From 7368a49b9114153ba53c28e54d594fe49e5de310 Mon Sep 17 00:00:00 2001
From: Bogdan Despotov
Date: Mon, 3 Jul 2017 14:59:33 +0300
Subject: [PATCH 1/3] Using the binary response content of requests in order to avoid the metadata xml being saved with incorrect encoding
---
 src/saml2/mdstore.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/saml2/mdstore.py b/src/saml2/mdstore.py
index eff75c8..60cd5a5 100644
--- a/src/saml2/mdstore.py
+++ b/src/saml2/mdstore.py
@@ -750,7 +750,7 @@ class MetaDataExtern(InMemoryMetaData):
 """
 response = self.http.send(self.url)
 if response.status_code == 200:
- _txt = response.text.encode("utf-8")
+ _txt = response.content
 return self.parse_and_check_signature(_txt)
 else:
 logger.info("Response status: %s", response.status_code)
From 7ea88803b6a785e0f4ea51463ae85c5fa1df3598 Mon Sep 17 00:00:00 2001
From: Bogdan Despotov
Date: Mon, 17 Jul 2017 10:51:53 +0300
Subject: [PATCH 2/3] Adding test to expose issue with validating XML signature due to encoding issues
---
 tests/test_30_mdstore.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/tests/test_30_mdstore.py b/tests/test_30_mdstore.py
index aadd772..c4fb6d6 100644
--- a/tests/test_30_mdstore.py
+++ b/tests/test_30_mdstore.py
@@ -7,12 +7,13 @@ from collections import OrderedDict
 from future.backports.urllib.parse import quote_plus
 from saml2.config import Config
-from saml2.mdstore import MetadataStore
+from saml2.mdstore import MetadataStore, MetaDataExtern
 from saml2.mdstore import MetaDataMDX
 from saml2.mdstore import SAML_METADATA_CONTENT_TYPE
 from saml2.mdstore import destinations
 from saml2.mdstore import name
 from saml2 import sigver
+from saml2.httpbase import HTTPBase
 from saml2 import BINDING_SOAP
 from saml2 import BINDING_HTTP_REDIRECT
 from saml2 import BINDING_HTTP_POST
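Review bot: The new `_txt = response.content` line should carry a comment saying why the raw bytes are required, otherwise the next maintainer who sees an encoding complaint is likely to put `.text` back: an XML signature is verified over the exact octets that were served, and `response.text` decodes with whatever encoding requests guesses from the Content-Type header (ISO-8859-1 is a common fallback for text types without a charset), so re-encoding it as UTF-8 can silently alter the signed bytes and make `parse_and_check_signature` reject valid metadata. Suggested comment: `# Hand the signature check the exact bytes served; decoding via response.text and re-encoding can change the signed octets and break XMLDSig verification.` The non-200 branch only logs at info level, and the hunk does not show what `load()` returns in that case, so it is worth confirming that callers can tell an unavailable feed apart from a verified one rather than relying on the log line. The enclosing method starts before the hunk (its docstring closes on the first context line) and continues after it.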
@@ -385,6 +386,14 @@ def test_load_local():
 assert cfg
+def test_load_remote_encoding():
+ crypto = sigver._get_xmlsec_cryptobackend()
+ sc = sigver.SecurityContext(crypto, key_type="", cert_type="")
+ httpc = HTTPBase()
+ mds = MetaDataExtern(ATTRCONV, 'http://metadata.aai.switch.ch/metadata.aaitest.xml', sc, '/tmp/SWITCHaaiRootCA.crt.pem', httpc)
+ mds.load()
+
+
 def test_load_string():
 sec_config.xmlsec_binary = sigver.get_xmlsec_binary(["/opt/local/bin"])
 mds = MetadataStore(ATTRCONV, sec_config,
From 9de2347f231913371b7911d4197d48162a53df32 Mon Sep 17 00:00:00 2001
From: Bogdan Despotov
Date: Mon, 17 Jul 2017 13:31:46 +0300
Subject: [PATCH 3/3] Added certificate file and referenced it in the corresponding test. Patched MetaDataMDX to avoid same issue there
---
 src/saml2/mdstore.py | 2 +-
 tests/SWITCHaaiRootCA.crt.pem | 22 ++++++++++++++++++++++
 tests/test_30_mdstore.py | 2 +-
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 tests/SWITCHaaiRootCA.crt.pem
diff --git a/src/saml2/mdstore.py b/src/saml2/mdstore.py
index 60cd5a5..72825ea 100644
--- a/src/saml2/mdstore.py
+++ b/src/saml2/mdstore.py
@@ -814,7 +814,7 @@ class MetaDataMDX(InMemoryMetaData):
 response = requests.get(mdx_url, headers={
 'Accept': SAML_METADATA_CONTENT_TYPE})
 if response.status_code == 200:
- _txt = response.text.encode("utf-8")
+ _txt = response.content
 if self.parse_and_check_signature(_txt):
 return self.entity[item]
diff --git a/tests/SWITCHaaiRootCA.crt.pem b/tests/SWITCHaaiRootCA.crt.pem
new file mode 100644
index 0000000..66c9e5d
--- /dev/null
+++ b/tests/SWITCHaaiRootCA.crt.pem
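Review bot: `test_load_remote_encoding` throws away the result of `mds.load()`, so if `parse_and_check_signature` reports a bad signature by returning a falsy value rather than raising (the `if self.parse_and_check_signature(_txt):` check in MetaDataMDX suggests it does), the test passes without ever detecting the encoding bug it was written to expose, and it passes just as silently when the host is unreachable and `load()` takes its non-200 logging branch. Make the last line `assert mds.load()` so a verification failure or a failed fetch fails the test. Fetching the feed over plain `http://` is only acceptable because `load()` verifies the XML signature against the supplied certificate, which is another reason the test must check that verification actually happened. The test also depends on a live third-party host, so mark it as a network test that is skipped when the network is unavailable, or serve a checked-in signed metadata fixture from a local server. The `/tmp` certificate path is replaced by `full_path(...)` in the third patch of this series, so that part needs no further change.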
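Review bot: The `requests.get(mdx_url, headers={...})` call on the first context line has no `timeout`, so an MDX responder that accepts the connection but never answers blocks the caller indefinitely; since this lookup is being touched, pass a bounded timeout, e.g. `response = requests.get(mdx_url, headers={'Accept': SAML_METADATA_CONTENT_TYPE}, timeout=...)` with the value taken from configuration rather than hard-coded. Switching to `response.content` is correct here for the same reason as in MetaDataExtern (the signature is checked over the bytes actually served), but the two classes now fetch differently: this one calls `requests.get` directly while MetaDataExtern goes through `self.http.send`, so any TLS, proxy or CA settings carried by that HTTPBase instance presumably do not apply to MDX lookups — if that is intended, a one-line comment saying so would prevent a false sense of coverage. The enclosing method starts and ends outside the hunk.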
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnzCCAoegAwIBAgINSWITCHaai+Root+CAzANBgkqhkiG9w0BAQUFADBrMQsw
+CQYDVQQGEwJDSDFAMD4GA1UEChM3U3dpdGNoIC0gVGVsZWluZm9ybWF0aWtkaWVu
+c3RlIGZ1ZXIgTGVocmUgdW5kIEZvcnNjaHVuZzEaMBgGA1UEAxMRU1dJVENIYWFp
+IFJvb3QgQ0EwHhcNMDgwNTE1MDYzMDAwWhcNMjgwNTE1MDYyOTU5WjBrMQswCQYD
+VQQGEwJDSDFAMD4GA1UEChM3U3dpdGNoIC0gVGVsZWluZm9ybWF0aWtkaWVuc3Rl
+IGZ1ZXIgTGVocmUgdW5kIEZvcnNjaHVuZzEaMBgGA1UEAxMRU1dJVENIYWFpIFJv
+b3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUSWbn/rhWew/s
+LJRyciyRKDGyFXSgiDO/EohYuZLw6EAKLLlhZorNtEHQbbn0Oo13S33MclHMvGWT
+KJM0u1hG+6gLy78EPmJbqAE1Uv23wVEH4SX0VJfl3JVqIebiAH/CjuLubgMUspDI
+jOdQHNLS7pthTbm7Tgh7zMsiLPyMTZJep5CGbqv8NoK6bMaF0Z+Bt7e1JRlhHFCV
+iJJaR/+hfpzLsJ8NWVivvrpRGaGJ1XR+9FGsTkjNdMCirNJJZ6XvUOe5w7pHSd9M
+cppFP0eyLs02AMzMXI4iz6PK/w3EdzXGXpK+gSgvLxWYct4xHpv1e2NXhNgdJOSN
+9ra/wJLVAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG
+MB0GA1UdDgQWBBTpmuIGWOsP14EDXVyXubG1k307hDANBgkqhkiG9w0BAQUFAAOC
+AQEAMV/eIW6pFB+mbk7rD7hUPTWDRaoca3kHqmFGFnHfuY8+c0/Mqjh8Y/jyX1yb
+f58crTSWrbyGbUZ3oxDGQ34tuZSkmeR32NqryiX3sP5qlNSozVguQKt8o4vhS1Qe
+WPsXALs3em2pdKuIGSOpbuDnopPcmU2g5Zi2R5P7qpKDKAKtNUEwV+LW7GBMEksO
+Nj7BFXk4AFBFBijaYJGgHmoKSImVgeNIvsV+BSv5HJ4q6vcxfnwuvvGHM0AGphYO
+6f5qtHMUgvAblI8M/2QsBgethaGrirtKJ3aCRLdaR2R1QfaGRpck/Ron5/MpMxiJ
+wLT8YlW/zjx2yNABhPSAjfzeMw==
+-----END CERTIFICATE-----
diff --git a/tests/test_30_mdstore.py b/tests/test_30_mdstore.py
index c4fb6d6..2a79c86 100644
--- a/tests/test_30_mdstore.py
+++ b/tests/test_30_mdstore.py
@@ -390,7 +390,7 @@ def test_load_remote_encoding():
 crypto = sigver._get_xmlsec_cryptobackend()
 sc = sigver.SecurityContext(crypto, key_type="", cert_type="")
 httpc = HTTPBase()
- mds = MetaDataExtern(ATTRCONV, 'http://metadata.aai.switch.ch/metadata.aaitest.xml', sc, '/tmp/SWITCHaaiRootCA.crt.pem', httpc)
+ mds = MetaDataExtern(ATTRCONV, 'http://metadata.aai.switch.ch/metadata.aaitest.xml', sc, full_path('SWITCHaaiRootCA.crt.pem'), httpc)
 mds.load()