openstack/deb-python-pysaml2
Code Issues Proposed changes

Use the original XML document when checking signature

Browse Source
This commit is contained in:
Roland Hedberg
2011-04-27 14:16:51 +02:00
parent 5932692726
commit 2e069c7337
1 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/saml2/sigver.py
View File

@@ -1,4 +1,4 @@
#!/usr/bin/python #!/usr/bin/env python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# #
# Copyright (C) 2009 Umeå University # Copyright (C) 2009 Umeå University
@@ -477,7 +477,8 @@ class SecurityContext(object):
return verify_signature(enctext, self.xmlsec, cert_file, cert_type, return verify_signature(enctext, self.xmlsec, cert_file, cert_type,
node_name, self.debug, node_id) node_name, self.debug, node_id)
def _check_signature(self, decoded_xml, item, node_name=NODE_NAME): def _check_signature(self, decoded_xml, item, node_name=NODE_NAME,
origdoc=None):
#print item #print item
try: try:
issuer = item.issuer.text.strip() issuer = item.issuer.text.strip()
@@ -505,10 +506,16 @@ class SecurityContext(object):
verified = False verified = False
for _, pem_file in certs: for _, pem_file in certs:
try: try:
if self.verify_signature(decoded_xml, pem_file, "pem", node_name, if origdoc is not None:
item.id): if self.verify_signature(origdoc, pem_file, "pem",
verified = True node_name, item.id):
break verified = True
break
else:
if self.verify_signature(decoded_xml, pem_file, "pem",
node_name, item.id):
verified = True
break
except XmlsecError, exc: except XmlsecError, exc:
if self.log: if self.log:
self.log.error("check_sig: %s" % exc) self.log.error("check_sig: %s" % exc)
@@ -592,7 +599,7 @@ class SecurityContext(object):
return self._check_signature( decoded_xml, request ) return self._check_signature( decoded_xml, request )
def correctly_signed_response(self, decoded_xml, must=False): def correctly_signed_response(self, decoded_xml, must=False, origdoc=None):
""" Check if a instance is correctly signed, if we have metadata for """ Check if a instance is correctly signed, if we have metadata for
the IdP that sent the info use that, if not use the key that are in the IdP that sent the info use that, if not use the key that are in
the message if any. the message if any.
@@ -623,7 +630,7 @@ class SecurityContext(object):
try: try:
self._check_signature(decoded_xml, assertion, self._check_signature(decoded_xml, assertion,
class_name(assertion)) class_name(assertion), origdoc)
except Exception, exc: except Exception, exc:
if self.log: if self.log:
self.log.error("correctly_signed_response: %s" % exc) self.log.error("correctly_signed_response: %s" % exc)