Merge lp://staging/~roadmr/django-saml2-idp/fix-digest-signature-xml-identifiers-algorithm into lp://staging/~ubuntuone-pqm-team/django-saml2-idp/stable
| Field | Value |
|---|---|
| Status | Merged |
| Merged at revision | 77 |
| Proposed branch | lp://staging/~roadmr/django-saml2-idp/fix-digest-signature-xml-identifiers-algorithm |
| Merge into | lp://staging/~ubuntuone-pqm-team/django-saml2-idp/stable |
| Diff against target | 309 lines (+168/-21), 6 files modified |
| To merge this branch | bzr merge lp://staging/~roadmr/django-saml2-idp/fix-digest-signature-xml-identifiers-algorithm |
| Related bugs | |

Files modified:
- idptest/keys/sample/sample-public-key.pub (+4/-0)
- idptest/saml2idp/tests/signing.py (+116/-4)
- idptest/saml2idp/xml_signing.py (+41/-13)
- idptest/saml2idp/xml_templates.py (+2/-2)
- requirements.txt (+4/-1)
- setup.py (+1/-1)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Guillermo Gonzalez | Approve | | |
Commit message
Properly implement sha2 saml signatures.
Changes needed from my prior, naive branch:
- Digest and signature method identifiers aren't simply about s/sha1/sha256/; the identifier is a complete URL which is distinct depending on algorithm and purpose.
- M2crypto way of generating the signature defaulted to sha1 (suggests M2crypto is old as hell), a bit of extra code to tune this was needed.
- Existing tests did not actually cryptowankily verify the signature, new tests now do.
Description of the change
A possible way of testing is hacking the test code to spit out a full SAML signed assertion, then validate it using https:/
An example SAML assertion:
<samlp:Response xmlns:samlp=
Values to configure in the saml validator:
entityid http://
sp entityid example.net
sp attribute http://
url destination https:/
Certificate MIICKzCCAdWgAwI
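The commit message's first point (digest and signature method identifiers are distinct, purpose-specific URIs, not a string substitution of sha1 with sha256) can be checked with the following added example; it is not code from this branch or from django-saml2-idp, uses only the Python standard library, and therefore covers the DigestValue side only (the RSA signing that the branch tunes in M2Crypto is out of scope). The sample assertion bytes are constructed here.

```python
import base64
import hashlib
import hmac

# XML-DSig algorithm identifiers are complete URIs and differ by purpose:
# the SHA-256 digest URI lives in the xmlenc namespace, the RSA-SHA256
# signature URI in xmldsig-more, so neither is "xmldsig#sha1" with the
# hash name swapped.
DIGEST_METHOD = {
    "sha1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
}
SIGNATURE_METHOD = {
    "sha1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "sha256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}

# Constructed, already-canonicalized assertion bytes (not a real assertion).
SAMPLE_ASSERTION = b'<saml:Assertion ID="_example" IssueInstant="2014-01-01T00:00:00Z"/>'


def method_uris(algorithm):
    """Return the (DigestMethod, SignatureMethod) URIs for a hash name."""
    return DIGEST_METHOD[algorithm], SIGNATURE_METHOD[algorithm]


def digest_value(canonical_xml, algorithm):
    """Base64 DigestValue of canonicalized bytes under the named hash."""
    return base64.b64encode(hashlib.new(algorithm, canonical_xml).digest()).decode("ascii")


def verify_digest(canonical_xml, digest_method_uri, digest_value_b64):
    """Verify a DigestValue, deriving the hash from the URI (never guessing).

    Unknown URIs, including the naive 'xmldsig#sha256' that a plain
    s/sha1/sha256/ would produce, are rejected outright.
    """
    algorithm_by_uri = {uri: alg for alg, uri in DIGEST_METHOD.items()}
    algorithm = algorithm_by_uri.get(digest_method_uri)
    if algorithm is None:
        return False
    expected = digest_value(canonical_xml, algorithm)
    # Constant-time comparison avoids leaking how many leading chars matched.
    return hmac.compare_digest(expected, digest_value_b64)
```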
Don't really know much about SAML, but looks reasonable and I share the pain of xml handling in python (in every language probably)
Just 1 small comment/question