Fix so the wsgi SP follows PEFIM.

Hans Hörberg · Hans Hörberg · commit d614026c3b84 · 2015-04-22T13:44:26.000+02:00
diff --git a/example/sp-wsgi/pki/localhost.ca.crt b/example/sp-wsgi/pki/localhost.ca.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSTCCAbICAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV
+BAgTAmFjMQ0wCwYDVQQHEwR1bWVhMRwwGgYDVQQKExNJVFMgVW1lYSBVbml2ZXJz
+aXR5MQ0wCwYDVQQLEwRESVJHMRUwEwYDVQQDEwxsb2NhbGhvc3QuY2EwHhcNMTQw
+MzE3MTY0MjM5WhcNMjQwMzE0MTY0MjM5WjBtMQswCQYDVQQGEwJzZTELMAkGA1UE
+CBMCYWMxDTALBgNVBAcTBHVtZWExHDAaBgNVBAoTE0lUUyBVbWVhIFVuaXZlcnNp
+dHkxDTALBgNVBAsTBERJUkcxFTATBgNVBAMTDGxvY2FsaG9zdC5jYTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEA0+e/ncbbFMpsYc7Pb5wub2Q0jBpaaae3ZklR
+8QNLgQnja6kkKseRR3oOBioo9e7qZbN1N6E2mIye/pMtlOuBcAmp3A+F4rn5VC5p
+U9MMliLaYYY9369lrMk/1u/mOvHmrkV5XdkinR9cY82A2swexWrpNg0IXJorrWXM
+l6mgCncCAwEAATANBgkqhkiG9w0BAQsFAAOBgQBQmC3rYQCyB3iCJBhRF4H10EMw
+NCNMPUiOMvu0+TOIz09hx71LjRbtxUQ+NeksuHJ3ii6UG2XIgXvFCaE0v/pB1UkK
+oTqyfzUSZGvPyODEBX+erq5sQeUeONGHDIEK9c200kwlSnfHSoDSk/C3ceIYY/Ry
+nD3fl05aOEowsVesMw==
+-----END CERTIFICATE-----
diff --git a/example/sp-wsgi/pki/localhost.ca.key b/example/sp-wsgi/pki/localhost.ca.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDT57+dxtsUymxhzs9vnC5vZDSMGlppp7dmSVHxA0uBCeNrqSQq
+x5FHeg4GKij17upls3U3oTaYjJ7+ky2U64FwCancD4XiuflULmlT0wyWItphhj3f
+r2WsyT/W7+Y68eauRXld2SKdH1xjzYDazB7Fauk2DQhcmiutZcyXqaAKdwIDAQAB
+AoGBALORf19EVAKaRp3bkw0RXIgoch8HdfZymYekOjvyftkqd/2Tp4JY+1OGqruu
+nmdJvnfQS1SI2KsM/u7b6ZR4vYWYqKIMRK5FTBjW0DNp70DV7Y7Y3Bl17xYfo2eJ
+Zn80OOHBXyLrhWAnQCDERasXtFpHN5hYFoAx2S5YvyYef1aBAkEA8ZgBooYWkzAO
+feEgIywvAaUtCv7TnLwZkTk5wUz4JavkX49LHjMdVef8vRohVOzv5+YPL8L/Aa+C
+afsB56jtbQJBAOCKigLo9XtCrgm7j69r+C4MZaVPMEbXPzgOQFcsI5/K4FiGHeRF
+9XCnVGJP7/tdRBbhX+CrQWIVy+fqqqQR3PMCQQDlQlky0Em17SGjZLIpjnEg/4zJ
+5V4MWxdsD0D2ZUMKBJ9X61PeWaUZ82aMULKWs61Jg7Cfo0x4XgPE7HQ3UL/VAkAm
+Ttx+5JnE/rpMhMhdyFDeIlVRH7J/04dAnAXUGX62a1ldIPyGjnzyTEn0P+kUfHP6
+Z1cBMJaGEmvoVDvqo/WLAkEAhIpFpf1j0c+FrtkGCmNPiANlpWJVz0u1Qt34adZS
+R4GwY5YPKtQ9wo+Z0/K0sEuUBUQYv5nKlXCxRNcL1azr7g==
+-----END RSA PRIVATE KEY-----
diff --git a/example/sp-wsgi/sp.py b/example/sp-wsgi/sp.py
@@ -2,13 +2,14 @@
 import logging
 import re
 import argparse
+from saml2.extension.pefim import SPCertEnc
 import service_conf
 
 from Cookie import SimpleCookie
 from urlparse import parse_qs
 import sys
 
-from saml2 import BINDING_HTTP_REDIRECT
+from saml2 import BINDING_HTTP_REDIRECT, element_to_extension_element
 from saml2 import BINDING_SOAP
 from saml2 import time_util
 from saml2 import ecp
@@ -33,6 +34,8 @@
 from saml2.s_utils import sid
 from saml2.s_utils import rndstr
 #from srtest import exception_trace
+from saml2.md import Extensions
+import xmldsig as ds
 
 logger = logging.getLogger("")
 hdlr = logging.FileHandler('spx.log')
@@ -152,6 +155,7 @@ def __init__(self):
         self.uid2user = {}
         self.cookie_name = "spauthn"
         self.outstanding_queries = {}
+        self.outstanding_certs = {}
         self.relay_state = {}
         self.user = {}
         self.result = {}
@@ -348,7 +352,7 @@ def do(self, response, binding, relay_state="", mtype="response"):
 
         try:
             self.response = self.sp.parse_authn_request_response(
-                response, binding, self.outstanding_queries)
+                response, binding, self.outstanding_queries, self.cache.outstanding_certs)
         except UnknownPrincipal, excp:
             logger.error("UnknownPrincipal: %s" % (excp,))
             resp = ServiceError("UnknownPrincipal: %s" % (excp,))
@@ -551,13 +555,31 @@ def redirect_to_auth(self, _cli, entity_id, came_from):
                 "assertion_consumer_service"]
             # just pick one
             endp, return_binding = acs[0]
+
+            extensions = None
+            cert = None
+            if _cli.config.generate_cert_func is not None:
+                    cert_str, req_key_str = _cli.config.generate_cert_func()
+                    cert = {
+                        "cert": cert_str,
+                        "key": req_key_str
+                    }
+                    spcertenc = SPCertEnc(x509_data=ds.X509Data(
+                        x509_certificate=ds.X509Certificate(text=cert_str)))
+                    extensions = Extensions(extension_elements=[
+                        element_to_extension_element(spcertenc)])
+
             req_id, req = _cli.create_authn_request(destination,
-                                                    binding=return_binding)
+                                                    binding=return_binding, extensions=extensions)
             _rstate = rndstr()
             self.cache.relay_state[_rstate] = came_from
             ht_args = _cli.apply_binding(_binding, "%s" % req, destination,
                                          relay_state=_rstate)
             _sid = req_id
+
+            if cert is not None:
+                self.cache.outstanding_certs[_sid] = cert
+
         except Exception, exc:
             logger.exception(exc)
             resp = ServiceError(
