def test_verify_SAML_assertion2(self):
"""
Test that we reject a modified XML document.
"""
case = copy.deepcopy(self.cases['SAML_assertion1'])
# modify the givenName in the XML and make sure the signature
# does NOT validate anymore
case.data['out.xml'] = case.data['out.xml'].replace('>Bar<', '>Malory<')
print("XML input :\n{}\n\n".format(case.as_buf('out.xml')))
with self.assertRaises(xmlsec.XMLSigException):
xmlsec.verify(case.as_etree('out.xml'), self.public_keyspec)
def test_sign_verify_all(self):
"""
Run through all testcases, sign and verify using xmlsec1
"""
for case in self.cases.values():
if case.has_data('in.xml'):
signed = xmlsec.sign(case.as_etree('in.xml'),
key_spec=self.private_keyspec,
cert_spec=self.public_keyspec)
res = xmlsec.verify(signed, self.public_keyspec)
self.assertTrue(res)
with open(self.tmpf.name, "w") as fd:
xml_str = utils.etree_to_string(signed)
fd.write(xml_str)
run_cmd([
XMLSEC1, '--verify', '--store-references', '--id-attr:ID',
'urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor',
'--id-attr:ID',
'urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor',
'--id-attr:ID',
'urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
'--verification-time', '2009-11-01 12:00:00',
'--trusted-pem', self.public_keyspec, self.tmpf.name
])
def test_verify_SAML_assertion1(self):
"""
Test that we can verify signatures created by another implementation (xmlsec1).
"""
case = self.cases['SAML_assertion1']
print("XML input :\n{}\n\n".format(case.as_buf('out.xml')))
res = xmlsec.verify(case.as_etree('out.xml'),
self.public_keyspec)
self.assertTrue(res)
def test_sign_verify_SAML_assertion1(self):
"""
Test signing a SAML assertion, and making sure we can verify it.
"""
case = self.cases['SAML_assertion1']
print("XML input :\n{}\n\n".format(case.as_buf('in.xml')))
signed = xmlsec.sign(case.as_etree('in.xml'),
key_spec=self.private_keyspec,
cert_spec=self.public_keyspec)
res = xmlsec.verify(signed, self.public_keyspec)
self.assertTrue(res)
def test_sign_verify_SAML_assertion_sha256(self):
"""
Test signing a SAML assertion using sha256, and making sure we can verify it.
"""
case = self.cases['SAML_assertion_sha256']
print("XML input :\n{}\n\n".format(case.as_buf('in.xml')))
signed = xmlsec.sign(case.as_etree('in.xml'),
key_spec=self.private_keyspec,
cert_spec=self.public_keyspec)
res = xmlsec.verify(signed, self.public_keyspec)
self.assertTrue(res)
def test_sign_xades(self):
"""
Test that we can sign an already signed document without breaking the first signature
"""
case = self.cases['dont_break_xades']
t = case.as_etree('in.xml')
signed = xmlsec.sign(t, self.private_keyspec)
self.assertIsNotNone(signed)
digests = [dv.text for dv in signed.findall('.//{%s}DigestValue' % xmlsec.NS['ds'])]
assert 'JvmW5vKjaTEVHzOdiC/H3HSGNocGamY9sDeU86ld6TA=' in digests
res = xmlsec.verify(signed, self.public_keyspec)
self.assertTrue(res)
def test_sign_xades(self):
"""
Test that we can sign an already signed document without breaking the first signature
"""
case = self.cases['dont_break_xades']
t = case.as_etree('in.xml')
signed = xmlsec.sign(t, self.private_keyspec)
self.assertIsNotNone(signed)
digests = [dv.text for dv in signed.findall('.//{%s}DigestValue' % xmlsec.NS['ds'])]
assert 'JvmW5vKjaTEVHzOdiC/H3HSGNocGamY9sDeU86ld6TA=' in digests
res = xmlsec.verify(signed, self.public_keyspec)
self.assertTrue(res)
def test_SAML_sign_with_pkcs11(self):
"""
Test signing a SAML assertion using PKCS#11 and then verifying it using plain file.
"""
case = self.cases['SAML_assertion1']
print("XML input :\n{}\n\n".format(case.as_buf('in.xml')))
os.environ['SOFTHSM_CONF'] = softhsm_conf
signed = xmlsec.sign(case.as_etree('in.xml'),
key_spec="pkcs11://%s:0/test?pin=secret1" % P11_MODULE)
# verify signature using the public key
res = xmlsec.verify(signed, signer_cert_pem)
self.assertTrue(res)
def test_SAML_sign_with_pkcs11(self):
"""
Test signing a SAML assertion using PKCS#11 and then verifying it using plain file.
"""
case = self.cases['SAML_assertion1']
print("XML input :\n{}\n\n".format(case.as_buf('in.xml')))
os.environ['SOFTHSM_CONF'] = softhsm_conf
signed = xmlsec.sign(case.as_etree('in.xml'),
key_spec="pkcs11://%s:0/test?pin=secret1" %
P11_MODULE)
# verify signature using the public key
res = xmlsec.verify(signed, signer_cert_pem)
self.assertTrue(res)
def validate_signature(self, signedtext, cert_file, cert_type, _node_name,
_node_id, _id_attr):
"""
Validate signature on XML document.
The parameters actually used in this CryptoBackend
implementation are :
:param signedtext: The signed XML data as string
:param cert_file: xmlsec key_spec string(), filename,
"pkcs11://" URI or PEM data
:param cert_type: string, must be 'pem' for now
:returns: True on successful validation, False otherwise
"""
if cert_type != "pem":
raise Unsupported("Only PEM certs supported here")
import xmlsec
xml = xmlsec.parse_xml(signedtext)
try:
return xmlsec.verify(xml, cert_file)
except xmlsec.XMLSigException:
return False
def validate_signature(self, signedtext, cert_file, cert_type, _node_name,
_node_id, _id_attr):
"""
Validate signature on XML document.
The parameters actually used in this CryptoBackend
implementation are :
:param signedtext: The signed XML data as string
:param cert_file: xmlsec key_spec string(), filename,
"pkcs11://" URI or PEM data
:param cert_type: string, must be 'pem' for now
:returns: True on successful validation, False otherwise
"""
if cert_type != "pem":
raise Unsupported("Only PEM certs supported here")
import xmlsec
xml = xmlsec.parse_xml(signedtext)
try:
return xmlsec.verify(xml, cert_file)
except xmlsec.XMLSigException:
return False
def test_sign_verify_all(self):
"""
Run through all testcases, sign and verify using xmlsec1
"""
for case in self.cases.values():
if case.has_data('in.xml'):
signed = xmlsec.sign(case.as_etree('in.xml'),
key_spec=self.private_keyspec,
cert_spec=self.public_keyspec)
res = xmlsec.verify(signed, self.public_keyspec)
self.assertTrue(res)
with open(self.tmpf.name, "w") as fd:
fd.write(etree.tostring(signed))
run_cmd([XMLSEC1,
'--verify',
'--store-references',
'--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor',
'--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor',
'--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:assertion:Assertion',
'--verification-time', '2009-11-01 12:00:00',
'--trusted-pem', self.public_keyspec,
self.tmpf.name])
signed_sv = _get_all_signatures(signed)
print "Signed SignatureValue: %s" % (repr(signed_sv))
print "Expected SignatureValue: %s" % (repr(expected_sv))
self.assertEquals(digest, expected_digest)
self.assertEqual(signed_sv, expected_sv)
def test_verify_href(self):
case = self.cases['href']
t = case.as_etree('href.xml',
remove_comments=False,
remove_whitespace=False)
href_signer = os.path.join(
self.datadir, "signverify/href/href-metadata-signer-2011.crt")
res = xmlsec.verify(t, href_signer)
self.assertTrue(res)
def test_edugain_with_xmlsec1(self):
case = self.cases['edugain']
t = case.as_etree('xmlsec1_in.xml')
signed = xmlsec.sign(t,
key_spec=self.private_keyspec,
cert_spec=self.public_keyspec)
expected = case.as_etree('xmlsec1_out.xml')
print " --- Expected"
print etree.tostring(expected)
print " --- Actual"
print etree.tostring(signed)
def test_verify_href(self):
case = self.cases['href']
t = case.as_etree('href.xml',remove_comments=False,remove_whitespace=False)
href_signer = os.path.join(self.datadir, "signverify/href/href-metadata-signer-2011.crt")
res = xmlsec.verify(t, href_signer)
self.assertTrue(res)
t = etree.parse(fn, base_url=base_url, parser=etree.XMLParser(resolve_entities=False))
t.xinclude()
schema().assertValid(t)
except DocumentInvalid, ex:
log.debug(_e(ex.error_log))
raise ValueError("XML schema validation failed")
except Exception, ex:
log.debug(_e(schema().error_log))
log.error(ex)
if fail_on_error:
raise ex
return None
if key is not None:
try:
log.debug("verifying signature using %s" % key)
xmlsec.verify(t, key)
except Exception, ex:
tb = traceback.format_exc()
print tb
log.error(ex)
return None
return t
def import_metadata(self, t, url=None):
"""
:param t: An EntitiesDescriptor element
:param url: An optional URL to used to identify the EntitiesDescriptor in the MDRepository
Import an EntitiesDescriptor element using the @Name attribute (or the supplied url parameter). All
EntityDescriptor elements are stripped of any @ID attribute and are then indexed before the collection
def test_verify_all(self):
for case in self.cases.values():
public_keyspec = os.path.join(self.resource_dir, case.name, "signer.crt")
res = xmlsec.verify(case.as_etree("in.xml"), public_keyspec)
self.assertTrue(res)