Now the SP is able to select the algorithm to be used on signatures

Author: pitbulk

README.md

@@ -323,7 +323,15 @@ In addition to the required settings data (idp, sp), there is extra information
         // Provide the desired Timestamp, for example 2015-06-26T20:00:00Z
         'metadataValidUntil': null,
         // Provide the desired duration, for example PT518400S (6 days)
-        'metadataCacheDuration': null
+        'metadataCacheDuration': null,
+
+        // Algorithm that the toolkit will use on signing process. Options:
+        //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+        //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
+        'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
     },
 
     // Contact information template, it is recommended to suply a

demo-django/saml/advanced_settings.json

@@ -8,6 +8,7 @@
         "wantMessagesSigned": false,
         "wantAssertionsSigned": false,
         "wantNameIdEncrypted": false
+        "signatureAlgorithm" => "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
     },
     "contactPerson": {
         "technical": {
@@ -26,4 +27,4 @@
             "url": "http://sp.example.com"
         }
     }
-}
+}

demo-flask/saml/advanced_settings.json

@@ -7,7 +7,8 @@
         "signMetadata": false,
         "wantMessagesSigned": false,
         "wantAssertionsSigned": false,
-        "wantNameIdEncrypted": false
+        "wantNameIdEncrypted": false,
+        "signatureAlgorithm" => "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
     },
     "contactPerson": {
         "technical": {

src/onelogin/saml2/auth.py

@@ -152,8 +152,8 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
 
                 security = self.__settings.get_security_data()
                 if 'logoutResponseSigned' in security and security['logoutResponseSigned']:
-                    parameters['SigAlg'] = OneLogin_Saml2_Constants.RSA_SHA1
-                    parameters['Signature'] = self.build_response_signature(logout_response, parameters.get('RelayState', None))
+                    parameters['SigAlg'] = security['signatureAlgorithm']
+                    parameters['Signature'] = self.build_response_signature(logout_response, parameters.get('RelayState', None), security['signatureAlgorithm'])
 
                 return self.redirect_to(self.get_slo_url(), parameters)
         else:
@@ -274,8 +274,8 @@ def login(self, return_to=None, force_authn=False, is_passive=False):
 
         security = self.__settings.get_security_data()
         if security.get('authnRequestsSigned', False):
-            parameters['SigAlg'] = OneLogin_Saml2_Constants.RSA_SHA1
-            parameters['Signature'] = self.build_request_signature(saml_request, parameters['RelayState'])
+            parameters['SigAlg'] = security['signatureAlgorithm']
+            parameters['Signature'] = self.build_request_signature(saml_request, parameters['RelayState'], security['signatureAlgorithm'])
         return self.redirect_to(self.get_sso_url(), parameters)
 
     def logout(self, return_to=None, name_id=None, session_index=None):
@@ -315,8 +315,8 @@ def logout(self, return_to=None, name_id=None, session_index=None):
 
         security = self.__settings.get_security_data()
         if security.get('logoutRequestSigned', False):
-            parameters['SigAlg'] = OneLogin_Saml2_Constants.RSA_SHA1
-            parameters['Signature'] = self.build_request_signature(saml_request, parameters['RelayState'])
+            parameters['SigAlg'] = security['signatureAlgorithm']
+            parameters['Signature'] = self.build_request_signature(saml_request, parameters['RelayState'], security['signatureAlgorithm'])
         return self.redirect_to(slo_url, parameters)
 
     def get_sso_url(self):
@@ -342,7 +342,7 @@ def get_slo_url(self):
             url = idp_data['singleLogoutService']['url']
         return url
 
-    def build_request_signature(self, saml_request, relay_state):
+    def build_request_signature(self, saml_request, relay_state, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
         Builds the Signature of the SAML Request.
 
@@ -351,21 +351,27 @@ def build_request_signature(self, saml_request, relay_state):
 
         :param relay_state: The target URL the user should be redirected to
         :type relay_state: string
+
+        :param sign_algorithm: Signature algorithm method
+        :type sign_algorithm: string
         """
-        return self.__build_signature(saml_request, relay_state, 'SAMLRequest')
+        return self.__build_signature(saml_request, relay_state, 'SAMLRequest', sign_algorithm)
 
-    def build_response_signature(self, saml_response, relay_state):
+    def build_response_signature(self, saml_response, relay_state, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
         Builds the Signature of the SAML Response.
         :param saml_request: The SAML Response
         :type saml_request: string
 
         :param relay_state: The target URL the user should be redirected to
         :type relay_state: string
+
+        :param sign_algorithm: Signature algorithm method
+        :type sign_algorithm: string
         """
-        return self.__build_signature(saml_response, relay_state, 'SAMLResponse')
+        return self.__build_signature(saml_response, relay_state, 'SAMLResponse', sign_algorithm)
 
-    def __build_signature(self, saml_data, relay_state, saml_type):
+    def __build_signature(self, saml_data, relay_state, saml_type, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
         Builds the Signature
         :param saml_data: The SAML Data
@@ -376,6 +382,9 @@ def __build_signature(self, saml_data, relay_state, saml_type):
 
         :param saml_type: The target URL the user should be redirected to
         :type saml_type: string  SAMLRequest | SAMLResponse
+
+        :param sign_algorithm: Signature algorithm method
+        :type sign_algorithm: string
         """
         assert saml_type in ['SAMLRequest', 'SAMLResponse']
 
@@ -395,10 +404,20 @@ def __build_signature(self, saml_data, relay_state, saml_type):
 
         saml_data_str = '%s=%s' % (saml_type, quote_plus(saml_data))
         relay_state_str = 'RelayState=%s' % quote_plus(relay_state)
-        alg_str = 'SigAlg=%s' % quote_plus(OneLogin_Saml2_Constants.RSA_SHA1)
+        alg_str = 'SigAlg=%s' % quote_plus(sign_algorithm)
 
         sign_data = [saml_data_str, relay_state_str, alg_str]
         msg = '&'.join(sign_data)
 
-        signature = dsig_ctx.signBinary(str(msg), xmlsec.TransformRsaSha1)
+        # Sign the metadata with our private key.
+        sign_algorithm_transform_map = {
+            OneLogin_Saml2_Constants.DSA_SHA1: xmlsec.TransformDsaSha1,
+            OneLogin_Saml2_Constants.RSA_SHA1: xmlsec.TransformRsaSha1,
+            OneLogin_Saml2_Constants.RSA_SHA256: xmlsec.TransformRsaSha256,
+            OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.TransformRsaSha384,
+            OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.TransformRsaSha512
+        }
+        sign_algorithm_transform = sign_algorithm_transform_map.get(sign_algorithm, xmlsec.TransformRsaSha1)
+
+        signature = dsig_ctx.signBinary(str(msg), sign_algorithm_transform)
         return b64encode(signature)

src/onelogin/saml2/constants.py

@@ -76,12 +76,30 @@ class OneLogin_Saml2_Constants(object):
     STATUS_PARTIAL_LOGOUT = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout'
     STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded'
 
-    # Crypto
-    RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
-
+    # Namespaces
     NSMAP = {
         'samlp': NS_SAMLP,
         'saml': NS_SAML,
         'ds': NS_DS,
         'xenc': NS_XENC
     }
+
+    # Sign & Crypto
+    SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1'
+    SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'
+    SHA384 = 'http://www.w3.org/2001/04/xmlencsha384'
+    SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'
+
+    DSA_SHA1 = 'http://www.w3.org/2000/09/xmld/sig#dsa-sha1'
+    RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+    RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+    RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
+    RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
+
+    # Enc
+    TRIPLEDES_CBC = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'
+    AES128_CBC = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'
+    AES192_CBC = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc'
+    AES256_CBC = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
+    RSA_1_5 = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
+    RSA_OAEP_MGF1P = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'

src/onelogin/saml2/metadata.py

@@ -153,7 +153,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
         return metadata
 
     @staticmethod
-    def sign_metadata(metadata, key, cert):
+    def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
         Signs the metadata with the key/cert provided
 
@@ -166,10 +166,13 @@ def sign_metadata(metadata, key, cert):
         :param cert: x509 cert
         :type cert: string
 
+        :param sign_algorithm: Signature algorithm method
+        :type sign_algorithm: string
+
         :returns: Signed Metadata
         :rtype: string
         """
-        return OneLogin_Saml2_Utils.add_sign(metadata, key, cert)
+        return OneLogin_Saml2_Utils.add_sign(metadata, key, cert, False, sign_algorithm)
 
     @staticmethod
     def add_x509_key_descriptors(metadata, cert=None):

src/onelogin/saml2/settings.py

@@ -295,6 +295,10 @@ def __add_default_values(self):
         if 'wantNameIdEncrypted' not in self.__security.keys():
             self.__security['wantNameIdEncrypted'] = False
 
+        # Signature Algorithm
+        if 'signatureAlgorithm' not in self.__security.keys():
+            self.__security['signatureAlgorithm'] = OneLogin_Saml2_Constants.RSA_SHA1
+
         if 'x509cert' not in self.__idp:
             self.__idp['x509cert'] = ''
         if 'certFingerprint' not in self.__idp:

src/onelogin/saml2/utils.py

@@ -759,7 +759,7 @@ def write_temp_file(content):
         return f_temp
 
     @staticmethod
-    def add_sign(xml, key, cert, debug=False):
+    def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
         Adds signature key and senders certificate to an element (Message or
         Assertion).
@@ -770,11 +770,14 @@ def add_sign(xml, key, cert, debug=False):
         :param key: The private key
         :type: string
 
+        :param cert: The public
+        :type: string
+
         :param debug: Activate the xmlsec debug
         :type: bool
 
-        :param cert: The public
-        :type: string
+        :param sign_algorithm: Signature algorithm method
+        :type sign_algorithm: string
         """
         if xml is None or xml == '':
             raise Exception('Empty string supplied as input')
@@ -807,7 +810,16 @@ def add_sign(xml, key, cert, debug=False):
             xmlsec.set_error_callback(print_xmlsec_errors)
 
         # Sign the metadata with our private key.
-        signature = Signature(xmlsec.TransformExclC14N, xmlsec.TransformRsaSha1)
+        sign_algorithm_transform_map = {
+            OneLogin_Saml2_Constants.DSA_SHA1: xmlsec.TransformDsaSha1,
+            OneLogin_Saml2_Constants.RSA_SHA1: xmlsec.TransformRsaSha1,
+            OneLogin_Saml2_Constants.RSA_SHA256: xmlsec.TransformRsaSha256,
+            OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.TransformRsaSha384,
+            OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.TransformRsaSha512
+        }
+        sign_algorithm_transform = sign_algorithm_transform_map.get(sign_algorithm, xmlsec.TransformRsaSha1)
+
+        signature = Signature(xmlsec.TransformExclC14N, sign_algorithm_transform)
 
         issuer = OneLogin_Saml2_Utils.query(elem, '//saml:Issuer')
         if len(issuer) > 0: