openstack/deb-python-pysaml2
Code Issues Proposed changes

Correction for PEFIM.

Browse Source 
<AuthnRequest> elements must contain the encryption certificate used to encrypt the assertion with the attribute statement. The encryption key is represented within a <ds:KeyInfo> element. Its XPath is: /samlp:AuthnRequest/samlp:extension/pefim:SPCertEnc/ds:KeyInfo/ ds:X509Data/ds:X509Certificate.
This commit is contained in:
Hans Hörberg
2015-05-04 13:15:21 +02:00
parent 00a3a04ade
commit 2942e0fc75
3 changed files with 34 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/saml2/extension/pefim.py
View File

@@ -3,6 +3,7 @@
import saml2 import saml2
from saml2 import SamlBase from saml2 import SamlBase
from xmldsig import X509Data from xmldsig import X509Data
from xmldsig import KeyInfo
NAMESPACE = 'urn:net:eustix:names:tc:PEFIM:0.0:assertion' NAMESPACE = 'urn:net:eustix:names:tc:PEFIM:0.0:assertion'
@@ -16,11 +17,16 @@ class SPCertEncType_(SamlBase):
c_attributes = SamlBase.c_attributes.copy() c_attributes = SamlBase.c_attributes.copy()
c_child_order = SamlBase.c_child_order[:] c_child_order = SamlBase.c_child_order[:]
c_cardinality = SamlBase.c_cardinality.copy() c_cardinality = SamlBase.c_cardinality.copy()
c_children['{http://www.w3.org/2000/09/xmldsig#}X509Data'] = ('x509_data', c_children['{http://www.w3.org/2000/09/xmldsig#}KeyInfo'] = ('key_info',
[X509Data]) [KeyInfo])
c_cardinality['key_info'] = {"min": 1}
c_attributes['VerifyDepth'] = ('verify_depth', 'unsignedByte', False)
c_child_order.extend(['key_info'])
def __init__(self, def __init__(self,
key_info=None,
x509_data=None, x509_data=None,
verify_depth='1',
text=None, text=None,
extension_elements=None, extension_elements=None,
extension_attributes=None): extension_attributes=None):
@@ -28,7 +34,14 @@ class SPCertEncType_(SamlBase):
text=text, text=text,
extension_elements=extension_elements, extension_elements=extension_elements,
extension_attributes=extension_attributes) extension_attributes=extension_attributes)
self.x509_data = x509_data if key_info:
self.key_info = key_info
elif x509_data:
self.key_info = KeyInfo(x509_data=x509_data)
else:
self.key_info = []
self.verify_depth = verify_depth
#self.x509_data = x509_data
def spcertenc_type__from_string(xml_string): def spcertenc_type__from_string(xml_string):

28
src/saml2/sigver.py
View File

@@ -21,6 +21,7 @@ from Crypto.Util.asn1 import DerSequence
from Crypto.PublicKey import RSA from Crypto.PublicKey import RSA
from saml2.cert import OpenSSLWrapper from saml2.cert import OpenSSLWrapper
from saml2.extension import pefim from saml2.extension import pefim
from saml2.extension.pefim import SPCertEnc
from saml2.saml import EncryptedAssertion from saml2.saml import EncryptedAssertion
import xmldsig as ds import xmldsig as ds
@@ -1063,19 +1064,24 @@ def encrypt_cert_from_item(item):
try: try:
_elem = extension_elements_to_elements(item.extension_elements[0].children, _elem = extension_elements_to_elements(item.extension_elements[0].children,
[pefim, ds]) [pefim, ds])
if len(_elem) == 1: for _tmp_elem in _elem:
_encrypt_cert = _elem[0].x509_data[0].x509_certificate.text if isinstance(_tmp_elem, SPCertEnc):
else: for _tmp_key_info in _tmp_elem.key_info:
certs = cert_from_instance(item) if _tmp_key_info.x509_data is not None and len(_tmp_key_info.x509_data) > 0:
if len(certs) > 0: _encrypt_cert = _tmp_key_info.x509_data[0].x509_certificate.text
_encrypt_cert = certs[0] break
except Exception: #_encrypt_cert = _elem[0].x509_data[0].x509_certificate.text
# else:
# certs = cert_from_instance(item)
# if len(certs) > 0:
# _encrypt_cert = certs[0]
except Exception as _exception:
pass pass
if _encrypt_cert is None: # if _encrypt_cert is None:
certs = cert_from_instance(item) # certs = cert_from_instance(item)
if len(certs) > 0: # if len(certs) > 0:
_encrypt_cert = certs[0] # _encrypt_cert = certs[0]
if _encrypt_cert is not None: if _encrypt_cert is not None:
if _encrypt_cert.find("-----BEGIN CERTIFICATE-----\n") == -1: if _encrypt_cert.find("-----BEGIN CERTIFICATE-----\n") == -1:

2
tests/test_82_pefim.py
View File

@@ -48,5 +48,5 @@ _elem = extension_elements_to_elements(parsed.extensions.extension_elements,
assert len(_elem) == 1 assert len(_elem) == 1
_spcertenc = _elem[0] _spcertenc = _elem[0]
_cert = _spcertenc.x509_data[0].x509_certificate.text _cert = _spcertenc.key_info[0].x509_data[0].x509_certificate.text
assert cert == _cert assert cert == _cert