    def testCalculateX509Fingerprint(self):
        """
        Tests OneLogin_Saml2_Utils.calculate_x509_fingerprint.

        Reads the SP private key and SP certificate from the configured cert
        path; the key must not yield a fingerprint (None) and the certificate
        must yield the expected hex digest (the function's default algorithm).
        """
        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
        cert_dir = settings.get_cert_path()

        sp_key = self.file_contents(cert_dir + 'sp.key')
        sp_cert = self.file_contents(cert_dir + 'sp.crt')

        fingerprint = OneLogin_Saml2_Utils.calculate_x509_fingerprint
        # A private key is not a certificate: no fingerprint is produced.
        self.assertIsNone(fingerprint(sp_key))
        expected = 'afe71c28ef740bc87425be13a2263d37971da1f9'
        self.assertEqual(expected, fingerprint(sp_cert))
    def testCalculateX509Fingerprint(self):
        """
        Tests OneLogin_Saml2_Utils.calculate_x509_fingerprint.

        The SP private key must not produce a fingerprint (None); the SP
        certificate must produce the expected hex digest with the function's
        default algorithm.
        """
        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
        cert_dir = settings.get_cert_path()

        sp_key = self.file_contents(cert_dir + 'sp.key')
        sp_cert = self.file_contents(cert_dir + 'sp.crt')

        fingerprint = OneLogin_Saml2_Utils.calculate_x509_fingerprint
        # Only certificates are fingerprinted; a key yields None.
        self.assertIsNone(fingerprint(sp_key))
        expected = 'afe71c28ef740bc87425be13a2263d37971da1f9'
        self.assertEqual(expected, fingerprint(sp_cert))
 def key_identifier(self):
     """
     Return the SP certificate's fingerprint, base64-encoded, for use as a
     key identifier.

     calculate_x509_fingerprint returns the digest as lowercase hex text;
     that text is decoded back to the raw digest bytes and base64-encoded.
     b2a_base64 appends a newline, which is stripped from the result.
     """
     import binascii
     hex_digest = OneLogin_Saml2_Utils.calculate_x509_fingerprint(
         self.sp_cer_body)
     # e.g. 'b5a10daa4250aea3b036b4a2a6e66829f852363f' (hex text, not bytes)
     raw_digest = binascii.unhexlify(hex_digest)
     # raw digest bytes; b2a_base64 yields '...=\n' and strip() drops the '\n'
     encoded = binascii.b2a_base64(raw_digest)
     return encoded.strip()  # e.g. 'taENqkJQrqOwNrSipuZoKfhSNj8='
    def testCalculateX509Fingerprint(self):
        """
        Tests OneLogin_Saml2_Utils.calculate_x509_fingerprint.

        The SP private key must not produce a fingerprint (None). For the SP
        certificate the digest is checked with the default algorithm and with
        each explicitly named algorithm; the default must equal 'sha1'.
        """
        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
        cert_dir = settings.get_cert_path()

        sp_key = self.file_contents(cert_dir + 'sp.key')
        sp_cert = self.file_contents(cert_dir + 'sp.crt')

        fingerprint = OneLogin_Saml2_Utils.calculate_x509_fingerprint
        # Only certificates are fingerprinted; a private key yields None.
        self.assertIsNone(fingerprint(sp_key))

        expected_sha1 = 'afe71c28ef740bc87425be13a2263d37971da1f9'
        # Default algorithm: identical to the explicit 'sha1' result below.
        self.assertEqual(expected_sha1, fingerprint(sp_cert))

        expected_by_algorithm = [
            ('sha1', expected_sha1),
            ('sha256', 'c51cfa06c7a49767f6eab18238eae1c56708e29264da3d11f538a12cd2c357ba'),
            ('sha384', 'bc5826e6f9429247254bae5e3c650e6968a36a62d23075eb168134978d88600559c10830c28711b2c29c7947c0c2eb1d'),
            ('sha512', '3db29251b97559c67988ea0754cb0573fc409b6f75d89282d57cfb75089539b0bbdb2dcd9ec6e032549ecbc466439d5992e18db2cf5494ca2fe1b2e16f348dff'),
        ]
        for algorithm, expected in expected_by_algorithm:
            self.assertEqual(expected, fingerprint(sp_cert, algorithm))
    def testCalculateX509Fingerprint(self):
        """
        Tests OneLogin_Saml2_Utils.calculate_x509_fingerprint.

        The SP private key must not produce a fingerprint (None). For the SP
        certificate the digest is checked with the default algorithm and with
        each explicitly named algorithm; the default must equal 'sha1'.
        """
        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
        cert_dir = settings.get_cert_path()

        sp_key = self.file_contents(cert_dir + 'sp.key')
        sp_cert = self.file_contents(cert_dir + 'sp.crt')

        fingerprint = OneLogin_Saml2_Utils.calculate_x509_fingerprint
        # Only certificates are fingerprinted; a private key yields None.
        self.assertIsNone(fingerprint(sp_key))

        expected_sha1 = 'afe71c28ef740bc87425be13a2263d37971da1f9'
        # Default algorithm: identical to the explicit 'sha1' result below.
        self.assertEqual(expected_sha1, fingerprint(sp_cert))

        expected_by_algorithm = [
            ('sha1', expected_sha1),
            ('sha256', 'c51cfa06c7a49767f6eab18238eae1c56708e29264da3d11f538a12cd2c357ba'),
            ('sha384', 'bc5826e6f9429247254bae5e3c650e6968a36a62d23075eb168134978d88600559c10830c28711b2c29c7947c0c2eb1d'),
            ('sha512', '3db29251b97559c67988ea0754cb0573fc409b6f75d89282d57cfb75089539b0bbdb2dcd9ec6e032549ecbc466439d5992e18db2cf5494ca2fe1b2e16f348dff'),
        ]
        for algorithm, expected in expected_by_algorithm:
            self.assertEqual(expected, fingerprint(sp_cert, algorithm))
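    def testValidateSign(self):
        """
        Tests the validate_sign method of the OneLogin_Saml2_Utils.

        Covers signature verification of signed metadata, message-signed,
        assertion-signed and double-signed responses against:

        - ``cert``: the fixtures' signer, described in the comments as
          expired. It is accepted by the default call and rejected once
          ``validatecert=True`` adds certificate validation.
        - ``cert_2`` and its SHA-1 / SHA-256 fingerprints, which may stand
          in for the certificate itself.
        - Inputs that must be rejected: a foreign certificate, a tampered
          document, a wrong fingerprint, an assertion detached from its
          signed envelope, documents without a signature or key, and a
          signature-wrapping fixture.
        """
        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
        idp_data = settings.get_idp_data()
        cert = idp_data['x509cert']

        settings_2 = OneLogin_Saml2_Settings(
            self.loadSettingsJSON('settings2.json'))
        idp_data2 = settings_2.get_idp_data()
        cert_2 = idp_data2['x509cert']
        fingerprint_2 = OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert_2)
        fingerprint_2_256 = OneLogin_Saml2_Utils.calculate_x509_fingerprint(
            cert_2, 'sha256')

        # Empty input: either a False result or an exception carrying this
        # message is accepted. AssertionError is itself an Exception, so a
        # True result would surface here as a message mismatch.
        try:
            self.assertFalse(OneLogin_Saml2_Utils.validate_sign('', cert))
        except Exception as e:
            self.assertEqual('Empty string supplied as input', str(e))

        # expired cert: the signature verifies, and the default call does not
        # check the certificate's own validity
        xml_metadata_signed = self.file_contents(
            join(self.data_path, 'metadata', 'signed_metadata_settings1.xml'))
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_metadata_sign(
                xml_metadata_signed, cert))
        # expired cert, verified it: validatecert=True must reject it
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_metadata_sign(xml_metadata_signed,
                                                        cert,
                                                        validatecert=True))

        # Second IdP: verification by certificate and by its fingerprint
        xml_metadata_signed_2 = self.file_contents(
            join(self.data_path, 'metadata', 'signed_metadata_settings2.xml'))
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_metadata_sign(
                xml_metadata_signed_2, cert_2))
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_metadata_sign(
                xml_metadata_signed_2, None, fingerprint_2))

        xml_response_msg_signed = b64decode(
            self.file_contents(
                join(self.data_path, 'responses',
                     'signed_message_response.xml.base64')))

        # expired cert
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed, cert))
        # expired cert, verified it
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed,
                                               cert,
                                               validatecert=True))

        # modified cert: a certificate other than the signer's must fail,
        # with and without certificate validation
        other_cert_path = join(dirname(__file__), '..', '..', '..', 'certs')
        # the context manager closes the handle even if read() raises
        with open(other_cert_path + '/certificate1', 'r') as f:
            cert_x = f.read()
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed,
                                               cert_x))
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed,
                                               cert_x,
                                               validatecert=True))

        xml_response_msg_signed_2 = b64decode(
            self.file_contents(
                join(self.data_path, 'responses',
                     'signed_message_response2.xml.base64')))
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed_2,
                                               cert_2))
        # Fingerprint in place of the certificate: default algorithm, then
        # the algorithm named explicitly
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed_2, None,
                                               fingerprint_2))
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed_2, None,
                                               fingerprint_2, 'sha1'))
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed_2, None,
                                               fingerprint_2_256, 'sha256'))

        xml_response_assert_signed = b64decode(
            self.file_contents(
                join(self.data_path, 'responses',
                     'signed_assertion_response.xml.base64')))

        # expired cert
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_assert_signed,
                                               cert))
        # expired cert, verified it
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_sign(xml_response_assert_signed,
                                               cert,
                                               validatecert=True))

        xml_response_assert_signed_2 = b64decode(
            self.file_contents(
                join(self.data_path, 'responses',
                     'signed_assertion_response2.xml.base64')))
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_assert_signed_2,
                                               cert_2))
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_assert_signed_2,
                                               None, fingerprint_2))

        xml_response_double_signed = b64decode(
            self.file_contents(
                join(self.data_path, 'responses',
                     'double_signed_response.xml.base64')))

        # expired cert
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_double_signed,
                                               cert))
        # expired cert, verified it
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_sign(xml_response_double_signed,
                                               cert,
                                               validatecert=True))

        xml_response_double_signed_2 = b64decode(
            self.file_contents(
                join(self.data_path, 'responses',
                     'double_signed_response2.xml.base64')))
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_double_signed_2,
                                               cert_2))
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(xml_response_double_signed_2,
                                               None, fingerprint_2))

        # A parsed-and-reserialised copy must still verify unchanged.
        dom = parseString(xml_response_msg_signed_2)
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(
            dom.toxml(), cert_2))

        # Tamper with the first text node under the root (presumably the
        # Issuer) and with the root's ID attribute.
        dom.firstChild.firstChild.firstChild.nodeValue = 'https://idp.example.com/simplesaml/saml2/idp/metadata.php'

        dom.firstChild.getAttributeNode(
            'ID').nodeValue = u'_34fg27g212d63k1f923845324475802ac0fc24530b'
        # Reference validation failed: the signed digest no longer matches
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_sign(dom.toxml(), cert_2))

        invalid_fingerprint = 'afe71c34ef740bc87434be13a2263d31271da1f9'
        # Wrong fingerprint: the embedded certificate must not be trusted
        # unless it matches the expected fingerprint
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_metadata_sign(
                xml_metadata_signed_2, None, invalid_fingerprint))

        dom_2 = parseString(xml_response_double_signed_2)
        self.assertTrue(
            OneLogin_Saml2_Utils.validate_sign(dom_2.toxml(), cert_2))
        dom_2.firstChild.firstChild.firstChild.nodeValue = 'https://example.com/other-idp'
        # Modified message
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_sign(dom_2.toxml(), cert_2))

        # Try to validate directly the Assertion: detached from its signed
        # envelope it must not verify, even with the saml namespace declared
        # so that it serialises as well-formed XML
        dom_3 = parseString(xml_response_double_signed_2)
        assert_elem_3 = dom_3.firstChild.firstChild.nextSibling.nextSibling.nextSibling
        assert_elem_3.setAttributeNS(OneLogin_Saml2_Constants.NS_SAML,
                                     'xmlns:saml',
                                     OneLogin_Saml2_Constants.NS_SAML)
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_sign(assert_elem_3.toxml(), cert_2))

        # Wrong scheme: no signature at all must be a failure, not a pass
        no_signed = b64decode(
            self.file_contents(
                join(self.data_path, 'responses', 'invalids',
                     'no_signature.xml.base64')))
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(no_signed, cert))

        # Signature without key material
        no_key = b64decode(
            self.file_contents(
                join(self.data_path, 'responses', 'invalids',
                     'no_key.xml.base64')))
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(no_key, cert))

        # Signature Wrapping attack: regression guard, the fixture must be
        # rejected rather than verified on the wrong element
        wrapping_attack1 = b64decode(
            self.file_contents(
                join(self.data_path, 'responses', 'invalids',
                     'signature_wrapping_attack.xml.base64')))
        self.assertFalse(
            OneLogin_Saml2_Utils.validate_sign(wrapping_attack1, cert))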
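    def testValidateSign(self):
        """
        Tests the validate_sign method of the OneLogin_Saml2_Utils.

        Covers signature verification of signed metadata, message-signed,
        assertion-signed and double-signed responses against:

        - ``cert``: the fixtures' signer, described in the comments as
          expired. It is accepted by the default call and rejected once
          ``validatecert=True`` adds certificate validation.
        - ``cert_2`` and its SHA-1 / SHA-256 fingerprints, which may stand
          in for the certificate itself.
        - Inputs that must be rejected: a foreign certificate, a tampered
          DOM, a wrong fingerprint, an assertion element detached from its
          signed envelope, documents without a signature or key, and a
          signature-wrapping fixture.

        Both string and already-parsed DOM inputs are passed to validate_sign.
        """
        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
        idp_data = settings.get_idp_data()
        cert = idp_data['x509cert']

        settings_2 = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings2.json'))
        idp_data2 = settings_2.get_idp_data()
        cert_2 = idp_data2['x509cert']
        fingerprint_2 = OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert_2)
        fingerprint_2_256 = OneLogin_Saml2_Utils.calculate_x509_fingerprint(cert_2, 'sha256')

        # Empty and non-string input: either a False result or an exception
        # carrying the given message is accepted. AssertionError is itself an
        # Exception, so a True result would surface as a message mismatch.
        # str(e) is used instead of the Python 2-only e.message; the two are
        # equal for single-argument exceptions.
        try:
            self.assertFalse(OneLogin_Saml2_Utils.validate_sign('', cert))
        except Exception as e:
            self.assertEqual('Empty string supplied as input', str(e))

        try:
            self.assertFalse(OneLogin_Saml2_Utils.validate_sign(1, cert))
        except Exception as e:
            self.assertEqual('Error parsing xml string', str(e))

        # expired cert: the signature verifies, and the default call does not
        # check the certificate's own validity
        xml_metadata_signed = self.file_contents(join(self.data_path, 'metadata', 'signed_metadata_settings1.xml'))
        self.assertTrue(OneLogin_Saml2_Utils.validate_metadata_sign(xml_metadata_signed, cert))
        # expired cert, verified it: validatecert=True must reject it
        self.assertFalse(OneLogin_Saml2_Utils.validate_metadata_sign(xml_metadata_signed, cert, validatecert=True))

        # Second IdP: verification by certificate and by its fingerprint
        xml_metadata_signed_2 = self.file_contents(join(self.data_path, 'metadata', 'signed_metadata_settings2.xml'))
        self.assertTrue(OneLogin_Saml2_Utils.validate_metadata_sign(xml_metadata_signed_2, cert_2))
        self.assertTrue(OneLogin_Saml2_Utils.validate_metadata_sign(xml_metadata_signed_2, None, fingerprint_2))

        xml_response_msg_signed = b64decode(self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64')))

        # expired cert
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed, cert))
        # expired cert, verified it
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed, cert, validatecert=True))

        # modified cert: a certificate other than the signer's must fail,
        # with and without certificate validation
        other_cert_path = join(dirname(__file__), '..', '..', '..', 'certs')
        # the context manager closes the handle even if read() raises
        with open(other_cert_path + '/certificate1', 'r') as f:
            cert_x = f.read()
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed, cert_x))
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed, cert_x, validatecert=True))

        xml_response_msg_signed_2 = b64decode(self.file_contents(join(self.data_path, 'responses', 'signed_message_response2.xml.base64')))
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed_2, cert_2))
        # Fingerprint in place of the certificate: default algorithm, then
        # the algorithm named explicitly
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed_2, None, fingerprint_2))
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed_2, None, fingerprint_2, 'sha1'))
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_msg_signed_2, None, fingerprint_2_256, 'sha256'))

        xml_response_assert_signed = b64decode(self.file_contents(join(self.data_path, 'responses', 'signed_assertion_response.xml.base64')))

        # expired cert
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_assert_signed, cert))
        # expired cert, verified it
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(xml_response_assert_signed, cert, validatecert=True))

        xml_response_assert_signed_2 = b64decode(self.file_contents(join(self.data_path, 'responses', 'signed_assertion_response2.xml.base64')))
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_assert_signed_2, cert_2))
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_assert_signed_2, None, fingerprint_2))

        xml_response_double_signed = b64decode(self.file_contents(join(self.data_path, 'responses', 'double_signed_response.xml.base64')))

        # expired cert
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_double_signed, cert))
        # expired cert, verified it
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(xml_response_double_signed, cert, validatecert=True))

        xml_response_double_signed_2 = b64decode(self.file_contents(join(self.data_path, 'responses', 'double_signed_response2.xml.base64')))
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_double_signed_2, cert_2))
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(xml_response_double_signed_2, None, fingerprint_2))

        # An already-parsed DOM is accepted as input and must verify unchanged.
        dom = parseString(xml_response_msg_signed_2)
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(dom, cert_2))

        # Tamper with the first text node under the root (presumably the
        # Issuer) and with the root's ID attribute.
        dom.firstChild.firstChild.firstChild.nodeValue = 'https://idp.example.com/simplesaml/saml2/idp/metadata.php'

        dom.firstChild.getAttributeNode('ID').nodeValue = u'_34fg27g212d63k1f923845324475802ac0fc24530b'
        # Reference validation failed: the signed digest no longer matches
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(dom, cert_2))

        invalid_fingerprint = 'afe71c34ef740bc87434be13a2263d31271da1f9'
        # Wrong fingerprint: the embedded certificate must not be trusted
        # unless it matches the expected fingerprint
        self.assertFalse(OneLogin_Saml2_Utils.validate_metadata_sign(xml_metadata_signed_2, None, invalid_fingerprint))

        dom_2 = parseString(xml_response_double_signed_2)
        self.assertTrue(OneLogin_Saml2_Utils.validate_sign(dom_2, cert_2))
        dom_2.firstChild.firstChild.firstChild.nodeValue = 'https://example.com/other-idp'
        # Modified message
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(dom_2, cert_2))

        # Try to validate directly the Assertion: detached from its signed
        # envelope it must not verify
        dom_3 = parseString(xml_response_double_signed_2)
        assert_elem_3 = dom_3.firstChild.firstChild.nextSibling.nextSibling.nextSibling
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(assert_elem_3, cert_2))

        # Wrong scheme: no signature at all must be a failure, not a pass
        no_signed = b64decode(self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_signature.xml.base64')))
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(no_signed, cert))

        # Signature without key material
        no_key = b64decode(self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_key.xml.base64')))
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(no_key, cert))

        # Signature Wrapping attack: regression guard, the fixture must be
        # rejected rather than verified on the wrong element
        wrapping_attack1 = b64decode(self.file_contents(join(self.data_path, 'responses', 'invalids', 'signature_wrapping_attack.xml.base64')))
        self.assertFalse(OneLogin_Saml2_Utils.validate_sign(wrapping_attack1, cert))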