From 2e069c7337284f8bc6b12b9987b90a82698e00d1 Mon Sep 17 00:00:00 2001
From: Roland Hedberg
Date: Wed, 27 Apr 2011 14:16:51 +0200
Subject: [PATCH] Use the original XML document when checking signature

---
 src/saml2/sigver.py | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
index 15f7664..d1d0d78 100644
--- a/src/saml2/sigver.py
+++ b/src/saml2/sigver.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 # -*- coding: utf-8 -*-
 #
 # Copyright (C) 2009 UmeƄ University
@@ -477,7 +477,8 @@ class SecurityContext(object):
         return verify_signature(enctext, self.xmlsec, cert_file, cert_type,
                                 node_name, self.debug, node_id)
 
-    def _check_signature(self, decoded_xml, item, node_name=NODE_NAME):
+    def _check_signature(self, decoded_xml, item, node_name=NODE_NAME,
+                         origdoc=None):
         #print item
         try:
             issuer = item.issuer.text.strip()
@@ -505,10 +506,16 @@ class SecurityContext(object):
         verified = False
         for _, pem_file in certs:
             try:
-                if self.verify_signature(decoded_xml, pem_file, "pem", node_name,
-                                         item.id):
-                    verified = True
-                    break
+                if origdoc is not None:
+                    if self.verify_signature(origdoc, pem_file, "pem",
+                                             node_name, item.id):
+                        verified = True
+                        break
+                else:
+                    if self.verify_signature(decoded_xml, pem_file, "pem",
+                                             node_name, item.id):
+                        verified = True
+                        break
             except XmlsecError, exc:
                 if self.log:
                     self.log.error("check_sig: %s" % exc)
@@ -592,7 +599,7 @@ class SecurityContext(object):
         return self._check_signature( decoded_xml, request )
 
-    def correctly_signed_response(self, decoded_xml, must=False):
+    def correctly_signed_response(self, decoded_xml, must=False, origdoc=None):
         """ Check if a instance is correctly signed, if we have metadata for
         the IdP that sent the info use that, if not use the key that are in
         the message if any.
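Review bot: The new `origdoc` keyword on `_check_signature` is undocumented, and the method has no docstring at all (only the commented-out `#print item` line), so a reader cannot tell how `origdoc` relates to `decoded_xml`; the same gap applies to the `origdoc` keyword added to `correctly_signed_response` in the third hunk, whose docstring is visible in the hunk but not updated. A one-line entry for both would do, e.g. `origdoc: the XML document as originally received; when given, the signature is verified against it instead of against decoded_xml`. It would also help to state that both arguments are expected to describe the same message, since the hunk in the middle of the file only switches which of them is handed to verify_signature. The body of `_check_signature` continues past the hunk, and the `correctly_signed_response` docstring runs on outside the third hunk.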
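Review bot: The two branches inside the `try` in the second hunk are identical apart from the document handed to verify_signature, so the choice belongs before the call: `doc = decoded_xml if origdoc is None else origdoc` followed by the original `if self.verify_signature(doc, pem_file, "pem", node_name, item.id):` block, which keeps `verified = True` and the `break` in one place instead of two. Separately, the new path verifies the signature over `origdoc` while `item` (and the `item.id` used to locate the signed node) was parsed from `decoded_xml`, and nothing in the hunk ties the two documents together; a comment at the `if origdoc is not None:` line should record the precondition, e.g. `# origdoc must be the exact text item/decoded_xml were parsed from; the signed node is looked up by item.id inside it`. Should a caller ever pass an `origdoc` that differs from what `item` was built from, the document whose signature is checked and the data later trusted would no longer be the same. The `for _, pem_file in certs:` loop and the enclosing `_check_signature` both begin and end outside the hunk.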
@@ -623,7 +630,7 @@ class SecurityContext(object):
             try:
                 self._check_signature(decoded_xml, assertion,
-                                      class_name(assertion))
+                                      class_name(assertion), origdoc)
             except Exception, exc:
                 if self.log:
                     self.log.error("correctly_signed_response: %s" % exc)