IdentityPython
diff --git a/‎example/sp-wsgi/sp.py
Lines changed: 23 additions & 14 deletions b/‎example/sp-wsgi/sp.py
Lines changed: 23 additions & 14 deletions
diff --git a/‎src/saml2/__init__.py
Lines changed: 31 additions & 18 deletions b/‎src/saml2/__init__.py
Lines changed: 31 additions & 18 deletions
diff --git a/‎src/saml2/assertion.py
Lines changed: 51 additions & 29 deletions b/‎src/saml2/assertion.py
Lines changed: 51 additions & 29 deletions
diff --git a/‎src/saml2/entity.py
Lines changed: 1 addition & 1 deletion b/‎src/saml2/entity.py
Lines changed: 1 addition & 1 deletion
@@ -9,6 +9,7 @@
 import re
 import sys
 import xml.dom.minidom
+from saml2.sigver import SignatureError
 
 import six
 from six.moves.http_cookies import SimpleCookie
@@ -48,7 +49,7 @@
 logger = logging.getLogger("")
 hdlr = logging.FileHandler('spx.log')
 base_formatter = logging.Formatter(
-        "%(asctime)s %(name)s:%(levelname)s %(message)s")
+    "%(asctime)s %(name)s:%(levelname)s %(message)s")
 
 hdlr.setFormatter(base_formatter)
 logger.addHandler(hdlr)
@@ -329,7 +330,8 @@ def __init__(self, name_id, data, saml_response):
 
     @property
     def authn_statement(self):
-        xml_doc = xml.dom.minidom.parseString(str(self.response.assertion.authn_statement[0]))
+        xml_doc = xml.dom.minidom.parseString(
+            str(self.response.assertion.authn_statement[0]))
         return xml_doc.toprettyxml()
 
 
@@ -355,7 +357,8 @@ def do(self, response, binding, relay_state="", mtype="response"):
 
         try:
             self.response = self.sp.parse_authn_request_response(
-                    response, binding, self.outstanding_queries, self.cache.outstanding_certs)
+                response, binding, self.outstanding_queries,
+                self.cache.outstanding_certs)
         except UnknownPrincipal as excp:
             logger.error("UnknownPrincipal: %s", excp)
             resp = ServiceError("UnknownPrincipal: %s" % (excp,))
@@ -367,6 +370,9 @@ def do(self, response, binding, relay_state="", mtype="response"):
         except VerificationError as err:
             resp = ServiceError("Verification error: %s" % (err,))
             return resp(self.environ, self.start_response)
+        except SignatureError as err:
+            resp = ServiceError("Signature error: %s" % (err,))
+            return resp(self.environ, self.start_response)
         except Exception as err:
             resp = ServiceError("Other error: %s" % (err,))
             return resp(self.environ, self.start_response)
@@ -384,7 +390,7 @@ def do(self, response, binding, relay_state="", mtype="response"):
     def verify_attributes(self, ava):
         logger.info("SP: %s", self.sp.config.entityid)
         rest = POLICY.get_entity_categories(
-                self.sp.config.entityid, self.sp.metadata)
+            self.sp.config.entityid, self.sp.metadata)
 
         akeys = [k.lower() for k in ava.keys()]
 
@@ -469,7 +475,7 @@ def _pick_idp(self, came_from):
                     _rstate = rndstr()
                     self.cache.relay_state[_rstate] = geturl(self.environ)
                     _entityid = _cli.config.ecp_endpoint(
-                            self.environ["REMOTE_ADDR"])
+                        self.environ["REMOTE_ADDR"])
 
                     if not _entityid:
                         return -1, ServiceError("No IdP to talk to")
@@ -521,7 +527,7 @@ def _pick_idp(self, came_from):
             elif self.discosrv:
                 if query:
                     idp_entity_id = _cli.parse_discovery_service_response(
-                            query=self.environ.get("QUERY_STRING"))
+                        query=self.environ.get("QUERY_STRING"))
                 if not idp_entity_id:
                     sid_ = sid()
                     self.cache.outstanding_queries[sid_] = came_from
@@ -531,7 +537,7 @@ def _pick_idp(self, came_from):
                                               "sp")["discovery_response"][0][0]
                     ret += "?sid=%s" % sid_
                     loc = _cli.create_discovery_service_request(
-                            self.discosrv, eid, **{"return": ret})
+                        self.discosrv, eid, **{"return": ret})
                     return -1, SeeOther(loc)
             elif len(idps) == 1:
                 # idps is a dictionary
@@ -548,8 +554,8 @@ def redirect_to_auth(self, _cli, entity_id, came_from, sigalg=""):
         try:
             # Picks a binding to use for sending the Request to the IDP
             _binding, destination = _cli.pick_binding(
-                    "single_sign_on_service", self.bindings, "idpsso",
-                    entity_id=entity_id)
+                "single_sign_on_service", self.bindings, "idpsso",
+                entity_id=entity_id)
             logger.debug("binding: %s, destination: %s", _binding,
                          destination)
             # Binding here is the response binding that is which binding the
@@ -568,7 +574,7 @@ def redirect_to_auth(self, _cli, entity_id, came_from, sigalg=""):
                     "key": req_key_str
                 }
                 spcertenc = SPCertEnc(x509_data=ds.X509Data(
-                        x509_certificate=ds.X509Certificate(text=cert_str)))
+                    x509_certificate=ds.X509Certificate(text=cert_str)))
                 extensions = Extensions(extension_elements=[
                     element_to_extension_element(spcertenc)])
 
@@ -589,7 +595,7 @@ def redirect_to_auth(self, _cli, entity_id, came_from, sigalg=""):
         except Exception as exc:
             logger.exception(exc)
             resp = ServiceError(
-                    "Failed to construct the AuthnRequest: %s" % exc)
+                "Failed to construct the AuthnRequest: %s" % exc)
             return resp
 
         # remember the request
@@ -782,7 +788,8 @@ def metadata(environ, start_response):
         if path[-1] != "/":
             path += "/"
         metadata = create_metadata_string(path + "sp_conf.py", None,
-                                          _args.valid, _args.cert, _args.keyfile,
+                                          _args.valid, _args.cert,
+                                          _args.keyfile,
                                           _args.id, _args.name, _args.sign)
         start_response('200 OK', [('Content-Type', "text/xml")])
         return metadata
@@ -851,10 +858,12 @@ def application(environ, start_response):
     _parser.add_argument("config", help="SAML client config")
     _parser.add_argument('-p', dest='path', help='Path to configuration file.')
     _parser.add_argument('-v', dest='valid', default="4",
-                         help="How long, in days, the metadata is valid from the time of creation")
+                         help="How long, in days, the metadata is valid from "
+                              "the time of creation")
     _parser.add_argument('-c', dest='cert', help='certificate')
     _parser.add_argument('-i', dest='id',
-                         help="The ID of the entities descriptor in the metadata")
+                         help="The ID of the entities descriptor in the "
+                              "metadata")
     _parser.add_argument('-k', dest='keyfile',
                          help="A file with a key to sign the metadata with")
     _parser.add_argument('-n', dest='name')
 
@@ -25,6 +25,7 @@
 
 try:
     from xml.etree import cElementTree as ElementTree
+
     if ElementTree.VERSION < '1.3.0':
         # cElementTree has no support for register_namespace
         # neither _namespace_map, thus we sacrify performance
@@ -40,17 +41,17 @@
 root_logger.level = logging.NOTSET
 
 NAMESPACE = 'urn:oasis:names:tc:SAML:2.0:assertion'
-#TEMPLATE = '{urn:oasis:names:tc:SAML:2.0:assertion}%s'
-#XSI_NAMESPACE = 'http://www.w3.org/2001/XMLSchema-instance'
+# TEMPLATE = '{urn:oasis:names:tc:SAML:2.0:assertion}%s'
+# XSI_NAMESPACE = 'http://www.w3.org/2001/XMLSchema-instance'
 
 NAMEID_FORMAT_EMAILADDRESS = (
     "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
 
 # These are defined in saml2.saml
-#NAME_FORMAT_UNSPECIFIED = (
+# NAME_FORMAT_UNSPECIFIED = (
 #    "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified")
-#NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-#NAME_FORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
+# NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+# NAME_FORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
 
 DECISION_TYPE_PERMIT = "Permit"
 DECISION_TYPE_DENY = "Deny"
@@ -290,7 +291,6 @@ def _extension_element_from_element_tree(element_tree):
 
 
 class ExtensionContainer(object):
-
     c_tag = ""
     c_namespace = ""
 
@@ -300,6 +300,7 @@ def __init__(self, text=None, extension_elements=None,
         self.text = text
         self.extension_elements = extension_elements or []
         self.extension_attributes = extension_attributes or {}
+        self.encrypted_assertion = None
 
     # Three methods to create an object from an ElementTree
     def harvest_element_tree(self, tree):
@@ -403,7 +404,7 @@ class instance may be a value on a property in a defined class instance.
     """
     cinst = None
 
-    #print("make_vals(%s, %s)" % (val, klass))
+    # print("make_vals(%s, %s)" % (val, klass))
 
     if isinstance(val, dict):
         cinst = klass().loadd(val, base64encode=base64encode)
@@ -571,8 +572,8 @@ def get_ns_map_attribute(self, attributes, uri_set):
 
     def tag_get_uri(self, elem):
         if elem.tag[0] == "{":
-                uri, tag = elem.tag[1:].split("}")
-                return uri
+            uri, tag = elem.tag[1:].split("}")
+            return uri
         return None
 
     def get_ns_map(self, elements, uri_set):
@@ -592,30 +593,41 @@ def get_prefix_map(self, elements):
             prefix_map["encas%d" % len(prefix_map)] = uri
         return prefix_map
 
-    def get_xml_string_with_self_contained_assertion_within_advice_encrypted_assertion(self, assertion_tag, advice_tag):
-        for tmp_encrypted_assertion in self.assertion.advice.encrypted_assertion:
+    def get_xml_string_with_self_contained_assertion_within_advice_encrypted_assertion(
+            self, assertion_tag, advice_tag):
+        for tmp_encrypted_assertion in \
+                self.assertion.advice.encrypted_assertion:
             if tmp_encrypted_assertion.encrypted_data is None:
-                prefix_map = self.get_prefix_map([tmp_encrypted_assertion._to_element_tree().find(assertion_tag)])
+                prefix_map = self.get_prefix_map([
+                                                     tmp_encrypted_assertion._to_element_tree().find(
+                                                         assertion_tag)])
                 tree = self._to_element_tree()
-                encs = tree.find(assertion_tag).find(advice_tag).findall(tmp_encrypted_assertion._to_element_tree().tag)
+                encs = tree.find(assertion_tag).find(advice_tag).findall(
+                    tmp_encrypted_assertion._to_element_tree().tag)
                 for enc in encs:
                     assertion = enc.find(assertion_tag)
                     if assertion is not None:
                         self.set_prefixes(assertion, prefix_map)
 
         return ElementTree.tostring(tree, encoding="UTF-8").decode('utf-8')
 
-    def get_xml_string_with_self_contained_assertion_within_encrypted_assertion(self, assertion_tag):
-        """ Makes a encrypted assertion only containing self contained namespaces.
+    def get_xml_string_with_self_contained_assertion_within_encrypted_assertion(
+            self, assertion_tag):
+        """ Makes a encrypted assertion only containing self contained
+        namespaces.
 
         :param assertion_tag: Tag for the assertion to be transformed.
         :return: A new samlp.Resonse in string representation.
         """
-        prefix_map = self.get_prefix_map([self.encrypted_assertion._to_element_tree().find(assertion_tag)])
+        prefix_map = self.get_prefix_map(
+            [self.encrypted_assertion._to_element_tree().find(assertion_tag)])
 
         tree = self._to_element_tree()
 
-        self.set_prefixes(tree.find(self.encrypted_assertion._to_element_tree().tag).find(assertion_tag), prefix_map)
+        self.set_prefixes(
+            tree.find(
+                self.encrypted_assertion._to_element_tree().tag).find(
+                assertion_tag), prefix_map)
 
         return ElementTree.tostring(tree, encoding="UTF-8").decode('utf-8')
 
@@ -648,6 +660,7 @@ def fixup(name):
                     new_name = uri_map[uri] + ":" + tag
                     memo[name] = new_name
                     return new_name
+
         # fix element name
         name = fixup(elem.tag)
         if name:
@@ -724,7 +737,7 @@ def children_with_values(self):
                 childs.append(member)
         return childs
 
-    #noinspection PyUnusedLocal
+    # noinspection PyUnusedLocal
     def set_text(self, val, base64encode=False):
         """ Sets the text property of this instance.
 
 
@@ -654,24 +654,64 @@ def authn_statement(authn_class=None, authn_auth=None,
     return res
 
 
+def do_subject_confirmation(policy, sp_entity_id, key_info=None, **treeargs):
+    """
+
+    :param policy: Policy instance
+    :param sp_entity_id: The entityid of the SP
+    :param subject_confirmation_method: How was the subject confirmed
+    :param address: The network address/location from which an attesting entity
+        can present the assertion.
+    :param key_info: Information of the key used to confirm the subject
+    :param in_response_to: The ID of a SAML protocol message in response to
+        which an attesting entity can present the assertion.
+    :param recipient: A URI specifying the entity or location to which an
+        attesting entity can present the assertion.
+    :param not_before: A time instant before which the subject cannot be
+        confirmed. The time value MUST be encoded in UTC.
+    :return:
+    """
+
+    _sc = factory(saml.SubjectConfirmation, **treeargs)
+
+    _scd = _sc.subject_confirmation_data
+    _scd.not_on_or_after = policy.not_on_or_after(sp_entity_id)
+
+    if _sc.method == saml.SCM_HOLDER_OF_KEY:
+        _scd.add_extension_element(key_info)
+
+    return _sc
+
+
+def do_subject(policy, sp_entity_id, name_id, **farg):
+    #
+    specs = farg['subject_confirmation']
+
+    if isinstance(specs, list):
+        res = [do_subject_confirmation(policy, sp_entity_id, **s) for s in specs]
+    else:
+        res = [do_subject_confirmation(policy, sp_entity_id, **specs)]
+
+    return factory(saml.Subject, name_id=name_id, subject_confirmation=res)
+
+
 class Assertion(dict):
     """ Handles assertions about subjects """
 
     def __init__(self, dic=None):
         dict.__init__(self, dic)
         self.acs = []
 
-    def construct(self, sp_entity_id, in_response_to, consumer_url,
-                  name_id, attrconvs, policy, issuer, authn_class=None,
-                  authn_auth=None, authn_decl=None, encrypt=None,
-                  sec_context=None, authn_decl_ref=None, authn_instant="",
-                  subject_locality="", authn_statem=None, add_subject=True):
+    def construct(self, sp_entity_id, attrconvs, policy, issuer, farg,
+                  authn_class=None, authn_auth=None, authn_decl=None,
+                  encrypt=None, sec_context=None, authn_decl_ref=None,
+                  authn_instant="", subject_locality="", authn_statem=None,
+                  name_id=None):
         """ Construct the Assertion
 
         :param sp_entity_id: The entityid of the SP
         :param in_response_to: An identifier of the message, this message is
             a response to
-        :param consumer_url: The intended consumer of the assertion
         :param name_id: An NameID instance
         :param attrconvs: AttributeConverters
         :param policy: The policy that should be adhered to when replying
@@ -721,29 +761,11 @@ def construct(self, sp_entity_id, in_response_to, consumer_url,
         else:
             _authn_statement = None
 
-        if not add_subject:
-            _ass = assertion_factory(
-                    issuer=issuer,
-                    conditions=conds,
-                    subject=None
-            )
-        else:
-            _ass = assertion_factory(
-                    issuer=issuer,
-                    conditions=conds,
-                    subject=factory(
-                            saml.Subject,
-                            name_id=name_id,
-                            subject_confirmation=[factory(
-                                    saml.SubjectConfirmation,
-                                    method=saml.SCM_BEARER,
-                                    subject_confirmation_data=factory(
-                                            saml.SubjectConfirmationData,
-                                            in_response_to=in_response_to,
-                                            recipient=consumer_url,
-                                            not_on_or_after=policy.not_on_or_after(sp_entity_id)))]
-                    ),
-            )
+        subject = do_subject(policy, sp_entity_id, name_id,
+                             **farg['subject'])
+
+        _ass = assertion_factory(issuer=issuer, conditions=conds,
+                                 subject=subject)
 
         if _authn_statement:
             _ass.authn_statement = [_authn_statement]
 
@@ -604,7 +604,7 @@ def _response(self, in_response_to, consumer_url=None, status=None,
 
         :param in_response_to: The session identifier of the request
         :param consumer_url: The URL which should receive the response
-        :param status: The status of the response
+        :param status: An instance of samlp.Status
         :param issuer: The issuer of the response
         :param sign: Whether the response should be signed or not
         :param to_sign: If there are other parts to sign