Merge pull request #215 from HaToHo/master

PEFIM corrections

src/saml2/extension/pefim.py

@@ -3,6 +3,7 @@
 import saml2
 from saml2 import SamlBase
 from xmldsig import X509Data
+from xmldsig import KeyInfo
 
 NAMESPACE = 'urn:net:eustix:names:tc:PEFIM:0.0:assertion'
 
@@ -16,11 +17,16 @@ class SPCertEncType_(SamlBase):
     c_attributes = SamlBase.c_attributes.copy()
     c_child_order = SamlBase.c_child_order[:]
     c_cardinality = SamlBase.c_cardinality.copy()
-    c_children['{http://www.w3.org/2000/09/xmldsig#}X509Data'] = ('x509_data',
-                                                                  [X509Data])
+    c_children['{http://www.w3.org/2000/09/xmldsig#}KeyInfo'] = ('key_info',
+                                                                 [KeyInfo])
+    c_cardinality['key_info'] = {"min": 1}
+    c_attributes['VerifyDepth'] = ('verify_depth', 'unsignedByte', False)
+    c_child_order.extend(['key_info'])
 
     def __init__(self,
+                 key_info=None,
                  x509_data=None,
+                 verify_depth='1',
                  text=None,
                  extension_elements=None,
                  extension_attributes=None):
@@ -28,7 +34,14 @@ class SPCertEncType_(SamlBase):
                           text=text,
                           extension_elements=extension_elements,
                           extension_attributes=extension_attributes)
-        self.x509_data = x509_data
+        if key_info:
+            self.key_info = key_info
+        elif x509_data:
+            self.key_info = KeyInfo(x509_data=x509_data)
+        else:
+            self.key_info = []
+        self.verify_depth = verify_depth
+        #self.x509_data = x509_data
 
 
 def spcertenc_type__from_string(xml_string):

src/saml2/sigver.py

@@ -21,6 +21,7 @@ from Crypto.Util.asn1 import DerSequence
 from Crypto.PublicKey import RSA
 from saml2.cert import OpenSSLWrapper
 from saml2.extension import pefim
+from saml2.extension.pefim import SPCertEnc
 from saml2.saml import EncryptedAssertion
 
 import xmldsig as ds
@@ -1061,21 +1062,30 @@ def security_context(conf, debug=None):
 def encrypt_cert_from_item(item):
     _encrypt_cert = None
     try:
-        _elem = extension_elements_to_elements(item.extension_elements[0].children,
-                                               [pefim, ds])
-        if len(_elem) == 1:
-            _encrypt_cert = _elem[0].x509_data[0].x509_certificate.text
-        else:
-            certs = cert_from_instance(item)
-            if len(certs) > 0:
-                _encrypt_cert = certs[0]
-    except Exception:
+        try:
+            _elem = extension_elements_to_elements(item.extensions.extension_elements,[pefim, ds])
+        except:
+            _elem = extension_elements_to_elements(item.extension_elements[0].children,
+                                                   [pefim, ds])
+
+        for _tmp_elem in _elem:
+            if isinstance(_tmp_elem, SPCertEnc):
+                for _tmp_key_info in _tmp_elem.key_info:
+                    if _tmp_key_info.x509_data is not None and len(_tmp_key_info.x509_data) > 0:
+                        _encrypt_cert = _tmp_key_info.x509_data[0].x509_certificate.text
+                        break
+            #_encrypt_cert = _elem[0].x509_data[0].x509_certificate.text
+#        else:
+#            certs = cert_from_instance(item)
+#            if len(certs) > 0:
+#                _encrypt_cert = certs[0]
+    except Exception as _exception:
         pass
 
-    if _encrypt_cert is None:
-        certs = cert_from_instance(item)
-        if len(certs) > 0:
-            _encrypt_cert = certs[0]
+#    if _encrypt_cert is None:
+#        certs = cert_from_instance(item)
+#        if len(certs) > 0:
+#            _encrypt_cert = certs[0]
 
     if _encrypt_cert is not None:
         if _encrypt_cert.find("-----BEGIN CERTIFICATE-----\n") == -1:

tests/attribute_response.xml

@@ -32,13 +32,13 @@
                     Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                 <saml2:SubjectConfirmationData Address="192.168.1.1"
                                                InResponseTo="id-f4d370f3d03650f3ec0da694e2348bfe"
-                                               NotOnOrAfter="2014-09-14T21:06:32.081Z"
+                                               NotOnOrAfter="2024-09-14T21:06:32.081Z"
                                                Recipient="https://myreviewroom.com/saml2/acs/"
                         />
             </saml2:SubjectConfirmation>
         </saml2:Subject>
         <saml2:Conditions NotBefore="2014-09-14T21:01:32.081Z"
-                          NotOnOrAfter="2014-09-14T21:06:32.081Z"
+                          NotOnOrAfter="2024-09-14T21:06:32.081Z"
                 >
             <saml2:AudienceRestriction>
                 <saml2:Audience>urn:mace:example.com:saml:roland:sp

tests/saml_false_signed.xml

@@ -49,7 +49,7 @@ OmuMZY0K6ERY4fNVnGEAoUZeieehC6/ljmfk14xCAlE=</ns2:SignatureValue>
         _cddc88563d433f556d4cc70c3162deabddea3b5019
       </ns1:NameID>
       <ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-        <ns1:SubjectConfirmationData InResponseTo="bahigehogffohiphlfmplepdpcohkhhmheppcdie" NotOnOrAfter="2014-10-04T09:59:39Z" Recipient="http://xenosmilus.umdc.umu.se:8087/login"/>
+        <ns1:SubjectConfirmationData InResponseTo="bahigehogffohiphlfmplepdpcohkhhmheppcdie" NotOnOrAfter="2024-10-04T09:59:39Z" Recipient="http://xenosmilus.umdc.umu.se:8087/login"/>
       </ns1:SubjectConfirmation>
     </ns1:Subject>
     <ns1:Conditions NotBefore="2014-10-04T09:59:39Z" NotOnOrAfter="2024-05-04T09:59:39Z">

tests/test_82_pefim.py

@@ -48,5 +48,5 @@ _elem = extension_elements_to_elements(parsed.extensions.extension_elements,
 
 assert len(_elem) == 1
 _spcertenc = _elem[0]
-_cert = _spcertenc.x509_data[0].x509_certificate.text
+_cert = _spcertenc.key_info[0].x509_data[0].x509_certificate.text
 assert cert == _cert