providers/saml: fix wrong signing property being checked

closes PASSBOOK-45
This commit is contained in:
Jens Langhammer 2020-04-10 21:52:03 +02:00
parent 7b9d1a1159
commit 9a1270c693
3 changed files with 3 additions and 10 deletions

View file

@ -1,8 +1,8 @@
"""passbook management command to bootstrap""" """passbook management command to bootstrap"""
from argparse import REMAINDER from argparse import REMAINDER
from subprocess import Popen # nosec from subprocess import Popen # nosec
from sys import stderr, stdin, stdout
from sys import exit as _exit from sys import exit as _exit
from sys import stderr, stdin, stdout
from time import sleep from time import sleep
from typing import List from typing import List

View file

@ -82,7 +82,7 @@ def get_response_xml(parameters, saml_provider: SAMLProvider, assertion_id=""):
raw_response = render_to_string("saml/xml/response.xml", params) raw_response = render_to_string("saml/xml/response.xml", params)
if not saml_provider.signing: if not saml_provider.signing_kp:
return raw_response return raw_response
signature_xml = get_signature_xml() signature_xml = get_signature_xml()

View file

@ -1,8 +1,6 @@
"""Signing code goes here.""" """Signing code goes here."""
from typing import TYPE_CHECKING from typing import TYPE_CHECKING
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from lxml import etree # nosec from lxml import etree # nosec
from signxml import XMLSigner, XMLVerifier from signxml import XMLSigner, XMLVerifier
from structlog import get_logger from structlog import get_logger
@ -17,11 +15,6 @@ LOGGER = get_logger()
def sign_with_signxml(data: str, provider: "SAMLProvider", reference_uri=None) -> str: def sign_with_signxml(data: str, provider: "SAMLProvider", reference_uri=None) -> str:
"""Sign Data with signxml""" """Sign Data with signxml"""
key = serialization.load_pem_private_key(
str.encode("\n".join([x.strip() for x in provider.signing_key.split("\n")])),
password=None,
backend=default_backend(),
)
# defused XML is not used here because it messes up XML namespaces # defused XML is not used here because it messes up XML namespaces
# Data is trusted, so lxml is ok # Data is trusted, so lxml is ok
root = etree.fromstring(data) # nosec root = etree.fromstring(data) # nosec
@ -32,7 +25,7 @@ def sign_with_signxml(data: str, provider: "SAMLProvider", reference_uri=None) -
) )
signed = signer.sign( signed = signer.sign(
root, root,
key=key, key=provider.signing_kp.private_key,
cert=[provider.signing_kp.certificate_data], cert=[provider.signing_kp.certificate_data],
reference_uri=reference_uri, reference_uri=reference_uri,
) )