Use the new saml2.cryptography module

Replace AESCipher with the default symmetric method.
Use the default key generation method to generate a key for the server.
Warn about the use of aes attribute of authn.UsernamePasswordMako class.
Hide cryptography details behind the saml2.cryptography module.

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

src/saml2/authn.py

@@ -1,8 +1,9 @@
+import warnings
 import logging
 import six
 import time
 from saml2 import SAMLError
-from saml2.aes import AESCipher
+import saml2.cryptography.symmetric
 from saml2.httputil import Response
 from saml2.httputil import make_cookie
 from saml2.httputil import Redirect
@@ -14,6 +15,7 @@
 __author__ = 'rolandh'
 
 logger = logging.getLogger(__name__)
+warnings.simplefilter('default')
 
 
 class AuthnFailure(SAMLError):
@@ -120,7 +122,16 @@ def __init__(self, srv, mako_template, template_lookup, pwd, return_to):
         self.return_to = return_to
         self.active = {}
         self.query_param = "upm_answer"
-        self.aes = AESCipher(self.srv.symkey.encode())
+        self.symmetric = saml2.cryptography.symmetric.Default(srv.symkey)
+
+    @property
+    def aes(self):
+        _deprecation_msg = (
+            'This attribute is deprecated. '
+            'It will be removed in the next version. '
+            'Use self.symmetric instead.')
+        warnings.warn(_deprecation_msg, DeprecationWarning)
+        return self.symmetric
 
     def __call__(self, cookie=None, policy_url=None, logo_url=None,
                  query="", **kwargs):
@@ -172,7 +183,7 @@ def verify(self, request, **kwargs):
             self._verify(_dict["password"][0], _dict["login"][0])
             timestamp = str(int(time.mktime(time.gmtime())))
             msg = "::".join([_dict["login"][0], timestamp])
-            info = self.aes.encrypt(msg.encode())
+            info = self.symmetric.encrypt(msg.encode())
             self.active[info] = timestamp
             cookie = make_cookie(self.cookie_name, info, self.srv.seed)
             return_to = create_return_url(self.return_to, _dict["query"][0],
@@ -192,7 +203,7 @@ def authenticated_as(self, cookie=None, **kwargs):
                 info, timestamp = parse_cookie(self.cookie_name,
                                                self.srv.seed, cookie)
                 if self.active[info] == timestamp:
-                    msg = self.aes.decrypt(info).decode()
+                    msg = self.symmetric.decrypt(info).decode()
                     uid, _ts = msg.split("::")
                     if timestamp == _ts:
                         return {"uid": uid}

src/saml2/cert.py

@@ -9,10 +9,8 @@
 from os.path import join
 from os import remove
 
-from cryptography.hazmat.backends import default_backend
-from cryptography.x509 import load_pem_x509_certificate
+import saml2.cryptography.pki
 
-backend = default_backend()
 
 class WrongInput(Exception):
     pass
@@ -325,7 +323,8 @@ def verify(self, signing_cert_str, cert_str):
                 cert_algorithm = cert_algorithm.decode('ascii')
                 cert_str = cert_str.encode('ascii')
 
-            cert_crypto = load_pem_x509_certificate(cert_str, backend)
+            cert_crypto = saml2.cryptography.pki.load_pem_x509_certificate(
+                    cert_str)
 
             try:
                 crypto.verify(ca_cert, cert_crypto.signature,

src/saml2/server.py

@@ -14,6 +14,7 @@
 import six
 import threading
 
+import saml2.cryptography.symmetric
 from saml2 import saml
 from saml2 import element_to_extension_element
 from saml2 import class_name
@@ -84,7 +85,10 @@ def __init__(self, config_file="", config=None, cache=None, stype="idp",
         self.cache = cache
         self.ticket = {}
         self.session_db = self.choose_session_storage()
-        self.symkey = symkey
+        if symkey:
+            self.symkey = symkey.encode()
+        else:
+            self.symkey = saml2.cryptography.symmetric.Default.generate_key()
         self.seed = rndstr()
         self.lock = threading.Lock()
 

src/saml2/sigver.py

@@ -19,13 +19,8 @@
 
 from future.backports.urllib.parse import urlencode
 
-from cryptography.exceptions import InvalidSignature
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
-from cryptography.hazmat.primitives.serialization import load_pem_private_key
-from cryptography.x509 import load_pem_x509_certificate
+import saml2.cryptography.asymmetric
+import saml2.cryptography.pki
 
 from tempfile import NamedTemporaryFile
 from subprocess import Popen
@@ -75,8 +70,6 @@
 PREFIX1 = "<?xml version='1.0' encoding='UTF-8'?>"
 PREFIX2 = '<?xml version="1.0" encoding="UTF-8"?>'
 
-backend = default_backend()
-
 
 class SigverError(SAMLError):
     pass
@@ -489,7 +482,7 @@ def base64_to_long(data):
 
 
 def extract_rsa_key_from_x509_cert(pem):
-    cert = load_pem_x509_certificate(pem, backend)
+    cert = saml2.cryptography.pki.load_pem_x509_certificate(pem)
     return cert.public_key()
 
 
@@ -499,7 +492,9 @@ def pem_format(key):
 
 
 def import_rsa_key_from_file(filename):
-    return load_pem_private_key(read_file(filename, 'rb'), None, backend)
+    data = read_file(filename, 'rb')
+    key = saml2.cryptography.asymmetric.load_pem_private_key(data, None)
+    return key
 
 
 def parse_xmlsec_output(output):
@@ -542,31 +537,20 @@ def __init__(self, digest, key=None):
         self.digest = digest
 
     def sign(self, msg, key=None):
-        if key is None:
-            key = self.key
-
-        return key.sign(msg, PKCS1v15(), self.digest)
+        return saml2.cryptography.asymmetric.key_sign(
+                key or self.key, msg, self.digest)
 
     def verify(self, msg, sig, key=None):
-        if key is None:
-            key = self.key
-
-        try:
-            if isinstance(key, rsa.RSAPrivateKey):
-                key = key.public_key()
-
-            key.verify(sig, msg, PKCS1v15(), self.digest)
-            return True
-        except InvalidSignature:
-            return False
+        return saml2.cryptography.asymmetric.key_verify(
+                key or self.key, sig, msg, self.digest)
 
 
 SIGNER_ALGS = {
-    SIG_RSA_SHA1: RSASigner(hashes.SHA1()),
-    SIG_RSA_SHA224: RSASigner(hashes.SHA224()),
-    SIG_RSA_SHA256: RSASigner(hashes.SHA256()),
-    SIG_RSA_SHA384: RSASigner(hashes.SHA384()),
-    SIG_RSA_SHA512: RSASigner(hashes.SHA512()),
+    SIG_RSA_SHA1: RSASigner(saml2.cryptography.asymmetric.hashes.SHA1()),
+    SIG_RSA_SHA224: RSASigner(saml2.cryptography.asymmetric.hashes.SHA224()),
+    SIG_RSA_SHA256: RSASigner(saml2.cryptography.asymmetric.hashes.SHA256()),
+    SIG_RSA_SHA384: RSASigner(saml2.cryptography.asymmetric.hashes.SHA384()),
+    SIG_RSA_SHA512: RSASigner(saml2.cryptography.asymmetric.hashes.SHA512()),
 }
 
 REQ_ORDER = ["SAMLRequest", "RelayState", "SigAlg"]