From d614026c3b84d376e0cd346448f3eda760b5e4e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans=20Ho=CC=88rberg?=
Date: Wed, 22 Apr 2015 13:44:26 +0200
Subject: [PATCH 1/2] Fix so the wsgi SP follows PEFIM.
---
 example/sp-wsgi/pki/localhost.ca.crt | 15 +++++++++++++++
 example/sp-wsgi/pki/localhost.ca.key | 15 +++++++++++++++
 example/sp-wsgi/sp.py | 28 +++++++++++++++++++++++++---
 3 files changed, 55 insertions(+), 3 deletions(-)
 create mode 100644 example/sp-wsgi/pki/localhost.ca.crt
 create mode 100644 example/sp-wsgi/pki/localhost.ca.key
diff --git a/example/sp-wsgi/pki/localhost.ca.crt b/example/sp-wsgi/pki/localhost.ca.crt
new file mode 100644
index 0000000..dd8d229
--- /dev/null
+++ b/example/sp-wsgi/pki/localhost.ca.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSTCCAbICAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV
+BAgTAmFjMQ0wCwYDVQQHEwR1bWVhMRwwGgYDVQQKExNJVFMgVW1lYSBVbml2ZXJz
+aXR5MQ0wCwYDVQQLEwRESVJHMRUwEwYDVQQDEwxsb2NhbGhvc3QuY2EwHhcNMTQw
+MzE3MTY0MjM5WhcNMjQwMzE0MTY0MjM5WjBtMQswCQYDVQQGEwJzZTELMAkGA1UE
+CBMCYWMxDTALBgNVBAcTBHVtZWExHDAaBgNVBAoTE0lUUyBVbWVhIFVuaXZlcnNp
+dHkxDTALBgNVBAsTBERJUkcxFTATBgNVBAMTDGxvY2FsaG9zdC5jYTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEA0+e/ncbbFMpsYc7Pb5wub2Q0jBpaaae3ZklR
+8QNLgQnja6kkKseRR3oOBioo9e7qZbN1N6E2mIye/pMtlOuBcAmp3A+F4rn5VC5p
+U9MMliLaYYY9369lrMk/1u/mOvHmrkV5XdkinR9cY82A2swexWrpNg0IXJorrWXM
+l6mgCncCAwEAATANBgkqhkiG9w0BAQsFAAOBgQBQmC3rYQCyB3iCJBhRF4H10EMw
+NCNMPUiOMvu0+TOIz09hx71LjRbtxUQ+NeksuHJ3ii6UG2XIgXvFCaE0v/pB1UkK
+oTqyfzUSZGvPyODEBX+erq5sQeUeONGHDIEK9c200kwlSnfHSoDSk/C3ceIYY/Ry
+nD3fl05aOEowsVesMw==
+-----END CERTIFICATE-----
diff --git a/example/sp-wsgi/pki/localhost.ca.key b/example/sp-wsgi/pki/localhost.ca.key
new file mode 100644
index 0000000..8ff65b3
--- /dev/null
+++ b/example/sp-wsgi/pki/localhost.ca.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDT57+dxtsUymxhzs9vnC5vZDSMGlppp7dmSVHxA0uBCeNrqSQq
+x5FHeg4GKij17upls3U3oTaYjJ7+ky2U64FwCancD4XiuflULmlT0wyWItphhj3f
+r2WsyT/W7+Y68eauRXld2SKdH1xjzYDazB7Fauk2DQhcmiutZcyXqaAKdwIDAQAB
+AoGBALORf19EVAKaRp3bkw0RXIgoch8HdfZymYekOjvyftkqd/2Tp4JY+1OGqruu
+nmdJvnfQS1SI2KsM/u7b6ZR4vYWYqKIMRK5FTBjW0DNp70DV7Y7Y3Bl17xYfo2eJ
+Zn80OOHBXyLrhWAnQCDERasXtFpHN5hYFoAx2S5YvyYef1aBAkEA8ZgBooYWkzAO
+feEgIywvAaUtCv7TnLwZkTk5wUz4JavkX49LHjMdVef8vRohVOzv5+YPL8L/Aa+C
+afsB56jtbQJBAOCKigLo9XtCrgm7j69r+C4MZaVPMEbXPzgOQFcsI5/K4FiGHeRF
+9XCnVGJP7/tdRBbhX+CrQWIVy+fqqqQR3PMCQQDlQlky0Em17SGjZLIpjnEg/4zJ
+5V4MWxdsD0D2ZUMKBJ9X61PeWaUZ82aMULKWs61Jg7Cfo0x4XgPE7HQ3UL/VAkAm
+Ttx+5JnE/rpMhMhdyFDeIlVRH7J/04dAnAXUGX62a1ldIPyGjnzyTEn0P+kUfHP6
+Z1cBMJaGEmvoVDvqo/WLAkEAhIpFpf1j0c+FrtkGCmNPiANlpWJVz0u1Qt34adZS
+R4GwY5YPKtQ9wo+Z0/K0sEuUBUQYv5nKlXCxRNcL1azr7g==
+-----END RSA PRIVATE KEY-----
diff --git a/example/sp-wsgi/sp.py b/example/sp-wsgi/sp.py
index b67917b..1b72143 100755
--- a/example/sp-wsgi/sp.py
+++ b/example/sp-wsgi/sp.py
@@ -2,13 +2,14 @@
 import logging
 import re
 import argparse
+from saml2.extension.pefim import SPCertEnc
 import service_conf
 from Cookie import SimpleCookie
 from urlparse import parse_qs
 import sys
-from saml2 import BINDING_HTTP_REDIRECT
+from saml2 import BINDING_HTTP_REDIRECT, element_to_extension_element
 from saml2 import BINDING_SOAP
 from saml2 import time_util
 from saml2 import ecp
@@ -33,6 +34,8 @@ from saml2.s_utils import UnsupportedBinding
 from saml2.s_utils import sid
 from saml2.s_utils import rndstr
 #from srtest import exception_trace
+from saml2.md import Extensions
+import xmldsig as ds
 logger = logging.getLogger("")
 hdlr = logging.FileHandler('spx.log')
@@ -152,6 +155,7 @@ class Cache(object):
         self.uid2user = {}
         self.cookie_name = "spauthn"
         self.outstanding_queries = {}
+        self.outstanding_certs = {}
         self.relay_state = {}
         self.user = {}
         self.result = {}
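Review bot: An unencrypted RSA private key (`localhost.ca.key`, PKCS#1 armor `-----BEGIN RSA PRIVATE KEY-----`) lands in the repository here, and PATCH 2/2 deleting the file again does not undo that: once pushed, the key remains in every clone's history and has to be treated as disclosed. Its leading modulus bytes match the certificate committed just above (both decode to `d3 e7 bf 9d ...`), and that certificate appears to be a self-signed 1024-bit sha256WithRSA certificate for `CN=localhost.ca` with a notAfter in March 2024 — confirm with `openssl x509 -text`. If anything was ever issued or signed under this CA key it should be rotated; the example should generate its PKI at install time (the SP already has a `generate_cert_func` hook) or at least keep keys out of VCS with a `.gitignore` entry such as `example/sp-wsgi/pki/*.key`.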
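Review bot: `self.outstanding_certs = {}` is going to hold per-request private key material (the SSO handler stores `{"cert": ..., "key": ...}` under the request id), and nothing in this patch removes an entry or bounds the map, so every unauthenticated hit on the SSO endpoint leaves a private key in process memory for the life of the process. Until a cleanup path exists the lifecycle should at least be stated: `# request id -> {"cert", "key"} of the one-time encryption cert; entry must be dropped once the matching response is consumed`. `Cache.__init__` begins before this hunk, so whether the neighbouring maps are pruned anywhere is not visible here.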
@@ -348,7 +352,7 @@ class ACS(Service):
         try:
             self.response = self.sp.parse_authn_request_response(
-                response, binding, self.outstanding_queries)
+                response, binding, self.outstanding_queries, self.cache.outstanding_certs)
         except UnknownPrincipal, excp:
             logger.error("UnknownPrincipal: %s" % (excp,))
             resp = ServiceError("UnknownPrincipal: %s" % (excp,))
@@ -551,13 +555,31 @@ class SSO(object):
                 "assertion_consumer_service"]
             # just pick one
             endp, return_binding = acs[0]
+
+            extensions = None
+            cert = None
+            if _cli.config.generate_cert_func is not None:
+                cert_str, req_key_str = _cli.config.generate_cert_func()
+                cert = {
+                    "cert": cert_str,
+                    "key": req_key_str
+                }
+                spcertenc = SPCertEnc(x509_data=ds.X509Data(
+                    x509_certificate=ds.X509Certificate(text=cert_str)))
+                extensions = Extensions(extension_elements=[
+                    element_to_extension_element(spcertenc)])
+
             req_id, req = _cli.create_authn_request(destination,
-                                                    binding=return_binding)
+                                                    binding=return_binding, extensions=extensions)
             _rstate = rndstr()
             self.cache.relay_state[_rstate] = came_from
             ht_args = _cli.apply_binding(_binding, "%s" % req, destination,
                                          relay_state=_rstate)
             _sid = req_id
+
+            if cert is not None:
+                self.cache.outstanding_certs[_sid] = cert
+
         except Exception, exc:
             logger.exception(exc)
             resp = ServiceError(
From 00a3a04ade78d40f5c3245eec52d88bbe8525547 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans=20Ho=CC=88rberg?=
Date: Wed, 22 Apr 2015 13:45:14 +0200
Subject: [PATCH 2/2] Removed files.
---
 example/sp-wsgi/pki/localhost.ca.crt | 15 ---------------
 example/sp-wsgi/pki/localhost.ca.key | 15 ---------------
 2 files changed, 30 deletions(-)
 delete mode 100644 example/sp-wsgi/pki/localhost.ca.crt
 delete mode 100644 example/sp-wsgi/pki/localhost.ca.key
diff --git a/example/sp-wsgi/pki/localhost.ca.crt b/example/sp-wsgi/pki/localhost.ca.crt
deleted file mode 100644
index dd8d229..0000000
--- a/example/sp-wsgi/pki/localhost.ca.crt
+++ /dev/null
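Review bot: The per-request key that `self.cache.outstanding_certs` now supplies to `parse_authn_request_response` is never removed afterwards, so the decryption key stays cached after its single intended use (unless the library pops it itself, which is not visible here). Once parsing succeeds, drop the entry keyed by the request id the response answers — the same `_sid` the SSO handler stored under — e.g. `self.cache.outstanding_certs.pop(request_id, None)` with `request_id` taken from the parsed response's InResponseTo, so each key decrypts exactly one response. Note also that the queries come from `self.outstanding_queries` while the certs come from `self.cache.outstanding_certs`; if those are distinct objects the two maps can drift apart on expiry. The enclosing ACS method starts before this hunk and its success path lies after it.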
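Review bot: `ds.X509Certificate(text=cert_str)` puts whatever `generate_cert_func()` returns straight into the `<ds:X509Certificate>` element, which in XML-DSig carries base64-encoded DER only; if the hook returns PEM with its armor lines, the IdP may reject or ignore the SPCertEnc extension and the assertion will not be encrypted to the one-time key. Either strip the armor here before building the element or document the contract at the call site, e.g. `# generate_cert_func must return (base64 DER cert without PEM armor, matching private key PEM)` — confirm against the hook's actual implementation. The same `cert_str` is what ends up in `self.cache.outstanding_certs`, so both consumers need to agree on the format. The SSO method this sits in starts before the hunk.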
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICSTCCAbICAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV
-BAgTAmFjMQ0wCwYDVQQHEwR1bWVhMRwwGgYDVQQKExNJVFMgVW1lYSBVbml2ZXJz
-aXR5MQ0wCwYDVQQLEwRESVJHMRUwEwYDVQQDEwxsb2NhbGhvc3QuY2EwHhcNMTQw
-MzE3MTY0MjM5WhcNMjQwMzE0MTY0MjM5WjBtMQswCQYDVQQGEwJzZTELMAkGA1UE
-CBMCYWMxDTALBgNVBAcTBHVtZWExHDAaBgNVBAoTE0lUUyBVbWVhIFVuaXZlcnNp
-dHkxDTALBgNVBAsTBERJUkcxFTATBgNVBAMTDGxvY2FsaG9zdC5jYTCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEA0+e/ncbbFMpsYc7Pb5wub2Q0jBpaaae3ZklR
-8QNLgQnja6kkKseRR3oOBioo9e7qZbN1N6E2mIye/pMtlOuBcAmp3A+F4rn5VC5p
-U9MMliLaYYY9369lrMk/1u/mOvHmrkV5XdkinR9cY82A2swexWrpNg0IXJorrWXM
-l6mgCncCAwEAATANBgkqhkiG9w0BAQsFAAOBgQBQmC3rYQCyB3iCJBhRF4H10EMw
-NCNMPUiOMvu0+TOIz09hx71LjRbtxUQ+NeksuHJ3ii6UG2XIgXvFCaE0v/pB1UkK
-oTqyfzUSZGvPyODEBX+erq5sQeUeONGHDIEK9c200kwlSnfHSoDSk/C3ceIYY/Ry
-nD3fl05aOEowsVesMw==
------END CERTIFICATE-----
diff --git a/example/sp-wsgi/pki/localhost.ca.key b/example/sp-wsgi/pki/localhost.ca.key
deleted file mode 100644
index 8ff65b3..0000000
--- a/example/sp-wsgi/pki/localhost.ca.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDT57+dxtsUymxhzs9vnC5vZDSMGlppp7dmSVHxA0uBCeNrqSQq
-x5FHeg4GKij17upls3U3oTaYjJ7+ky2U64FwCancD4XiuflULmlT0wyWItphhj3f
-r2WsyT/W7+Y68eauRXld2SKdH1xjzYDazB7Fauk2DQhcmiutZcyXqaAKdwIDAQAB
-AoGBALORf19EVAKaRp3bkw0RXIgoch8HdfZymYekOjvyftkqd/2Tp4JY+1OGqruu
-nmdJvnfQS1SI2KsM/u7b6ZR4vYWYqKIMRK5FTBjW0DNp70DV7Y7Y3Bl17xYfo2eJ
-Zn80OOHBXyLrhWAnQCDERasXtFpHN5hYFoAx2S5YvyYef1aBAkEA8ZgBooYWkzAO
-feEgIywvAaUtCv7TnLwZkTk5wUz4JavkX49LHjMdVef8vRohVOzv5+YPL8L/Aa+C
-afsB56jtbQJBAOCKigLo9XtCrgm7j69r+C4MZaVPMEbXPzgOQFcsI5/K4FiGHeRF
-9XCnVGJP7/tdRBbhX+CrQWIVy+fqqqQR3PMCQQDlQlky0Em17SGjZLIpjnEg/4zJ
-5V4MWxdsD0D2ZUMKBJ9X61PeWaUZ82aMULKWs61Jg7Cfo0x4XgPE7HQ3UL/VAkAm
-Ttx+5JnE/rpMhMhdyFDeIlVRH7J/04dAnAXUGX62a1ldIPyGjnzyTEn0P+kUfHP6
-Z1cBMJaGEmvoVDvqo/WLAkEAhIpFpf1j0c+FrtkGCmNPiANlpWJVz0u1Qt34adZS
-R4GwY5YPKtQ9wo+Z0/K0sEuUBUQYv5nKlXCxRNcL1azr7g==
------END RSA PRIVATE KEY-----