Diffstat (limited to 'src')
-rw-r--r-- | src/saml2/entity.py | 10 | ||||
-rw-r--r-- | src/saml2/server.py | 1 | ||||
-rw-r--r-- | src/saml2/sigver.py | 40 |
3 files changed, 33 insertions, 18 deletions
diff --git a/src/saml2/entity.py b/src/saml2/entity.py
index 3b6c109f..88c2606b 100644
--- a/src/saml2/entity.py
+++ b/src/saml2/entity.py
@@ -516,8 +516,8 @@ class Entity(HTTPBase):
     # XXX DONE will actually use sign the POST-Binding
     # XXX DONE deepest level - needs to decide the sign value
     # XXX DONE calls self.sign must figure out sign
-    # XXX ensure both SPs and IdPs go through this
-    # XXX ensure this works for the POST-Binding
+    # XXX DONE ensure both SPs and IdPs go through this
+    # XXX DONE ensure this works for the POST-Binding
     def _message(
         self,
         request_cls,
@@ -673,6 +673,8 @@ class Entity(HTTPBase):
         return response
 
     # XXX DONE calls self.sign must figure out sign
+    # XXX calls signed_instance_factory - must have called pre_signature_part
+    # XXX calls pre_signature_part - must figure out sign_alg/digest_alg
     def _response(
         self,
         in_response_to,
@@ -746,8 +748,8 @@ class Entity(HTTPBase):
         sign = sign if sign is not None else self.should_sign
 
         if (
-            not sign
-            and to_sign
+            to_sign
+            and not sign
             and not encrypt_assertion
         ):
             return signed_instance_factory(response, self.sec, to_sign)
diff --git a/src/saml2/server.py b/src/saml2/server.py
index d23418ff..808ec679 100644
--- a/src/saml2/server.py
+++ b/src/saml2/server.py
@@ -414,6 +414,7 @@ class Server(Entity):
             **kwargs)
         return assertion
 
+    # XXX calls pre_signature_part
     # XXX > _response
     def _authn_response(
         self,
diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
index 65d4f39c..52324eb4 100644
--- a/src/saml2/sigver.py
+++ b/src/saml2/sigver.py
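Review bot: Swapping `not sign` and `to_sign` in the condition of `_response` does not change what the branch evaluates, so this hunk is readability-only; what the branch still lacks is a comment on why specific `to_sign` elements are signed precisely when `sign` is False, which reads as a contradiction at first sight. I would add above the `if (`: `# sign is False but explicit elements were requested: sign only those (presumably pre-selected by the caller) — confirm intent`. The rest of `_response`, including the path taken when `sign` is True, lies outside the hunk.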
@@ -315,17 +315,20 @@ def signed_instance_factory(instance, seccont, elements_to_sign=None):
     :param elements_to_sign: Which parts if any that should be signed
     :return: A class instance if not signed otherwise a string
     """
-    if elements_to_sign:
-        signed_xml = instance
-        if not isinstance(instance, six.string_types):
-            signed_xml = instance.to_string()
-        for (node_name, nodeid) in elements_to_sign:
-            signed_xml = seccont.sign_statement(
-                signed_xml, node_name=node_name, node_id=nodeid)
-        return signed_xml
-    else:
+    if not elements_to_sign:
         return instance
+    signed_xml = instance
+    if not isinstance(instance, six.string_types):
+        signed_xml = instance.to_string()
+
+    for (node_name, nodeid) in elements_to_sign:
+        signed_xml = seccont.sign_statement(
+            signed_xml, node_name=node_name, node_id=nodeid
+        )
+
+    return signed_xml
+
 
 def make_temp(content, suffix="", decode=True, delete_tmpfiles=True):
     """
@@ -1740,10 +1743,11 @@ class SecurityContext(object):
 
         if not item.signature:
             item.signature = pre_signature_part(
-                sid,
-                self.cert_file,
-                sign_alg=sign_alg,
-                digest_alg=digest_alg)
+                ident=sid,
+                public_key=self.cert_file,
+                sign_alg=sign_alg,
+                digest_alg=digest_alg,
+            )
 
         statement = self.sign_statement(
             statement,
@@ -1757,7 +1761,13 @@ class SecurityContext(object):
 
 # XXX FIXME calls DefaultSignature - remove to unveil chain of calls without proper args
-def pre_signature_part(ident, public_key=None, identifier=None, digest_alg=None, sign_alg=None):
+def pre_signature_part(
+    ident,
+    public_key=None,
+    identifier=None,
+    digest_alg=None,
+    sign_alg=None,
+):
     """
     If an assertion is to be signed the signature part has to be preset
     with which algorithms to be used, this function returns such a
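Review bot: The guard-clause rewrite of `signed_instance_factory` keeps the old behavior, but the docstring line inside the hunk, `:param elements_to_sign: Which parts if any that should be signed`, still does not say what shape the argument has even though the loop now makes it plain. I would change it to `:param elements_to_sign: iterable of (node_name, node_id) pairs; each pair is passed in order to seccont.sign_statement on the running string result`. An empty list and None both take the early `return instance` path, so a caller cannot tell "nothing requested" from "signing skipped" — unchanged behavior, but worth one clause in the `:return:` line. The function signature and the start of its docstring are outside the hunk.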
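Review bot: Naming the arguments of the `pre_signature_part` call exposes a mismatch that the positional form hid: `self.cert_file` is now passed as `public_key=`, so the parameter name and the attribute name disagree at the call site, and a reader may assume a bare key is expected. Renaming the parameter would change the function's interface (its definition is reformatted in the next hunk with the same `public_key=None`), so the least invasive step is a comment on that line, `public_key=self.cert_file,  # the certificate file, despite the parameter name`. The enclosing method starts before this hunk.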
@@ -1770,10 +1780,12 @@ def pre_signature_part(ident, public_key=None, identifier=None, digest_alg=None,
     :return: A preset signature part
     """
 
+    # XXX
     if not digest_alg:
         digest_alg = ds.DefaultSignature().get_digest_alg()
     if not sign_alg:
         sign_alg = ds.DefaultSignature().get_sign_alg()
+
     signature_method = ds.SignatureMethod(algorithm=sign_alg)
     canonicalization_method = ds.CanonicalizationMethod(
         algorithm=ds.ALG_EXC_C14N)
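Review bot: The bare `# XXX` added above `if not digest_alg:` records nothing; the FIXME above `pre_signature_part` in the previous hunk says the `ds.DefaultSignature()` fallback is to be removed so that callers omitting the algorithms become visible, and the marker here should state that: `# XXX falling back to ds.DefaultSignature() masks callers that omit sign_alg/digest_alg; remove once every caller passes them explicitly`. While here, `ds.DefaultSignature()` is constructed on two consecutive lines; binding it once as `defaults = ds.DefaultSignature()` and reading `defaults.get_digest_alg()` / `defaults.get_sign_alg()` avoids the duplicate. The function body continues past this hunk.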