19 changes: 15 additions & 4 deletions src/xmlsec/crypto.py
Expand Up @@ -27,10 +27,15 @@ def from_keyspec(keyspec, private=False, signature_element=None):
set to a function calling the 'sign' function for the key,
and the rest based on the (public) key returned by
xmlsec.pk11.signer().
- an http:// URL REST URL used for signing (see pyeleven).
- a fingerprint. If signature_element is provided, the key is located using
the fingerprint (provided as string).
- X.509 string. An X.509 certificate as string.

If the keyspec is prefixed by 'xmlsec+', that prefix will be removed.
This is a workaround for pysaml2 that handles keyspecs starting with
'http' differently.

Resulting dictionary (used except for 'callable') :

{'keyspec': keyspec,
Expand All @@ -47,6 +52,9 @@ def from_keyspec(keyspec, private=False, signature_element=None):
:param signature_element:
:returns: dict, see above.
"""
if keyspec.startswith('xmlsec+'):
# workaround for pysaml2 which handles http keyspecs differently
keyspec = keyspec[7:]
thread_local = threading.local()
cache = getattr(thread_local, 'keycache', {})
if keyspec in cache:
Expand Down Expand Up @@ -156,14 +164,17 @@ def __init__(self, signature_element, keyspec):
class XMLSecCryptoREST(XMlSecCrypto):
def __init__(self, keyspec):
super(XMLSecCryptoREST, self).__init__(source="rest", do_padding=False, private=True)
self._url = "%s/sign" % keyspec
self._keyspec = keyspec

def sign(self, data):
def sign(self, data, raw_sign=False):
try:
import requests
import json
r = requests.post(self._url,
json=dict(mech='RSAPKCS1', data=data.encode("base64")))
if raw_sign:
url = '{!s}/rawsign'.format(self._keyspec)
else:
url = '{!s}/sign'.format(self._keyspec)
r = requests.post(url, json=dict(mech='RSAPKCS1', data=data.encode("base64")))
if r.status_code != requests.codes.ok:
r.raise_for_status()
msg = r.json()
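Review bot: The new `raw_sign` parameter of `sign` is undocumented and the rewritten `requests.post` call still carries no `timeout=`, so a stalled signing service blocks the caller indefinitely; suggest `r = requests.post(url, json=dict(mech='RSAPKCS1', data=data.encode("base64")), timeout=<seconds>)` with a short docstring line such as `raw_sign: post to the /rawsign endpoint instead of /sign`. The `/rawsign` request is sent with the same `mech='RSAPKCS1'` as the padded path, which is presumably intended but deserves a one-line comment since the class itself is constructed with `do_padding=False`. The request URL is built from the keyspec by string formatting with no check on the scheme, and the docstring in the first hunk advertises an `http://` keyspec, so a comment noting that the data submitted for signing and the returned signature travel unencrypted unless the keyspec is `https://` would help the next reader. The body of `sign` continues past the end of the hunk.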
1 change: 1 addition & 0 deletions src/xmlsec/pk11.py
Expand Up @@ -141,6 +141,7 @@ def _session(library, slot, pin=None):
lib = PyKCS11.PyKCS11Lib()
assert type(library) == str # lib.load does not like unicode
lib.load(library)
# XXX should check result of C_Initialize()
lib.lib.C_Initialize()
_modules[library] = lib
else:
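Review bot: The added `# XXX` comment records that the return value of `C_Initialize()` is ignored but the commit does not add the check, and the line after it caches the library in `_modules[library]` regardless, so a failed initialization is reused by every later `_session` call for that library. If `lib.lib.C_Initialize()` returns a CK_RV as the low-level PyKCS11 call does, the check is two lines: `rv = lib.lib.C_Initialize()` followed by `if rv != PyKCS11.CKR_OK: raise PyKCS11.PyKCS11Error(rv)`, placed before the assignment into `_modules`. Please confirm against the PyKCS11 version in use, since newer releases may perform initialization inside `load()`. The enclosing `_session` function begins and ends outside the hunk.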