providers/saml: add changeable signature and digest algorithm

passbook/providers/saml/utils/xml_signing.py

@@ -1,4 +1,6 @@
 """Signing code goes here."""
+from typing import TYPE_CHECKING
+
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from lxml import etree  # nosec
@@ -7,25 +9,34 @@ from structlog import get_logger
 
 from passbook.lib.utils.template import render_to_string
 
+if TYPE_CHECKING:
+    from passbook.providers.saml.models import SAMLProvider
+
 LOGGER = get_logger()
 
 
-def sign_with_signxml(private_key, data, cert, reference_uri=None):
+def sign_with_signxml(data: str, provider: "SAMLProvider", reference_uri=None) -> str:
     """Sign Data with signxml"""
     key = serialization.load_pem_private_key(
-        str.encode("\n".join([x.strip() for x in private_key.split("\n")])),
+        str.encode("\n".join([x.strip() for x in provider.signing_key.split("\n")])),
         password=None,
         backend=default_backend(),
     )
     # defused XML is not used here because it messes up XML namespaces
     # Data is trusted, so lxml is ok
     root = etree.fromstring(data)  # nosec
-    signer = XMLSigner(c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
-    signed = signer.sign(root, key=key, cert=[cert], reference_uri=reference_uri)
-    XMLVerifier().verify(signed, x509_cert=cert)
+    signer = XMLSigner(
+        c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#",
+        signature_algorithm=provider.signature_algorithm,
+        digest_algorithm=provider.digest_algorithm,
+    )
+    signed = signer.sign(
+        root, key=key, cert=[provider.signing_cert], reference_uri=reference_uri
+    )
+    XMLVerifier().verify(signed, x509_cert=provider.signing_cert)
     return etree.tostring(signed).decode("utf-8")  # nosec
 
 
-def get_signature_xml():
+def get_signature_xml() -> str:
     """Returns XML Signature for subject."""
     return render_to_string("saml/xml/signature.xml", {})