示例#1
0
    def test_verify_SAML_assertion2(self):
        """
        Test that we reject a modified XML document.
        """
        case = copy.deepcopy(self.cases['SAML_assertion1'])

        # modify the givenName in the XML and make sure the signature
        # does NOT validate anymore
        case.data['out.xml'] = case.data['out.xml'].replace('>Bar<', '>Malory<')

        print("XML input :\n{}\n\n".format(case.as_buf('out.xml')))
        with self.assertRaises(xmlsec.XMLSigException):
            xmlsec.verify(case.as_etree('out.xml'), self.public_keyspec)
示例#2
0
    def test_sign_verify_all(self):
        """
        Run through all testcases, sign and verify using xmlsec1
        """
        for case in self.cases.values():
            if case.has_data('in.xml'):
                signed = xmlsec.sign(case.as_etree('in.xml'),
                                     key_spec=self.private_keyspec,
                                     cert_spec=self.public_keyspec)
                res = xmlsec.verify(signed, self.public_keyspec)
                self.assertTrue(res)
                with open(self.tmpf.name, "w") as fd:
                    xml_str = utils.etree_to_string(signed)
                    fd.write(xml_str)

                run_cmd([
                    XMLSEC1, '--verify', '--store-references', '--id-attr:ID',
                    'urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor',
                    '--id-attr:ID',
                    'urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor',
                    '--id-attr:ID',
                    'urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
                    '--verification-time', '2009-11-01 12:00:00',
                    '--trusted-pem', self.public_keyspec, self.tmpf.name
                ])
示例#3
0
    def test_verify_SAML_assertion1(self):
        """
        Test that we can verify signatures created by another implementation (xmlsec1).
        """
        case = self.cases['SAML_assertion1']
        print("XML input :\n{}\n\n".format(case.as_buf('out.xml')))

        res = xmlsec.verify(case.as_etree('out.xml'),
                            self.public_keyspec)
        self.assertTrue(res)
示例#4
0
    def test_sign_verify_SAML_assertion1(self):
        """
        Test signing a SAML assertion, and making sure we can verify it.
        """
        case = self.cases['SAML_assertion1']
        print("XML input :\n{}\n\n".format(case.as_buf('in.xml')))

        signed = xmlsec.sign(case.as_etree('in.xml'),
                             key_spec=self.private_keyspec,
                             cert_spec=self.public_keyspec)
        res = xmlsec.verify(signed, self.public_keyspec)
        self.assertTrue(res)
示例#5
0
    def test_sign_verify_SAML_assertion_sha256(self):
        """
        Test signing a SAML assertion using sha256, and making sure we can verify it.
        """
        case = self.cases['SAML_assertion_sha256']
        print("XML input :\n{}\n\n".format(case.as_buf('in.xml')))

        signed = xmlsec.sign(case.as_etree('in.xml'),
                             key_spec=self.private_keyspec,
                             cert_spec=self.public_keyspec)
        res = xmlsec.verify(signed, self.public_keyspec)
        self.assertTrue(res)
    def test_sign_xades(self):
        """
        Test that we can sign an already signed document without breaking the first signature
        """

        case = self.cases['dont_break_xades']
        t = case.as_etree('in.xml')

        signed = xmlsec.sign(t, self.private_keyspec)
        self.assertIsNotNone(signed)
        digests = [dv.text for dv in signed.findall('.//{%s}DigestValue' % xmlsec.NS['ds'])]
        assert 'JvmW5vKjaTEVHzOdiC/H3HSGNocGamY9sDeU86ld6TA=' in digests
        res = xmlsec.verify(signed, self.public_keyspec)
        self.assertTrue(res)
    def test_sign_xades(self):
        """
        Test that we can sign an already signed document without breaking the first signature
        """

        case = self.cases['dont_break_xades']
        t = case.as_etree('in.xml')

        signed = xmlsec.sign(t, self.private_keyspec)
        self.assertIsNotNone(signed)
        digests = [dv.text for dv in signed.findall('.//{%s}DigestValue' % xmlsec.NS['ds'])]
        assert 'JvmW5vKjaTEVHzOdiC/H3HSGNocGamY9sDeU86ld6TA=' in digests
        res = xmlsec.verify(signed, self.public_keyspec)
        self.assertTrue(res)
示例#8
0
    def test_SAML_sign_with_pkcs11(self):
        """
        Test signing a SAML assertion using PKCS#11 and then verifying it using plain file.
        """
        case = self.cases['SAML_assertion1']
        print("XML input :\n{}\n\n".format(case.as_buf('in.xml')))

        os.environ['SOFTHSM_CONF'] = softhsm_conf

        signed = xmlsec.sign(case.as_etree('in.xml'),
                             key_spec="pkcs11://%s:0/test?pin=secret1" % P11_MODULE)

        # verify signature using the public key
        res = xmlsec.verify(signed, signer_cert_pem)
        self.assertTrue(res)
示例#9
0
    def test_SAML_sign_with_pkcs11(self):
        """
        Test signing a SAML assertion using PKCS#11 and then verifying it using plain file.
        """
        case = self.cases['SAML_assertion1']
        print("XML input :\n{}\n\n".format(case.as_buf('in.xml')))

        os.environ['SOFTHSM_CONF'] = softhsm_conf

        signed = xmlsec.sign(case.as_etree('in.xml'),
                             key_spec="pkcs11://%s:0/test?pin=secret1" %
                             P11_MODULE)

        # verify signature using the public key
        res = xmlsec.verify(signed, signer_cert_pem)
        self.assertTrue(res)
示例#10
0
文件: sigver.py 项目: gbel/pysaml2
    def validate_signature(self, signedtext, cert_file, cert_type, _node_name,
                           _node_id, _id_attr):
        """
        Validate signature on XML document.

        The parameters actually used in this CryptoBackend
        implementation are :

        :param signedtext: The signed XML data as string
        :param cert_file: xmlsec key_spec string(), filename,
            "pkcs11://" URI or PEM data
        :param cert_type: string, must be 'pem' for now
        :returns: True on successful validation, False otherwise
        """
        if cert_type != "pem":
            raise Unsupported("Only PEM certs supported here")
        import xmlsec

        xml = xmlsec.parse_xml(signedtext)
        try:
            return xmlsec.verify(xml, cert_file)
        except xmlsec.XMLSigException:
            return False
示例#11
0
    def validate_signature(self, signedtext, cert_file, cert_type, _node_name,
                           _node_id, _id_attr):
        """
        Validate signature on XML document.

        The parameters actually used in this CryptoBackend
        implementation are :

        :param signedtext: The signed XML data as string
        :param cert_file: xmlsec key_spec string(), filename,
            "pkcs11://" URI or PEM data
        :param cert_type: string, must be 'pem' for now
        :returns: True on successful validation, False otherwise
        """
        if cert_type != "pem":
            raise Unsupported("Only PEM certs supported here")
        import xmlsec

        xml = xmlsec.parse_xml(signedtext)
        try:
            return xmlsec.verify(xml, cert_file)
        except xmlsec.XMLSigException:
            return False
示例#12
0
    def test_sign_verify_all(self):
        """
        Run through all testcases, sign and verify using xmlsec1
        """
        for case in self.cases.values():
            if case.has_data('in.xml'):
                signed = xmlsec.sign(case.as_etree('in.xml'),
                                     key_spec=self.private_keyspec,
                                     cert_spec=self.public_keyspec)
                res = xmlsec.verify(signed, self.public_keyspec)
                self.assertTrue(res)
                with open(self.tmpf.name, "w") as fd:
                    fd.write(etree.tostring(signed))

                run_cmd([XMLSEC1,
                         '--verify',
                         '--store-references',
                         '--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor',
                         '--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor',
                         '--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
                         '--verification-time', '2009-11-01 12:00:00',
                         '--trusted-pem', self.public_keyspec,
                         self.tmpf.name])
示例#13
0
        signed_sv = _get_all_signatures(signed)

        print "Signed   SignatureValue: %s" % (repr(signed_sv))
        print "Expected SignatureValue: %s" % (repr(expected_sv))

        self.assertEquals(digest, expected_digest)
        self.assertEqual(signed_sv, expected_sv)

    def test_verify_href(self):
        case = self.cases['href']
        t = case.as_etree('href.xml',
                          remove_comments=False,
                          remove_whitespace=False)
        href_signer = os.path.join(
            self.datadir, "signverify/href/href-metadata-signer-2011.crt")
        res = xmlsec.verify(t, href_signer)
        self.assertTrue(res)

    def test_edugain_with_xmlsec1(self):
        case = self.cases['edugain']
        t = case.as_etree('xmlsec1_in.xml')
        signed = xmlsec.sign(t,
                             key_spec=self.private_keyspec,
                             cert_spec=self.public_keyspec)

        expected = case.as_etree('xmlsec1_out.xml')

        print " --- Expected"
        print etree.tostring(expected)
        print " --- Actual"
        print etree.tostring(signed)
示例#14
0
 def test_verify_href(self):
     case = self.cases['href']
     t = case.as_etree('href.xml',remove_comments=False,remove_whitespace=False)
     href_signer = os.path.join(self.datadir, "signverify/href/href-metadata-signer-2011.crt")
     res = xmlsec.verify(t, href_signer)
     self.assertTrue(res)
示例#15
0
            t = etree.parse(fn, base_url=base_url, parser=etree.XMLParser(resolve_entities=False))
            t.xinclude()
            schema().assertValid(t)
        except DocumentInvalid, ex:
            log.debug(_e(ex.error_log))
            raise ValueError("XML schema validation failed")
        except Exception, ex:
            log.debug(_e(schema().error_log))
            log.error(ex)
            if fail_on_error:
                raise ex
            return None
        if key is not None:
            try:
                log.debug("verifying signature using %s" % key)
                xmlsec.verify(t, key)
            except Exception, ex:
                tb = traceback.format_exc()
                print tb
                log.error(ex)
                return None

        return t

    def import_metadata(self, t, url=None):
        """
:param t: An EntitiesDescriptor element
:param url: An optional URL to used to identify the EntitiesDescriptor in the MDRepository

Import an EntitiesDescriptor element using the @Name attribute (or the supplied url parameter). All
EntityDescriptor elements are stripped of any @ID attribute and are then indexed before the collection
示例#16
0
 def test_verify_all(self):
     for case in self.cases.values():
         public_keyspec = os.path.join(self.resource_dir, case.name, "signer.crt")
         res = xmlsec.verify(case.as_etree("in.xml"), public_keyspec)
         self.assertTrue(res)