From 00f83fc41cdb6c451af1575ddaa8fda3046df602 Mon Sep 17 00:00:00 2001
From: Luca Leonardo Scorcia
Date: Wed, 3 Mar 2021 15:39:50 -0500
Subject: [PATCH] Fix #325 Allow XML signatures that include both X509Data and KeyValue elements
---
 testenv/crypto.py | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/testenv/crypto.py b/testenv/crypto.py
index ad970cf5..399d8680 100644
--- a/testenv/crypto.py
+++ b/testenv/crypto.py
@@ -11,7 +11,7 @@ from lxml import objectify
 from lxml.etree import fromstring, tostring
 from signxml import XMLSigner, XMLVerifier
-from signxml.exceptions import InvalidDigest, InvalidSignature as InvalidSignature_
+from signxml.exceptions import InvalidDigest, InvalidInput, InvalidSignature as InvalidSignature_
 from testenv import log
 from testenv.exceptions import SignatureVerificationError
@@ -289,8 +289,19 @@ def _ensure_matching_certificate(self):
     def _verify_signature(self):
         try:
-            self._verifier.verify(
-                self._request.saml_request, x509_cert=self._cert)
+            try:
+                self._verifier.verify(
+                    self._request.saml_request, x509_cert=self._cert)
+            except InvalidInput as e:
+                # Work around issue https://github.com/XML-Security/signxml/issues/143
+                if "Use verify(ignore_ambiguous_key_info=True)" in str(e):
+                    logger.info("Found both X509Data and KeyValue in XML signature, validating signature using X509Data only")
+                    self._verifier.verify(
+                        self._request.saml_request, x509_cert=self._cert,
+                        ignore_ambiguous_key_info=True
+                    )
+                else:
+                    raise e
         except InvalidDigest:
             self._fail('Il valore del digest non รจ valido.')
         except InvalidSignature_:
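Review bot: The retry in the new `except InvalidInput as e:` branch is gated on a substring of signxml's exception text, so a wording change in a later signxml release silently turns a document with both X509Data and KeyValue back into an unhandled InvalidInput, and nothing in the hunk records why re-verifying with `ignore_ambiguous_key_info=True` does not weaken the check. It is acceptable here only because `x509_cert=self._cert` pins the verifying certificate on both calls, so the attacker-controllable KeyValue element never decides which key is trusted; state that invariant above the second verify call, e.g. `# Safe only because x509_cert=self._cert pins the key: the flag drops KeyValue, it does not trust it`. If the pinned signxml version treats the flag as a no-op when only one of the two elements is present (to be confirmed against that version), passing `ignore_ambiguous_key_info=True` on the first call would remove the nested try and the fragile message match altogether. Minor: `raise e` inside the except should be a bare `raise`. The enclosing try continues past the hunk, so whether a non-matching InvalidInput is caught further down cannot be seen here.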