From 805915bce5d124f3e0bb45aab0ccd0f7fe16651b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans=20Ho=CC=88rberg?=
Date: Fri, 17 Apr 2015 16:05:52 +0200
Subject: [PATCH 1/3] Correction so all aes encryption alg. can be used while decrypting.

---
 src/saml2/aes.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/saml2/aes.py b/src/saml2/aes.py
index 27a61aa..4110e1f 100644
--- a/src/saml2/aes.py
+++ b/src/saml2/aes.py
@@ -87,7 +87,7 @@ class AESCipher(object):
 return cmsg
- def decrypt(self, msg, iv=None, padding="PKCS#7", b64dec=True):
+ def decrypt(self, msg, iv=None, alg="aes_128_cbc", padding="PKCS#7", b64dec=True):
 """
 :param key: The encryption key
 :param iv: init vector
@@ -102,7 +102,7 @@ class AESCipher(object):
 _iv = data[:AES.block_size]
 if iv:
 assert iv == _iv
- cipher, iv = self.build_cipher(iv)
+ cipher, iv = self.build_cipher(iv, alg=alg)
 res = cipher.decrypt(data)[AES.block_size:]
 if padding in ["PKCS#5", "PKCS#7"]:
 res = res[:-ord(res[-1])]

From f3a5df6e8f394109f4f804a5a6c3788bd417e5aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans=20Ho=CC=88rberg?=
Date: Fri, 17 Apr 2015 16:07:39 +0200
Subject: [PATCH 2/3] Fix for encryption of assertions.

---
 src/saml2/sigver.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
index 5a8fae6..efe96fe 100644
--- a/src/saml2/sigver.py
+++ b/src/saml2/sigver.py
@@ -1820,10 +1820,11 @@ def pre_encrypt_assertion(response):
 assertion = response.assertion
 response.assertion = None
 response.encrypted_assertion = EncryptedAssertion()
- if isinstance(assertion, list):
- response.encrypted_assertion.add_extension_elements(assertion)
- else:
- response.encrypted_assertion.add_extension_element(assertion)
+ if assertion is not None:
+ if isinstance(assertion, list):
+ response.encrypted_assertion.add_extension_elements(assertion)
+ else:
+ response.encrypted_assertion.add_extension_element(assertion)
 # txt = "%s" % response
 # _ass = "%s" % assertion
 # _ass = rm_xmltag(_ass)

From 453061ca457ae5590a3d77bda70b2d9859f50abb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans=20Ho=CC=88rberg?=
Date: Fri, 17 Apr 2015 16:08:34 +0200
Subject: [PATCH 3/3] Fix so the IdP follows PEFIM.

---
 example/idp2/idp.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/example/idp2/idp.py b/example/idp2/idp.py
index 5d2a46e..8c42d36 100755
--- a/example/idp2/idp.py
+++ b/example/idp2/idp.py
@@ -335,6 +335,8 @@ class SSO(Service):
 _resp = IDP.create_authn_response(
 identity, userid=self.user,
 encrypt_cert=encrypt_cert,
+ encrypt_assertion_self_contained=True,
+ encrypted_advice_attributes=True,
 **resp_args)
 except Exception as excp:
 logging.error(exception_trace(excp))
@@ -399,9 +401,9 @@ class SSO(Service):
 return resp(self.environ, self.start_response)
 if self.user:
+ saml_msg["req_info"] = self.req_info
 if _req.force_authn is not None and \
 _req.force_authn.lower() == 'true':
- saml_msg["req_info"] = self.req_info
 key = self._store_request(saml_msg)
 return self.not_authn(key, _req.requested_authn_context)
 else:
@@ -1013,6 +1015,7 @@ def application(environ, start_response):
 if isinstance(callback, tuple):
 cls = callback[0](environ, start_response, user)
 func = getattr(cls, callback[1])
+ return func()
 return callback(environ, start_response, user)
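Review bot: Inserting `alg` ahead of `padding` in the `decrypt` signature changes the positional order, so an existing caller that passes `padding` or `b64dec` positionally now has that value bound to `alg` and the old default silently applied to the rest; appending the parameter instead, `def decrypt(self, msg, iv=None, padding="PKCS#7", b64dec=True, alg="aes_128_cbc"):`, keeps those call sites working, and the `build_cipher(iv, alg=alg)` call in the next hunk is keyword-based so it is unaffected. The docstring that follows is not updated for the new parameter; add `:param alg: cipher algorithm name, e.g. "aes_128_cbc"; must be the one the message was encrypted with`. While there, the existing `:param key:` line documents an argument `decrypt` does not take. The body of `decrypt` continues beyond this hunk.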
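Review bot: Now that the cipher is selected by the caller-supplied `alg`, the unconditional PKCS#7 strip on the hunk's last line, `res = res[:-ord(res[-1])]`, still trusts the final byte of the decrypted data without checking it, so a corrupted or tampered ciphertext, or an `alg` that does not match the one used for encryption, yields a silently truncated or over-long plaintext instead of an error. Validate the pad before slicing: `pad = ord(res[-1])` / `if not 1 <= pad <= AES.block_size or res[-pad:] != chr(pad) * pad: raise ValueError("invalid padding")` / `res = res[:-pad]`, and reject an empty `res` the same way rather than letting `res[-1]` raise IndexError. Note also that `build_cipher` is handed the caller's `iv` rather than the `_iv` read from the data, which presumably only works because the first decrypted block is discarded; that holds for CBC but should be confirmed for any other mode `alg` can now name. The function's return lies outside the hunk.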
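Review bot: The new `is not None` guard leaves `response.assertion = None` and the fresh `EncryptedAssertion()` in place when there is nothing to wrap, so a response without an assertion is still rewritten into one that carries an empty `EncryptedAssertion` element, and a consumer discovers the missing assertion from an empty container rather than from an explicit failure here. Unless callers depend on that empty element, decide the case before mutating the response, for example `if assertion is None:` / `    raise ValueError("response has no assertion to encrypt")` placed directly after `assertion = response.assertion`, or return the response untouched if a missing assertion is a legitimate input. The three commented-out lines at the end of the hunk are dead code and could be dropped. The rest of `pre_encrypt_assertion`, including its return, lies outside the hunk.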
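Review bot: The two new keyword arguments `encrypt_assertion_self_contained=True` and `encrypted_advice_attributes=True` are hard-coded with no comment, so a reader cannot tell that they exist to meet the PEFIM profile named in the commit subject, and the example IdP can no longer issue a response without them. Add a why-comment above the pair, `# PEFIM profile: encrypt the assertion as a self-contained element and encrypt the advice attributes`, and consider taking both from the IdP configuration, presumably where `encrypt_cert` already comes from, so the example can still run in the plain mode. The enclosing `try` block starts before the hunk.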
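Review bot: Moving `saml_msg["req_info"] = self.req_info` above the `force_authn` test makes the request info available to the `else:` branch as well, but nothing in the hunk says why that branch now needs it, and the `else:` body lies outside the hunk. A one-line comment on the moved line would save the next reader a trip through that branch, for example `# req_info is needed by the re-authentication path and by the already-authenticated path below`, adjusted to what the `else:` branch actually does with it. Since the same `saml_msg` is handed to `_store_request` in the `force_authn` path, it is worth confirming that `self.req_info` holds only what can safely be persisted and reloaded.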