From 2942e0fc753aca6a3e62fa738eddc43e41aa5f6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans=20Ho=CC=88rberg?= Date: Mon, 4 May 2015 13:15:21 +0200 Subject: [PATCH 1/3] Correction for PEFIM. elements must contain the encryption certificate used to encrypt the assertion with the attribute statement. The encryption key is represented within a element. Its XPath is: /samlp:AuthnRequest/samlp:extension/pefim:SPCertEnc/ds:KeyInfo/ ds:X509Data/ds:X509Certificate. --- src/saml2/extension/pefim.py | 19 ++++++++++++++++--- src/saml2/sigver.py | 28 +++++++++++++++++----------- tests/test_82_pefim.py | 2 +- 3 files changed, 34 insertions(+), 15 deletions(-) diff --git a/src/saml2/extension/pefim.py b/src/saml2/extension/pefim.py index 2e05668..f4810a4 100644 --- a/src/saml2/extension/pefim.py +++ b/src/saml2/extension/pefim.py @@ -3,6 +3,7 @@ import saml2 from saml2 import SamlBase from xmldsig import X509Data +from xmldsig import KeyInfo NAMESPACE = 'urn:net:eustix:names:tc:PEFIM:0.0:assertion' @@ -16,11 +17,16 @@ class SPCertEncType_(SamlBase): c_attributes = SamlBase.c_attributes.copy() c_child_order = SamlBase.c_child_order[:] c_cardinality = SamlBase.c_cardinality.copy() - c_children['{http://www.w3.org/2000/09/xmldsig#}X509Data'] = ('x509_data', - [X509Data]) + c_children['{http://www.w3.org/2000/09/xmldsig#}KeyInfo'] = ('key_info', + [KeyInfo]) + c_cardinality['key_info'] = {"min": 1} + c_attributes['VerifyDepth'] = ('verify_depth', 'unsignedByte', False) + c_child_order.extend(['key_info']) def __init__(self, + key_info=None, x509_data=None, + verify_depth='1', text=None, extension_elements=None, extension_attributes=None): @@ -28,7 +34,14 @@ class SPCertEncType_(SamlBase): text=text, extension_elements=extension_elements, extension_attributes=extension_attributes) - self.x509_data = x509_data + if key_info: + self.key_info = key_info + elif x509_data: + self.key_info = KeyInfo(x509_data=x509_data) + else: + self.key_info = [] + self.verify_depth = verify_depth + #self.x509_data = x509_data def spcertenc_type__from_string(xml_string): diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py index efe96fe..be36246 100644 --- a/src/saml2/sigver.py +++ b/src/saml2/sigver.py @@ -21,6 +21,7 @@ from Crypto.Util.asn1 import DerSequence from Crypto.PublicKey import RSA from saml2.cert import OpenSSLWrapper from saml2.extension import pefim +from saml2.extension.pefim import SPCertEnc from saml2.saml import EncryptedAssertion import xmldsig as ds @@ -1063,19 +1064,24 @@ def encrypt_cert_from_item(item): try: _elem = extension_elements_to_elements(item.extension_elements[0].children, [pefim, ds]) - if len(_elem) == 1: - _encrypt_cert = _elem[0].x509_data[0].x509_certificate.text - else: - certs = cert_from_instance(item) - if len(certs) > 0: - _encrypt_cert = certs[0] - except Exception: + for _tmp_elem in _elem: + if isinstance(_tmp_elem, SPCertEnc): + for _tmp_key_info in _tmp_elem.key_info: + if _tmp_key_info.x509_data is not None and len(_tmp_key_info.x509_data) > 0: + _encrypt_cert = _tmp_key_info.x509_data[0].x509_certificate.text + break + #_encrypt_cert = _elem[0].x509_data[0].x509_certificate.text +# else: +# certs = cert_from_instance(item) +# if len(certs) > 0: +# _encrypt_cert = certs[0] + except Exception as _exception: pass - if _encrypt_cert is None: - certs = cert_from_instance(item) - if len(certs) > 0: - _encrypt_cert = certs[0] +# if _encrypt_cert is None: +# certs = cert_from_instance(item) +# if len(certs) > 0: +# _encrypt_cert = certs[0] if _encrypt_cert is not None: if _encrypt_cert.find("-----BEGIN CERTIFICATE-----\n") == -1: diff --git a/tests/test_82_pefim.py b/tests/test_82_pefim.py index cc82551..f40608c 100644 --- a/tests/test_82_pefim.py +++ b/tests/test_82_pefim.py @@ -48,5 +48,5 @@ _elem = extension_elements_to_elements(parsed.extensions.extension_elements, assert len(_elem) == 1 _spcertenc = _elem[0] -_cert = _spcertenc.x509_data[0].x509_certificate.text +_cert = _spcertenc.key_info[0].x509_data[0].x509_certificate.text assert cert == _cert From ee3d828f80ff18082f89e219e0b48faf0dab45ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans=20Ho=CC=88rberg?= Date: Tue, 5 May 2015 14:34:06 +0200 Subject: [PATCH 2/3] Date fix --- tests/attribute_response.xml | 4 ++-- tests/saml_false_signed.xml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/attribute_response.xml b/tests/attribute_response.xml index e6f88c6..d56817c 100644 --- a/tests/attribute_response.xml +++ b/tests/attribute_response.xml @@ -32,13 +32,13 @@ Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> urn:mace:example.com:saml:roland:sp diff --git a/tests/saml_false_signed.xml b/tests/saml_false_signed.xml index 87092d4..faf133b 100644 --- a/tests/saml_false_signed.xml +++ b/tests/saml_false_signed.xml @@ -49,7 +49,7 @@ OmuMZY0K6ERY4fNVnGEAoUZeieehC6/ljmfk14xCAlE= _cddc88563d433f556d4cc70c3162deabddea3b5019 - + From d8a03cba3075a07e6588a07d9fff871daad632ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans=20Ho=CC=88rberg?= Date: Wed, 6 May 2015 18:10:34 +0200 Subject: [PATCH 3/3] Fix for reading the certificate. --- src/saml2/sigver.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py index be36246..b33ab02 100644 --- a/src/saml2/sigver.py +++ b/src/saml2/sigver.py @@ -1062,8 +1062,12 @@ def security_context(conf, debug=None): def encrypt_cert_from_item(item): _encrypt_cert = None try: - _elem = extension_elements_to_elements(item.extension_elements[0].children, - [pefim, ds]) + try: + _elem = extension_elements_to_elements(item.extensions.extension_elements,[pefim, ds]) + except: + _elem = extension_elements_to_elements(item.extension_elements[0].children, + [pefim, ds]) + for _tmp_elem in _elem: if isinstance(_tmp_elem, SPCertEnc): for _tmp_key_info in _tmp_elem.key_info: