Diffstat (limited to 'src')
-rw-r--r--src/saml2/entity.py10
-rw-r--r--src/saml2/server.py1
-rw-r--r--src/saml2/sigver.py40
3 files changed, 33 insertions, 18 deletions
diff --git a/src/saml2/entity.py b/src/saml2/entity.py
index 3b6c109f..88c2606b 100644
--- a/src/saml2/entity.py
+++ b/src/saml2/entity.py
@@ -516,8 +516,8 @@ class Entity(HTTPBase):
# XXX DONE will actually use sign the POST-Binding
# XXX DONE deepest level - needs to decide the sign value
# XXX DONE calls self.sign must figure out sign
- # XXX ensure both SPs and IdPs go through this
- # XXX ensure this works for the POST-Binding
+ # XXX DONE ensure both SPs and IdPs go through this
+ # XXX DONE ensure this works for the POST-Binding
def _message(
self,
request_cls,
@@ -673,6 +673,8 @@ class Entity(HTTPBase):
return response
# XXX DONE calls self.sign must figure out sign
+ # XXX calls signed_instance_factory - must have called pre_signature_part
+ # XXX calls pre_signature_part - must figure out sign_alg/digest_alg
def _response(
self,
in_response_to,
@@ -746,8 +748,8 @@ class Entity(HTTPBase):
sign = sign if sign is not None else self.should_sign
if (
- not sign
- and to_sign
+ to_sign
+ and not sign
and not encrypt_assertion
):
return signed_instance_factory(response, self.sec, to_sign)
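Review bot: The reordered condition still reads as inverted — the early return into signed_instance_factory is taken only when `sign` is false, so a response-level request to sign bypasses this branch — and neither the operand swap nor a comment says why that is intended. If the intent is that `to_sign` lists elements to be signed individually even when the response as a whole is not, a comment above the `if` would make that explicit, e.g. `# to_sign: elements signed individually; this path applies only when the response itself is not signed (sign is False)`. If instead `not sign` is a leftover from an earlier condition, that is worth checking before the XXX notes above are marked DONE. _response starts and ends outside this hunk.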
diff --git a/src/saml2/server.py b/src/saml2/server.py
index d23418ff..808ec679 100644
--- a/src/saml2/server.py
+++ b/src/saml2/server.py
@@ -414,6 +414,7 @@ class Server(Entity):
**kwargs)
return assertion
+ # XXX calls pre_signature_part
# XXX > _response
def _authn_response(
self,
diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
index 65d4f39c..52324eb4 100644
--- a/src/saml2/sigver.py
+++ b/src/saml2/sigver.py
@@ -315,17 +315,20 @@ def signed_instance_factory(instance, seccont, elements_to_sign=None):
:param elements_to_sign: Which parts if any that should be signed
:return: A class instance if not signed otherwise a string
"""
- if elements_to_sign:
- signed_xml = instance
- if not isinstance(instance, six.string_types):
- signed_xml = instance.to_string()
- for (node_name, nodeid) in elements_to_sign:
- signed_xml = seccont.sign_statement(
- signed_xml, node_name=node_name, node_id=nodeid)
- return signed_xml
- else:
+ if not elements_to_sign:
return instance
+ signed_xml = instance
+ if not isinstance(instance, six.string_types):
+ signed_xml = instance.to_string()
+
+ for (node_name, nodeid) in elements_to_sign:
+ signed_xml = seccont.sign_statement(
+ signed_xml, node_name=node_name, node_id=nodeid
+ )
+
+ return signed_xml
+
def make_temp(content, suffix="", decode=True, delete_tmpfiles=True):
"""
@@ -1740,10 +1743,11 @@ class SecurityContext(object):
if not item.signature:
item.signature = pre_signature_part(
- sid,
- self.cert_file,
- sign_alg=sign_alg,
- digest_alg=digest_alg)
+ ident=sid,
+ public_key=self.cert_file,
+ sign_alg=sign_alg,
+ digest_alg=digest_alg,
+ )
statement = self.sign_statement(
statement,
@@ -1757,7 +1761,13 @@ class SecurityContext(object):
# XXX FIXME calls DefaultSignature - remove to unveil chain of calls without proper args
-def pre_signature_part(ident, public_key=None, identifier=None, digest_alg=None, sign_alg=None):
+def pre_signature_part(
+ ident,
+ public_key=None,
+ identifier=None,
+ digest_alg=None,
+ sign_alg=None,
+):
"""
If an assertion is to be signed the signature part has to be preset
with which algorithms to be used, this function returns such a
@@ -1770,10 +1780,12 @@ def pre_signature_part(ident, public_key=None, identifier=None, digest_alg=None,
:return: A preset signature part
"""
+ # XXX
if not digest_alg:
digest_alg = ds.DefaultSignature().get_digest_alg()
if not sign_alg:
sign_alg = ds.DefaultSignature().get_sign_alg()
+
signature_method = ds.SignatureMethod(algorithm=sign_alg)
canonicalization_method = ds.CanonicalizationMethod(
algorithm=ds.ALG_EXC_C14N)
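Review bot: The bare `# XXX` added above the algorithm fallback gives a later reader nothing to act on, while the FIXME above the signature already names the DefaultSignature concern. Either drop this marker or state the pending item, e.g. `# XXX callers should pass sign_alg/digest_alg explicitly; the DefaultSignature fallback below is slated for removal (see FIXME above)`, so the two markers do not read as unrelated. pre_signature_part continues past the end of this hunk.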