Configurable signing and digest alg

Author: peppelinux

docs/howto/config.rst

@@ -247,6 +247,7 @@ The globally unique identifier of the entity.
 .. note:: It is recommended that the entityid should point to a real
     webpage where the metadata for the entity can be found.
 
+
 key_file
 ^^^^^^^^
 
@@ -1013,6 +1014,23 @@ Example::
         }
     }
 
+
+signing_algorithm
+"""""""""""""""""
+
+Default algorithm to be used. Example::
+
+    'signing_algorithm':  saml2.xmldsig.SIG_RSA_SHA256,
+
+
+digest_algorithm
+"""""""""""""""""
+
+Default algorithm to be used. Example::
+
+    'digest_algorithm':  saml2.xmldsig.DIGEST_SHA256,
+
+
 logout_responses_signed
 """""""""""""""""""""""
 
@@ -1031,6 +1049,7 @@ Example::
         }
     }
 
+
 subject_data
 """"""""""""
 

src/saml2/client_base.py

@@ -186,6 +186,10 @@ def __init__(self, config=None, identity_cache=None, state_cache=None,
 
             setattr(self, attr, val)
 
+        # signing and digest algs
+        self.signing_algorithm = self.config.getattr('signing_algorithm', "sp")
+        self.digest_algorithm = self.config.getattr('digest_algorithm', "sp")
+
         if self.entity_type == "sp" and not any(
             [
                 self.want_assertions_signed,
@@ -234,8 +238,10 @@ def _sso_location(self, entityid=None, binding=BINDING_HTTP_REDIRECT):
             raise IdpUnspecified("Too many IdPs to choose from: %s" % eids)
 
         try:
-            srvs = self.metadata.single_sign_on_service(list(eids.keys())[0], binding)
+            srvs = self.metadata.single_sign_on_service(list(eids.keys())[0], 
+                                                        binding)
             return next(locations(srvs), None)
+
         except IndexError:
             raise IdpUnspecified("No IdP to send to given the premises")
 

src/saml2/config.py

@@ -76,6 +76,8 @@
     "metadata",
     "ui_info",
     "name_id_format",
+    "signing_algorithm",
+    "digest_algorithm",
 ]
 
 SP_ARGS = [
@@ -225,6 +227,8 @@ def __init__(self, homedir="."):
         self.attribute_profile = []
         self.requested_attribute_name_format = NAME_FORMAT_URI
         self.delete_tmpfiles = True
+        self.signing_algorithm = None
+        self.digest_algorithm = None
 
     def setattr(self, context, attr, val):
         if context == "":

src/saml2/entity.py

@@ -453,6 +453,10 @@ def sign(
         sign_alg=None,
         digest_alg=None,
     ):
+        # sign adn digest algs
+        sign_alg = sign_alg or self.signing_algorithm
+        digest_alg = digest_alg or self.digest_algorithm
+
         if msg.signature is None:
             msg.signature = pre_signature_part(
                 msg.id, self.sec.my_cert, 1, sign_alg=sign_alg, digest_alg=digest_alg

src/saml2/server.py

@@ -524,7 +524,8 @@ def create_attribute_response(self, identity, in_response_to, destination,
 
         if not name_id and userid:
             try:
-                name_id = self.ident.construct_nameid(userid, policy, sp_entity_id)
+                name_id = self.ident.construct_nameid(userid, policy,
+                                                      sp_entity_id)
                 logger.warning("Unspecified NameID format")
             except Exception:
                 pass
@@ -593,7 +594,11 @@ def gather_authn_response_args(self, sp_entity_id, name_id_policy, userid,
             args['best_effort'] = kwargs["best_effort"]
         except KeyError:
             args['best_effort'] = False
-
+        
+        # signing and digest algs
+        self.signing_algorithm = self.config.getattr('signing_algorithm', "idp")
+        self.digest_algorithm = self.config.getattr('digest_algorithm', "idp")
+        
         for param in ['sign_assertion', 'sign_response', 'encrypt_assertion',
                       'encrypt_assertion_self_contained',
                       'encrypted_advice_attributes', 'encrypt_cert_advice',