POST from saml2 import BINDING_SOAP -import saml2.xmldsig as ds +from saml2.xmldsig import DefaultSignature from saml2.ident import decode, code from saml2.httpbase import HTTPError @@ -264,7 +264,7 @@ class Saml2Client(Base): if sign is None: sign = self.logout_requests_signed - def_sig = ds.DefaultSignature() + def_sig = DefaultSignature() sign_alg = def_sig.get_sign_alg() if sign_alg is None else sign_alg digest_alg = ( def_sig.get_digest_alg() diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py index c82b978f..889c4359 100644 --- a/src/saml2/client_base.py +++ b/src/saml2/client_base.py @@ -54,8 +54,9 @@ from saml2 import BINDING_HTTP_REDIRECT from saml2 import BINDING_HTTP_POST from saml2 import BINDING_PAOS -import saml2.xmldsig as ds - +from saml2.xmldsig import SIG_ALLOWED_ALG +from saml2.xmldsig import DIGEST_ALLOWED_ALG +from saml2.xmldsig import DefaultSignature logger = logging.getLogger(__name__) 
@@ -450,10 +451,19 @@ class Base(Entity): # XXX will be used to embed the signature to the xml doc - ie, POST binding # XXX always called by the SP, no need to check the context sign = self.authn_requests_signed if sign is None else sign - def_sig = ds.DefaultSignature() + def_sig = DefaultSignature() sign_alg = sign_alg or def_sig.get_sign_alg() digest_alg = digest_alg or def_sig.get_digest_alg() + if sign_alg not in [long_name for short_name, long_name in SIG_ALLOWED_ALG]: + raise Exception( + "Signature algo not in allowed list: {algo}".format(algo=sign_alg) + ) + if digest_alg not in [long_name for short_name, long_name in DIGEST_ALLOWED_ALG]: + raise Exception( + "Digest algo not in allowed list: {algo}".format(algo=digest_alg) + ) + if (sign and self.sec.cert_handler.generate_cert()) or client_crt is not None: with self.lock: self.sec.cert_handler.update_cert(True, client_crt) diff --git a/src/saml2/entity.py b/src/saml2/entity.py index 8b472dec..fdea5a74 100644 --- a/src/saml2/entity.py +++ b/src/saml2/entity.py @@ -74,7 +74,7 @@ from saml2.virtual_org import VirtualOrg from saml2.pack import http_redirect_message from saml2.pack import http_form_post_message -import saml2.xmldsig as ds +from saml2.xmldsig import DefaultSignature logger = logging.getLogger(__name__) @@ -231,7 +231,7 @@ class Entity(HTTPBase): else None ) sign = sign_config if sign is None else sign - def_sig = ds.DefaultSignature() + def_sig = DefaultSignature() sigalg = sigalg or def_sig.get_sign_alg() # unless if BINDING_HTTP_ARTIFACT diff --git a/src/saml2/pack.py b/src/saml2/pack.py index 50f35dcf..f0890471 100644 --- a/src/saml2/pack.py +++ b/src/saml2/pack.py @@ -186,7 +186,6 @@ def http_redirect_message( args["RelayState"] = relay_state if sign: - # XXX check for allowed algo -- should do the same for POST binding # sigalgs, should be one defined in xmldsig if sigalg not in [long_name for short_name, long_name in SIG_ALLOWED_ALG]: raise Exception( |
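Review bot: The new allow-list checks guard only this authn-request path: the identical `sign_alg`/`digest_alg` defaulting in the client.py logout-request hunk (line 264, visible above) and the `sigalg = sigalg or def_sig.get_sign_alg()` in the entity.py hunk (line 231) get no such check, so as far as this page shows an unexpected algorithm on those paths is still passed through unless the redirect-binding check in pack.py happens to cover it. Consider moving the two membership tests into one helper next to `SIG_ALLOWED_ALG`/`DIGEST_ALLOWED_ALG` in xmldsig and calling it from all three sites; that also removes the second copy of the `[long_name for short_name, long_name in SIG_ALLOWED_ALG]` comprehension that pack.py already carries. `raise Exception(...)` mirrors pack.py but makes a misconfigured algorithm indistinguishable from any other failure to a caller; a narrower type such as `raise ValueError("Signature algo not in allowed list: {algo}".format(algo=sign_alg))` is still caught by existing `except Exception` handlers and would be preferable at both sites. The checks also run when `sign` is false, which is a reasonable fail-fast on bad configuration but deserves a one-line comment such as `# validated even when not signing so a bad default surfaces early`. The enclosing method starts and ends outside this hunk.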