Exemplo n.º 1
0
def test_enc1():
    with closing(Server("idp_conf")) as server:
        name_id = server.ident.transient_nameid(
            "urn:mace:example.com:saml:roland:sp", "id12")

        resp_ = server.create_authn_response(
            IDENTITY, "id12", "http://lingon.catalogix.se:8087/",
            "urn:mace:example.com:saml:roland:sp", name_id=name_id)

    statement = pre_encrypt_assertion(resp_)

    tmpl = full_path("enc_tmpl.xml")
    # tmpl_file = open(tmpl, "w")
    # tmpl_file.write("%s" % pre_encryption_part())
    # tmpl_file.close()

    data = full_path("pre_enc.xml")
    # data_file = open(data, "w")
    # data_file.write("%s" % statement)
    # data_file.close()

    key_type = "des-192"
    com_list = [xmlsec_path, "encrypt", "--pubkey-cert-pem", full_path("pubkey.pem"),
                "--session-key", key_type, "--xml-data", data,
                "--node-xpath", ASSERT_XPATH]

    crypto = CryptoBackendXmlSec1(xmlsec_path)
    (_stdout, _stderr, output) = crypto._run_xmlsec(
        com_list, [tmpl], exception=EncryptError, validate_output=False)

    print output
    assert _stderr == ""
    assert _stdout == ""
Exemplo n.º 2
0
def test_reshuffle_response():
    server = Server("idp_conf")
    name_id = server.ident.transient_nameid("urn:mace:example.com:saml:roland:sp", "id12")

    resp_ = server.create_authn_response(
        IDENTITY, "id12", "http://lingon.catalogix.se:8087/", "urn:mace:example.com:saml:roland:sp", name_id=name_id
    )

    resp2 = pre_encrypt_assertion(resp_)

    print resp2
    assert resp2.encrypted_assertion.extension_elements
Exemplo n.º 3
0
def test_reshuffle_response():
    with closing(Server("idp_conf")) as server:
        name_id = server.ident.transient_nameid(
            "urn:mace:example.com:saml:roland:sp", "id12")

        resp_ = server.create_authn_response(
            IDENTITY,
            "id12",
            "http://lingon.catalogix.se:8087/",
            "urn:mace:example.com:saml:roland:sp",
            name_id=name_id)

    resp2 = pre_encrypt_assertion(resp_)

    assert resp2.encrypted_assertion.extension_elements
Exemplo n.º 4
0
def test_enc1():
    with closing(Server("idp_conf")) as server:
        name_id = server.ident.transient_nameid(
            "urn:mace:example.com:saml:roland:sp", "id12")

        resp_ = server.create_authn_response(
            IDENTITY,
            "id12",
            "http://lingon.catalogix.se:8087/",
            "urn:mace:example.com:saml:roland:sp",
            name_id=name_id)

    statement = pre_encrypt_assertion(resp_)

    tmpl = full_path("enc_tmpl.xml")
    # tmpl_file = open(tmpl, "w")
    # tmpl_file.write("%s" % pre_encryption_part())
    # tmpl_file.close()

    data = full_path("pre_enc.xml")
    # data_file = open(data, "w")
    # data_file.write("%s" % statement)
    # data_file.close()

    key_type = "des-192"
    com_list = [
        xmlsec_path, "encrypt", "--pubkey-cert-pem",
        full_path("pubkey.pem"), "--session-key", key_type, "--xml-data", data,
        "--node-xpath", ASSERT_XPATH
    ]

    crypto = CryptoBackendXmlSec1(xmlsec_path)
    (_stdout, _stderr, output) = crypto._run_xmlsec(com_list, [tmpl],
                                                    exception=EncryptError,
                                                    validate_output=False)

    print output
    assert _stderr == ""
    assert _stdout == ""
Exemplo n.º 5
0
    def _response(self, in_response_to, consumer_url=None, status=None,
                  issuer=None, sign=False, to_sign=None, sp_entity_id=None,
                  encrypt_assertion=False, encrypt_assertion_self_contained=False, encrypted_advice_attributes=False,
                  encrypt_cert_advice=None, encrypt_cert_assertion=None,sign_assertion=None, pefim=False, **kwargs):
        """ Create a Response.
            Encryption:
                encrypt_assertion must be true for encryption to be performed. If encrypted_advice_attributes also is
                true, then will the function try to encrypt the assertion in the the advice element of the main
                assertion. Only one assertion element is allowed in the advice element, if multiple assertions exists
                in the advice element the main assertion will be encrypted instead, since it's no point to encrypt
                If encrypted_advice_attributes is
                false the main assertion will be encrypted. Since the same key

        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param status: The status of the response
        :param issuer: The issuer of the response
        :param sign: Whether the response should be signed or not
        :param to_sign: If there are other parts to sign
        :param sp_entity_id: Entity ID for the calling service provider.
        :param encrypt_assertion: True if assertions should be encrypted.
        :param encrypt_assertion_self_contained: True if all encrypted assertions should have alla namespaces
        selfcontained.
        :param encrypted_advice_attributes: True if assertions in the advice element should be encrypted.
        :param encrypt_cert_advice: Certificate to be used for encryption of assertions in the advice element.
        :param encrypt_cert_assertion: Certificate to be used for encryption of assertions.
        :param sign_assertion: True if assertions should be signed.
        :param pefim: True if a response according to the PEFIM profile should be created.
        :param kwargs: Extra key word arguments
        :return: A Response instance
        """

        if not status:
            status = success_status_factory()

        _issuer = self._issuer(issuer)

        response = response_factory(issuer=_issuer,
                                    in_response_to=in_response_to,
                                    status=status)

        if consumer_url:
            response.destination = consumer_url

        self._add_info(response, **kwargs)

        if not sign and to_sign and not encrypt_assertion:
            return signed_instance_factory(response, self.sec, to_sign)

        has_encrypt_cert = self.has_encrypt_cert_in_metadata(sp_entity_id)
        if not has_encrypt_cert and encrypt_cert_advice is None:
            encrypted_advice_attributes = False
        if not has_encrypt_cert and encrypt_cert_assertion is None:
            encrypt_assertion = False

        if encrypt_assertion or (encrypted_advice_attributes and response.assertion.advice is not None and
                                         len(response.assertion.advice.assertion) == 1):
            if sign:
                response.signature = pre_signature_part(response.id,
                                                        self.sec.my_cert, 1)
                sign_class = [(class_name(response), response.id)]
            cbxs = CryptoBackendXmlSec1(self.config.xmlsec_binary)
            encrypt_advice = False
            if encrypted_advice_attributes and response.assertion.advice is not None \
                    and len(response.assertion.advice.assertion) > 0:
                _assertions = response.assertion
                if not isinstance(_assertions, list):
                    _assertions = [_assertions]
                for _assertion in _assertions:
                    _assertion.advice.encrypted_assertion = []
                    _assertion.advice.encrypted_assertion.append(EncryptedAssertion())
                    _advice_assertions = copy.deepcopy(_assertion.advice.assertion)
                    _assertion.advice.assertion = []
                    if not isinstance(_advice_assertions, list):
                        _advice_assertions = [_advice_assertions]
                    for tmp_assertion in _advice_assertions:
                        to_sign_advice = []
                        if sign_assertion and not pefim:
                            tmp_assertion.signature = pre_signature_part(tmp_assertion.id, self.sec.my_cert, 1)
                            to_sign_advice.append((class_name(tmp_assertion), tmp_assertion.id))
                        #tmp_assertion = response.assertion.advice.assertion[0]
                        _assertion.advice.encrypted_assertion[0].add_extension_element(tmp_assertion)

                        if encrypt_assertion_self_contained:
                            advice_tag = response.assertion.advice._to_element_tree().tag
                            assertion_tag = tmp_assertion._to_element_tree().tag
                            response = \
                                response.get_xml_string_with_self_contained_assertion_within_advice_encrypted_assertion(
                                    assertion_tag, advice_tag)
                        node_xpath = ''.join(["/*[local-name()=\"%s\"]" % v for v in
                                              ["Response", "Assertion", "Advice", "EncryptedAssertion", "Assertion"]])

                        if to_sign_advice:
                            response = signed_instance_factory(response, self.sec, to_sign_advice)
                        response = self._encrypt_assertion(encrypt_cert_advice, sp_entity_id, response, node_xpath=node_xpath)
                        response = response_from_string(response)

            if encrypt_assertion:
                to_sign_assertion = []
                if sign_assertion is not None and sign_assertion:
                    _assertions = response.assertion
                    if not isinstance(_assertions, list):
                        _assertions = [_assertions]
                    for _assertion in _assertions:
                        _assertion.signature = pre_signature_part(_assertion.id, self.sec.my_cert, 1)
                        to_sign_assertion.append((class_name(_assertion), _assertion.id))
                if encrypt_assertion_self_contained:
                    try:
                        assertion_tag = response.assertion._to_element_tree().tag
                    except:
                        assertion_tag = response.assertion[0]._to_element_tree().tag
                    response = pre_encrypt_assertion(response)
                    response = response.get_xml_string_with_self_contained_assertion_within_encrypted_assertion(
                        assertion_tag)

                if to_sign_assertion:
                    response = signed_instance_factory(response, self.sec, to_sign_assertion)
                response = self._encrypt_assertion(encrypt_cert_assertion, sp_entity_id, response)
            else:
                if to_sign:
                    response = signed_instance_factory(response, self.sec, to_sign)
            if sign:
                return signed_instance_factory(response, self.sec, sign_class)
            else:
                return response

        if sign:
            return self.sign(response, to_sign=to_sign)
        else:
            return response
Exemplo n.º 6
0
    def _response(self,
                  in_response_to,
                  consumer_url=None,
                  status=None,
                  issuer=None,
                  sign=False,
                  to_sign=None,
                  encrypt_assertion=False,
                  encrypt_assertion_self_contained=False,
                  encrypted_advice_attributes=False,
                  encrypt_cert=None,
                  **kwargs):
        """ Create a Response.
            Encryption:
                encrypt_assertion must be true for encryption to be performed. If encrypted_advice_attributes also is
                true, then will the function try to encrypt the assertion in the the advice element of the main
                assertion. Only one assertion element is allowed in the advice element, if multiple assertions exists
                in the advice element the main assertion will be encrypted instead, since it's no point to encrypt
                If encrypted_advice_attributes is
                false the main assertion will be encrypted. Since the same key

        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param status: The status of the response
        :param issuer: The issuer of the response
        :param sign: Whether the response should be signed or not
        :param to_sign: If there are other parts to sign
        :param kwargs: Extra key word arguments
        :return: A Response instance
        """

        if not status:
            status = success_status_factory()

        _issuer = self._issuer(issuer)

        response = response_factory(issuer=_issuer,
                                    in_response_to=in_response_to,
                                    status=status)

        if consumer_url:
            response.destination = consumer_url

        self._add_info(response, **kwargs)

        if not sign and to_sign and not encrypt_assertion:
            return signed_instance_factory(response, self.sec, to_sign)

        if encrypt_assertion:
            node_xpath = None
            if sign:
                response.signature = pre_signature_part(
                    response.id, self.sec.my_cert, 1)
                sign_class = [(class_name(response), response.id)]
            cbxs = CryptoBackendXmlSec1(self.config.xmlsec_binary)
            if encrypted_advice_attributes and response.assertion.advice is not None \
                    and len(response.assertion.advice.assertion) == 1:
                tmp_assertion = response.assertion.advice.assertion[0]
                response.assertion.advice.encrypted_assertion = []
                response.assertion.advice.encrypted_assertion.append(
                    EncryptedAssertion())
                if isinstance(tmp_assertion, list):
                    response.assertion.advice.encrypted_assertion[
                        0].add_extension_elements(tmp_assertion)
                else:
                    response.assertion.advice.encrypted_assertion[
                        0].add_extension_element(tmp_assertion)
                response.assertion.advice.assertion = []
                if encrypt_assertion_self_contained:
                    advice_tag = response.assertion.advice._to_element_tree(
                    ).tag
                    assertion_tag = tmp_assertion._to_element_tree().tag
                    response = response.get_xml_string_with_self_contained_assertion_within_advice_encrypted_assertion(
                        assertion_tag, advice_tag)
                node_xpath = ''.join([
                    "/*[local-name()=\"%s\"]" % v for v in [
                        "Response", "Assertion", "Advice",
                        "EncryptedAssertion", "Assertion"
                    ]
                ])
            elif encrypt_assertion_self_contained:
                assertion_tag = response.assertion._to_element_tree().tag
                response = pre_encrypt_assertion(response)
                response = response.get_xml_string_with_self_contained_assertion_within_encrypted_assertion(
                    assertion_tag)
            else:
                response = pre_encrypt_assertion(response)
            if to_sign:
                response = signed_instance_factory(response, self.sec, to_sign)
            _, cert_file = make_temp("%s" % encrypt_cert, decode=False)
            response = cbxs.encrypt_assertion(response,
                                              cert_file,
                                              pre_encryption_part(),
                                              node_xpath=node_xpath)
            # template(response.assertion.id))
            if sign:
                return signed_instance_factory(response, self.sec, sign_class)
            else:
                return response

        if sign:
            return self.sign(response, to_sign=to_sign)
        else:
            return response
Exemplo n.º 7
0
    def _response(self, in_response_to, consumer_url=None, status=None,
                  issuer=None, sign=False, to_sign=None,
                  encrypt_assertion=False, encrypt_assertion_self_contained=False, encrypted_advice_attributes=False,
                  encrypt_cert=None, **kwargs):
        """ Create a Response.
            Encryption:
                encrypt_assertion must be true for encryption to be performed. If encrypted_advice_attributes also is
                true, then will the function try to encrypt the assertion in the the advice element of the main
                assertion. Only one assertion element is allowed in the advice element, if multiple assertions exists
                in the advice element the main assertion will be encrypted instead, since it's no point to encrypt
                If encrypted_advice_attributes is
                false the main assertion will be encrypted. Since the same key

        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param status: The status of the response
        :param issuer: The issuer of the response
        :param sign: Whether the response should be signed or not
        :param to_sign: If there are other parts to sign
        :param kwargs: Extra key word arguments
        :return: A Response instance
        """

        if not status:
            status = success_status_factory()

        _issuer = self._issuer(issuer)

        response = response_factory(issuer=_issuer,
                                    in_response_to=in_response_to,
                                    status=status)

        if consumer_url:
            response.destination = consumer_url

        self._add_info(response, **kwargs)

        if not sign and to_sign and not encrypt_assertion:
            return signed_instance_factory(response, self.sec, to_sign)

        if encrypt_assertion:
            node_xpath = None
            if sign:
                response.signature = pre_signature_part(response.id,
                                                        self.sec.my_cert, 1)
                sign_class = [(class_name(response), response.id)]
            cbxs = CryptoBackendXmlSec1(self.config.xmlsec_binary)
            if encrypted_advice_attributes and response.assertion.advice is not None \
                    and len(response.assertion.advice.assertion) == 1:
                tmp_assertion = response.assertion.advice.assertion[0]
                response.assertion.advice.encrypted_assertion = []
                response.assertion.advice.encrypted_assertion.append(EncryptedAssertion())
                if isinstance(tmp_assertion, list):
                    response.assertion.advice.encrypted_assertion[0].add_extension_elements(tmp_assertion)
                else:
                    response.assertion.advice.encrypted_assertion[0].add_extension_element(tmp_assertion)
                response.assertion.advice.assertion = []
                if encrypt_assertion_self_contained:
                    advice_tag = response.assertion.advice._to_element_tree().tag
                    assertion_tag = tmp_assertion._to_element_tree().tag
                    response = response.get_xml_string_with_self_contained_assertion_within_advice_encrypted_assertion(
                        assertion_tag, advice_tag)
                node_xpath = ''.join(["/*[local-name()=\"%s\"]" % v for v in
                                      ["Response", "Assertion", "Advice", "EncryptedAssertion", "Assertion"]])
            elif encrypt_assertion_self_contained:
                assertion_tag = response.assertion._to_element_tree().tag
                response = pre_encrypt_assertion(response)
                response = response.get_xml_string_with_self_contained_assertion_within_encrypted_assertion(
                    assertion_tag)
            else:
                response = pre_encrypt_assertion(response)
            if to_sign:
                response = signed_instance_factory(response, self.sec, to_sign)
            _, cert_file = make_temp("%s" % encrypt_cert, decode=False)
            response = cbxs.encrypt_assertion(response, cert_file,
                                              pre_encryption_part(), node_xpath=node_xpath)
                                              # template(response.assertion.id))
            if sign:
                return signed_instance_factory(response, self.sec, sign_class)
            else:
                return response

        if sign:
            return self.sign(response, to_sign=to_sign)
        else:
            return response