Support encryption

This commit is contained in:
Benjamin Dauvergne 2015-03-19 15:30:20 +01:00
parent 5dcde8614e
commit bb08da0f9e
3 changed files with 36 additions and 5 deletions

README

@ -100,14 +100,25 @@ doing key roll-over
MELLON_PRIVATE_KEY
------------------
The PKCS#8 PEM encoded private key, if not provided request will not
be signed.
The PKCS#8 PEM encoded private key. If neither MELLON_PRIVATE_KEYS and
MELLON_PRIVATE_KEY are set, request will not be signed.
MELLON_PRIVATE_KEY_PASSWORD
---------------------------
Password for the private key if needed, default is None
MELLON_PRIVATE_KEYS
-------------------
A list of private keys contained in strings (same format ass
MELLON_PRIVATE_KEY) or of tuple paris (private_key, private_key_password). If
MELLON_PRIVATE_KEY is None, the first key in MELLON_PRIVATE_KEYS will be used
to sign messages. Other keys are only for decrypting encrypted assertions. If
the same key appear in MELLON_PRIVATE_KEY and MELLON_PRIVATE_KEYS it will be
ignored the second time. If neither MELLON_PRIVATE_KEYS and MELLON_PRIVATE_KEY
are set, request will not be signed.
MELLON_NAME_ID_FORMATS
----------------------


@ -6,6 +6,7 @@ class AppSettings(object):
__DEFAULTS = {
'PUBLIC_KEYS': (),
'PRIVATE_KEY': None,
'PRIVATE_KEYS': (),
'PRIVATE_KEY_PASSWORD': None,
'NAME_ID_FORMATS': (),
'NAME_ID_POLICY_FORMAT': None,


@ -42,9 +42,28 @@ def create_server(request):
if root not in SERVERS:
idps = get_idps()
metadata = create_metadata(request)
if app_settings.PRIVATE_KEY:
private_key = app_settings.PRIVATE_KEY
private_key_password = app_settings.PRIVATE_KEY_PASSWORD
elif app_settings.PRIVATE_KEYS:
private_key = app_settings.PRIVATE_KEYS
private_key_password = None
if isinstance(private_key, (tuple, list)):
private_key_password = private_key[1]
private_key = private_key[0]
else: # no signature
private_key = None
private_key_password = None
server = lasso.Server.newFromBuffers(metadata,
private_key_content=app_settings.PRIVATE_KEY,
private_key_password=app_settings.PRIVATE_KEY_PASSWORD)
private_key_content=private_key,
private_key_password=private_key_password)
server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)
for key in app_settings.PRIVATE_KEYS:
password = None
if isinstance(key, (tuple, list)):
password = key[1]
key = key[0]
server.setEncryptionPrivateKeyWithPassword(key, password)
for idp in idps:
if 'METADATA_URL' in idp and 'METADATA' not in idp:
idp['METADATA'] = urllib.urlopen(idp['METADATA_URL']).read()
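Review bot: The `elif app_settings.PRIVATE_KEYS:` branch assigns the whole sequence (`private_key = app_settings.PRIVATE_KEYS`) rather than its first entry, so the `isinstance(private_key, (tuple, list))` check that follows is true for the list of keys itself: the second configured key is then taken as the password, the first entry (which may itself be a `(key, password)` pair) as the key, and a single-entry list raises IndexError on `private_key[1]`. The README in this commit says the first key of MELLON_PRIVATE_KEYS is the signing key, so the assignment should be `private_key = app_settings.PRIVATE_KEYS[0]` and the tuple check then applies to that entry only. In the "no signature" case `private_key` is None but `server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)` is still called unconditionally; unless lasso is known to accept None there, guarding it with `if private_key:` would be safer. The signing key is also registered a second time by the loop over `app_settings.PRIVATE_KEYS` when it came from that list; the README states the duplicate is ignored, which presumably relies on lasso's behaviour and is worth a comment on the loop. The body of create_server continues outside the hunk.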
@ -59,7 +78,7 @@ def create_server(request):
def create_login(request):
server = create_server(request)
login = lasso.Login(server)
if not app_settings.PRIVATE_KEY:
if not app_settings.PRIVATE_KEY and not app_settings.PRIVATE_KEYS:
login.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID)
return login