Check allowed signature and digest algo for the POST binding

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

src/saml2/client.py

@@ -14,7 +14,7 @@
 from saml2 import BINDING_HTTP_POST
 from saml2 import BINDING_SOAP
 
-import saml2.xmldsig as ds
+from saml2.xmldsig import DefaultSignature
 
 from saml2.ident import decode, code
 from saml2.httpbase import HTTPError
@@ -264,7 +264,7 @@ def do_logout(self, name_id, entity_ids, reason, expire, sign=None,
                 if sign is None:
                     sign = self.logout_requests_signed
 
-                def_sig = ds.DefaultSignature()
+                def_sig = DefaultSignature()
                 sign_alg = def_sig.get_sign_alg() if sign_alg is None else sign_alg
                 digest_alg = (
                     def_sig.get_digest_alg()

src/saml2/client_base.py

@@ -54,8 +54,9 @@
 from saml2 import BINDING_HTTP_POST
 from saml2 import BINDING_PAOS
 
-import saml2.xmldsig as ds
-
+from saml2.xmldsig import SIG_ALLOWED_ALG
+from saml2.xmldsig import DIGEST_ALLOWED_ALG
+from saml2.xmldsig import DefaultSignature
 
 logger = logging.getLogger(__name__)
 
@@ -450,10 +451,19 @@ def create_authn_request(
         # XXX will be used to embed the signature to the xml doc - ie, POST binding
         # XXX always called by the SP, no need to check the context
         sign = self.authn_requests_signed if sign is None else sign
-        def_sig = ds.DefaultSignature()
+        def_sig = DefaultSignature()
         sign_alg = sign_alg or def_sig.get_sign_alg()
         digest_alg = digest_alg or def_sig.get_digest_alg()
 
+        if sign_alg not in [long_name for short_name, long_name in SIG_ALLOWED_ALG]:
+            raise Exception(
+                "Signature algo not in allowed list: {algo}".format(algo=sign_alg)
+            )
+        if digest_alg not in [long_name for short_name, long_name in DIGEST_ALLOWED_ALG]:
+            raise Exception(
+                "Digest algo not in allowed list: {algo}".format(algo=digest_alg)
+            )
+
         if (sign and self.sec.cert_handler.generate_cert()) or client_crt is not None:
             with self.lock:
                 self.sec.cert_handler.update_cert(True, client_crt)

src/saml2/entity.py

@@ -74,7 +74,7 @@
 from saml2.pack import http_redirect_message
 from saml2.pack import http_form_post_message
 
-import saml2.xmldsig as ds
+from saml2.xmldsig import DefaultSignature
 
 
 logger = logging.getLogger(__name__)
@@ -231,7 +231,7 @@ def apply_binding(
             else None
         )
         sign = sign_config if sign is None else sign
-        def_sig = ds.DefaultSignature()
+        def_sig = DefaultSignature()
         sigalg = sigalg or def_sig.get_sign_alg()
 
         # unless if BINDING_HTTP_ARTIFACT

src/saml2/pack.py

@@ -186,7 +186,6 @@ def http_redirect_message(
         args["RelayState"] = relay_state
 
     if sign:
-        # XXX check for allowed algo -- should do the same for POST binding
         # sigalgs, should be one defined in xmldsig
         if sigalg not in [long_name for short_name, long_name in SIG_ALLOWED_ALG]:
             raise Exception(