def test_xmlsec_err(): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", full_path("idp_example.xml")) conf.metadata = md conf.only_use_keys_in_metadata = False sec = sigver.security_context(conf) assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", sec.my_cert, 1), attribute_statement=do_attribute_statement( {("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), }) ) try: sec.sign_statement(assertion, class_name(assertion), key_file=full_path("tes.key"), node_id=assertion.id) except (XmlsecError, SigverError) as err: # should throw an exception pass else: assert False
def setup_class(self): # This would be one way to initialize the security context : # # conf = config.SPConfig() # conf.load_file("server_conf") # conf.only_use_keys_in_metadata = False # # but instead, FakeConfig() is used to really only use the minimal # set of parameters needed for these test cases. Other test cases # (TestSecurityMetadata below) excersise the SPConfig() mechanism. # conf = FakeConfig() self.sec = sigver.security_context(conf) self._assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Föö", ""), ("", "", "givenName"): ("Bär", ""), }) )
def test_do_attribute_statement(): statement = do_attribute_statement({"surName": ("Jeter", ""), "givenName": (["Derek", "Sanderson"], "")}) assert statement.keyswv() == ["attribute"] assert len(statement.attribute) == 2 attr0 = statement.attribute[0] assert _eq(attr0.keyswv(), ["name", "attribute_value", "name_format"]) attr1 = statement.attribute[1] assert _eq(attr1.keyswv(), ["name", "attribute_value", "name_format"]) if attr0.name == "givenName": assert len(attr0.attribute_value) == 2 assert _eq([av.text for av in attr0.attribute_value], ["Derek", "Sanderson"]) assert attr1.name == "surName" assert attr1.attribute_value[0].text == "Jeter" assert len(attr1.attribute_value) == 1 else: assert attr0.name == "surName" assert attr0.attribute_value[0].text == "Jeter" assert len(attr0.attribute_value) == 1 assert attr1.name == "givenName" assert len(attr1.attribute_value) == 2 assert _eq([av.text for av in attr1.attribute_value], ["Derek", "Sanderson"])
def test_xmlsec_err_non_ascii_ava(): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", IDP_EXAMPLE) conf.metadata = md conf.only_use_keys_in_metadata = False sec = sigver.security_context(conf) assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", sec.my_cert, 1), attribute_statement=do_attribute_statement( {("", "", "surName"): ("Föö", ""), ("", "", "givenName"): ("Bär", ""), }) ) with raises(XmlsecError): sec.sign_statement( assertion, class_name(assertion), key_file=INVALID_KEY, node_id=assertion.id, )
def test_do_attribute_statement(): statement = do_attribute_statement({"surName": ("Jeter", ""), "givenName": (["Derek", "Sanderson"], "")}) assert statement.keyswv() == ["attribute"] assert len(statement.attribute) == 2 attr0 = statement.attribute[0] assert _eq(attr0.keyswv(), ["name", "attribute_value"]) attr1 = statement.attribute[1] assert _eq(attr1.keyswv(), ["name", "attribute_value"]) if attr0.name == "givenName": assert len(attr0.attribute_value) == 2 assert _eq([av.text for av in attr0.attribute_value], ["Derek", "Sanderson"]) assert attr1.name == "surName" assert attr1.attribute_value[0].text == "Jeter" assert len(attr1.attribute_value) == 1 else: assert attr0.name == "surName" assert attr0.attribute_value[0].text == "Jeter" assert len(attr0.attribute_value) == 1 assert attr1.name == "givenName" assert len(attr1.attribute_value) == 2 assert _eq([av.text for av in attr1.attribute_value], ["Derek", "Sanderson"])
def test_sign_verify_assertion_with_cert_from_instance(self): assertion = factory(saml.Assertion, version="2.0", id="11100", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11100", self.sec .my_cert), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Fox", ""), ("", "", "givenName"): ("Bear", ""), }) ) to_sign = [(class_name(assertion), assertion.id)] s_assertion = sigver.signed_instance_factory(assertion, self.sec, to_sign) print(s_assertion) ass = assertion_from_string(s_assertion) ci = "".join(sigver.cert_from_instance(ass)[0].split()) assert ci == self.sec.my_cert res = self.sec.verify_signature(s_assertion, node_name=class_name(ass)) assert res res = self.sec._check_signature(s_assertion, ass, class_name(ass)) assert res
def test_sign_response_2(self): assertion2 = factory( saml.Assertion, version= "2.0", id= "11122", issue_instant= "2009-10-30T13:20:28Z", signature= sigver.pre_signature_part("11122", self.sec.my_cert), attribute_statement=do_attribute_statement({ ("","","surName"): ("Fox",""), ("","","givenName") :("Bear",""), }) ) response = factory(samlp.Response, assertion=assertion2, id="22233", signature=sigver.pre_signature_part("22233", self.sec.my_cert)) to_sign = [(class_name(assertion2), assertion2.id), (class_name(response), response.id)] s_response = sigver.signed_instance_factory(response, self.sec, to_sign) assert s_response is not None response2 = response_from_string(s_response) sass = response2.assertion[0] assert _eq(sass.keyswv(), ['attribute_statement', 'issue_instant', 'version', 'signature', 'id']) assert sass.version == "2.0" assert sass.id == "11122" item = self.sec.check_signature(response2, class_name(response), s_response) assert isinstance(item, samlp.Response)
def test_xbox_non_ascii_ava(): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", IDP_EXAMPLE) conf.metadata = md conf.only_use_keys_in_metadata = False sec = sigver.security_context(conf) assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", sec.my_cert, 1), attribute_statement=do_attribute_statement( { ("", "", "surName"): ("Föö", ""), ("", "", "givenName"): ("Bär", ""), } ) ) sigass = sec.sign_statement( assertion, class_name(assertion), key_file=PRIV_KEY, node_id=assertion.id, ) _ass0 = saml.assertion_from_string(sigass) encrypted_assertion = EncryptedAssertion() encrypted_assertion.add_extension_element(_ass0) _, pre = make_temp( str(pre_encryption_part()).encode('utf-8'), decode=False ) enctext = sec.crypto.encrypt( str(encrypted_assertion), conf.cert_file, pre, "des-192", '/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]', ) decr_text = sec.decrypt(enctext, key_file=PRIV_KEY) _seass = saml.encrypted_assertion_from_string(decr_text) assertions = [] assers = extension_elements_to_elements( _seass.extension_elements, [saml, samlp] ) for ass in assers: _txt = sec.verify_signature( str(ass), PUB_KEY, node_name=class_name(assertion) ) if _txt: assertions.append(ass) assert assertions print(assertions)
def test_response(self): response = sigver.response_factory( in_response_to="_012345", destination="https:#www.example.com", status=s_utils.success_status_factory(), assertion=s_utils.assertion_factory( subject=factory(saml.Subject, text="_aaa", name_id=saml.NAMEID_FORMAT_TRANSIENT), attribute_statement=do_attribute_statement( { ("", "", "sn"): ("Jeter", ""), ("", "", "givenName"): ("Derek", ""), } ), issuer=self.server._issuer(), ), issuer=self.server._issuer(), ) print(response.keyswv()) assert _eq(response.keyswv(), ['destination', 'assertion', 'status', 'in_response_to', 'issue_instant', 'version', 'issuer', 'id']) assert response.version == "2.0" assert response.issuer.text == "urn:mace:example.com:saml:roland:idp" assert response.destination == "https:#www.example.com" assert response.in_response_to == "_012345" # status = response.status print(status) assert status.status_code.value == samlp.STATUS_SUCCESS
def test_sha256_signing_non_ascii_ava(): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", IDP_EXAMPLE) conf.metadata = md conf.only_use_keys_in_metadata = False sec = sigver.security_context(conf) assertion = factory(saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part( "11111", sec.my_cert, 1, sign_alg=SIG_RSA_SHA256), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Föö", ""), ("", "", "givenName"): ("Bär", ""), })) s = sec.sign_statement(assertion, class_name(assertion), key_file=PRIV_KEY, node_id=assertion.id) assert s
def test_exception_sign_verify_with_cert_from_instance(self): assertion = factory(saml.Assertion, version="2.0", id="11100", issue_instant="2009-10-30T13:20:28Z", #signature= sigver.pre_signature_part("11100", # self.sec.my_cert), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), }) ) response = factory(samlp.Response, assertion=assertion, id="22222", signature=sigver.pre_signature_part("22222", self.sec .my_cert)) to_sign = [(class_name(response), response.id)] s_response = sigver.signed_instance_factory(response, self.sec, to_sign) response2 = response_from_string(s_response) # Change something that should make everything fail response2.id = "23456" raises(sigver.SignatureError, self.sec._check_signature, s_response, response2, class_name(response2))
def test_exception_sign_verify_with_cert_from_instance(self): assertion = factory( saml.Assertion, version="2.0", id="11100", issue_instant="2009-10-30T13:20:28Z", #signature= sigver.pre_signature_part("11100", # self.sec.my_cert), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), })) response = factory(samlp.Response, assertion=assertion, id="22222", signature=sigver.pre_signature_part( "22222", self.sec.my_cert)) to_sign = [(class_name(response), response.id)] s_response = sigver.signed_instance_factory(response, self.sec, to_sign) response2 = response_from_string(s_response) # Change something that should make everything fail response2.id = "23456" raises(sigver.SignatureError, self.sec._check_signature, s_response, response2, class_name(response2))
def test_xmlsec_err(): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", full_path("idp_example.xml")) conf.metadata = md conf.only_use_keys_in_metadata = False sec = sigver.security_context(conf) assertion = factory(saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part( "11111", sec.my_cert, 1), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), })) try: sec.sign_statement(assertion, class_name(assertion), key_file=full_path("tes.key"), node_id=assertion.id) except (XmlsecError, SigverError) as err: # should throw an exception pass else: assert False
def test_sign_verify_assertion_with_cert_from_instance(self): assertion = factory(saml.Assertion, version="2.0", id="11100", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part( "11100", self.sec.my_cert), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Fox", ""), ("", "", "givenName"): ("Bear", ""), })) to_sign = [(class_name(assertion), assertion.id)] s_assertion = sigver.signed_instance_factory(assertion, self.sec, to_sign) print(s_assertion) ass = assertion_from_string(s_assertion) ci = "".join(sigver.cert_from_instance(ass)[0].split()) assert ci == self.sec.my_cert res = self.sec.verify_signature(s_assertion, node_name=class_name(ass)) assert res res = self.sec._check_signature(s_assertion, ass, class_name(ass)) assert res
def test_response(self): response = sigver.response_factory( in_response_to="_012345", destination="https:#www.example.com", status=s_utils.success_status_factory(), assertion=s_utils.assertion_factory( subject=factory(saml.Subject, text="_aaa", name_id=saml.NAMEID_FORMAT_TRANSIENT), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Jeter", ""), ("", "", "givenName"): ("Derek", ""), }), issuer=self.server._issuer(), ), issuer=self.server._issuer(), ) print response.keyswv() assert _eq(response.keyswv(), [ 'destination', 'assertion', 'status', 'in_response_to', 'issue_instant', 'version', 'issuer', 'id' ]) assert response.version == "2.0" assert response.issuer.text == "urn:mace:example.com:saml:roland:idp" assert response.destination == "https:#www.example.com" assert response.in_response_to == "_012345" # status = response.status print status assert status.status_code.value == samlp.STATUS_SUCCESS
def test_xmlsec_err(): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", IDP_EXAMPLE) conf.metadata = md conf.only_use_keys_in_metadata = False sec = sigver.security_context(conf) assertion = factory(saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part( "11111", sec.my_cert, 1), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), })) with raises(XmlsecError): sec.sign_statement( assertion, class_name(assertion), key_file=INVALID_KEY, node_id=assertion.id, )
def test_assertion(self): assertion = s_utils.assertion_factory( subject=factory( saml.Subject, text="_aaa", name_id=factory(saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT) ), attribute_statement=do_attribute_statement( {("", "", "surName"): ("Jeter", ""), ("", "", "givenName"): ("Derek", "")} ), issuer=self.server._issuer(), ) assert _eq(assertion.keyswv(), ["attribute_statement", "issuer", "id", "subject", "issue_instant", "version"]) assert assertion.version == "2.0" assert assertion.issuer.text == "urn:mace:example.com:saml:roland:idp" # assert assertion.attribute_statement attribute_statement = assertion.attribute_statement assert len(attribute_statement.attribute) == 2 attr0 = attribute_statement.attribute[0] attr1 = attribute_statement.attribute[1] if attr0.attribute_value[0].text == "Derek": assert attr0.friendly_name == "givenName" assert attr1.friendly_name == "surName" assert attr1.attribute_value[0].text == "Jeter" else: assert attr1.friendly_name == "givenName" assert attr1.attribute_value[0].text == "Derek" assert attr0.friendly_name == "surName" assert attr0.attribute_value[0].text == "Jeter" # subject = assertion.subject assert _eq(subject.keyswv(), ["text", "name_id"]) assert subject.text == "_aaa" assert subject.name_id.format == saml.NAMEID_FORMAT_TRANSIENT
def setup_class(self): # This would be one way to initialize the security context : # # conf = config.SPConfig() # conf.load_file("server_conf") # conf.only_use_keys_in_metadata = False # # but instead, FakeConfig() is used to really only use the minimal # set of parameters needed for these test cases. Other test cases # (TestSecurityMetadata below) excersise the SPConfig() mechanism. # conf = FakeConfig() self.sec = sigver.security_context(FakeConfig()) self._assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), }) )
def test_xbox_non_ascii_ava(): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", IDP_EXAMPLE) conf.metadata = md conf.only_use_keys_in_metadata = False sec = sigver.security_context(conf) assertion = factory(saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part( "11111", sec.my_cert, 1), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Föö", ""), ("", "", "givenName"): ("Bär", ""), })) sigass = sec.sign_statement( assertion, class_name(assertion), key_file=PRIV_KEY, node_id=assertion.id, ) _ass0 = saml.assertion_from_string(sigass) encrypted_assertion = EncryptedAssertion() encrypted_assertion.add_extension_element(_ass0) _, pre = make_temp(str(pre_encryption_part()).encode('utf-8'), decode=False) enctext = sec.crypto.encrypt( str(encrypted_assertion), conf.cert_file, pre, "des-192", '/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]', ) decr_text = sec.decrypt(enctext, key_file=PRIV_KEY) _seass = saml.encrypted_assertion_from_string(decr_text) assertions = [] assers = extension_elements_to_elements(_seass.extension_elements, [saml, samlp]) for ass in assers: _txt = sec.verify_signature(str(ass), PUB_KEY, node_name=class_name(assertion)) if _txt: assertions.append(ass) assert assertions print(assertions)
def test_xbox(): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", full_path("idp_example.xml")) conf.metadata = md conf.only_use_keys_in_metadata = False sec = sigver.security_context(conf) assertion = factory(saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part( "11111", sec.my_cert, 1), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), })) sigass = sec.sign_statement(assertion, class_name(assertion), key_file=full_path("test.key"), node_id=assertion.id) _ass0 = saml.assertion_from_string(sigass) encrypted_assertion = EncryptedAssertion() encrypted_assertion.add_extension_element(_ass0) _, pre = make_temp(str(pre_encryption_part()).encode('utf-8'), decode=False) enctext = sec.crypto.encrypt( str(encrypted_assertion), conf.cert_file, pre, "des-192", '/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]') decr_text = sec.decrypt(enctext) _seass = saml.encrypted_assertion_from_string(decr_text) assertions = [] assers = extension_elements_to_elements(_seass.extension_elements, [saml, samlp]) sign_cert_file = full_path("test.pem") for ass in assers: _ass = "%s" % ass #_ass = _ass.replace('xsi:nil="true" ', '') #assert sigass == _ass _txt = sec.verify_signature(_ass, sign_cert_file, node_name=class_name(assertion)) if _txt: assertions.append(ass) print(assertions)
def test_do_attribute_statement_0(): statement = do_attribute_statement({"vo_attr": ("foobar", "")}) assert statement.keyswv() == ["attribute"] assert len(statement.attribute) == 1 attr0 = statement.attribute[0] assert _eq(attr0.keyswv(), ["name", "attribute_value"]) assert attr0.name == "vo_attr" assert len(attr0.attribute_value) == 1 assert attr0.attribute_value[0].text == "foobar"
def test_xbox(): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", full_path("idp_example.xml")) conf.metadata = md conf.only_use_keys_in_metadata = False sec = sigver.security_context(conf) assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", sec.my_cert, 1), attribute_statement=do_attribute_statement( {("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", "")} ), ) sigass = sec.sign_statement(assertion, class_name(assertion), key_file=full_path("test.key"), node_id=assertion.id) _ass0 = saml.assertion_from_string(sigass) encrypted_assertion = EncryptedAssertion() encrypted_assertion.add_extension_element(_ass0) _, pre = make_temp(str(pre_encryption_part()).encode("utf-8"), decode=False) enctext = sec.crypto.encrypt( str(encrypted_assertion), conf.cert_file, pre, "des-192", '/*[local-name()="EncryptedAssertion"]/*[local-name()="Assertion"]', ) decr_text = sec.decrypt(enctext) _seass = saml.encrypted_assertion_from_string(decr_text) assertions = [] assers = extension_elements_to_elements(_seass.extension_elements, [saml, samlp]) sign_cert_file = full_path("test.pem") for ass in assers: _ass = "%s" % ass # _ass = _ass.replace('xsi:nil="true" ', '') # assert sigass == _ass _txt = sec.verify_signature(_ass, sign_cert_file, node_name=class_name(assertion)) if _txt: assertions.append(ass) print(assertions)
def test_do_attribute_statement_multi(): statement = do_attribute_statement( {("urn:oid:1.3.6.1.4.1.5923.1.1.1.7", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "eduPersonEntitlement"): ("Jeter", "")}) assert statement.keyswv() == ["attribute"] assert len(statement.attribute) assert _eq(statement.attribute[0].keyswv(), ["name", "name_format", "friendly_name", "attribute_value"]) attribute = statement.attribute[0] assert attribute.name == "urn:oid:1.3.6.1.4.1.5923.1.1.1.7" assert attribute.name_format == ( "urn:oasis:names:tc:SAML:2.0:attrname-format:uri") assert attribute.friendly_name == "eduPersonEntitlement"
def test_do_attribute_statement_multi(): statement = do_attribute_statement({ ("urn:oid:1.3.6.1.4.1.5923.1.1.1.7", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "eduPersonEntitlement"): ("Jeter", "") }) assert statement.keyswv() == ["attribute"] assert len(statement.attribute) assert _eq(statement.attribute[0].keyswv(), ["name", "name_format", "friendly_name", "attribute_value"]) attribute = statement.attribute[0] assert attribute.name == "urn:oid:1.3.6.1.4.1.5923.1.1.1.7" assert attribute.name_format == ( "urn:oasis:names:tc:SAML:2.0:attrname-format:uri") assert attribute.friendly_name == "eduPersonEntitlement"
def setup_class(self): xmlexec = get_xmlsec_binary() self.sec = sigver.SecurityContext(xmlexec, key_file=PRIV_KEY, cert_file=PUB_KEY, debug=1) self._assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1), attribute_statement=do_attribute_statement({ ("","","surName"): ("Foo",""), ("","","givenName") :("Bar",""), }) )
def setup_class(self): xmlexec = get_xmlsec_binary() self.sec = sigver.SecurityContext(xmlexec, key_file=PRIV_KEY, cert_file=PUB_KEY, debug=1) self._assertion = factory(saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part( "11111", self.sec.my_cert, 1), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), }))
def test_sign_response_2(self): assertion2 = factory( saml.Assertion, version="2.0", id="id-11122", issuer=saml.Issuer(text="the-issuer-2"), issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("id-11122", self.sec .my_cert), attribute_statement=do_attribute_statement({ ("name:surName", "nameformat", "surName"): ("Fox", ""), ("name:givenName", "nameformat", "givenName"): ("Bear", ""), }) ) response = factory( samlp.Response, issuer=saml.Issuer(text="the-isser-2"), status=success_status_factory(), assertion=assertion2, version="2.0", issue_instant="2099-10-30T13:20:28Z", id="id-22233", signature=sigver.pre_signature_part("id-22233", self.sec.my_cert), ) to_sign = [(class_name(assertion2), assertion2.id), (class_name(response), response.id)] s_response = sigver.signed_instance_factory(response, self.sec, to_sign) assert s_response is not None response2 = response_from_string(s_response) sass = response2.assertion[0] ['signature', 'attribute_statement', 'version', 'id', 'issue_instant'] ['issuer', 'attribute_statement', 'issue_instant', 'version', 'signature', 'id'] assert _eq(sass.keyswv(), ['issuer', 'attribute_statement', 'issue_instant', 'version', 'signature', 'id']) assert sass.version == "2.0" assert sass.id == "id-11122" item = self.sec.check_signature(response2, class_name(response), s_response) assert isinstance(item, samlp.Response)
def setup_class(self): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", full_path("metadata_cert.xml")) conf.metadata = md conf.only_use_keys_in_metadata = False self.sec = sigver.security_context(conf) assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1), attribute_statement=do_attribute_statement( {("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), }) )
def setup_class(self): xmlexec = get_xmlsec_binary() md = MetadataStore([saml, samlp], None, xmlexec) md.load("local", full_path("metadata_cert.xml")) crypto = get_xmlsec_cryptobackend() self.sec = sigver.SecurityContext(crypto, key_file=PRIV_KEY, cert_file=PUB_KEY, debug=1, metadata=md) self._assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1), attribute_statement=do_attribute_statement({ ("","","surName"): ("Foo",""), ("","","givenName") :("Bar",""), }) )
def test_attribute_statement(): statement = do_attribute_statement({"surName": ("Jeter", ""), "givenName": ("Derek", "")}) print(statement) assert statement.keyswv() == ["attribute"] assert len(statement.attribute) == 2 attr0 = statement.attribute[0] assert _eq(attr0.keyswv(), ["name", "attribute_value", "name_format"]) assert len(attr0.attribute_value) == 1 attr1 = statement.attribute[1] assert _eq(attr1.keyswv(), ["name", "attribute_value", "name_format"]) assert len(attr1.attribute_value) == 1 if attr0.name == "givenName": assert attr0.attribute_value[0].text == "Derek" assert attr1.name == "surName" assert attr1.attribute_value[0].text == "Jeter" else: assert attr0.name == "surName" assert attr0.attribute_value[0].text == "Jeter" assert attr1.name == "givenName" assert attr1.attribute_value[0].text == "Derek"
def test_attribute_statement(): statement = do_attribute_statement({"surName": ("Jeter", ""), "givenName": ("Derek", "")}) print(statement) assert statement.keyswv() == ["attribute"] assert len(statement.attribute) == 2 attr0 = statement.attribute[0] assert _eq(attr0.keyswv(), ["name", "attribute_value"]) assert len(attr0.attribute_value) == 1 attr1 = statement.attribute[1] assert _eq(attr1.keyswv(), ["name", "attribute_value"]) assert len(attr1.attribute_value) == 1 if attr0.name == "givenName": assert attr0.attribute_value[0].text == "Derek" assert attr1.name == "surName" assert attr1.attribute_value[0].text == "Jeter" else: assert attr0.name == "surName" assert attr0.attribute_value[0].text == "Jeter" assert attr1.name == "givenName" assert attr1.attribute_value[0].text == "Derek"
def test_assertion(self): assertion = s_utils.assertion_factory( subject=factory(saml.Subject, text="_aaa", name_id=factory( saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT)), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Jeter", ""), ("", "", "givenName"): ("Derek", ""), }), issuer=self.server._issuer(), ) assert _eq(assertion.keyswv(), [ 'attribute_statement', 'issuer', 'id', 'subject', 'issue_instant', 'version' ]) assert assertion.version == "2.0" assert assertion.issuer.text == "urn:mace:example.com:saml:roland:idp" # assert assertion.attribute_statement attribute_statement = assertion.attribute_statement assert len(attribute_statement.attribute) == 2 attr0 = attribute_statement.attribute[0] attr1 = attribute_statement.attribute[1] if attr0.attribute_value[0].text == "Derek": assert attr0.friendly_name == "givenName" assert attr1.friendly_name == "surName" assert attr1.attribute_value[0].text == "Jeter" else: assert attr1.friendly_name == "givenName" assert attr1.attribute_value[0].text == "Derek" assert attr0.friendly_name == "surName" assert attr0.attribute_value[0].text == "Jeter" # subject = assertion.subject assert _eq(subject.keyswv(), ["text", "name_id"]) assert subject.text == "_aaa" assert subject.name_id.format == saml.NAMEID_FORMAT_TRANSIENT
def test_sign_response_2(self): assertion2 = factory(saml.Assertion, version="2.0", id="11122", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part( "11122", self.sec.my_cert), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Räv", ""), ("", "", "givenName"): ("Björn", ""), })) response = factory(samlp.Response, assertion=assertion2, id="22233", signature=sigver.pre_signature_part( "22233", self.sec.my_cert)) to_sign = [(class_name(assertion2), assertion2.id), (class_name(response), response.id)] s_response = sigver.signed_instance_factory(response, self.sec, to_sign) assert s_response is not None response2 = response_from_string(s_response) sass = response2.assertion[0] assert _eq(sass.keyswv(), [ 'attribute_statement', 'issue_instant', 'version', 'signature', 'id' ]) assert sass.version == "2.0" assert sass.id == "11122" item = self.sec.check_signature(response2, class_name(response), s_response) assert isinstance(item, samlp.Response)
def test_sha256_signing(): conf = config.SPConfig() conf.load_file("server_conf") md = MetadataStore([saml, samlp], None, conf) md.load("local", full_path("idp_example.xml")) conf.metadata = md conf.only_use_keys_in_metadata = False sec = sigver.security_context(conf) assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", sec.my_cert, 1, sign_alg=SIG_RSA_SHA256), attribute_statement=do_attribute_statement( {("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", "")} ), ) s = sec.sign_statement(assertion, class_name(assertion), key_file=full_path("test.key"), node_id=assertion.id) assert s
def test_exception_sign_verify_with_cert_from_instance(self): assertion = factory( saml.Assertion, version="2.0", id="id-11100", issuer=saml.Issuer(text="the-issuer-2"), issue_instant="2009-10-30T13:20:28Z", attribute_statement=do_attribute_statement({ ("name:surName", "nameformat", "surName"): ("Foo", ""), ("name:givenName", "nameformat", "givenName"): ("Bar", ""), }) ) response = factory( samlp.Response, issuer=saml.Issuer(text="the-isser"), status=success_status_factory(), assertion=assertion, version="2.0", issue_instant="2099-10-30T13:20:28Z", id="id-22222", signature=sigver.pre_signature_part( "id-22222", self.sec.my_cert ), ) to_sign = [(class_name(response), response.id)] s_response = sigver.signed_instance_factory(response, self.sec, to_sign) response2 = response_from_string(s_response) # Change something that should make everything fail response2.id = "id-23456" with raises(sigver.SignatureError): self.sec._check_signature(s_response, response2, class_name(response2))
def setup_class(self): logging.debug("Creating test pkcs11 token using softhsm") try: self.softhsm_db = self._tf() self.softhsm_conf = self._tf() self.signer_cert_pem = self._tf() self.openssl_conf = self._tf() self.signer_cert_der = self._tf() logging.debug("Generating softhsm.conf") with open(self.softhsm_conf, "w") as f: f.write("#Generated by pysaml2 cryptobackend test\n0:%s\n" % self.softhsm_db) logging.debug("Initializing the token") self._p( ["softhsm", "--slot", "0", "--label", "test", "--init-token", "--pin", "secret1", "--so-pin", "secret2"] ) logging.debug("Importing test key {!r} into SoftHSM".format(PRIV_KEY)) self._p( [ "softhsm", "--slot", "0", "--label", "test", "--import", PRIV_KEY, "--id", "a1b2", "--pin", "secret1", "--so-pin", "secret2", ] ) logging.debug("Transforming PEM certificate to DER") self._p( ["openssl", "x509", "-inform", "PEM", "-outform", "DER", "-in", PUB_KEY, "-out", self.signer_cert_der] ) logging.debug("Importing certificate into token") self._p( [ "pkcs11-tool", "--module", P11_MODULE, "-l", "--slot", "0", "--id", "a1b2", "--label", "test", "-y", "cert", "-w", self.signer_cert_der, "--pin", "secret1", ] ) # list contents of SoftHSM self._p(["pkcs11-tool", "--module", P11_MODULE, "-l", "--pin", "secret1", "-O"]) self._p(["pkcs11-tool", "--module", P11_MODULE, "-l", "--pin", "secret1", "-T"]) self._p(["pkcs11-tool", "--module", P11_MODULE, "-l", "--pin", "secret1", "-L"]) self.sec = sigver.security_context(FakeConfig(pub_key=PUB_KEY)) self._assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1), attribute_statement=do_attribute_statement( {("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", "")} ), ) self.configured = True except Exception as ex: print("-" * 64) traceback.print_exc() print("-" * 64) logging.warning("PKCS11 tests disabled: unable to initialize test token: %s" % ex) raise
def setup_class(self): logging.debug("Creating test pkcs11 token using softhsm") try: self.softhsm_db = self._tf() self.softhsm_conf = self._tf() self.signer_cert_pem = self._tf() self.openssl_conf = self._tf() self.signer_cert_der = self._tf() logging.debug("Generating softhsm.conf") with open(self.softhsm_conf, "w") as f: f.write("#Generated by pysaml2 cryptobackend test\n0:%s\n" % self.softhsm_db) logging.debug("Initializing the token") self._p(['softhsm', '--slot', '0', '--label', 'test', '--init-token', '--pin', 'secret1', '--so-pin', 'secret2']) logging.debug("Importing test key {!r} into SoftHSM".format(PRIV_KEY)) self._p(['softhsm', '--slot', '0', '--label', 'test', '--import', PRIV_KEY, '--id', 'a1b2', '--pin', 'secret1', '--so-pin', 'secret2']) logging.debug("Transforming PEM certificate to DER") self._p(['openssl', 'x509', '-inform', 'PEM', '-outform', 'DER', '-in', PUB_KEY, '-out', self.signer_cert_der]) logging.debug("Importing certificate into token") self._p(['pkcs11-tool', '--module', P11_MODULE, '-l', '--slot', '0', '--id', 'a1b2', '--label', 'test', '-y', 'cert', '-w', self.signer_cert_der, '--pin', 'secret1']) # list contents of SoftHSM self._p(['pkcs11-tool', '--module', P11_MODULE, '-l', '--pin', 'secret1', '-O']) self._p(['pkcs11-tool', '--module', P11_MODULE, '-l', '--pin', 'secret1', '-T']) self._p(['pkcs11-tool', '--module', P11_MODULE, '-l', '--pin', 'secret1', '-L']) self.sec = sigver.security_context(FakeConfig(pub_key = PUB_KEY)) self._assertion = factory(saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1), attribute_statement=do_attribute_statement( {("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), }) ) self.configured = True except Exception, ex: print "-" * 64 traceback.print_exc() print "-" * 64 logging.warning("PKCS11 tests disabled: unable to initialize test token: %s" % ex) raise
def test_sign_then_encrypt_assertion(self): # Begin with the IdPs side _sec = self.server.sec assertion = s_utils.assertion_factory( subject=factory(saml.Subject, text="_aaa", name_id=factory( saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT)), attribute_statement=do_attribute_statement( { ("", "", "surName"): ("Jeter", ""), ("", "", "givenName"): ("Derek", ""), } ), issuer=self.server._issuer(), ) assertion.signature = sigver.pre_signature_part( assertion.id, _sec.my_cert, 1) sigass = _sec.sign_statement(assertion, class_name(assertion), key_file="pki/mykey.pem", node_id=assertion.id) # Create an Assertion instance from the signed assertion _ass = saml.assertion_from_string(sigass) response = sigver.response_factory( in_response_to="_012345", destination="https:#www.example.com", status=s_utils.success_status_factory(), issuer=self.server._issuer(), assertion=_ass ) enctext = _sec.crypto.encrypt_assertion(response, _sec.cert_file, pre_encryption_part()) seresp = samlp.response_from_string(enctext) # Now over to the client side _csec = self.client.sec if seresp.encrypted_assertion: decr_text = _csec.decrypt(enctext) seresp = samlp.response_from_string(decr_text) resp_ass = [] sign_cert_file = "pki/mycert.pem" for enc_ass in seresp.encrypted_assertion: assers = extension_elements_to_elements( enc_ass.extension_elements, [saml, samlp]) for ass in assers: if ass.signature: if not _csec.verify_signature("%s" % ass, sign_cert_file, node_name=class_name(ass)): continue resp_ass.append(ass) seresp.assertion = resp_ass seresp.encrypted_assertion = None #print _sresp assert seresp.assertion
def setup_class(self): logging.debug("Creating test pkcs11 token using softhsm") try: self.softhsm_db = self._tf() self.softhsm_conf = self._tf() self.signer_cert_pem = self._tf() self.openssl_conf = self._tf() self.signer_cert_der = self._tf() logging.debug("Generating softhsm.conf") with open(self.softhsm_conf, "w") as f: f.write("#Generated by pysaml2 cryptobackend test\n0:%s\n" % self.softhsm_db) logging.debug("Initializing the token") self._p([ 'softhsm', '--slot', '0', '--label', 'test', '--init-token', '--pin', 'secret1', '--so-pin', 'secret2' ]) logging.debug( "Importing test key {!r} into SoftHSM".format(PRIV_KEY)) self._p([ 'softhsm', '--slot', '0', '--label', 'test', '--import', PRIV_KEY, '--id', 'a1b2', '--pin', 'secret1', '--so-pin', 'secret2' ]) logging.debug("Transforming PEM certificate to DER") self._p([ 'openssl', 'x509', '-inform', 'PEM', '-outform', 'DER', '-in', PUB_KEY, '-out', self.signer_cert_der ]) logging.debug("Importing certificate into token") self._p([ 'pkcs11-tool', '--module', P11_MODULE, '-l', '--slot', '0', '--id', 'a1b2', '--label', 'test', '-y', 'cert', '-w', self.signer_cert_der, '--pin', 'secret1' ]) # list contents of SoftHSM self._p([ 'pkcs11-tool', '--module', P11_MODULE, '-l', '--pin', 'secret1', '-O' ]) self._p([ 'pkcs11-tool', '--module', P11_MODULE, '-l', '--pin', 'secret1', '-T' ]) self._p([ 'pkcs11-tool', '--module', P11_MODULE, '-l', '--pin', 'secret1', '-L' ]) self.sec = sigver.security_context(FakeConfig(pub_key=PUB_KEY)) self._assertion = factory( saml.Assertion, version="2.0", id="11111", issue_instant="2009-10-30T13:20:28Z", signature=sigver.pre_signature_part("11111", self.sec.my_cert, 1), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Foo", ""), ("", "", "givenName"): ("Bar", ""), })) self.configured = True except Exception as ex: print("-" * 64) traceback.print_exc() print("-" * 64) logging.warning( "PKCS11 tests disabled: unable to initialize test token: %s" % ex) raise
def test_sign_then_encrypt_assertion(self): # Begin with the IdPs side _sec = self.server.sec assertion = s_utils.assertion_factory( subject=factory(saml.Subject, text="_aaa", name_id=factory( saml.NameID, format=saml.NAMEID_FORMAT_TRANSIENT)), attribute_statement=do_attribute_statement({ ("", "", "surName"): ("Jeter", ""), ("", "", "givenName"): ("Derek", ""), }), issuer=self.server._issuer(), ) assertion.signature = sigver.pre_signature_part( assertion.id, _sec.my_cert, 1) sigass = _sec.sign_statement(assertion, class_name(assertion), key_file=full_path("test.key"), node_id=assertion.id) # Create an Assertion instance from the signed assertion _ass = saml.assertion_from_string(sigass) response = sigver.response_factory( in_response_to="_012345", destination="https:#www.example.com", status=s_utils.success_status_factory(), issuer=self.server._issuer(), assertion=_ass) enctext = _sec.crypto.encrypt_assertion(response, _sec.cert_file, pre_encryption_part()) seresp = samlp.response_from_string(enctext) # Now over to the client side _csec = self.client.sec if seresp.encrypted_assertion: decr_text = _csec.decrypt(enctext) seresp = samlp.response_from_string(decr_text) resp_ass = [] sign_cert_file = full_path("test.pem") for enc_ass in seresp.encrypted_assertion: assers = extension_elements_to_elements( enc_ass.extension_elements, [saml, samlp]) for ass in assers: if ass.signature: if not _csec.verify_signature( "%s" % ass, sign_cert_file, node_name=class_name(ass)): continue resp_ass.append(ass) seresp.assertion = resp_ass seresp.encrypted_assertion = None #print _sresp assert seresp.assertion