incubator-heraldry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ket...@apache.org
Subject svn commit: r493304 - in /incubator/heraldry/libraries/python/openid/trunk/openid: association.py consumer/consumer.py server/server.py test/test_association.py test/test_consumer.py test/test_server.py
Date Sat, 06 Jan 2007 05:18:26 GMT
Author: keturn
Date: Fri Jan  5 21:18:25 2007
New Revision: 493304

URL: http://svn.apache.org/viewvc?view=rev&rev=493304
Log:
[python-to-heraldry @ FIX #1367: Remove SIGNALL associations]

Original author: Josh Hoyt <josh@janrain.com>
Date: 2006-11-17 01:06:24+00:00

Modified:
    incubator/heraldry/libraries/python/openid/trunk/openid/association.py
    incubator/heraldry/libraries/python/openid/trunk/openid/consumer/consumer.py
    incubator/heraldry/libraries/python/openid/trunk/openid/server/server.py
    incubator/heraldry/libraries/python/openid/trunk/openid/test/test_association.py
    incubator/heraldry/libraries/python/openid/trunk/openid/test/test_consumer.py
    incubator/heraldry/libraries/python/openid/trunk/openid/test/test_server.py

Modified: incubator/heraldry/libraries/python/openid/trunk/openid/association.py
URL: http://svn.apache.org/viewvc/incubator/heraldry/libraries/python/openid/trunk/openid/association.py?view=diff&rev=493304&r1=493303&r2=493304
==============================================================================
--- incubator/heraldry/libraries/python/openid/trunk/openid/association.py (original)
+++ incubator/heraldry/libraries/python/openid/trunk/openid/association.py Fri Jan  5 21:18:25
2007
@@ -13,13 +13,7 @@
 
 all_association_types = [
     'HMAC-SHA1',
-    'HMAC-SHA1-SIGNALL',
-    'HMAC-SHA256-SIGNALL',
-    ]
-
-signall_association_types = [
-    'HMAC-SHA1-SIGNALL',
-    'HMAC-SHA256-SIGNALL',
+    'HMAC-SHA256',
     ]
 
 if hasattr(cryptutil, 'hmacSha256'):
@@ -27,40 +21,33 @@
 
     default_association_order = [
         ('HMAC-SHA1', 'DH-SHA1'),
-        ('HMAC-SHA1-SIGNALL', 'DH-SHA1'),
-        ('HMAC-SHA256-SIGNALL', 'DH-SHA256'),
         ('HMAC-SHA1', 'no-encryption'),
-        ('HMAC-SHA1-SIGNALL', 'no-encryption'),
-        ('HMAC-SHA256-SIGNALL', 'no-encryption'),
+        ('HMAC-SHA256', 'DH-SHA256'),
+        ('HMAC-SHA256', 'no-encryption'),
         ]
 
     only_encrypted_association_order = [
         ('HMAC-SHA1', 'DH-SHA1'),
-        ('HMAC-SHA1-SIGNALL', 'DH-SHA1'),
-        ('HMAC-SHA256-SIGNALL', 'DH-SHA256'),
+        ('HMAC-SHA256', 'DH-SHA256'),
         ]
 else:
     supported_association_types = ['HMAC-SHA1']
 
     default_association_order = [
         ('HMAC-SHA1', 'DH-SHA1'),
-        ('HMAC-SHA1-SIGNALL', 'DH-SHA1'),
         ('HMAC-SHA1', 'no-encryption'),
-        ('HMAC-SHA1-SIGNALL', 'no-encryption'),
         ]
 
     only_encrypted_association_order = [
         ('HMAC-SHA1', 'DH-SHA1'),
-        ('HMAC-SHA1-SIGNALL', 'DH-SHA1'),
         ]
 
 def getSessionTypes(assoc_type):
     """Return the allowed session types for a given association type"""
     assoc_to_session = {
         'HMAC-SHA1': ['DH-SHA1', 'no-encryption'],
-        'HMAC-SHA256-SIGNALL': ['DH-SHA256', 'no-encryption'],
+        'HMAC-SHA256': ['DH-SHA256', 'no-encryption'],
         }
-    assoc_to_session['HMAC-SHA1-SIGNALL'] = assoc_to_session['HMAC-SHA1']
     return assoc_to_session.get(assoc_type, [])
 
 def checkSessionType(assoc_type, session_type):
@@ -121,9 +108,9 @@
 encrypted_negotiator = SessionNegotiator(only_encrypted_association_order)
 
 def getSecretSize(assoc_type):
-    if assoc_type in ('HMAC-SHA1', 'HMAC-SHA1-SIGNALL'):
+    if assoc_type == 'HMAC-SHA1':
         return 20
-    elif assoc_type == 'HMAC-SHA256-SIGNALL':
+    elif assoc_type == 'HMAC-SHA256':
         return 32
     else:
         raise ValueError('Unsupported association type: %r' % (assoc_type,))
@@ -171,10 +158,6 @@
     @type assoc_type: C{str}
 
 
-    @ivar sign_all: True if this association type signs all fields, as
-        opposed to those listed in an C{openid.signed} list.
-    @type sign_all: bool
-    
     @sort: __init__, fromExpiresIn, getExpiresIn, __eq__, __ne__,
         handle, secret, issued, lifetime, assoc_type
     """
@@ -192,9 +175,8 @@
 
     _macs = {
         'HMAC-SHA1': cryptutil.hmacSha1,
-        'HMAC-SHA256-SIGNALL': cryptutil.hmacSha256,
+        'HMAC-SHA256': cryptutil.hmacSha256,
         }
-    _macs['HMAC-SHA1-SIGNALL'] = _macs['HMAC-SHA1']
 
 
     def fromExpiresIn(cls, expires_in, handle, secret, assoc_type):
@@ -289,7 +271,6 @@
         self.issued = issued
         self.lifetime = lifetime
         self.assoc_type = assoc_type
-        self.sign_all = assoc_type in signall_association_types
 
     def getExpiresIn(self, now=None):
         """
@@ -452,12 +433,11 @@
         signed_message = message.copy()
         signed_message.setArg(OPENID_NS, 'assoc_handle', self.handle)
         message_keys = signed_message.toPostArgs().keys()
-        if not self.sign_all:
-            signed_list = [k[7:] for k in message_keys
-                           if k.startswith('openid.')]
-            signed_list.append('signed')
-            signed_list.sort()
-            signed_message.setArg(OPENID_NS, 'signed', ','.join(signed_list))
+        signed_list = [k[7:] for k in message_keys
+                       if k.startswith('openid.')]
+        signed_list.append('signed')
+        signed_list.sort()
+        signed_message.setArg(OPENID_NS, 'signed', ','.join(signed_list))
         sig = self.getMessageSignature(signed_message)
         signed_message.setArg(OPENID_NS, 'sig', sig)
         return signed_message
@@ -477,26 +457,6 @@
 
 
     def _makePairs(self, message):
-        # Feels a bit kludgy to dispatch here instead of of letting the class
-        # have the method appropriately defined, but this seemed to be the
-        # least complicated alternative at the time.
-        if self.sign_all:
-            return self._makePairsSignAll(message)
-        else:
-            return self._makePairsSignedList(message)
-
-
-    def _makePairsSignAll(self, message):
-        pairs = message.toPostArgs()
-        if 'openid.sig' in pairs:
-            # A sig does not sign itself.
-            del pairs['openid.sig']
-        pairs = pairs.items()
-        pairs.sort()
-        return pairs
-
-
-    def _makePairsSignedList(self, message):
         signed = message.getArg(OPENID_NS, 'signed')
         if not signed:
             raise ValueError('Message has no signed list: %s' % (message,))

Modified: incubator/heraldry/libraries/python/openid/trunk/openid/consumer/consumer.py
URL: http://svn.apache.org/viewvc/incubator/heraldry/libraries/python/openid/trunk/openid/consumer/consumer.py?view=diff&rev=493304&r1=493303&r2=493304
==============================================================================
--- incubator/heraldry/libraries/python/openid/trunk/openid/consumer/consumer.py (original)
+++ incubator/heraldry/libraries/python/openid/trunk/openid/consumer/consumer.py Fri Jan 
5 21:18:25 2007
@@ -571,11 +571,6 @@
             if not assoc.checkMessageSignature(message):
                 raise ValueError('Bad signature')
 
-            if assoc.sign_all:
-                signed_list = message.toPostArgs().keys()
-            else:
-                signed_list = message.getArg(OPENID_NS, 'signed').split(',')
-                
         else:
             # It's not an association we know about.  Stateless mode is our
             # only possible path for recovery.
@@ -584,17 +579,7 @@
             if not self._checkAuth(message, server_url):
                 raise ValueError('Server denied check_authentication')
 
-            # XXX: Danger!  We don't know what the server's signing algorithm
-            # is.  We assume that if there is no signed list, the server
-            # is not so brain-dead as to return is_valid=true unless it is
-            # using sign-all.
-            signed_list = message.getArg(OPENID_NS, 'signed')
-            if not signed_list:
-                signed_list = message.toPostArgs().keys()
-            else:
-                signed_list = signed_list.split(',')
-
-        return signed_list
+        return message.getArg(OPENID_NS, 'signed').split(',')
 
 
     def _idResCheckForFields(self, message, signed_list):
@@ -653,15 +638,6 @@
         return self._processCheckAuthResponse(response, server_url)
 
     def _createCheckAuthRequest(self, message):
-        signed = message.getArg(OPENID_NS, 'signed')
-        if signed:
-            return self._createCheckAuthRequestSignedList(message)
-        else:
-            # XXX: assuming that no signed list means sign all.
-            return self._createCheckAuthRequestSignAll(message)
-
-
-    def _createCheckAuthRequestSignedList(self, message):
         # Arguments that are always passed to the server and not
         # included in the signature.
         whitelist = ['assoc_handle', 'sig', 'signed', 'invalidate_handle']
@@ -687,13 +663,6 @@
         check_args['openid.mode'] = 'check_authentication'
         return check_args
 
-
-    def _createCheckAuthRequestSignAll(self, message):
-        check_args = message.toPostArgs()
-        check_args['openid.mode'] = 'check_authentication'
-        return check_args
-
-
     def _processCheckAuthResponse(self, response, server_url):
         is_valid = response.get('is_valid', 'false')
 
@@ -933,7 +902,7 @@
     def formMarkup(self, trust_root, return_to, immediate=False,
             form_tag_attrs=None):
         """Get html for a form to submit this request to the IDP.
-         
+
         @param form_tag_attrs: Dictionary of attributes to be added to
             the form tag. 'accept-charset' and 'enctype' have defaults
             that can be overridden. If a value is supplied for
@@ -941,7 +910,7 @@
         @type form_tag_attrs: {unicode: unicode}
         """
         message = self.getMessage(trust_root, return_to, immediate)
-        return message.toFormMarkup(self.endpoint.server_url, 
+        return message.toFormMarkup(self.endpoint.server_url,
                     form_tag_attrs)
 
 FAILURE = 'failure'

Modified: incubator/heraldry/libraries/python/openid/trunk/openid/server/server.py
URL: http://svn.apache.org/viewvc/incubator/heraldry/libraries/python/openid/trunk/openid/server/server.py?view=diff&rev=493304&r1=493303&r2=493304
==============================================================================
--- incubator/heraldry/libraries/python/openid/trunk/openid/server/server.py (original)
+++ incubator/heraldry/libraries/python/openid/trunk/openid/server/server.py Fri Jan  5 21:18:25
2007
@@ -252,7 +252,7 @@
     @see: AssociateRequest
     """
     session_type = 'no-encryption'
-    allowed_assoc_types = ['HMAC-SHA1', 'HMAC-SHA256-SIGNALL']
+    allowed_assoc_types = ['HMAC-SHA1', 'HMAC-SHA256']
 
     def fromMessage(cls, unused_request):
         return cls()
@@ -284,7 +284,7 @@
     """
     session_type = 'DH-SHA1'
     hash_func = staticmethod(cryptutil.sha1)
-    allowed_assoc_types = ['HMAC-SHA1', 'HMAC-SHA1-SIGNALL']
+    allowed_assoc_types = ['HMAC-SHA1']
 
     def __init__(self, dh, consumer_pubkey):
         self.dh = dh
@@ -345,7 +345,7 @@
 class DiffieHellmanSHA256ServerSession(DiffieHellmanSHA1ServerSession):
     session_type = 'DH-SHA256'
     hash_func = staticmethod(cryptutil.sha256)
-    allowed_assoc_types = ['HMAC-SHA256-SIGNALL']
+    allowed_assoc_types = ['HMAC-SHA256']
 
 class AssociateRequest(OpenIDRequest):
     """A request to establish an X{association}.
@@ -890,13 +890,8 @@
             data.
         @type assoc_handle: str
 
-        @param sig: The base-64 encoded signature to check.
-        @type sig: str
-
-        @param signed_pairs: The data to check, an ordered list of key-value
-            pairs.  The keys should be as they are in the request's C{signed}
-            list, without any C{"openid."} prefix.
-        @type signed_pairs: list of pairs
+        @param message: The signed message to verify
+        @type message: openid.message.Message
 
         @returns: C{True} if the signature is valid, C{False} if not.
         @returntype: bool
@@ -938,7 +933,7 @@
             # disabling expiration check because even if the association
             # is expired, we still need to know some properties of the
             # association so that we may preserve those properties when
-            # creating the fallback association.  (i.e. SIGNALL)
+            # creating the fallback association.
             assoc = self.getAssociation(assoc_handle, dumb=False,
                                         checkExpiration=False)
 
@@ -954,7 +949,6 @@
                 assoc = self.createAssociation(dumb=True, assoc_type=assoc_type)
         else:
             # dumb mode.
-            # XXX: provide the option to use a signall association here.
             assoc = self.createAssociation(dumb=True)
 
         signed_response.fields = assoc.signMessage(signed_response.fields)

Modified: incubator/heraldry/libraries/python/openid/trunk/openid/test/test_association.py
URL: http://svn.apache.org/viewvc/incubator/heraldry/libraries/python/openid/trunk/openid/test/test_association.py?view=diff&rev=493304&r1=493303&r2=493304
==============================================================================
--- incubator/heraldry/libraries/python/openid/trunk/openid/test/test_association.py (original)
+++ incubator/heraldry/libraries/python/openid/trunk/openid/test/test_association.py Fri Jan
 5 21:18:25 2007
@@ -6,6 +6,16 @@
 from openid import association
 import time
 
+try:
+    from openid import cryptutil
+    cryptutil.sha256('')
+except NotImplementedError:
+    import warnings
+    warnings.warn("Not running SHA256 tests.")
+    has_sha256 = False
+else:
+    has_sha256 = True
+
 class AssociationSerializationTest(unittest.TestCase):
     def test_roundTrip(self):
         issued = int(time.time())
@@ -89,9 +99,9 @@
             3600, '{sha1}', 'very_secret', "HMAC-SHA1")
 
 
-    def testMakePairsSignedList(self):
+    def testMakePairs(self):
         """Make pairs using the OpenID 1.x type signed list."""
-        pairs = self.assoc._makePairsSignedList(self.message)
+        pairs = self.assoc._makePairs(self.message)
         expected = [
             ('identifier', '=example'),
             ('mode', 'id_res'),
@@ -99,31 +109,6 @@
         self.failUnlessEqual(pairs, expected)
 
 
-    def testMakePairsSignAll(self):
-        pairs = self.assoc._makePairsSignAll(self.message)
-        expected = [
-            ('openid.identifier', '=example'),
-            ('openid.mode', 'id_res'),
-            ('openid.ns', 'http://openid.net/specs/2.0/base'),
-            ('openid.signed', 'identifier,mode'),
-            ('xey', 'value'),
-            ]
-        self.failUnlessEqual(pairs, expected)
-
-
-
-class TestIsSignAll(unittest.TestCase):
-    def test_sha1(self):
-        self.assoc = association.Association.fromExpiresIn(
-            3600, '{sha1}', 'very_secret', "HMAC-SHA1")
-        self.failUnlessEqual(self.assoc.sign_all, False)
-
-
-    def test_sha1signAll(self):
-        self.assoc = association.Association.fromExpiresIn(
-            3600, '{sha1-sa}', 'very_secret', "HMAC-SHA1-SIGNALL")
-        self.failUnlessEqual(self.assoc.sign_all, True)
-
 
 class TestMac(unittest.TestCase):
     def setUp(self):
@@ -139,25 +124,10 @@
         sig = assoc.sign(self.pairs)
         self.failUnlessEqual(sig, expected)
 
-
-    def test_sha1signAll(self):
-        assoc = association.Association.fromExpiresIn(
-            3600, '{sha1SA}', 'very_secret', "HMAC-SHA1-SIGNALL")
-        expected = ('\xe0\x1bv\x04\xf1G\xc0\xbb\x7f\x9a\x8b'
-                    '\xe9\xbc\xee}\\\xe5\xbb7*')
-        sig = assoc.sign(self.pairs)
-        self.failUnlessEqual(sig, expected)
-
-    try:
-        from openid import cryptutil
-        cryptutil.sha256('')
-    except NotImplementedError:
-        import warnings
-        warnings.warn("Not running SHA256 tests.")
-    else:
-        def test_sha256signAll(self):
+    if has_sha256:
+        def test_sha256(self):
             assoc = association.Association.fromExpiresIn(
-                3600, '{sha256SA}', 'very_secret', "HMAC-SHA256-SIGNALL")
+                3600, '{sha256SA}', 'very_secret', "HMAC-SHA256")
             expected = ('\xfd\xaa\xfe;\xac\xfc*\x988\xad\x05d6-\xeaVy'
                         '\xd5\xa5Z.<\xa9\xed\x18\x82\\$\x95x\x1c&')
             sig = assoc.sign(self.pairs)
@@ -183,16 +153,19 @@
         self.failUnless(signed.getArg(OPENID_NS, "sig"))
         self.failUnlessEqual(signed.getArg(OPENID_NS, "signed"),
                              "assoc_handle,identifier,mode,ns,signed")
-
-
-    def test_signAll(self):
-        assoc = association.Association.fromExpiresIn(
-            3600, '{sha1}', 'very_secret', "HMAC-SHA1-SIGNALL")
-        signed = assoc.signMessage(self.message)
-        self.failUnless(signed.getArg(OPENID_NS, "sig"))
-        self.failUnlessEqual(signed.getArg(OPENID_NS, "signed", None), None)
         self.failUnlessEqual(signed.getArg(BARE_NS, "xey"), "value",
                              signed)
+
+    if has_sha256:
+        def test_signSHA256(self):
+            assoc = association.Association.fromExpiresIn(
+                3600, '{sha1}', 'very_secret', "HMAC-SHA256")
+            signed = assoc.signMessage(self.message)
+            self.failUnless(signed.getArg(OPENID_NS, "sig"))
+            self.failUnlessEqual(signed.getArg(OPENID_NS, "signed"),
+                                 "assoc_handle,identifier,mode,ns,signed")
+            self.failUnlessEqual(signed.getArg(BARE_NS, "xey"), "value",
+                                 signed)
 
 
 class TestCheckMessageSignature(unittest.TestCase):

Modified: incubator/heraldry/libraries/python/openid/trunk/openid/test/test_consumer.py
URL: http://svn.apache.org/viewvc/incubator/heraldry/libraries/python/openid/trunk/openid/test/test_consumer.py?view=diff&rev=493304&r1=493303&r2=493304
==============================================================================
--- incubator/heraldry/libraries/python/openid/trunk/openid/test/test_consumer.py (original)
+++ incubator/heraldry/libraries/python/openid/trunk/openid/test/test_consumer.py Fri Jan
 5 21:18:25 2007
@@ -73,7 +73,6 @@
 class GoodAssociation:
     expiresIn = 3600
     handle = "-blah-"
-    sign_all = False
 
     def getExpiresIn(self):
         return self.expiresIn
@@ -279,7 +278,6 @@
         TestIdRes.setUp(self)
         self.assoc = GoodAssociation()
         self.assoc.handle = "{not_dumb}"
-        self.assoc.sign_all = True
         self.store.storeAssociation(self.endpoint.server_url, self.assoc)
 
         self.message = Message.fromPostArgs({
@@ -287,22 +285,25 @@
             'openid.identity': '=example',
             'openid.sig': GOODSIG,
             'openid.assoc_handle': self.assoc.handle,
+            'openid.signed': 'mode,identity,assoc_handle,signed',
             'frobboz': 'banzit',
             })
-        self.expected_signed = ['openid.mode','openid.identity','openid.sig',
-                                'openid.assoc_handle','frobboz']
+        self.expected_signed = ['mode',
+                                'signed',
+                                'identity',
+                                'assoc_handle']
         self.expected_signed.sort()
 
 
-    def test_signall(self):
-        # assoc_handle to assoc with good sig and sign_all = True
+    def test_sign(self):
+        # assoc_handle to assoc with good sig
         signed = self.consumer._idResCheckSignature(self.message,
                                                     self.endpoint.server_url)
         signed.sort()
         self.failUnlessEqual(self.expected_signed, signed)
 
 
-    def test_signall_stateless(self):
+    def test_stateless(self):
         # assoc_handle missing assoc, consumer._checkAuth returns goodthings
         self.message.setArg(OPENID_NS, "assoc_handle", "dumbHandle")
         self.consumer._processCheckAuthResponse = (
@@ -759,21 +760,6 @@
             }
         consumer = BadArgCheckingConsumer(self.store)
         consumer._checkAuth(Message.fromPostArgs(query), 'does://not.matter')
-
-
-    def test_signAll(self):
-        query = {
-            'openid.mode': 'id_res',
-            'openid.sig': 'rabbits',
-            'openid.identity': '=example',
-            'openid.assoc_handle': 'munchkins',
-            'foo': 'bar',
-            }
-        expected = query.copy()
-        expected['openid.mode'] = 'check_authentication'
-        args = self.consumer._createCheckAuthRequest(
-            Message.fromPostArgs(query))
-        self.failUnlessEqual(args, expected)
 
 
     def test_signedList(self):

Modified: incubator/heraldry/libraries/python/openid/trunk/openid/test/test_server.py
URL: http://svn.apache.org/viewvc/incubator/heraldry/libraries/python/openid/trunk/openid/test/test_server.py?view=diff&rev=493304&r1=493303&r2=493304
==============================================================================
--- incubator/heraldry/libraries/python/openid/trunk/openid/test/test_server.py (original)
+++ incubator/heraldry/libraries/python/openid/trunk/openid/test/test_server.py Fri Jan  5
21:18:25 2007
@@ -217,22 +217,6 @@
         self.failUnlessEqual(r.sig, 'sigblob')
 
 
-    def test_checkAuthSignAll(self):
-        args = {
-            'openid.mode': 'check_authentication',
-            'openid.assoc_handle': '{dumb-signall}{handle}',
-            'openid.sig': 'sigblob',
-            'openid.identity': 'signedval1',
-            'openid.return_to': 'signedval2',
-            'baz': 'also-signed',
-            }
-        r = self.decode(args)        
-        self.failUnless(isinstance(r, server.CheckAuthRequest))
-        expected_message = Message.fromPostArgs(args)
-        expected_message.setArg(OPENID_NS, "mode", "id_res")
-        self.failUnlessEqual(r.signed, expected_message)
-
-
     def test_checkAuthMissingSignature(self):
         args = {
             'openid.mode': 'check_authentication',
@@ -824,17 +808,18 @@
         warnings.warn("Not running SHA256 tests.")
     else:
         def test_dhSHA256(self):
-            self.assoc = self.signatory.createAssociation(dumb=False, assoc_type='HMAC-SHA256-SIGNALL')
+            self.assoc = self.signatory.createAssociation(
+                dumb=False, assoc_type='HMAC-SHA256')
             from openid.dh import DiffieHellman
             from openid.server.server import DiffieHellmanSHA256ServerSession
             consumer_dh = DiffieHellman.fromDefaults()
             cpub = consumer_dh.public
             server_dh = DiffieHellman.fromDefaults()
             session = DiffieHellmanSHA256ServerSession(server_dh, cpub)
-            self.request = server.AssociateRequest(session, 'HMAC-SHA256-SIGNALL')
+            self.request = server.AssociateRequest(session, 'HMAC-SHA256')
             response = self.request.answer(self.assoc)
             rfg = lambda f: response.fields.getArg(OPENID_NS, f)
-            self.failUnlessEqual(rfg("assoc_type"), "HMAC-SHA256-SIGNALL")
+            self.failUnlessEqual(rfg("assoc_type"), "HMAC-SHA256")
             self.failUnlessEqual(rfg("assoc_handle"), self.assoc.handle)
             self.failIf(rfg("mac_key"))
             self.failUnlessEqual(rfg("session_type"), "DH-SHA256")
@@ -876,7 +861,7 @@
             
         s1_session = DiffieHellmanSHA1ConsumerSession()
 
-        invalid_s1 = {'openid.assoc_type':'HMAC-SHA256-SIGNALL',
+        invalid_s1 = {'openid.assoc_type':'HMAC-SHA256',
                       'openid.session_type':'DH-SHA1',}
         invalid_s1.update(s1_session.getRequest())
 
@@ -913,7 +898,7 @@
         self.failIf(rfg("dh_server_public"))
 
     def test_plaintext256(self):
-        self.assoc = self.signatory.createAssociation(dumb=False, assoc_type='HMAC-SHA256-SIGNALL')
+        self.assoc = self.signatory.createAssociation(dumb=False, assoc_type='HMAC-SHA256')
         response = self.request.answer(self.assoc)
         rfg = lambda f: response.fields.getArg(OPENID_NS, f)
 
@@ -1003,14 +988,14 @@
 
         Should give back an error message with a fallback type.
         """
-        self.server.negotiator.setAllowedTypes([('HMAC-SHA256-SIGNALL', 'DH-SHA256')])
+        self.server.negotiator.setAllowedTypes([('HMAC-SHA256', 'DH-SHA256')])
         request = server.AssociateRequest.fromMessage(Message.fromPostArgs({}))
         response = self.server.openid_associate(request)
         self.failUnless(response.fields.hasKey(OPENID_NS, "error"))
         self.failUnless(response.fields.hasKey(OPENID_NS, "error_code"))
         self.failIf(response.fields.hasKey(OPENID_NS, "assoc_handle"))
         self.failUnlessEqual(response.fields.getArg(OPENID_NS, "assoc_type"),
-                             'HMAC-SHA256-SIGNALL')
+                             'HMAC-SHA256')
         self.failUnlessEqual(response.fields.getArg(OPENID_NS, "session_type"),
                              'DH-SHA256')
 
@@ -1022,13 +1007,13 @@
         def test_associate4(self):
             """DH-SHA256 association session"""
             self.server.negotiator.setAllowedTypes(
-                [('HMAC-SHA256-SIGNALL', 'DH-SHA256')])
+                [('HMAC-SHA256', 'DH-SHA256')])
             query = {
                 'openid.dh_consumer_public':
                 'ALZgnx8N5Lgd7pCj8K86T/DDMFjJXSss1SKoLmxE72kJTzOtG6I2PaYrHX'
                 'xku4jMQWSsGfLJxwCZ6280uYjUST/9NWmuAfcrBfmDHIBc3H8xh6RBnlXJ'
                 '1WxJY3jHd5k1/ZReyRZOxZTKdF/dnIqwF8ZXUwI6peV0TyS/K1fOfF/s',
-                'openid.assoc_type': 'HMAC-SHA256-SIGNALL',
+                'openid.assoc_type': 'HMAC-SHA256',
                 'openid.session_type': 'DH-SHA256',
                 }
             message = Message.fromPostArgs(query)
@@ -1134,51 +1119,6 @@
         self.failIf(self.store.getAssociation(self._normal_key, new_assoc_handle))
         self.failUnless(self.messages)
 
-    def test_signExpiredSignAll(self):
-        request = server.OpenIDRequest()
-        request.namespace = OPENID2_NS
-        assoc_handle = '{assoc}{lookatme}'
-
-        expired_assoc = association.Association.fromExpiresIn(
-            -10, assoc_handle, 'sekrit', 'HMAC-SHA1-SIGNALL')
-
-        self.failUnless(expired_assoc.sign_all)
-        self.store.storeAssociation(self._normal_key, expired_assoc)
-        self.failUnless(self.store.getAssociation(self._normal_key, assoc_handle))
-
-        request.assoc_handle = assoc_handle
-        response = server.OpenIDResponse(request)
-        response.fields = Message.fromOpenIDArgs({
-            'foo': 'amsigned',
-            'bar': 'notsigned',
-            'azu': 'alsosigned',
-            })
-        sresponse = self.signatory.sign(response)
-
-        new_assoc_handle = sresponse.fields.getArg(OPENID_NS, 'assoc_handle')
-        self.failUnless(new_assoc_handle)
-        self.failIfEqual(new_assoc_handle, assoc_handle)
-
-        self.failUnlessEqual(
-            sresponse.fields.getArg(OPENID_NS, 'invalidate_handle'),
-            assoc_handle)
-
-        # make sure the new key is a dumb mode association
-        new_assoc = self.store.getAssociation(self._dumb_key, new_assoc_handle)
-        self.failUnless(new_assoc)
-        self.failIf(self.store.getAssociation(self._normal_key,
-                                              new_assoc_handle))
-        # and the new key is a sign-all key like the old one was.
-        self.failUnless(new_assoc.sign_all)
-
-        # make sure the expired association is gone
-        self.failIf(self.store.getAssociation(self._normal_key, assoc_handle))
-
-
-        self.failUnlessEqual(sresponse.fields.getArg(OPENID_NS, 'signed', None),
-                             None)
-        self.failUnless(sresponse.fields.getArg(OPENID_NS, 'sig'))
-
 
     def test_signInvalidHandle(self):
         request = server.OpenIDRequest()
@@ -1215,14 +1155,16 @@
     def test_verify(self):
         assoc_handle = '{vroom}{zoom}'
         assoc = association.Association.fromExpiresIn(
-            60, assoc_handle, 'sekrit', 'HMAC-SHA1-SIGNALL')
+            60, assoc_handle, 'sekrit', 'HMAC-SHA1')
 
         self.store.storeAssociation(self._dumb_key, assoc)
 
         signed = Message.fromPostArgs({
-            'foo': 'bar',
-            'apple': 'orange',
-            'openid.sig': "d71xlHtqnq98DonoSgoK/nD+QRM=",
+            'openid.foo': 'bar',
+            'openid.apple': 'orange',
+            'openid.assoc_handle': assoc_handle,
+            'openid.signed': 'apple,assoc_handle,foo,signed',
+            'openid.sig': 'uXoT1qm62/BB09Xbj98TQ8mlBco=',
             })
 
         verified = self.signatory.verify(assoc_handle, signed)
@@ -1233,19 +1175,21 @@
     def test_verifyBadSig(self):
         assoc_handle = '{vroom}{zoom}'
         assoc = association.Association.fromExpiresIn(
-            60, assoc_handle, 'sekrit', 'HMAC-SHA1-SIGNALL')
+            60, assoc_handle, 'sekrit', 'HMAC-SHA1')
 
         self.store.storeAssociation(self._dumb_key, assoc)
 
         signed = Message.fromPostArgs({
-            'foo': 'bar',
-            'apple': 'orange',
-            'openid.sig': "d71xlHtqnq98DonoSgoK/nD+QRM=".encode('rot13'),
+            'openid.foo': 'bar',
+            'openid.apple': 'orange',
+            'openid.assoc_handle': assoc_handle,
+            'openid.signed': 'apple,assoc_handle,foo,signed',
+            'openid.sig': 'uXoT1qm62/BB09Xbj98TQ8mlBco='.encode('rot13'),
             })
 
         verified = self.signatory.verify(assoc_handle, signed)
-        self.failIf(verified)
         self.failIf(self.messages, self.messages)
+        self.failIf(verified)
 
     def test_verifyBadHandle(self):
         assoc_handle = '{vroom}{zoom}'



Mime
View raw message