Related to #53. Support sign validation of different kinds of algorithm

pitbulk · pitbulk · commit f1b3f93c56cb · 2015-07-17T01:18:21.000+02:00
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
@@ -306,9 +306,6 @@ def is_valid(self, request_data):
                 else:
                     sign_alg = get_data['SigAlg']
 
-                if sign_alg != OneLogin_Saml2_Constants.RSA_SHA1:
-                    raise Exception('Invalid signAlg in the recieved Logout Request')
-
                 signed_query = 'SAMLRequest=%s' % quote_plus(get_data['SAMLRequest'])
                 if 'RelayState' in get_data:
                     signed_query = '%s&RelayState=%s' % (signed_query, quote_plus(get_data['RelayState']))
@@ -318,12 +315,12 @@ def is_valid(self, request_data):
                     raise Exception('In order to validate the sign on the Logout Request, the x509cert of the IdP is required')
                 cert = idp_data['x509cert']
 
-                if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert):
+                if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert, sign_alg):
                     raise Exception('Signature validation failed. Logout Request rejected')
 
             return True
         except Exception as err:
-            # pylint: disable=R0801
+            # pylint: disable=R0801sign_alg
             self.__error = err.__str__()
             debug = self.__settings.is_debug_active()
             if debug:
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
@@ -120,9 +120,6 @@ def is_valid(self, request_data, request_id=None):
                 else:
                     sign_alg = get_data['SigAlg']
 
-                if sign_alg != OneLogin_Saml2_Constants.RSA_SHA1:
-                    raise Exception('Invalid signAlg in the recieved Logout Response')
-
                 signed_query = 'SAMLResponse=%s' % quote_plus(get_data['SAMLResponse'])
                 if 'RelayState' in get_data:
                     signed_query = '%s&RelayState=%s' % (signed_query, quote_plus(get_data['RelayState']))
@@ -132,7 +129,7 @@ def is_valid(self, request_data, request_id=None):
                     raise Exception('In order to validate the sign on the Logout Response, the x509cert of the IdP is required')
                 cert = idp_data['x509cert']
 
-                if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert):
+                if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert, sign_alg):
                     raise Exception('Signature validation failed. Logout Response rejected')
 
             return True
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
@@ -963,7 +963,7 @@ def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', valid
             return False
 
     @staticmethod
-    def validate_binary_sign(signed_query, signature, cert=None, algorithm=xmlsec.TransformRsaSha1, debug=False):
+    def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_Saml2_Constants.RSA_SHA1, debug=False):
         """
         Validates signed bynary data (Used to validate GET Signature).
 
@@ -995,7 +995,17 @@ def validate_binary_sign(signed_query, signature, cert=None, algorithm=xmlsec.Tr
             dsig_ctx.signKey = xmlsec.Key.load(file_cert.name, xmlsec.KeyDataFormatCertPem, None)
             file_cert.close()
 
-            dsig_ctx.verifyBinary(signed_query, algorithm, signature)
+            # Sign the metadata with our private key.
+            sign_algorithm_transform_map = {
+                OneLogin_Saml2_Constants.DSA_SHA1: xmlsec.TransformDsaSha1,
+                OneLogin_Saml2_Constants.RSA_SHA1: xmlsec.TransformRsaSha1,
+                OneLogin_Saml2_Constants.RSA_SHA256: xmlsec.TransformRsaSha256,
+                OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.TransformRsaSha384,
+                OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.TransformRsaSha512
+            }
+            sign_algorithm_transform = sign_algorithm_transform_map.get(algorithm, xmlsec.TransformRsaSha1)
+
+            dsig_ctx.verifyBinary(signed_query, sign_algorithm_transform, signature)
             return True
         except Exception:
             return False
