Improve how fingerprint is calcultated

pitbulk · pitbulk · commit 826f4f53812e · 2018-02-27T14:31:55.000+01:00
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
@@ -557,9 +557,9 @@ def delete_local_session(callback=None):
     @staticmethod
     def calculate_x509_fingerprint(x509_cert, alg='sha1'):
         """
-        Calculates the fingerprint of a x509cert.
+        Calculates the fingerprint of a formatted x509cert.
 
-        :param x509_cert: x509 cert
+        :param x509_cert: x509 cert formatted
         :type: string
 
         :param alg: The algorithm to build the fingerprint
@@ -572,23 +572,27 @@ def calculate_x509_fingerprint(x509_cert, alg='sha1'):
 
         lines = x509_cert.split('\n')
         data = ''
+        inData = False
 
         for line in lines:
             # Remove '\r' from end of line if present.
             line = line.rstrip()
-            if line == '-----BEGIN CERTIFICATE-----':
-                # Delete junk from before the certificate.
-                data = ''
-            elif line == '-----END CERTIFICATE-----':
-                # Ignore data after the certificate.
-                break
-            elif line == '-----BEGIN PUBLIC KEY-----' or line == '-----BEGIN RSA PRIVATE KEY-----':
-                # This isn't an X509 certificate.
-                return None
+            if not inData:
+                if line == '-----BEGIN CERTIFICATE-----':
+                    inData = True
+                elif line == '-----BEGIN PUBLIC KEY-----' or line == '-----BEGIN RSA PRIVATE KEY-----':
+                    # This isn't an X509 certificate.
+                    return None
             else:
+                if line == '-----END CERTIFICATE-----':
+                    break
+
                 # Append the current line to the certificate data.
                 data += line
 
+        if not data:
+            return None
+
         decoded_data = base64.b64decode(data)
 
         if alg == 'sha512':
@@ -1131,9 +1135,11 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger
             if len(x509_certificate_nodes) > 0:
                 x509_certificate_node = x509_certificate_nodes[0]
                 x509_cert_value = OneLogin_Saml2_Utils.element_text(x509_certificate_node)
-                x509_fingerprint_value = OneLogin_Saml2_Utils.calculate_x509_fingerprint(x509_cert_value, fingerprintalg)
+                x509_cert_value_formatted = OneLogin_Saml2_Utils.format_cert(x509_cert_value)
+                x509_fingerprint_value = OneLogin_Saml2_Utils.calculate_x509_fingerprint(x509_cert_value_formatted, fingerprintalg)
+
                 if fingerprint == x509_fingerprint_value:
-                    cert = OneLogin_Saml2_Utils.format_cert(x509_cert_value)
+                    cert = x509_cert_value_formatted
 
         # Check if Reference URI is empty
         # reference_elem = OneLogin_Saml2_Utils.query(signature_node, '//ds:Reference')
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1430,7 +1430,7 @@ def testIsValid2(self):
         self.assertTrue(response_2.is_valid(self.get_request_data()))
 
         settings_info_3 = self.loadSettingsJSON('settings2.json')
-        idp_cert = settings_info_3['idp']['x509cert']
+        idp_cert = OneLogin_Saml2_Utils.format_cert(settings_info_3['idp']['x509cert'])
         settings_info_3['idp']['certFingerprint'] = OneLogin_Saml2_Utils.calculate_x509_fingerprint(idp_cert)
         settings_info_3['idp']['x509cert'] = ''
         settings_3 = OneLogin_Saml2_Settings(settings_info_3)
