Do not embed the cert in the EncryptedData element

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

src/saml2/entity.py

@@ -657,21 +657,14 @@ def _encrypt_assertion(self, encrypt_cert, sp_entity_id, response, node_xpath=No
         for _cert in _certs:
             wrapped_cert, unwrapped_cert = get_pem_wrapped_unwrapped(_cert)
             try:
-                tmp = make_temp(wrapped_cert.encode('ascii'),
-                                decode=False,
-                                delete_tmpfiles=self.config.delete_tmpfiles)
-
-                # it would be possibile to handle many other args here ...
-                pre_enc_part_dict = dict()
-                if encrypt_cert:
-                    pre_enc_part_dict['encrypt_cert'] = unwrapped_cert
-                pre_enc_part = pre_encryption_part(**pre_enc_part_dict)
-                # end pre_enc_part
-
-
-                response = self.sec.encrypt_assertion(response, tmp.name,
-                                                      pre_enc_part,
-                                                      node_xpath=node_xpath)
+                tmp = make_temp(
+                    wrapped_cert.encode('ascii'),
+                    decode=False,
+                    delete_tmpfiles=self.config.delete_tmpfiles,
+                )
+                response = self.sec.encrypt_assertion(
+                    response, tmp.name, pre_encryption_part(), node_xpath=node_xpath
+                )
                 return response
             except Exception as ex:
                 exception = ex

src/saml2/sigver.py

@@ -1844,6 +1844,7 @@ def pre_signature_part(
     if identifier:
         signature.id = 'Signature{n}'.format(n=identifier)
 
+    # XXX remove - do not embed the cert
     if public_key:
         x509_data = ds.X509Data(
             x509_certificate=[ds.X509Certificate(text=public_key)])
@@ -1881,10 +1882,13 @@ def pre_signature_part(
 # </EncryptedData>
 
 
-def pre_encryption_part(msg_enc=TRIPLE_DES_CBC, key_enc=RSA_OAEP_MGF1P, 
-        key_name='my-rsa-key',
-        encrypted_key_id=None, encrypted_data_id=None,
-        encrypt_cert=None):
+def pre_encryption_part(
+    msg_enc=TRIPLE_DES_CBC,
+    key_enc=RSA_OAEP_MGF1P,
+    key_name='my-rsa-key',
+    encrypted_key_id=None,
+    encrypted_data_id=None,
+):
     """
 
     :param msg_enc:
@@ -1896,12 +1900,8 @@ def pre_encryption_part(msg_enc=TRIPLE_DES_CBC, key_enc=RSA_OAEP_MGF1P,
     ed_id = encrypted_data_id or "ED_{id}".format(id=gen_random_key())
     msg_encryption_method = EncryptionMethod(algorithm=msg_enc)
     key_encryption_method = EncryptionMethod(algorithm=key_enc)
-    
-    enc_key_dict= dict(key_name=ds.KeyName(text=key_name))
-    enc_key_dict['x509_data'] = ds.X509Data(
-        x509_certificate=ds.X509Certificate(text=encrypt_cert))
-    key_info = ds.KeyInfo(**enc_key_dict)
-    
+    key_info = ds.KeyInfo(key_name=ds.KeyName(text=key_name))
+
     encrypted_key = EncryptedKey(
         id=ek_id,
         encryption_method=key_encryption_method,
@@ -1914,7 +1914,8 @@ def pre_encryption_part(msg_enc=TRIPLE_DES_CBC, key_enc=RSA_OAEP_MGF1P,
         type='http://www.w3.org/2001/04/xmlenc#Element',
         encryption_method=msg_encryption_method,
         key_info=key_info,
-        cipher_data=CipherData(cipher_value=CipherValue(text='')))
+        cipher_data=CipherData(cipher_value=CipherValue(text='')),
+    )
     return encrypted_data
 
 

tests/test_42_enc.py

@@ -12,7 +12,7 @@
 
 __author__ = 'roland'
 
-TMPL_NO_HEADER = """<ns0:EncryptedData xmlns:ns0="http://www.w3.org/2001/04/xmlenc#" xmlns:ns1="http://www.w3.org/2000/09/xmldsig#" Id="{ed_id}" Type="http://www.w3.org/2001/04/xmlenc#Element"><ns0:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /><ns1:KeyInfo><ns0:EncryptedKey Id="{ek_id}"><ns0:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" /><ns1:KeyInfo><ns1:KeyName>my-rsa-key</ns1:KeyName><ns1:X509Data><ns1:X509Certificate /></ns1:X509Data></ns1:KeyInfo><ns0:CipherData><ns0:CipherValue /></ns0:CipherData></ns0:EncryptedKey></ns1:KeyInfo><ns0:CipherData><ns0:CipherValue /></ns0:CipherData></ns0:EncryptedData>"""
+TMPL_NO_HEADER = """<ns0:EncryptedData xmlns:ns0="http://www.w3.org/2001/04/xmlenc#" xmlns:ns1="http://www.w3.org/2000/09/xmldsig#" Id="{ed_id}" Type="http://www.w3.org/2001/04/xmlenc#Element"><ns0:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /><ns1:KeyInfo><ns0:EncryptedKey Id="{ek_id}"><ns0:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" /><ns1:KeyInfo><ns1:KeyName>my-rsa-key</ns1:KeyName></ns1:KeyInfo><ns0:CipherData><ns0:CipherValue /></ns0:CipherData></ns0:EncryptedKey></ns1:KeyInfo><ns0:CipherData><ns0:CipherValue /></ns0:CipherData></ns0:EncryptedData>"""
 TMPL = f"<?xml version='1.0' encoding='UTF-8'?>\n{TMPL_NO_HEADER}"
 
 IDENTITY = {"eduPersonAffiliation": ["staff", "member"],