From 177892dab5cfbca65523ace8321c034858ee3851 Mon Sep 17 00:00:00 2001 From: Roland Hedberg Date: Mon, 7 Sep 2015 09:13:30 +0200 Subject: [PATCH] Useful when debugging 'after the fact'. --- src/saml2/response.py | 11 +++++++++-- src/saml2/sigver.py | 25 +++++-------------------- 2 files changed, 14 insertions(+), 22 deletions(-) diff --git a/src/saml2/response.py b/src/saml2/response.py index 481623d..e55cd7a 100644 --- a/src/saml2/response.py +++ b/src/saml2/response.py @@ -265,6 +265,7 @@ class StatusResponse(object): self.require_response_signature = False self.not_signed = False self.asynchop = asynchop + self.do_not_verify = False def _clear(self): self.xmlstr = "" @@ -316,10 +317,16 @@ class StatusResponse(object): else: self.origxml = self.xmlstr + if self.do_not_verify: + args = {"do_not_verify": True} + else: + args = {} + try: self.response = self.signature_check( xmldata, origdoc=origxml, must=self.require_signature, - require_response_signature=self.require_response_signature) + require_response_signature=self.require_response_signature, + **args) except TypeError: raise @@ -759,7 +766,7 @@ class AuthnResponse(StatusResponse): raise SignatureError("Signature missing for assertion") else: logger.debug("signed") - if not verified: + if not verified and self.do_not_verify is False: try: self.sec.check_signature(assertion, class_name(assertion),self.xmlstr) except Exception as exc: diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py index cd1c257..8c4301e 100644 --- a/src/saml2/sigver.py +++ b/src/saml2/sigver.py 
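Review bot: The new `self.do_not_verify = False` attribute, set next to `self.asynchop` just before `_clear`, has no comment, although the later hunks use it to skip signature verification for both the response and its assertions. I would add above it `# Debug/replay only: when True, response and assertion signatures are NOT verified; never enable for live traffic.` so it is not mistaken for an ordinary tuning option. The enclosing method starts outside the hunk, so I cannot see whether the flag is reachable from configuration; if it is, that path needs the same warning.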
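Review bot: Nothing is logged when `**args` carries `do_not_verify` into `self.signature_check`, so a response accepted without verification looks the same in the logs as a verified one. I would emit a warning in the `if self.do_not_verify:` branch, e.g. `logger.warning("Signature verification disabled (do_not_verify) for this response")`. The four-line `if`/`else` can also be written as `args = {"do_not_verify": True} if self.do_not_verify else {}`. `logger` is used in the `AuthnResponse` hunk of this file, so it should already be in scope. The method body starts and ends outside the hunk.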
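Review bot: The guard `if not verified and self.do_not_verify is False:` fails open, because the identity test is true only for the literal `False`. A value such as `None` or `0` assigned to the flag therefore also skips `self.sec.check_signature`. Write it as `if not verified and not self.do_not_verify:` so that only a truthy flag disables the check. From the context lines, the `SignatureError("Signature missing for assertion")` branch appears to still run, so with the flag set a signature must be present but is never validated; a comment on this line should say so. The enclosing method continues outside the hunk.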
@@ -1678,29 +1678,14 @@ class SecurityContext(object): raise TypeError("Not a Response") if response.signature: - self._check_signature(decoded_xml, response, class_name(response), - origdoc) + if "do_not_verify" in kwargs: + pass + else: + self._check_signature(decoded_xml, response, + class_name(response), origdoc) elif require_response_signature: raise SignatureError("Signature missing for response") - # if isinstance(response, Response) and response.assertion: - # # Try to find the signing cert in the assertion - # for assertion in response.assertion: - # if not hasattr(assertion, 'signature') or not assertion.signature: - # logger.debug("unsigned") - # if must: - # raise SignatureError("Signature missing for assertion") - # continue - # else: - # logger.debug("signed") - # - # try: - # self._check_signature(decoded_xml, assertion, - # class_name(assertion), origdoc) - # except Exception as exc: - # logger.error("correctly_signed_response: %s" % exc) - # raise - return response #--------------------------------------------------------------------------
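Review bot: The test `if "do_not_verify" in kwargs: pass` only checks whether the key is present, so a caller passing `do_not_verify=False` would also skip `self._check_signature`. Test the value and drop the empty branch: `if not kwargs.get("do_not_verify"):` followed by the existing `self._check_signature(decoded_xml, response, class_name(response), origdoc)` call. The function signature lies outside the hunk, so I am assuming it already accepts `**kwargs`. A docstring line stating that `do_not_verify` disables response signature checking would help anyone auditing this path.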