Merge pull request #289 from HaToHo/master

Try 999. :) Added to possibility to manually set sign and digest alg. as well the possibility to change the default values for sign and digest alg.

Author: Roland Hedberg

example/idp2/idp.py

@@ -49,6 +49,7 @@
 from idp_user import USERS
 from idp_user import EXTRA
 from mako.lookup import TemplateLookup
+import saml2.xmldsig as ds
 
 logger = logging.getLogger("saml2.idp")
 logger.setLevel(logging.WARNING)
@@ -1068,6 +1069,18 @@ def application(environ, start_response):
     HOST = CONFIG.HOST
     PORT = CONFIG.PORT
 
+    sign_alg = None
+    digest_alg = None
+    try:
+        sign_alg = CONFIG.SIGN_ALG
+    except:
+        pass
+    try:
+        digest_alg = CONFIG.DIGEST_ALG
+    except:
+        pass
+    ds.DefaultSignature(sign_alg, digest_alg)
+
     SRV = wsgiserver.CherryPyWSGIServer((HOST, PORT), application)
 
     _https = ""

example/idp2/idp_conf.py.example

@@ -8,6 +8,7 @@ from saml2.saml import NAME_FORMAT_URI
 from saml2.saml import NAMEID_FORMAT_TRANSIENT
 from saml2.saml import NAMEID_FORMAT_PERSISTENT
 import os.path
+import saml2.xmldsig as ds
 
 try:
     from saml2.sigver import get_xmlsec_binary
@@ -39,6 +40,11 @@ else:
 SERVER_CERT = "pki/mycert.pem"
 SERVER_KEY = "pki/mykey.pem"
 CERT_CHAIN = ""
+SIGN_ALG = None
+DIGEST_ALG = None
+#SIGN_ALG = ds.SIG_RSA_SHA512
+#DIGEST_ALG = ds.DIGEST_SHA512
+
 
 CONFIG = {
     "entityid": "%s/idp.xml" % BASE,

example/sp-wsgi/service_conf.py

@@ -1,8 +1,13 @@
 from saml2.assertion import Policy
+import saml2.xmldsig as ds
 
-HOST = '127.0.0.1'
+HOST = 'localhost'
 PORT = 8087
 HTTPS = False
+SIGN_ALG = None
+DIGEST_ALG = None
+#SIGN_ALG = ds.SIG_RSA_SHA512
+#DIGEST_ALG = ds.DIGEST_SHA512
 
 # Which groups of entity categories to use
 POLICY = Policy(

example/sp-wsgi/sp.py

@@ -45,6 +45,7 @@
 #from srtest import exception_trace
 from saml2.samlp import Extensions
 from saml2 import xmldsig as ds
+import saml2.xmldsig as ds
 
 logger = logging.getLogger("")
 hdlr = logging.FileHandler('spx.log')
@@ -890,6 +891,17 @@ def application(environ, start_response):
     POLICY = service_conf.POLICY
 
     add_urls()
+    sign_alg = None
+    digest_alg = None
+    try:
+        sign_alg = service_conf.SIGN_ALG
+    except:
+        pass
+    try:
+        digest_alg = service_conf.DIGEST_ALG
+    except:
+        pass
+    ds.DefaultSignature(sign_alg, digest_alg)
 
     SRV = wsgiserver.CherryPyWSGIServer((HOST, PORT), application)
 

src/saml2/client.py

@@ -137,7 +137,7 @@ def prepare_for_negotiated_authenticate(
             raise SignOnError(
                 "No supported bindings available for authentication")
 
-    def global_logout(self, name_id, reason="", expire=None, sign=None):
+    def global_logout(self, name_id, reason="", expire=None, sign=None, sign_alg=None, digest_alg=None):
         """ More or less a layer of indirection :-/
         Bootstrapping the whole thing by finding all the IdPs that should
         be notified.
@@ -162,10 +162,10 @@ def global_logout(self, name_id, reason="", expire=None, sign=None):
 
         # find out which IdPs/AAs I should notify
         entity_ids = self.users.issuers_of_info(name_id)
-        return self.do_logout(name_id, entity_ids, reason, expire, sign)
+        return self.do_logout(name_id, entity_ids, reason, expire, sign, sign_alg=sign_alg, digest_alg=digest_alg)
 
     def do_logout(self, name_id, entity_ids, reason, expire, sign=None,
-                  expected_binding=None, **kwargs):
+                  expected_binding=None, sign_alg=None, digest_alg=None, **kwargs):
         """
 
         :param name_id: Identifier of the Subject (a NameID instance)
@@ -230,11 +230,11 @@ def do_logout(self, name_id, entity_ids, reason, expire, sign=None,
                 key = None
                 if sign:
                     if binding == BINDING_HTTP_REDIRECT:
-                        sigalg = kwargs.get("sigalg", ds.sig_default)
+                        sigalg = kwargs.get("sigalg", ds.DefaultSignature().get_sign_alg())
                         key = kwargs.get("key", self.signkey)
                         srequest = str(request)
                     else:
-                        srequest = self.sign(request)
+                        srequest = self.sign(request, sign_alg=sign_alg, digest_alg=digest_alg)
                 else:
                     srequest = str(request)
 
@@ -294,7 +294,7 @@ def is_logged_in(self, name_id):
         identity = self.users.get_identity(name_id)[0]
         return bool(identity)
 
-    def handle_logout_response(self, response):
+    def handle_logout_response(self, response, sign_alg=None, digest_alg=None):
         """ handles a Logout response
 
         :param response: A response.Response instance
@@ -313,10 +313,12 @@ def handle_logout_response(self, response):
             return 0, "200 Ok", [("Content-type", "text/html")], []
         else:
             status["entity_ids"].remove(issuer)
+            if "sign_alg" in status:
+                sign_alg = status["sign_alg"]
             return self.do_logout(decode(status["name_id"]),
                                   status["entity_ids"],
                                   status["reason"], status["not_on_or_after"],
-                                  status["sign"])
+                                  status["sign"], sign_alg=sign_alg, digest_alg=digest_alg)
 
     def _use_soap(self, destination, query_type, **kwargs):
         _create_func = getattr(self, "create_%s" % query_type)

src/saml2/client_base.py

@@ -205,7 +205,7 @@ def create_authn_request(self, destination, vorg="", scoping=None,
                              nameid_format=None,
                              service_url_binding=None, message_id=0,
                              consent=None, extensions=None, sign=None,
-                             allow_create=False, sign_prepare=False, **kwargs):
+                             allow_create=False, sign_prepare=False, sign_alg=None, digest_alg=None, **kwargs):
         """ Creates an authentication request.
 
         :param destination: Where the request should be sent.
@@ -342,15 +342,15 @@ def create_authn_request(self, destination, vorg="", scoping=None,
                 return self._message(AuthnRequest, destination, message_id,
                                      consent, extensions, sign, sign_prepare,
                                      protocol_binding=binding,
-                                     scoping=scoping, nsprefix=nsprefix, **args)
+                                     scoping=scoping, nsprefix=nsprefix, sign_alg=sign_alg, digest_alg=digest_alg, **args)
         return self._message(AuthnRequest, destination, message_id, consent,
                              extensions, sign, sign_prepare,
                              protocol_binding=binding,
-                             scoping=scoping, nsprefix=nsprefix, **args)
+                             scoping=scoping, nsprefix=nsprefix, sign_alg=sign_alg, digest_alg=digest_alg, **args)
 
     def create_attribute_query(self, destination, name_id=None,
                                attribute=None, message_id=0, consent=None,
-                               extensions=None, sign=False, sign_prepare=False,
+                               extensions=None, sign=False, sign_prepare=False, sign_alg=None, digest_alg=None,
                                **kwargs):
         """ Constructs an AttributeQuery
 
@@ -407,15 +407,15 @@ def create_attribute_query(self, destination, name_id=None,
 
         return self._message(AttributeQuery, destination, message_id, consent,
                              extensions, sign, sign_prepare, subject=subject,
-                             attribute=attribute, nsprefix=nsprefix)
+                             attribute=attribute, nsprefix=nsprefix, sign_alg=sign_alg, digest_alg=digest_alg)
 
     # MUST use SOAP for
     # AssertionIDRequest, SubjectQuery,
     # AuthnQuery, AttributeQuery, or AuthzDecisionQuery
     def create_authz_decision_query(self, destination, action,
                                     evidence=None, resource=None, subject=None,
                                     message_id=0, consent=None, extensions=None,
-                                    sign=None, **kwargs):
+                                    sign=None, sign_alg=None, digest_alg=None, **kwargs):
         """ Creates an authz decision query.
 
         :param destination: The IdP endpoint
@@ -433,7 +433,7 @@ def create_authz_decision_query(self, destination, action,
         return self._message(AuthzDecisionQuery, destination, message_id,
                              consent, extensions, sign, action=action,
                              evidence=evidence, resource=resource,
-                             subject=subject, **kwargs)
+                             subject=subject, sign_alg=sign_alg, digest_alg=digest_alg, **kwargs)
 
     def create_authz_decision_query_using_assertion(self, destination,
                                                     assertion, action=None,
@@ -485,7 +485,7 @@ def create_assertion_id_request(assertion_id_refs, **kwargs):
 
     def create_authn_query(self, subject, destination=None, authn_context=None,
                            session_index="", message_id=0, consent=None,
-                           extensions=None, sign=False, nsprefix=None):
+                           extensions=None, sign=False, nsprefix=None, sign_alg=None, digest_alg=None):
         """
 
         :param subject: The subject its all about as a <Subject> instance
@@ -502,14 +502,14 @@ def create_authn_query(self, subject, destination=None, authn_context=None,
                              extensions, sign, subject=subject,
                              session_index=session_index,
                              requested_authn_context=authn_context,
-                             nsprefix=nsprefix)
+                             nsprefix=nsprefix, sign_alg=sign_alg, digest_alg=digest_alg)
 
     def create_name_id_mapping_request(self, name_id_policy,
                                        name_id=None, base_id=None,
                                        encrypted_id=None, destination=None,
                                        message_id=0, consent=None,
                                        extensions=None, sign=False,
-                                       nsprefix=None):
+                                       nsprefix=None, sign_alg=None, digest_alg=None):
         """
 
         :param name_id_policy:
@@ -531,17 +531,17 @@ def create_name_id_mapping_request(self, name_id_policy,
             return self._message(NameIDMappingRequest, destination, message_id,
                                  consent, extensions, sign,
                                  name_id_policy=name_id_policy, name_id=name_id,
-                                 nsprefix=nsprefix)
+                                 nsprefix=nsprefix, sign_alg=sign_alg, digest_alg=digest_alg)
         elif base_id:
             return self._message(NameIDMappingRequest, destination, message_id,
                                  consent, extensions, sign,
                                  name_id_policy=name_id_policy, base_id=base_id,
-                                 nsprefix=nsprefix)
+                                 nsprefix=nsprefix, sign_alg=sign_alg, digest_alg=digest_alg)
         else:
             return self._message(NameIDMappingRequest, destination, message_id,
                                  consent, extensions, sign,
                                  name_id_policy=name_id_policy,
-                                 encrypted_id=encrypted_id, nsprefix=nsprefix)
+                                 encrypted_id=encrypted_id, nsprefix=nsprefix, sign_alg=sign_alg, digest_alg=digest_alg)
 
     # ======== response handling ===========