Fixed making redirect signature work, cleaned up.

Author: Roland Hedberg

src/saml2/entity.py

@@ -641,8 +641,8 @@ def _parse_request(self, enc_request, request_cls, service, binding):
             only_valid_cert = False
         if only_valid_cert:
             must = True
-        _request = _request.loads(xmlstr, binding, origdoc=enc_request, must=must,
-                                  only_valid_cert=only_valid_cert)
+        _request = _request.loads(xmlstr, binding, origdoc=enc_request,
+                                  must=must, only_valid_cert=only_valid_cert)
 
         _log_debug("Loaded request")
 

src/saml2/request.py

@@ -1,7 +1,7 @@
 import logging
 
 from attribute_converter import to_local
-from saml2 import time_util
+from saml2 import time_util, BINDING_HTTP_REDIRECT
 from saml2.s_utils import OtherError
 
 from saml2.validate import valid_instance
@@ -38,6 +38,9 @@ def _clear(self):
 
     def _loads(self, xmldata, binding=None, origdoc=None, must=None,
                only_valid_cert=False):
+        if binding == BINDING_HTTP_REDIRECT:
+            pass
+
         # own copy
         self.xmlstr = xmldata[:]
         logger.info("xmlstr: %s" % (self.xmlstr,))
@@ -87,8 +90,10 @@ def _verify(self):
         assert self.issue_instant_ok()
         return self
 
-    def loads(self, xmldata, binding, origdoc=None, must=None, only_valid_cert=False):
-        return self._loads(xmldata, binding, origdoc, must, only_valid_cert=only_valid_cert)
+    def loads(self, xmldata, binding, origdoc=None, must=None,
+              only_valid_cert=False):
+        return self._loads(xmldata, binding, origdoc, must,
+                           only_valid_cert=only_valid_cert)
 
     def verify(self):
         try:

src/saml2/server.py

@@ -12,18 +12,18 @@
 import shelve
 import threading
 
-from saml2.eptid import EptidShelve, Eptid
-from saml2.saml import EncryptedAssertion
-from saml2.sdb import SessionStorage
-from saml2.schema import soapenv
-
-from saml2.samlp import NameIDMappingResponse
-from saml2.entity import Entity
-
-from saml2 import saml, element_to_extension_element
+from saml2 import saml
+from saml2 import element_to_extension_element
 from saml2 import class_name
 from saml2 import BINDING_HTTP_REDIRECT
 
+from saml2.entity import Entity
+from saml2.eptid import Eptid
+from saml2.eptid import EptidShelve
+from saml2.samlp import NameIDMappingResponse
+from saml2.sdb import SessionStorage
+from saml2.schema import soapenv
+
 from saml2.request import AuthnRequest
 from saml2.request import AssertionIDRequest
 from saml2.request import AttributeQuery
@@ -33,7 +33,9 @@
 
 from saml2.s_utils import MissingValue, Unknown, rndstr
 
-from saml2.sigver import pre_signature_part, signed_instance_factory, CertificateError, CryptoBackendXmlSec1
+from saml2.sigver import pre_signature_part
+from saml2.sigver import signed_instance_factory
+from saml2.sigver import CertificateError
 
 from saml2.assertion import Assertion
 from saml2.assertion import Policy

src/saml2/sigver.py

@@ -608,7 +608,7 @@ def verify(self, msg, sig, key):
 RESP_ORDER = ["SAMLResponse", "RelayState", "SigAlg"]
 
 
-def verify_redirect_signature(saml_msg, cert):
+def verify_redirect_signature(saml_msg, cert=None, sigkey=None):
     """
 
     :param saml_msg: A dictionary as produced by parse_qs, means all values are
@@ -622,7 +622,7 @@ def verify_redirect_signature(saml_msg, cert):
     except KeyError:
         raise Unsupported("Signature algorithm: %s" % saml_msg["SigAlg"])
     else:
-        if saml_msg["SigAlg"][0] == SIG_RSA_SHA1:
+        if saml_msg["SigAlg"][0] in SIGNER_ALGS:
             if "SAMLRequest" in saml_msg:
                 _order = REQ_ORDER
             elif "SAMLResponse" in saml_msg:
@@ -635,7 +635,10 @@ def verify_redirect_signature(saml_msg, cert):
             del args["Signature"]  # everything but the signature
             string = "&".join(
                 [urllib.urlencode({k: args[k][0]}) for k in _order if k in args])
-            _key = extract_rsa_key_from_x509_cert(pem_format(cert))
+            if cert:
+                _key = extract_rsa_key_from_x509_cert(pem_format(cert))
+            else:
+                _key = sigkey
             _sign = base64.b64decode(saml_msg["Signature"][0])
 
             return bool(signer.verify(string, _sign, _key))

tests/test_51_client.py

@@ -4,7 +4,6 @@
 import base64
 import urllib
 import urlparse
-from Crypto.PublicKey import RSA
 from xmldsig import SIG_RSA_SHA256
 from saml2 import BINDING_HTTP_POST
 from saml2 import BINDING_HTTP_REDIRECT
@@ -25,7 +24,8 @@
 from saml2.saml import NAMEID_FORMAT_TRANSIENT
 from saml2.saml import NameID
 from saml2.server import Server
-from saml2.sigver import pre_encryption_part, rm_xmltag
+from saml2.sigver import pre_encryption_part, rm_xmltag, \
+    verify_redirect_signature
 from saml2.s_utils import do_attribute_statement
 from saml2.s_utils import factory
 from saml2.time_util import in_a_while
@@ -497,7 +497,7 @@ def test_sign_then_encrypt_assertion2(self):
     def test_signed_redirect(self):
 
         msg_str = "%s" % self.client.create_authn_request(
-            "http://www.example.com/sso", message_id="id1")[1]
+            "http://localhost:8088/sso", message_id="id1")[1]
 
         key = self.client.signkey
 
@@ -508,7 +508,13 @@ def test_signed_redirect(self):
         loc = info["headers"][0][1]
         qs = urlparse.parse_qs(loc[1:])
         assert _leq(qs.keys(),
-                   ['SigAlg', 'SAMLRequest', 'RelayState', 'Signature'])
+                    ['SigAlg', 'SAMLRequest', 'RelayState', 'Signature'])
+
+        assert verify_redirect_signature(qs, sigkey=key)
+
+        res = self.server.parse_authn_request(qs["SAMLRequest"][0],
+                                              BINDING_HTTP_REDIRECT)
+        print res
 
 # Below can only be done with dummy Server
 IDP = "urn:mace:example.com:saml:roland:idp"